azorult | ba0a5fc793cec47c22ad73ab7f4ee2746d0c6f1818ae7bf4ad9187a4871ebc30

General

Target

d95b0b49d1297b2575f3df70d569f294.exe
Size

968KB
MD5

d95b0b49d1297b2575f3df70d569f294
SHA1

8cce459259d4aa52e7ec0c740ba5a9e0583fc250
SHA256

ba0a5fc793cec47c22ad73ab7f4ee2746d0c6f1818ae7bf4ad9187a4871ebc30
SHA512

b7d753fcfc488415f706d5e525527716cd9c271e1d9a28204d75e914cd62e565c9389591d130fc1a8527a50112a5a88bbe2ed8554ebeabdfc3616ff91797a8dd
SSDEEP

24576:waR0NC7TnVeuFVVo2f1sSu/3WxF0ZSFgazrw7bYOggrF0dz+QgAgp:waWNC7hLVVL1sX3WxKZKgW2hrKd7j6

Score

10^/10

azorult oski raccoon 43aae292cfe6f58a13bd7111bdd7d5ded5b23ec3 infostealer spyware stealer trojan

Malware Config

Extracted

Family

azorult

C2

http://195.245.112.115/index.php

Extracted

Family

raccoon

Botnet

43aae292cfe6f58a13bd7111bdd7d5ded5b23ec3

Attributes

url4cnc
https://telete.in/brikitiki

rc4.plain

Extracted

Family

oski

C2

mazooyaar.ac.ug

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V1 payload 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4700-40-0x0000000000400000-0x0000000000496000-memory.dmp	family_raccoon_v1
behavioral2/memory/4700-48-0x0000000000400000-0x0000000000496000-memory.dmp	family_raccoon_v1
behavioral2/memory/4700-43-0x0000000000400000-0x0000000000496000-memory.dmp	family_raccoon_v1
behavioral2/memory/4700-63-0x0000000000400000-0x0000000000492000-memory.dmp	family_raccoon_v1
behavioral2/memory/4700-65-0x0000000000400000-0x0000000000496000-memory.dmp	family_raccoon_v1

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d95b0b49d1297b2575f3df70d569f294.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	d95b0b49d1297b2575f3df70d569f294.exe

Executes dropped EXE 4 IoCs

Processes:

vcxfse.execbvjns.execbvjns.exevcxfse.exe

pid process

2832 vcxfse.exe
2224 cbvjns.exe
2436 cbvjns.exe
2752 vcxfse.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2832	vcxfse.exe
2224	cbvjns.exe
2436	cbvjns.exe
2752	vcxfse.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

cbvjns.exed95b0b49d1297b2575f3df70d569f294.exevcxfse.exe

description	pid	process	target process
PID 2224 set thread context of 2436	2224	cbvjns.exe	cbvjns.exe
PID 3992 set thread context of 4700	3992	d95b0b49d1297b2575f3df70d569f294.exe	d95b0b49d1297b2575f3df70d569f294.exe
PID 2832 set thread context of 2752	2832	vcxfse.exe	vcxfse.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4672 2752 WerFault.exe vcxfse.exe
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

cbvjns.exed95b0b49d1297b2575f3df70d569f294.exevcxfse.exe

pid process

2224 cbvjns.exe
3992 d95b0b49d1297b2575f3df70d569f294.exe
2832 vcxfse.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

d95b0b49d1297b2575f3df70d569f294.exevcxfse.execbvjns.exe

pid process

3992 d95b0b49d1297b2575f3df70d569f294.exe
2832 vcxfse.exe
2224 cbvjns.exe

pid	pid_target	process	target process
4672	2752	WerFault.exe	vcxfse.exe

pid	process
2224	cbvjns.exe
3992	d95b0b49d1297b2575f3df70d569f294.exe
2832	vcxfse.exe

pid	process
3992	d95b0b49d1297b2575f3df70d569f294.exe
2832	vcxfse.exe
2224	cbvjns.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

d95b0b49d1297b2575f3df70d569f294.execbvjns.exevcxfse.exe

description	pid	process	target process
PID 3992 wrote to memory of 2832	3992	d95b0b49d1297b2575f3df70d569f294.exe	vcxfse.exe
PID 3992 wrote to memory of 2832	3992	d95b0b49d1297b2575f3df70d569f294.exe	vcxfse.exe
PID 3992 wrote to memory of 2832	3992	d95b0b49d1297b2575f3df70d569f294.exe	vcxfse.exe
PID 3992 wrote to memory of 2224	3992	d95b0b49d1297b2575f3df70d569f294.exe	cbvjns.exe
PID 3992 wrote to memory of 2224	3992	d95b0b49d1297b2575f3df70d569f294.exe	cbvjns.exe
PID 3992 wrote to memory of 2224	3992	d95b0b49d1297b2575f3df70d569f294.exe	cbvjns.exe
PID 2224 wrote to memory of 2436	2224	cbvjns.exe	cbvjns.exe
PID 2224 wrote to memory of 2436	2224	cbvjns.exe	cbvjns.exe
PID 2224 wrote to memory of 2436	2224	cbvjns.exe	cbvjns.exe
PID 2224 wrote to memory of 2436	2224	cbvjns.exe	cbvjns.exe
PID 3992 wrote to memory of 4700	3992	d95b0b49d1297b2575f3df70d569f294.exe	d95b0b49d1297b2575f3df70d569f294.exe
PID 3992 wrote to memory of 4700	3992	d95b0b49d1297b2575f3df70d569f294.exe	d95b0b49d1297b2575f3df70d569f294.exe
PID 3992 wrote to memory of 4700	3992	d95b0b49d1297b2575f3df70d569f294.exe	d95b0b49d1297b2575f3df70d569f294.exe
PID 3992 wrote to memory of 4700	3992	d95b0b49d1297b2575f3df70d569f294.exe	d95b0b49d1297b2575f3df70d569f294.exe
PID 2832 wrote to memory of 2752	2832	vcxfse.exe	vcxfse.exe
PID 2832 wrote to memory of 2752	2832	vcxfse.exe	vcxfse.exe
PID 2832 wrote to memory of 2752	2832	vcxfse.exe	vcxfse.exe
PID 2832 wrote to memory of 2752	2832	vcxfse.exe	vcxfse.exe

