azorult | b6afb4c2d094c9e803015e65043ee6a48bbf0e31bdd66963078ca1454195b1c6

General

Target

9fbb8a90e9b971800f4bdb85e1bf8f7c.exe
Size

1.0MB
MD5

9fbb8a90e9b971800f4bdb85e1bf8f7c
SHA1

cf116f3df69bbb896f34f24d26c4573b14af2fe5
SHA256

b6afb4c2d094c9e803015e65043ee6a48bbf0e31bdd66963078ca1454195b1c6
SHA512

437907045e9a5af27db8a60db05780e72e60b58cc4949723d3f4b2b0d372aee13ed18335dec3ba33e32ae583046a9ef200eaf40df991746adf480bfda07be9f7
SSDEEP

24576:IlE2q8MnAWRpnwU9QtTJaur6Syt4VhkFha1OIgImZk3xk5npFhkF96x5hkFYelP:2EeKTqtN7r7VV0VIm0yRpF0I0N

Score

10^/10

azorult oski raccoon e16d9c3413a8d3bc552d87560e5a14148908608d infostealer spyware stealer trojan

Malware Config

Extracted

Family

azorult

C2

http://195.245.112.115/index.php

Extracted

Family

oski

C2

milsom.ug

Extracted

Family

raccoon

Version

1.8.1

Botnet

e16d9c3413a8d3bc552d87560e5a14148908608d

Attributes

url4cnc
https://t.me/brikitiki

rc4.plain

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V1 payload 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3148-40-0x0000000000400000-0x0000000000497000-memory.dmp	family_raccoon_v1
behavioral2/memory/3148-37-0x0000000000400000-0x0000000000497000-memory.dmp	family_raccoon_v1
behavioral2/memory/3148-53-0x0000000000400000-0x0000000000497000-memory.dmp	family_raccoon_v1
behavioral2/memory/3148-44-0x0000000000400000-0x0000000000497000-memory.dmp	family_raccoon_v1
behavioral2/memory/3148-61-0x0000000000400000-0x0000000000493000-memory.dmp	family_raccoon_v1

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9fbb8a90e9b971800f4bdb85e1bf8f7c.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	9fbb8a90e9b971800f4bdb85e1bf8f7c.exe

Executes dropped EXE 4 IoCs

Processes:

ssme.exefaame.exessme.exefaame.exe

pid process

3572 ssme.exe
4872 faame.exe
2076 ssme.exe
2616 faame.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3572	ssme.exe
4872	faame.exe
2076	ssme.exe
2616	faame.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

ssme.exe9fbb8a90e9b971800f4bdb85e1bf8f7c.exefaame.exe

description	pid	process	target process
PID 3572 set thread context of 2076	3572	ssme.exe	ssme.exe
PID 2016 set thread context of 3148	2016	9fbb8a90e9b971800f4bdb85e1bf8f7c.exe	9fbb8a90e9b971800f4bdb85e1bf8f7c.exe
PID 4872 set thread context of 2616	4872	faame.exe	faame.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

836 2616 WerFault.exe faame.exe
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

ssme.exe9fbb8a90e9b971800f4bdb85e1bf8f7c.exefaame.exe

pid process

3572 ssme.exe
2016 9fbb8a90e9b971800f4bdb85e1bf8f7c.exe
4872 faame.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

9fbb8a90e9b971800f4bdb85e1bf8f7c.exessme.exefaame.exe

pid process

2016 9fbb8a90e9b971800f4bdb85e1bf8f7c.exe
3572 ssme.exe
4872 faame.exe

pid	pid_target	process	target process
836	2616	WerFault.exe	faame.exe

pid	process
3572	ssme.exe
2016	9fbb8a90e9b971800f4bdb85e1bf8f7c.exe
4872	faame.exe

pid	process
2016	9fbb8a90e9b971800f4bdb85e1bf8f7c.exe
3572	ssme.exe
4872	faame.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

9fbb8a90e9b971800f4bdb85e1bf8f7c.exessme.exefaame.exe

description	pid	process	target process
PID 2016 wrote to memory of 3572	2016	9fbb8a90e9b971800f4bdb85e1bf8f7c.exe	ssme.exe
PID 2016 wrote to memory of 3572	2016	9fbb8a90e9b971800f4bdb85e1bf8f7c.exe	ssme.exe
PID 2016 wrote to memory of 3572	2016	9fbb8a90e9b971800f4bdb85e1bf8f7c.exe	ssme.exe
PID 2016 wrote to memory of 4872	2016	9fbb8a90e9b971800f4bdb85e1bf8f7c.exe	faame.exe
PID 2016 wrote to memory of 4872	2016	9fbb8a90e9b971800f4bdb85e1bf8f7c.exe	faame.exe
PID 2016 wrote to memory of 4872	2016	9fbb8a90e9b971800f4bdb85e1bf8f7c.exe	faame.exe
PID 3572 wrote to memory of 2076	3572	ssme.exe	ssme.exe
PID 3572 wrote to memory of 2076	3572	ssme.exe	ssme.exe
PID 3572 wrote to memory of 2076	3572	ssme.exe	ssme.exe
PID 3572 wrote to memory of 2076	3572	ssme.exe	ssme.exe
PID 2016 wrote to memory of 3148	2016	9fbb8a90e9b971800f4bdb85e1bf8f7c.exe	9fbb8a90e9b971800f4bdb85e1bf8f7c.exe
PID 2016 wrote to memory of 3148	2016	9fbb8a90e9b971800f4bdb85e1bf8f7c.exe	9fbb8a90e9b971800f4bdb85e1bf8f7c.exe
PID 2016 wrote to memory of 3148	2016	9fbb8a90e9b971800f4bdb85e1bf8f7c.exe	9fbb8a90e9b971800f4bdb85e1bf8f7c.exe
PID 2016 wrote to memory of 3148	2016	9fbb8a90e9b971800f4bdb85e1bf8f7c.exe	9fbb8a90e9b971800f4bdb85e1bf8f7c.exe
PID 4872 wrote to memory of 2616	4872	faame.exe	faame.exe
PID 4872 wrote to memory of 2616	4872	faame.exe	faame.exe
PID 4872 wrote to memory of 2616	4872	faame.exe	faame.exe
PID 4872 wrote to memory of 2616	4872	faame.exe	faame.exe

C:\Users\Admin\AppData\Local\Temp\9fbb8a90e9b971800f4bdb85e1bf8f7c.exe
"C:\Users\Admin\AppData\Local\Temp\9fbb8a90e9b971800f4bdb85e1bf8f7c.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2016

C:\Users\Admin\AppData\Local\Temp\ssme.exe
"C:\Users\Admin\AppData\Local\Temp\ssme.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3572

C:\Users\Admin\AppData\Local\Temp\ssme.exe
"C:\Users\Admin\AppData\Local\Temp\ssme.exe"
3⤵
- Executes dropped EXE
PID:2076

C:\Users\Admin\AppData\Local\Temp\faame.exe
"C:\Users\Admin\AppData\Local\Temp\faame.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4872

C:\Users\Admin\AppData\Local\Temp\faame.exe
"C:\Users\Admin\AppData\Local\Temp\faame.exe"
3⤵
- Executes dropped EXE
PID:2616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 1308
4⤵
- Program crash
PID:836

C:\Users\Admin\AppData\Local\Temp\9fbb8a90e9b971800f4bdb85e1bf8f7c.exe
"C:\Users\Admin\AppData\Local\Temp\9fbb8a90e9b971800f4bdb85e1bf8f7c.exe"
2⤵
PID:3148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2616 -ip 2616
1⤵
PID:2504

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\faame.exe
Filesize
276KB

MD5
2618de7ce265814bb7c9db2d040a648c

SHA1
8124cdb548ade9b39c84cc3d87de270e46bd0496

SHA256
0ee0befc1f8446bc1a86d0c18ad5674520c779434eb3a78ea0d64be1ef5d7622

SHA512
925e1a29e20bd343132b465504245643f6fc345bd42cc75944278a6559e919dabf606e8b56a36ca3aec2780c12981065ffa08f273adfe828084758af3702e253

Download Submit
C:\Users\Admin\AppData\Local\Temp\ssme.exe
Filesize
228KB

MD5
59337e167d10c145b4907027b618ae62

SHA1
8a7b0f563297f060a8f2cbcc32b8bac7028bbd6b

SHA256
b22e796ca4e1031b444aafbcd498fefe0cbc1f6fd37334090529be8c9bc14cf4

SHA512
40ceae1055f7cf9bb9068c84bb7b29a37eb4720fa30de709e82a96335a2c71b8a58a51b2543b277b4d2b6362339280f6dc5dd7000247589b2d75692cad7c6e52

Download Submit
memory/2016-3-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/2016-2-0x0000000077512000-0x0000000077513000-memory.dmp

Filesize
4KB

Download
memory/2076-43-0x0000000077512000-0x0000000077513000-memory.dmp

Filesize
4KB

Download
memory/2076-55-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2076-56-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2076-33-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2076-36-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2076-46-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/2616-50-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2616-52-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/2616-59-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2616-38-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2616-60-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2616-42-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2616-45-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2616-51-0x0000000077512000-0x0000000077513000-memory.dmp

Filesize
4KB

Download
memory/3148-49-0x0000000077512000-0x0000000077513000-memory.dmp

Filesize
4KB

Download
memory/3148-53-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3148-54-0x00000000020B0000-0x00000000020B1000-memory.dmp

Filesize
4KB

Download
memory/3148-44-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3148-37-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3148-40-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3148-61-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/3572-29-0x0000000000910000-0x0000000000911000-memory.dmp

Filesize
4KB

Download
memory/3572-32-0x0000000000920000-0x0000000000927000-memory.dmp

Filesize
28KB

Download
memory/4872-31-0x00000000006F0000-0x00000000006F1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads