azorult | 7045ebc8901b28437b116f9ff37d6e16caf2b47e3b7986cc233add8410f1ec9f

Analysis

max time kernel
31s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2023 07:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2cae1b3be4c37e8f0ca5dac99dbbac17.exe
Size

1.2MB
MD5

2cae1b3be4c37e8f0ca5dac99dbbac17
SHA1

fea201d9f1b3d81c67abead708afee8f619785d7
SHA256

7045ebc8901b28437b116f9ff37d6e16caf2b47e3b7986cc233add8410f1ec9f
SHA512

1caaf89b50be197446e4194205b6d4165c3406fd32f39598ee52195f0c83f085bbe8297bdc518d581618b62d11b38b1602a508d6f5f77f90260fa3ee651e5ec5
SSDEEP

24576:kiKH63AanJL5WRxc493rVedPdiHxO0KQJ2dJd0+Tf7Lsg77R:vZA0L5WRq493heB2ydJ/LsS7R

Score

10^/10

azorult oski raccoon zgrat c81fb6015c832710f869f6911e1aec18747e0184 infostealer rat stealer trojan

Malware Config

Extracted

Family

raccoon

Botnet

c81fb6015c832710f869f6911e1aec18747e0184

Attributes

url4cnc
https://telete.in/brikitiki

rc4.plain

Extracted

Family

azorult

http://195.245.112.115/index.php

Extracted

Family

oski

kullasa.ac.ug

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Detect ZGRat V1 36 IoCs

resource	yara_rule
behavioral2/memory/4352-9-0x0000000007680000-0x0000000007790000-memory.dmp	family_zgrat_v1
behavioral2/memory/4352-13-0x0000000007680000-0x000000000778A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4352-11-0x0000000007680000-0x000000000778A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4352-21-0x0000000007680000-0x000000000778A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4352-31-0x0000000007680000-0x000000000778A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4352-41-0x0000000007680000-0x000000000778A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4352-53-0x0000000007680000-0x000000000778A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4352-61-0x0000000007680000-0x000000000778A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4352-71-0x0000000007680000-0x000000000778A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4352-73-0x0000000007680000-0x000000000778A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4352-69-0x0000000007680000-0x000000000778A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4352-67-0x0000000007680000-0x000000000778A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4352-65-0x0000000007680000-0x000000000778A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4352-63-0x0000000007680000-0x000000000778A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4352-59-0x0000000007680000-0x000000000778A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4352-57-0x0000000007680000-0x000000000778A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4352-55-0x0000000007680000-0x000000000778A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4352-51-0x0000000007680000-0x000000000778A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4352-49-0x0000000007680000-0x000000000778A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4352-47-0x0000000007680000-0x000000000778A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4352-45-0x0000000007680000-0x000000000778A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4352-43-0x0000000007680000-0x000000000778A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4352-39-0x0000000007680000-0x000000000778A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4352-37-0x0000000007680000-0x000000000778A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4352-35-0x0000000007680000-0x000000000778A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4352-33-0x0000000007680000-0x000000000778A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4352-29-0x0000000007680000-0x000000000778A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4352-27-0x0000000007680000-0x000000000778A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4352-25-0x0000000007680000-0x000000000778A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4352-23-0x0000000007680000-0x000000000778A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4352-19-0x0000000007680000-0x000000000778A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4352-17-0x0000000007680000-0x000000000778A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4352-15-0x0000000007680000-0x000000000778A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4352-10-0x0000000007680000-0x000000000778A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4332-2405-0x0000000006FF0000-0x00000000070A4000-memory.dmp	family_zgrat_v1
behavioral2/memory/2940-4177-0x0000000006F70000-0x0000000006FE2000-memory.dmp	family_zgrat_v1

Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V1 payload 2 IoCs

resource	yara_rule
behavioral2/memory/4736-2396-0x0000000000400000-0x0000000000492000-memory.dmp	family_raccoon_v1
behavioral2/memory/4736-2402-0x0000000000400000-0x0000000000492000-memory.dmp	family_raccoon_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4344	4384	WerFault.exe	110

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4352	2cae1b3be4c37e8f0ca5dac99dbbac17.exe

C:\Users\Admin\AppData\Local\Temp\2cae1b3be4c37e8f0ca5dac99dbbac17.exe
"C:\Users\Admin\AppData\Local\Temp\2cae1b3be4c37e8f0ca5dac99dbbac17.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4352
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Skcczlqwcscgqo.vbs"
  2⤵
  PID:3776
- - C:\Users\Admin\AppData\Local\Temp\Qhbcytidvconsoleapp6aa.exe
    "C:\Users\Admin\AppData\Local\Temp\Qhbcytidvconsoleapp6aa.exe"
    3⤵
    PID:4332
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Evpctmxstsshc.vbs"
      4⤵
      PID:1496
    - - C:\Users\Admin\AppData\Local\Temp\Ehjayxmtvzhapkaunfnnsaconsoleapp19o.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ehjayxmtvzhapkaunfnnsaconsoleapp19o.exe"
        5⤵
        
        PID:2940
      - C:\Users\Admin\AppData\Local\Temp\Ehjayxmtvzhapkaunfnnsaconsoleapp19o.exe
        
        C:\Users\Admin\AppData\Local\Temp\Ehjayxmtvzhapkaunfnnsaconsoleapp19o.exe
        6⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4384 -s 1316
        7⤵
        Program crash
        
        PID:4344
  - - C:\Users\Admin\AppData\Local\Temp\Qhbcytidvconsoleapp6aa.exe
      C:\Users\Admin\AppData\Local\Temp\Qhbcytidvconsoleapp6aa.exe
      4⤵
      PID:1504
- C:\Users\Admin\AppData\Local\Temp\2cae1b3be4c37e8f0ca5dac99dbbac17.exe
  C:\Users\Admin\AppData\Local\Temp\2cae1b3be4c37e8f0ca5dac99dbbac17.exe
  2⤵
  PID:4736
- C:\Users\Admin\AppData\Local\Temp\2cae1b3be4c37e8f0ca5dac99dbbac17.exe
  C:\Users\Admin\AppData\Local\Temp\2cae1b3be4c37e8f0ca5dac99dbbac17.exe
  2⤵
  PID:1308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4384 -ip 4384
1⤵
PID:680

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Evpctmxstsshc.vbs

Filesize
123B

MD5
d98f6a92b8ee8c68226b4663f5a7f5ed

SHA1
b26a4ce3b4b7bd674b0e8d0983b4e9cc6c6878cb

SHA256
413027179fac804119170bcb7db20531cc016a0bb01f9e4cc45a7cb09702da95

SHA512
e4dbe70ed17e846a2cbc62d9c78f24fb14494ffbc0170d19aea5bbb45993583db24e51cf9b1801b2346b8cf3d8bc5fdaa5b5a745b6856a8d8f1a4c5513b23c30

Download Submit
memory/1504-4174-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1504-4168-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2940-4175-0x0000000073E10000-0x00000000745C0000-memory.dmp

Filesize
7.7MB

Download
memory/2940-4172-0x0000000073E10000-0x00000000745C0000-memory.dmp

Filesize
7.7MB

Download
memory/2940-4176-0x0000000006BF0000-0x0000000006C48000-memory.dmp

Filesize
352KB

Download
memory/2940-4177-0x0000000006F70000-0x0000000006FE2000-memory.dmp

Filesize
456KB

Download
memory/2940-4171-0x0000000000F40000-0x0000000000FA0000-memory.dmp

Filesize
384KB

Download
memory/2940-5016-0x0000000005A70000-0x0000000005A80000-memory.dmp

Filesize
64KB

Download
memory/2940-6446-0x0000000073E10000-0x00000000745C0000-memory.dmp

Filesize
7.7MB

Download
memory/2940-4173-0x0000000005A70000-0x0000000005A80000-memory.dmp

Filesize
64KB

Download
memory/4332-4166-0x00000000741D0000-0x0000000074980000-memory.dmp

Filesize
7.7MB

Download
memory/4332-2400-0x00000000741D0000-0x0000000074980000-memory.dmp

Filesize
7.7MB

Download
memory/4332-4155-0x00000000058C0000-0x00000000058D0000-memory.dmp

Filesize
64KB

Download
memory/4332-2911-0x00000000058C0000-0x00000000058D0000-memory.dmp

Filesize
64KB

Download
memory/4332-2405-0x0000000006FF0000-0x00000000070A4000-memory.dmp

Filesize
720KB

Download
memory/4332-2404-0x00000000069B0000-0x0000000006A4C000-memory.dmp

Filesize
624KB

Download
memory/4332-2403-0x00000000741D0000-0x0000000074980000-memory.dmp

Filesize
7.7MB

Download
memory/4332-2399-0x0000000000E60000-0x0000000000F04000-memory.dmp

Filesize
656KB

Download
memory/4332-2401-0x00000000058C0000-0x00000000058D0000-memory.dmp

Filesize
64KB

Download
memory/4352-71-0x0000000007680000-0x000000000778A000-memory.dmp

Filesize
1.0MB

Download
memory/4352-67-0x0000000007680000-0x000000000778A000-memory.dmp

Filesize
1.0MB

Download
memory/4352-59-0x0000000007680000-0x000000000778A000-memory.dmp

Filesize
1.0MB

Download
memory/4352-57-0x0000000007680000-0x000000000778A000-memory.dmp

Filesize
1.0MB

Download
memory/4352-55-0x0000000007680000-0x000000000778A000-memory.dmp

Filesize
1.0MB

Download
memory/4352-51-0x0000000007680000-0x000000000778A000-memory.dmp

Filesize
1.0MB

Download
memory/4352-49-0x0000000007680000-0x000000000778A000-memory.dmp

Filesize
1.0MB

Download
memory/4352-47-0x0000000007680000-0x000000000778A000-memory.dmp

Filesize
1.0MB

Download
memory/4352-45-0x0000000007680000-0x000000000778A000-memory.dmp

Filesize
1.0MB

Download
memory/4352-43-0x0000000007680000-0x000000000778A000-memory.dmp

Filesize
1.0MB

Download
memory/4352-39-0x0000000007680000-0x000000000778A000-memory.dmp

Filesize
1.0MB

Download
memory/4352-275-0x0000000005C40000-0x0000000005C50000-memory.dmp

Filesize
64KB

Download
memory/4352-37-0x0000000007680000-0x000000000778A000-memory.dmp

Filesize
1.0MB

Download
memory/4352-35-0x0000000007680000-0x000000000778A000-memory.dmp

Filesize
1.0MB

Download
memory/4352-33-0x0000000007680000-0x000000000778A000-memory.dmp

Filesize
1.0MB

Download
memory/4352-29-0x0000000007680000-0x000000000778A000-memory.dmp

Filesize
1.0MB

Download
memory/4352-27-0x0000000007680000-0x000000000778A000-memory.dmp

Filesize
1.0MB

Download
memory/4352-25-0x0000000007680000-0x000000000778A000-memory.dmp

Filesize
1.0MB

Download
memory/4352-23-0x0000000007680000-0x000000000778A000-memory.dmp

Filesize
1.0MB

Download
memory/4352-19-0x0000000007680000-0x000000000778A000-memory.dmp

Filesize
1.0MB

Download
memory/4352-17-0x0000000007680000-0x000000000778A000-memory.dmp

Filesize
1.0MB

Download
memory/4352-15-0x0000000007680000-0x000000000778A000-memory.dmp

Filesize
1.0MB

Download
memory/4352-10-0x0000000007680000-0x000000000778A000-memory.dmp

Filesize
1.0MB

Download
memory/4352-2385-0x0000000005C40000-0x0000000005C50000-memory.dmp

Filesize
64KB

Download
memory/4352-65-0x0000000007680000-0x000000000778A000-memory.dmp

Filesize
1.0MB

Download
memory/4352-63-0x0000000007680000-0x000000000778A000-memory.dmp

Filesize
1.0MB

Download
memory/4352-69-0x0000000007680000-0x000000000778A000-memory.dmp

Filesize
1.0MB

Download
memory/4352-2-0x00000000060E0000-0x0000000006684000-memory.dmp

Filesize
5.6MB

Download
memory/4352-2395-0x0000000074720000-0x0000000074ED0000-memory.dmp

Filesize
7.7MB

Download
memory/4352-3-0x0000000005A70000-0x0000000005B02000-memory.dmp

Filesize
584KB

Download
memory/4352-73-0x0000000007680000-0x000000000778A000-memory.dmp

Filesize
1.0MB

Download
memory/4352-1-0x0000000074720000-0x0000000074ED0000-memory.dmp

Filesize
7.7MB

Download
memory/4352-61-0x0000000007680000-0x000000000778A000-memory.dmp

Filesize
1.0MB

Download
memory/4352-53-0x0000000007680000-0x000000000778A000-memory.dmp

Filesize
1.0MB

Download
memory/4352-41-0x0000000007680000-0x000000000778A000-memory.dmp

Filesize
1.0MB

Download
memory/4352-31-0x0000000007680000-0x000000000778A000-memory.dmp

Filesize
1.0MB

Download
memory/4352-21-0x0000000007680000-0x000000000778A000-memory.dmp

Filesize
1.0MB

Download
memory/4352-11-0x0000000007680000-0x000000000778A000-memory.dmp

Filesize
1.0MB

Download
memory/4352-13-0x0000000007680000-0x000000000778A000-memory.dmp

Filesize
1.0MB

Download
memory/4352-9-0x0000000007680000-0x0000000007790000-memory.dmp

Filesize
1.1MB

Download
memory/4352-8-0x0000000007200000-0x0000000007326000-memory.dmp

Filesize
1.1MB

Download
memory/4352-7-0x0000000006CB0000-0x0000000006DD6000-memory.dmp

Filesize
1.1MB

Download
memory/4352-6-0x0000000074720000-0x0000000074ED0000-memory.dmp

Filesize
7.7MB

Download
memory/4352-5-0x0000000005C50000-0x0000000005C5A000-memory.dmp

Filesize
40KB

Download
memory/4352-4-0x0000000005C40000-0x0000000005C50000-memory.dmp

Filesize
64KB

Download
memory/4352-0-0x0000000000F70000-0x000000000109E000-memory.dmp

Filesize
1.2MB

Download
memory/4384-6447-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4384-6450-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4736-2402-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/4736-2396-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads