Analysis Overview
SHA256: b6afb4c2d094c9e803015e65043ee6a48bbf0e31bdd66963078ca1454195b1c6
Threat Level: Known bad
The file 9fbb8a90e9b971800f4bdb85e1bf8f7c was found to be: Known bad.
Malicious Activity Summary
Azorult
Raccoon
Oski
Raccoon Stealer V1 payload
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Suspicious use of SetThreadContext
Program crash
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious behavior: MapViewOfSection
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2023-12-19 21:08
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted: 2023-12-19 21:08
Reported: 2023-12-20 04:25
Platform: win7-20231215-en
Max time kernel: 150s
Max time network: 154s
Signatures
Azorult
Oski
Raccoon
Raccoon Stealer V1 payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ssme.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\faame.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ssme.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\faame.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9fbb8a90e9b971800f4bdb85e1bf8f7c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9fbb8a90e9b971800f4bdb85e1bf8f7c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9fbb8a90e9b971800f4bdb85e1bf8f7c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9fbb8a90e9b971800f4bdb85e1bf8f7c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ssme.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\faame.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2632 set thread context of 2796 | N/A | C:\Users\Admin\AppData\Local\Temp\9fbb8a90e9b971800f4bdb85e1bf8f7c.exe | C:\Users\Admin\AppData\Local\Temp\9fbb8a90e9b971800f4bdb85e1bf8f7c.exe |
| PID 2160 set thread context of 2832 | N/A | C:\Users\Admin\AppData\Local\Temp\ssme.exe | C:\Users\Admin\AppData\Local\Temp\ssme.exe |
| PID 2644 set thread context of 2696 | N/A | C:\Users\Admin\AppData\Local\Temp\faame.exe | C:\Users\Admin\AppData\Local\Temp\faame.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\faame.exe |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9fbb8a90e9b971800f4bdb85e1bf8f7c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ssme.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\faame.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9fbb8a90e9b971800f4bdb85e1bf8f7c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ssme.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\faame.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9fbb8a90e9b971800f4bdb85e1bf8f7c.exe
"C:\Users\Admin\AppData\Local\Temp\9fbb8a90e9b971800f4bdb85e1bf8f7c.exe"
C:\Users\Admin\AppData\Local\Temp\ssme.exe
"C:\Users\Admin\AppData\Local\Temp\ssme.exe"
C:\Users\Admin\AppData\Local\Temp\faame.exe
"C:\Users\Admin\AppData\Local\Temp\faame.exe"
C:\Users\Admin\AppData\Local\Temp\ssme.exe
"C:\Users\Admin\AppData\Local\Temp\ssme.exe"
C:\Users\Admin\AppData\Local\Temp\9fbb8a90e9b971800f4bdb85e1bf8f7c.exe
"C:\Users\Admin\AppData\Local\Temp\9fbb8a90e9b971800f4bdb85e1bf8f7c.exe"
C:\Users\Admin\AppData\Local\Temp\faame.exe
"C:\Users\Admin\AppData\Local\Temp\faame.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2696 -s 788
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | t.me | udp |
| US | 8.8.8.8:53 | ailsom.ac.ug | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | milsom.ug | udp |
Files
\Users\Admin\AppData\Local\Temp\ssme.exe
| MD5 | 59337e167d10c145b4907027b618ae62 |
| SHA1 | 8a7b0f563297f060a8f2cbcc32b8bac7028bbd6b |
| SHA256 | b22e796ca4e1031b444aafbcd498fefe0cbc1f6fd37334090529be8c9bc14cf4 |
| SHA512 | 40ceae1055f7cf9bb9068c84bb7b29a37eb4720fa30de709e82a96335a2c71b8a58a51b2543b277b4d2b6362339280f6dc5dd7000247589b2d75692cad7c6e52 |
C:\Users\Admin\AppData\Local\Temp\faame.exe
| MD5 | 2618de7ce265814bb7c9db2d040a648c |
| SHA1 | 8124cdb548ade9b39c84cc3d87de270e46bd0496 |
| SHA256 | 0ee0befc1f8446bc1a86d0c18ad5674520c779434eb3a78ea0d64be1ef5d7622 |
| SHA512 | 925e1a29e20bd343132b465504245643f6fc345bd42cc75944278a6559e919dabf606e8b56a36ca3aec2780c12981065ffa08f273adfe828084758af3702e253 |
Analysis: behavioral2
Detonation Overview
Submitted: 2023-12-19 21:08
Reported: 2023-12-20 04:26
Platform: win10v2004-20231215-en
Max time kernel: 147s
Max time network: 150s
Signatures
Azorult
Oski
Raccoon
Raccoon Stealer V1 payload
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\9fbb8a90e9b971800f4bdb85e1bf8f7c.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ssme.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\faame.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ssme.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\faame.exe | N/A |
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3572 set thread context of 2076 | N/A | C:\Users\Admin\AppData\Local\Temp\ssme.exe | C:\Users\Admin\AppData\Local\Temp\ssme.exe |
| PID 2016 set thread context of 3148 | N/A | C:\Users\Admin\AppData\Local\Temp\9fbb8a90e9b971800f4bdb85e1bf8f7c.exe | C:\Users\Admin\AppData\Local\Temp\9fbb8a90e9b971800f4bdb85e1bf8f7c.exe |
| PID 4872 set thread context of 2616 | N/A | C:\Users\Admin\AppData\Local\Temp\faame.exe | C:\Users\Admin\AppData\Local\Temp\faame.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\faame.exe |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ssme.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9fbb8a90e9b971800f4bdb85e1bf8f7c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\faame.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9fbb8a90e9b971800f4bdb85e1bf8f7c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ssme.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\faame.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9fbb8a90e9b971800f4bdb85e1bf8f7c.exe
"C:\Users\Admin\AppData\Local\Temp\9fbb8a90e9b971800f4bdb85e1bf8f7c.exe"
C:\Users\Admin\AppData\Local\Temp\ssme.exe
"C:\Users\Admin\AppData\Local\Temp\ssme.exe"
C:\Users\Admin\AppData\Local\Temp\faame.exe
"C:\Users\Admin\AppData\Local\Temp\faame.exe"
C:\Users\Admin\AppData\Local\Temp\ssme.exe
"C:\Users\Admin\AppData\Local\Temp\ssme.exe"
C:\Users\Admin\AppData\Local\Temp\faame.exe
"C:\Users\Admin\AppData\Local\Temp\faame.exe"
C:\Users\Admin\AppData\Local\Temp\9fbb8a90e9b971800f4bdb85e1bf8f7c.exe
"C:\Users\Admin\AppData\Local\Temp\9fbb8a90e9b971800f4bdb85e1bf8f7c.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2616 -ip 2616
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 1308
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 17.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ailsom.ac.ug | udp |
| US | 8.8.8.8:53 | t.me | udp |
| US | 8.8.8.8:53 | milsom.ug | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | 99.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\ssme.exe
C:\Users\Admin\AppData\Local\Temp\faame.exe