C:\Users\Admin\AppData\Local\Temp\d95b0b49d1297b2575f3df70d569f294.exe
"C:\Users\Admin\AppData\Local\Temp\d95b0b49d1297b2575f3df70d569f294.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3992

C:\Users\Admin\AppData\Local\Temp\vcxfse.exe
"C:\Users\Admin\AppData\Local\Temp\vcxfse.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2832

C:\Users\Admin\AppData\Local\Temp\vcxfse.exe
"C:\Users\Admin\AppData\Local\Temp\vcxfse.exe"
3⤵
- Executes dropped EXE
PID:2752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2752 -s 1316
4⤵
- Program crash
PID:4672

C:\Users\Admin\AppData\Local\Temp\cbvjns.exe
"C:\Users\Admin\AppData\Local\Temp\cbvjns.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2224

C:\Users\Admin\AppData\Local\Temp\cbvjns.exe
"C:\Users\Admin\AppData\Local\Temp\cbvjns.exe"
3⤵
- Executes dropped EXE
PID:2436

C:\Users\Admin\AppData\Local\Temp\d95b0b49d1297b2575f3df70d569f294.exe
"C:\Users\Admin\AppData\Local\Temp\d95b0b49d1297b2575f3df70d569f294.exe"
2⤵
PID:4700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2752 -ip 2752
1⤵
PID:2616

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cbvjns.exe
Filesize
200KB

MD5
b0ba9efb326279b8afe5e8a2656588ea

SHA1
eb42914b53580850dd56dcf6ddc80334d3bfcb45

SHA256
6950e762e655de299bce3dd06e0d7c70496e962ff41752b5741142dbedfcfba7

SHA512
cc0719e37b01b480cea20180a80af0565ffd4983ebeb68370ba87f08d56ed45dbd31dfb0355c466488938e5838e60caec2b4889f30115e3babb630d0c28e836a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vcxfse.exe
Filesize
128KB

MD5
2b8be350bac7150c35c1ff58acf02660

SHA1
be35df99f9ac1c422da64c9f1149314da79e47fb

SHA256
46cd680ff05ad306a5e6f92f8abf651429b01b127b90b4d1044ff993afad61d2

SHA512
efbc42593c96d0af3bcc5cce78ad4d229bef29c5024eea2e738fe431f6d528e2bbdaaba0b1152a424fbbbc2574dea273b5c69a2ea38cc39c3a4240448257b51b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vcxfse.exe
Filesize
14KB

MD5
186fde55d071408c3aeeab504697b480

SHA1
6b76cce7a877fd78eb2c386fce718848cdf31aa9

SHA256
5fdd590e9defaec78e974f009a7048ade11cb3c7712f79fc4eabdb1be588ac8c

SHA512
485b90edd4ad70a8f26488f34776057e6e5842660e80b183ee1ae90f9645521a2673dc3d9f2e2c90203c5f55dd0973655185b21cb1addb556ce57782a14d7dc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\vcxfse.exe
Filesize
248KB

MD5
2c065af519ad099f60a7286e3f0dc1d3

SHA1
15b7a2da624a9cb2e7750dfc17ca853520e99e01

SHA256
822fbf405e2ffff77f8c3ad451e345f62fc476a6c678038c5b214badbed83c17

SHA512
f47b368dd3faeda1a7d143ee8353e64033633d48af620205db289bab2869d4ecd6cc3f8084cfafa43e34a3a70aabb9c08627865a5fe9ae99934e1b4b193d0b6a

Download Submit
memory/2224-31-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download
memory/2224-41-0x0000000000800000-0x0000000000807000-memory.dmp

Filesize
28KB

Download
memory/2224-32-0x0000000000800000-0x0000000000807000-memory.dmp

Filesize
28KB

Download
memory/2436-60-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2436-44-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/2436-33-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2436-37-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2436-59-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2436-39-0x0000000077152000-0x0000000077153000-memory.dmp

Filesize
4KB

Download
memory/2752-45-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2752-55-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2752-62-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2752-50-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2752-47-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2752-61-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2752-53-0x0000000077152000-0x0000000077153000-memory.dmp

Filesize
4KB

Download
memory/2752-56-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/2832-42-0x0000000000720000-0x0000000000727000-memory.dmp

Filesize
28KB

Download
memory/2832-30-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/3992-36-0x0000000003640000-0x0000000003647000-memory.dmp

Filesize
28KB

Download
memory/3992-2-0x0000000077152000-0x0000000077153000-memory.dmp

Filesize
4KB

Download
memory/3992-3-0x00000000006E0000-0x00000000006E1000-memory.dmp

Filesize
4KB

Download
memory/4700-51-0x0000000077152000-0x0000000077153000-memory.dmp

Filesize
4KB

Download
memory/4700-54-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/4700-40-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/4700-43-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/4700-48-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/4700-63-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/4700-65-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads