Behavioral Report

General

Target

0733d640a833a24e6c37c8085a6e22ba3245eee995c83edf79f20efa327d365a.exe
Size

1013KB
MD5

20b4ed91510de8b2766a7b27b643a007
SHA1

e52812e0a3a17a291f524bde23a7dea44339bbf3
SHA256

0733d640a833a24e6c37c8085a6e22ba3245eee995c83edf79f20efa327d365a
SHA512

bad5c56aeb9b57c7b4591f34f41a157fc60e5038eeef82aaaa297a267bfb6c69ad8d52a9b60142c502756f56829c8a44840c620e1191458135fbb5b319feed0f
SSDEEP

24576:/axyj3UlpY02W9pNydU50sTmJf2fU+NAmAOLm+t:/ac3UoW9OGxTmJ6emACm+

Score

10^/10

azorult oski raccoon 1cc7ea34e0c2ffcad2b614bf34887c32c8a79609 infostealer spyware stealer trojan

Malware Config

Extracted

Family

raccoon

Version

1.7.1-hotfix

Botnet

1cc7ea34e0c2ffcad2b614bf34887c32c8a79609

Attributes

url4cnc
https://telete.in/brikitiki

rc4.plain

Extracted

Family

azorult

C2

http://195.245.112.115/index.php

Extracted

Family

oski

C2

darkangel.ac.ug

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon
Raccoon Stealer payload 1 IoCs

Processes:

resource yara_rule

behavioral2/memory/1116-146-0x0000000000400000-0x0000000000493000-memory.dmp family_raccoon
Executes dropped EXE 4 IoCs

Processes:

HJsdfccdf.exeYTfghawe.exeHJsdfccdf.exeYTfghawe.exe

pid process

4804 HJsdfccdf.exe
1632 YTfghawe.exe
4744 HJsdfccdf.exe
332 YTfghawe.exe

resource	yara_rule
behavioral2/memory/1116-146-0x0000000000400000-0x0000000000493000-memory.dmp	family_raccoon

pid	process
4804	HJsdfccdf.exe
1632	YTfghawe.exe
4744	HJsdfccdf.exe
332	YTfghawe.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0733d640a833a24e6c37c8085a6e22ba3245eee995c83edf79f20efa327d365a.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	0733d640a833a24e6c37c8085a6e22ba3245eee995c83edf79f20efa327d365a.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 3 IoCs

Processes:

0733d640a833a24e6c37c8085a6e22ba3245eee995c83edf79f20efa327d365a.exeHJsdfccdf.exeYTfghawe.exe

description	pid	process	target process
PID 1232 set thread context of 1116	1232	0733d640a833a24e6c37c8085a6e22ba3245eee995c83edf79f20efa327d365a.exe	0733d640a833a24e6c37c8085a6e22ba3245eee995c83edf79f20efa327d365a.exe
PID 4804 set thread context of 4744	4804	HJsdfccdf.exe	HJsdfccdf.exe
PID 1632 set thread context of 332	1632	YTfghawe.exe	YTfghawe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4620 332 WerFault.exe YTfghawe.exe
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

0733d640a833a24e6c37c8085a6e22ba3245eee995c83edf79f20efa327d365a.exeHJsdfccdf.exeYTfghawe.exe

pid process

1232 0733d640a833a24e6c37c8085a6e22ba3245eee995c83edf79f20efa327d365a.exe
4804 HJsdfccdf.exe
1632 YTfghawe.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

0733d640a833a24e6c37c8085a6e22ba3245eee995c83edf79f20efa327d365a.exeHJsdfccdf.exeYTfghawe.exe

pid process

1232 0733d640a833a24e6c37c8085a6e22ba3245eee995c83edf79f20efa327d365a.exe
4804 HJsdfccdf.exe
1632 YTfghawe.exe

pid	pid_target	process	target process
4620	332	WerFault.exe	YTfghawe.exe

pid	process
1232	0733d640a833a24e6c37c8085a6e22ba3245eee995c83edf79f20efa327d365a.exe
4804	HJsdfccdf.exe
1632	YTfghawe.exe

pid	process
1232	0733d640a833a24e6c37c8085a6e22ba3245eee995c83edf79f20efa327d365a.exe
4804	HJsdfccdf.exe
1632	YTfghawe.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

0733d640a833a24e6c37c8085a6e22ba3245eee995c83edf79f20efa327d365a.exeHJsdfccdf.exeYTfghawe.exe

description	pid	process	target process
PID 1232 wrote to memory of 4804	1232	0733d640a833a24e6c37c8085a6e22ba3245eee995c83edf79f20efa327d365a.exe	HJsdfccdf.exe
PID 1232 wrote to memory of 4804	1232	0733d640a833a24e6c37c8085a6e22ba3245eee995c83edf79f20efa327d365a.exe	HJsdfccdf.exe
PID 1232 wrote to memory of 4804	1232	0733d640a833a24e6c37c8085a6e22ba3245eee995c83edf79f20efa327d365a.exe	HJsdfccdf.exe
PID 1232 wrote to memory of 1632	1232	0733d640a833a24e6c37c8085a6e22ba3245eee995c83edf79f20efa327d365a.exe	YTfghawe.exe
PID 1232 wrote to memory of 1632	1232	0733d640a833a24e6c37c8085a6e22ba3245eee995c83edf79f20efa327d365a.exe	YTfghawe.exe
PID 1232 wrote to memory of 1632	1232	0733d640a833a24e6c37c8085a6e22ba3245eee995c83edf79f20efa327d365a.exe	YTfghawe.exe
PID 1232 wrote to memory of 1116	1232	0733d640a833a24e6c37c8085a6e22ba3245eee995c83edf79f20efa327d365a.exe	0733d640a833a24e6c37c8085a6e22ba3245eee995c83edf79f20efa327d365a.exe
PID 1232 wrote to memory of 1116	1232	0733d640a833a24e6c37c8085a6e22ba3245eee995c83edf79f20efa327d365a.exe	0733d640a833a24e6c37c8085a6e22ba3245eee995c83edf79f20efa327d365a.exe
PID 1232 wrote to memory of 1116	1232	0733d640a833a24e6c37c8085a6e22ba3245eee995c83edf79f20efa327d365a.exe	0733d640a833a24e6c37c8085a6e22ba3245eee995c83edf79f20efa327d365a.exe
PID 1232 wrote to memory of 1116	1232	0733d640a833a24e6c37c8085a6e22ba3245eee995c83edf79f20efa327d365a.exe	0733d640a833a24e6c37c8085a6e22ba3245eee995c83edf79f20efa327d365a.exe
PID 4804 wrote to memory of 4744	4804	HJsdfccdf.exe	HJsdfccdf.exe
PID 4804 wrote to memory of 4744	4804	HJsdfccdf.exe	HJsdfccdf.exe
PID 4804 wrote to memory of 4744	4804	HJsdfccdf.exe	HJsdfccdf.exe
PID 4804 wrote to memory of 4744	4804	HJsdfccdf.exe	HJsdfccdf.exe
PID 1632 wrote to memory of 332	1632	YTfghawe.exe	YTfghawe.exe
PID 1632 wrote to memory of 332	1632	YTfghawe.exe	YTfghawe.exe
PID 1632 wrote to memory of 332	1632	YTfghawe.exe	YTfghawe.exe
PID 1632 wrote to memory of 332	1632	YTfghawe.exe	YTfghawe.exe

C:\Users\Admin\AppData\Local\Temp\0733d640a833a24e6c37c8085a6e22ba3245eee995c83edf79f20efa327d365a.exe
"C:\Users\Admin\AppData\Local\Temp\0733d640a833a24e6c37c8085a6e22ba3245eee995c83edf79f20efa327d365a.exe"
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1232

C:\Users\Admin\AppData\Local\Temp\HJsdfccdf.exe
"C:\Users\Admin\AppData\Local\Temp\HJsdfccdf.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4804

C:\Users\Admin\AppData\Local\Temp\HJsdfccdf.exe
"C:\Users\Admin\AppData\Local\Temp\HJsdfccdf.exe"
- Executes dropped EXE
PID:4744

C:\Users\Admin\AppData\Local\Temp\YTfghawe.exe
"C:\Users\Admin\AppData\Local\Temp\YTfghawe.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1632

C:\Users\Admin\AppData\Local\Temp\YTfghawe.exe
"C:\Users\Admin\AppData\Local\Temp\YTfghawe.exe"
- Executes dropped EXE
PID:332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 332 -s 1296
- Program crash
PID:4620

C:\Users\Admin\AppData\Local\Temp\0733d640a833a24e6c37c8085a6e22ba3245eee995c83edf79f20efa327d365a.exe
"C:\Users\Admin\AppData\Local\Temp\0733d640a833a24e6c37c8085a6e22ba3245eee995c83edf79f20efa327d365a.exe"
PID:1116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 332 -ip 332
PID:4580

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

00:00 00:00

Downloads

C:\Users\Admin\AppData\Local\Temp\HJsdfccdf.exe
Filesize
213KB

MD5
a22b4c1514f696b13a2862aea769ba6a

SHA1
a554a8e63f5d05b880e416a9d0999d628d033f03

SHA256
fe2a8feb0ecd163115d28be80cf4212321de4bd03c7f88e611fbdf8a6551ba2f

SHA512
fd4fb44e03f0239abb30ca50fbb63db250c28d52a68f108ce5b7e95d1bbf6c84cd07229e3fa3b568ca6a805f6d19ba591b98b12c72aeac59893d826a029bdc60

Download Submit
C:\Users\Admin\AppData\Local\Temp\HJsdfccdf.exe
Filesize
213KB

MD5
a22b4c1514f696b13a2862aea769ba6a

SHA1
a554a8e63f5d05b880e416a9d0999d628d033f03

SHA256
fe2a8feb0ecd163115d28be80cf4212321de4bd03c7f88e611fbdf8a6551ba2f

SHA512
fd4fb44e03f0239abb30ca50fbb63db250c28d52a68f108ce5b7e95d1bbf6c84cd07229e3fa3b568ca6a805f6d19ba591b98b12c72aeac59893d826a029bdc60

Download Submit
C:\Users\Admin\AppData\Local\Temp\HJsdfccdf.exe
Filesize
213KB

MD5
a22b4c1514f696b13a2862aea769ba6a

SHA1
a554a8e63f5d05b880e416a9d0999d628d033f03

SHA256
fe2a8feb0ecd163115d28be80cf4212321de4bd03c7f88e611fbdf8a6551ba2f

SHA512
fd4fb44e03f0239abb30ca50fbb63db250c28d52a68f108ce5b7e95d1bbf6c84cd07229e3fa3b568ca6a805f6d19ba591b98b12c72aeac59893d826a029bdc60

Download Submit
C:\Users\Admin\AppData\Local\Temp\YTfghawe.exe
Filesize
261KB

MD5
ba2af377d1a970e8e083e4c4cec745e2

SHA1
a3d2ca408a97ddca60f581cba48d3f5e74a4fb17

SHA256
f58f96fb0e09e7ddc4a37caa32783b675222b4b97cd08008eaa8538bacc8d035

SHA512
eb854f2ee870162f39cd1678e2f88cd99dadf0e281237a66a14be6b75be489593236d6aabfa69df76b1a31a5cf1e4ef77a913e06bdd022fc957c850d26a65e06

Download Submit
C:\Users\Admin\AppData\Local\Temp\YTfghawe.exe
Filesize
261KB

MD5
ba2af377d1a970e8e083e4c4cec745e2

SHA1
a3d2ca408a97ddca60f581cba48d3f5e74a4fb17

SHA256
f58f96fb0e09e7ddc4a37caa32783b675222b4b97cd08008eaa8538bacc8d035

SHA512
eb854f2ee870162f39cd1678e2f88cd99dadf0e281237a66a14be6b75be489593236d6aabfa69df76b1a31a5cf1e4ef77a913e06bdd022fc957c850d26a65e06

Download Submit
C:\Users\Admin\AppData\Local\Temp\YTfghawe.exe
Filesize
261KB

MD5
ba2af377d1a970e8e083e4c4cec745e2

SHA1
a3d2ca408a97ddca60f581cba48d3f5e74a4fb17

SHA256
f58f96fb0e09e7ddc4a37caa32783b675222b4b97cd08008eaa8538bacc8d035

SHA512
eb854f2ee870162f39cd1678e2f88cd99dadf0e281237a66a14be6b75be489593236d6aabfa69df76b1a31a5cf1e4ef77a913e06bdd022fc957c850d26a65e06

Download Submit
memory/332-150-0x0000000000000000-mapping.dmp

Download
memory/332-153-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1116-146-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/1116-142-0x0000000000000000-mapping.dmp

Download
memory/1232-145-0x00000000036E0000-0x00000000036E7000-memory.dmp

Filesize
28KB

Download
memory/1632-139-0x0000000000000000-mapping.dmp

Download
memory/4744-147-0x0000000000000000-mapping.dmp

Download
memory/4744-149-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4744-152-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4804-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Downloads