azorult | ba0a5fc793cec47c22ad73ab7f4ee2746d0c6f1818ae7bf4ad9187a4871ebc30

General

Target

d95b0b49d1297b2575f3df70d569f294.exe
Size

968KB
MD5

d95b0b49d1297b2575f3df70d569f294
SHA1

8cce459259d4aa52e7ec0c740ba5a9e0583fc250
SHA256

ba0a5fc793cec47c22ad73ab7f4ee2746d0c6f1818ae7bf4ad9187a4871ebc30
SHA512

b7d753fcfc488415f706d5e525527716cd9c271e1d9a28204d75e914cd62e565c9389591d130fc1a8527a50112a5a88bbe2ed8554ebeabdfc3616ff91797a8dd
SSDEEP

24576:waR0NC7TnVeuFVVo2f1sSu/3WxF0ZSFgazrw7bYOggrF0dz+QgAgp:waWNC7hLVVL1sX3WxKZKgW2hrKd7j6

Score

10^/10

azorult oski raccoon 43aae292cfe6f58a13bd7111bdd7d5ded5b23ec3 infostealer spyware stealer trojan

Malware Config

Extracted

Family

raccoon

Botnet

43aae292cfe6f58a13bd7111bdd7d5ded5b23ec3

Attributes

url4cnc
https://telete.in/brikitiki

rc4.plain

Extracted

Family

oski

C2

mazooyaar.ac.ug

Extracted

Family

azorult

C2

http://195.245.112.115/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V1 payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2768-26-0x0000000000400000-0x0000000000496000-memory.dmp	family_raccoon_v1
behavioral1/memory/2768-42-0x0000000000400000-0x0000000000496000-memory.dmp	family_raccoon_v1
behavioral1/memory/2768-48-0x0000000000400000-0x0000000000492000-memory.dmp	family_raccoon_v1
behavioral1/memory/2768-60-0x0000000000400000-0x0000000000496000-memory.dmp	family_raccoon_v1

Executes dropped EXE 4 IoCs

Processes:

vcxfse.execbvjns.execbvjns.exevcxfse.exe

pid process

2084 vcxfse.exe
1856 cbvjns.exe
2484 cbvjns.exe
2332 vcxfse.exe

pid	process
2084	vcxfse.exe
1856	cbvjns.exe
2484	cbvjns.exe
2332	vcxfse.exe

Loads dropped DLL 11 IoCs

Processes:

d95b0b49d1297b2575f3df70d569f294.execbvjns.exevcxfse.exeWerFault.exe

pid	process
320	d95b0b49d1297b2575f3df70d569f294.exe
320	d95b0b49d1297b2575f3df70d569f294.exe
320	d95b0b49d1297b2575f3df70d569f294.exe
320	d95b0b49d1297b2575f3df70d569f294.exe
1856	cbvjns.exe
2084	vcxfse.exe
1480	WerFault.exe
1480	WerFault.exe
1480	WerFault.exe
1480	WerFault.exe
1480	WerFault.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 3 IoCs

Processes:

d95b0b49d1297b2575f3df70d569f294.execbvjns.exevcxfse.exe

description	pid	process	target process
PID 320 set thread context of 2768	320	d95b0b49d1297b2575f3df70d569f294.exe	d95b0b49d1297b2575f3df70d569f294.exe
PID 1856 set thread context of 2484	1856	cbvjns.exe	cbvjns.exe
PID 2084 set thread context of 2332	2084	vcxfse.exe	vcxfse.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1480 2332 WerFault.exe vcxfse.exe

pid	pid_target	process	target process
1480	2332	WerFault.exe	vcxfse.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

d95b0b49d1297b2575f3df70d569f294.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	d95b0b49d1297b2575f3df70d569f294.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	d95b0b49d1297b2575f3df70d569f294.exe

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

d95b0b49d1297b2575f3df70d569f294.execbvjns.exevcxfse.exe

pid process

320 d95b0b49d1297b2575f3df70d569f294.exe
1856 cbvjns.exe
2084 vcxfse.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

d95b0b49d1297b2575f3df70d569f294.execbvjns.exevcxfse.exe

pid process

320 d95b0b49d1297b2575f3df70d569f294.exe
1856 cbvjns.exe
2084 vcxfse.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

d95b0b49d1297b2575f3df70d569f294.execbvjns.exevcxfse.exevcxfse.exe

description	pid	process	target process
PID 320 wrote to memory of 2084	320	d95b0b49d1297b2575f3df70d569f294.exe	vcxfse.exe
PID 320 wrote to memory of 2084	320	d95b0b49d1297b2575f3df70d569f294.exe	vcxfse.exe
PID 320 wrote to memory of 2084	320	d95b0b49d1297b2575f3df70d569f294.exe	vcxfse.exe
PID 320 wrote to memory of 2084	320	d95b0b49d1297b2575f3df70d569f294.exe	vcxfse.exe
PID 320 wrote to memory of 1856	320	d95b0b49d1297b2575f3df70d569f294.exe	cbvjns.exe
PID 320 wrote to memory of 1856	320	d95b0b49d1297b2575f3df70d569f294.exe	cbvjns.exe
PID 320 wrote to memory of 1856	320	d95b0b49d1297b2575f3df70d569f294.exe	cbvjns.exe
PID 320 wrote to memory of 1856	320	d95b0b49d1297b2575f3df70d569f294.exe	cbvjns.exe
PID 320 wrote to memory of 2768	320	d95b0b49d1297b2575f3df70d569f294.exe	d95b0b49d1297b2575f3df70d569f294.exe
PID 320 wrote to memory of 2768	320	d95b0b49d1297b2575f3df70d569f294.exe	d95b0b49d1297b2575f3df70d569f294.exe
PID 320 wrote to memory of 2768	320	d95b0b49d1297b2575f3df70d569f294.exe	d95b0b49d1297b2575f3df70d569f294.exe
PID 320 wrote to memory of 2768	320	d95b0b49d1297b2575f3df70d569f294.exe	d95b0b49d1297b2575f3df70d569f294.exe
PID 320 wrote to memory of 2768	320	d95b0b49d1297b2575f3df70d569f294.exe	d95b0b49d1297b2575f3df70d569f294.exe
PID 1856 wrote to memory of 2484	1856	cbvjns.exe	cbvjns.exe
PID 1856 wrote to memory of 2484	1856	cbvjns.exe	cbvjns.exe
PID 1856 wrote to memory of 2484	1856	cbvjns.exe	cbvjns.exe
PID 1856 wrote to memory of 2484	1856	cbvjns.exe	cbvjns.exe
PID 1856 wrote to memory of 2484	1856	cbvjns.exe	cbvjns.exe
PID 2084 wrote to memory of 2332	2084	vcxfse.exe	vcxfse.exe
PID 2084 wrote to memory of 2332	2084	vcxfse.exe	vcxfse.exe
PID 2084 wrote to memory of 2332	2084	vcxfse.exe	vcxfse.exe
PID 2084 wrote to memory of 2332	2084	vcxfse.exe	vcxfse.exe
PID 2084 wrote to memory of 2332	2084	vcxfse.exe	vcxfse.exe
PID 2332 wrote to memory of 1480	2332	vcxfse.exe	WerFault.exe
PID 2332 wrote to memory of 1480	2332	vcxfse.exe	WerFault.exe
PID 2332 wrote to memory of 1480	2332	vcxfse.exe	WerFault.exe
PID 2332 wrote to memory of 1480	2332	vcxfse.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\d95b0b49d1297b2575f3df70d569f294.exe
"C:\Users\Admin\AppData\Local\Temp\d95b0b49d1297b2575f3df70d569f294.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:320

C:\Users\Admin\AppData\Local\Temp\vcxfse.exe
"C:\Users\Admin\AppData\Local\Temp\vcxfse.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2084

C:\Users\Admin\AppData\Local\Temp\vcxfse.exe
"C:\Users\Admin\AppData\Local\Temp\vcxfse.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2332 -s 688
4⤵
- Loads dropped DLL
- Program crash
PID:1480

C:\Users\Admin\AppData\Local\Temp\d95b0b49d1297b2575f3df70d569f294.exe
"C:\Users\Admin\AppData\Local\Temp\d95b0b49d1297b2575f3df70d569f294.exe"
2⤵
- Modifies system certificate store
PID:2768

C:\Users\Admin\AppData\Local\Temp\cbvjns.exe
"C:\Users\Admin\AppData\Local\Temp\cbvjns.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1856

C:\Users\Admin\AppData\Local\Temp\cbvjns.exe
"C:\Users\Admin\AppData\Local\Temp\cbvjns.exe"
1⤵
- Executes dropped EXE
PID:2484

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

1

T1553

Install Root Certificate

Modify Registry

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\vcxfse.exe
Filesize
95KB

MD5
f7827eb2162c2502724c743c05f18328

SHA1
2c6689558745f8cd3fb73b32ade3749cfbd0e559

SHA256
d33336cd7a50482a7fcf58336bc64668db37db3964b9f83ff5504b28cce633f3

SHA512
ef7178dc24ca084a91df37f496d744de358611ab6394d1be614a80d7836e4a7eeac6c74f87c60f1612dc012c2e548469db94b0b6c5b35513094efd15243a91ae

Download Submit
\Users\Admin\AppData\Local\Temp\cbvjns.exe
Filesize
200KB

MD5
b0ba9efb326279b8afe5e8a2656588ea

SHA1
eb42914b53580850dd56dcf6ddc80334d3bfcb45

SHA256
6950e762e655de299bce3dd06e0d7c70496e962ff41752b5741142dbedfcfba7

SHA512
cc0719e37b01b480cea20180a80af0565ffd4983ebeb68370ba87f08d56ed45dbd31dfb0355c466488938e5838e60caec2b4889f30115e3babb630d0c28e836a

Download Submit
\Users\Admin\AppData\Local\Temp\vcxfse.exe
Filesize
93KB

MD5
0c78e99f91388822e01f3f200aeaadb5

SHA1
6f86564149892392b7bcd43f00817d31e20263ce

SHA256
9466c3f8978889516d0c74ead1968b132ed2d2cf383272da66500c948ae9db1b

SHA512
86365d7ac406b7c78c9d7dd7da540da946e56510517a4479c08b375c2d8cd4dff21e8b864188d6435965a36bff2125ee521e11bcf2f96dbe11bb4e00df610f41

Download Submit
\Users\Admin\AppData\Local\Temp\vcxfse.exe
Filesize
248KB

MD5
2c065af519ad099f60a7286e3f0dc1d3

SHA1
15b7a2da624a9cb2e7750dfc17ca853520e99e01

SHA256
822fbf405e2ffff77f8c3ad451e345f62fc476a6c678038c5b214badbed83c17

SHA512
f47b368dd3faeda1a7d143ee8353e64033633d48af620205db289bab2869d4ecd6cc3f8084cfafa43e34a3a70aabb9c08627865a5fe9ae99934e1b4b193d0b6a

Download Submit
memory/320-22-0x0000000002500000-0x0000000002507000-memory.dmp

Filesize
28KB

Download
memory/320-34-0x0000000002500000-0x0000000002507000-memory.dmp

Filesize
28KB

Download
memory/320-2-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2084-27-0x0000000000240000-0x0000000000247000-memory.dmp

Filesize
28KB

Download
memory/2332-61-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2332-59-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2332-44-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2332-39-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2332-50-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2332-47-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2484-31-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2484-35-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2484-49-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2768-48-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/2768-46-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2768-42-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2768-60-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2768-26-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads