azorult | ba0a5fc793cec47c22ad73ab7f4ee2746d0c6f1818ae7bf4ad9187a4871ebc30

General

Target

d95b0b49d1297b2575f3df70d569f294.exe
Size

968KB
MD5

d95b0b49d1297b2575f3df70d569f294
SHA1

8cce459259d4aa52e7ec0c740ba5a9e0583fc250
SHA256

ba0a5fc793cec47c22ad73ab7f4ee2746d0c6f1818ae7bf4ad9187a4871ebc30
SHA512

b7d753fcfc488415f706d5e525527716cd9c271e1d9a28204d75e914cd62e565c9389591d130fc1a8527a50112a5a88bbe2ed8554ebeabdfc3616ff91797a8dd
SSDEEP

24576:waR0NC7TnVeuFVVo2f1sSu/3WxF0ZSFgazrw7bYOggrF0dz+QgAgp:waWNC7hLVVL1sX3WxKZKgW2hrKd7j6

Score

10^/10

azorult oski raccoon 43aae292cfe6f58a13bd7111bdd7d5ded5b23ec3 infostealer spyware stealer trojan

Malware Config

Extracted

Family

azorult

C2

http://195.245.112.115/index.php

Extracted

Family

raccoon

Botnet

43aae292cfe6f58a13bd7111bdd7d5ded5b23ec3

Attributes

url4cnc
https://telete.in/brikitiki

rc4.plain

Extracted

Family

oski

C2

mazooyaar.ac.ug

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V1 payload 5 IoCs

resource	yara_rule
behavioral2/memory/4700-40-0x0000000000400000-0x0000000000496000-memory.dmp	family_raccoon_v1
behavioral2/memory/4700-48-0x0000000000400000-0x0000000000496000-memory.dmp	family_raccoon_v1
behavioral2/memory/4700-43-0x0000000000400000-0x0000000000496000-memory.dmp	family_raccoon_v1
behavioral2/memory/4700-63-0x0000000000400000-0x0000000000492000-memory.dmp	family_raccoon_v1
behavioral2/memory/4700-65-0x0000000000400000-0x0000000000496000-memory.dmp	family_raccoon_v1

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	d95b0b49d1297b2575f3df70d569f294.exe

Executes dropped EXE 4 IoCs

pid	Process
2832	vcxfse.exe
2224	cbvjns.exe
2436	cbvjns.exe
2752	vcxfse.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2224 set thread context of 2436	2224	cbvjns.exe	96
PID 3992 set thread context of 4700	3992	d95b0b49d1297b2575f3df70d569f294.exe	97
PID 2832 set thread context of 2752	2832	vcxfse.exe	98

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4672	2752	WerFault.exe	98

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
2224	cbvjns.exe
3992	d95b0b49d1297b2575f3df70d569f294.exe
2832	vcxfse.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3992	d95b0b49d1297b2575f3df70d569f294.exe
2832	vcxfse.exe
2224	cbvjns.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3992 wrote to memory of 2832	3992	d95b0b49d1297b2575f3df70d569f294.exe	92
PID 3992 wrote to memory of 2832	3992	d95b0b49d1297b2575f3df70d569f294.exe	92
PID 3992 wrote to memory of 2832	3992	d95b0b49d1297b2575f3df70d569f294.exe	92
PID 3992 wrote to memory of 2224	3992	d95b0b49d1297b2575f3df70d569f294.exe	93
PID 3992 wrote to memory of 2224	3992	d95b0b49d1297b2575f3df70d569f294.exe	93
PID 3992 wrote to memory of 2224	3992	d95b0b49d1297b2575f3df70d569f294.exe	93
PID 2224 wrote to memory of 2436	2224	cbvjns.exe	96
PID 2224 wrote to memory of 2436	2224	cbvjns.exe	96
PID 2224 wrote to memory of 2436	2224	cbvjns.exe	96
PID 2224 wrote to memory of 2436	2224	cbvjns.exe	96
PID 3992 wrote to memory of 4700	3992	d95b0b49d1297b2575f3df70d569f294.exe	97
PID 3992 wrote to memory of 4700	3992	d95b0b49d1297b2575f3df70d569f294.exe	97
PID 3992 wrote to memory of 4700	3992	d95b0b49d1297b2575f3df70d569f294.exe	97
PID 3992 wrote to memory of 4700	3992	d95b0b49d1297b2575f3df70d569f294.exe	97
PID 2832 wrote to memory of 2752	2832	vcxfse.exe	98
PID 2832 wrote to memory of 2752	2832	vcxfse.exe	98
PID 2832 wrote to memory of 2752	2832	vcxfse.exe	98
PID 2832 wrote to memory of 2752	2832	vcxfse.exe	98

C:\Users\Admin\AppData\Local\Temp\d95b0b49d1297b2575f3df70d569f294.exe
"C:\Users\Admin\AppData\Local\Temp\d95b0b49d1297b2575f3df70d569f294.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3992
- C:\Users\Admin\AppData\Local\Temp\vcxfse.exe
  "C:\Users\Admin\AppData\Local\Temp\vcxfse.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Users\Admin\AppData\Local\Temp\vcxfse.exe
    "C:\Users\Admin\AppData\Local\Temp\vcxfse.exe"
    3⤵
    - Executes dropped EXE
    PID:2752
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2752 -s 1316
      4⤵
      Program crash
      PID:4672
- C:\Users\Admin\AppData\Local\Temp\cbvjns.exe
  "C:\Users\Admin\AppData\Local\Temp\cbvjns.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\Users\Admin\AppData\Local\Temp\cbvjns.exe
    "C:\Users\Admin\AppData\Local\Temp\cbvjns.exe"
    3⤵
    - Executes dropped EXE
    PID:2436
- C:\Users\Admin\AppData\Local\Temp\d95b0b49d1297b2575f3df70d569f294.exe
  "C:\Users\Admin\AppData\Local\Temp\d95b0b49d1297b2575f3df70d569f294.exe"
  2⤵
  PID:4700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2752 -ip 2752
1⤵
PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cbvjns.exe

Filesize
200KB

MD5
b0ba9efb326279b8afe5e8a2656588ea

SHA1
eb42914b53580850dd56dcf6ddc80334d3bfcb45

SHA256
6950e762e655de299bce3dd06e0d7c70496e962ff41752b5741142dbedfcfba7

SHA512
cc0719e37b01b480cea20180a80af0565ffd4983ebeb68370ba87f08d56ed45dbd31dfb0355c466488938e5838e60caec2b4889f30115e3babb630d0c28e836a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vcxfse.exe

Filesize
128KB

MD5
2b8be350bac7150c35c1ff58acf02660

SHA1
be35df99f9ac1c422da64c9f1149314da79e47fb

SHA256
46cd680ff05ad306a5e6f92f8abf651429b01b127b90b4d1044ff993afad61d2

SHA512
efbc42593c96d0af3bcc5cce78ad4d229bef29c5024eea2e738fe431f6d528e2bbdaaba0b1152a424fbbbc2574dea273b5c69a2ea38cc39c3a4240448257b51b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vcxfse.exe

Filesize
14KB

MD5
186fde55d071408c3aeeab504697b480

SHA1
6b76cce7a877fd78eb2c386fce718848cdf31aa9

SHA256
5fdd590e9defaec78e974f009a7048ade11cb3c7712f79fc4eabdb1be588ac8c

SHA512
485b90edd4ad70a8f26488f34776057e6e5842660e80b183ee1ae90f9645521a2673dc3d9f2e2c90203c5f55dd0973655185b21cb1addb556ce57782a14d7dc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\vcxfse.exe

Filesize
248KB

MD5
2c065af519ad099f60a7286e3f0dc1d3

SHA1
15b7a2da624a9cb2e7750dfc17ca853520e99e01

SHA256
822fbf405e2ffff77f8c3ad451e345f62fc476a6c678038c5b214badbed83c17

SHA512
f47b368dd3faeda1a7d143ee8353e64033633d48af620205db289bab2869d4ecd6cc3f8084cfafa43e34a3a70aabb9c08627865a5fe9ae99934e1b4b193d0b6a

Download Submit
memory/2224-31-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download
memory/2224-41-0x0000000000800000-0x0000000000807000-memory.dmp

Filesize
28KB

Download
memory/2224-32-0x0000000000800000-0x0000000000807000-memory.dmp

Filesize
28KB

Download
memory/2436-60-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2436-44-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/2436-33-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2436-37-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2436-59-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2436-39-0x0000000077152000-0x0000000077153000-memory.dmp

Filesize
4KB

Download
memory/2752-45-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2752-55-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2752-62-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2752-50-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2752-47-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2752-61-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2752-53-0x0000000077152000-0x0000000077153000-memory.dmp

Filesize
4KB

Download
memory/2752-56-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/2832-42-0x0000000000720000-0x0000000000727000-memory.dmp

Filesize
28KB

Download
memory/2832-30-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/3992-36-0x0000000003640000-0x0000000003647000-memory.dmp

Filesize
28KB

Download
memory/3992-2-0x0000000077152000-0x0000000077153000-memory.dmp

Filesize
4KB

Download
memory/3992-3-0x00000000006E0000-0x00000000006E1000-memory.dmp

Filesize
4KB

Download
memory/4700-51-0x0000000077152000-0x0000000077153000-memory.dmp

Filesize
4KB

Download
memory/4700-54-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/4700-40-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/4700-43-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/4700-48-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/4700-63-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/4700-65-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads