azorult | 7045ebc8901b28437b116f9ff37d6e16caf2b47e3b7986cc233add8410f1ec9f

Analysis

max time kernel
31s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2023 07:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2cae1b3be4c37e8f0ca5dac99dbbac17.exe
Size

1.2MB
MD5

2cae1b3be4c37e8f0ca5dac99dbbac17
SHA1

fea201d9f1b3d81c67abead708afee8f619785d7
SHA256

7045ebc8901b28437b116f9ff37d6e16caf2b47e3b7986cc233add8410f1ec9f
SHA512

1caaf89b50be197446e4194205b6d4165c3406fd32f39598ee52195f0c83f085bbe8297bdc518d581618b62d11b38b1602a508d6f5f77f90260fa3ee651e5ec5
SSDEEP

24576:kiKH63AanJL5WRxc493rVedPdiHxO0KQJ2dJd0+Tf7Lsg77R:vZA0L5WRq493heB2ydJ/LsS7R

Score

10^/10

azorult oski raccoon zgrat c81fb6015c832710f869f6911e1aec18747e0184 infostealer rat stealer trojan

Malware Config

Extracted

Family

raccoon

Botnet

c81fb6015c832710f869f6911e1aec18747e0184

Attributes

url4cnc
https://telete.in/brikitiki

rc4.plain

Extracted

Family

azorult

http://195.245.112.115/index.php

Extracted

Family

oski

kullasa.ac.ug

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Detect ZGRat V1 36 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4352-9-0x0000000007680000-0x0000000007790000-memory.dmp	family_zgrat_v1
behavioral2/memory/4352-13-0x0000000007680000-0x000000000778A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4352-11-0x0000000007680000-0x000000000778A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4352-21-0x0000000007680000-0x000000000778A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4352-31-0x0000000007680000-0x000000000778A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4352-41-0x0000000007680000-0x000000000778A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4352-53-0x0000000007680000-0x000000000778A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4352-61-0x0000000007680000-0x000000000778A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4352-71-0x0000000007680000-0x000000000778A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4352-73-0x0000000007680000-0x000000000778A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4352-69-0x0000000007680000-0x000000000778A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4352-67-0x0000000007680000-0x000000000778A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4352-65-0x0000000007680000-0x000000000778A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4352-63-0x0000000007680000-0x000000000778A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4352-59-0x0000000007680000-0x000000000778A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4352-57-0x0000000007680000-0x000000000778A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4352-55-0x0000000007680000-0x000000000778A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4352-51-0x0000000007680000-0x000000000778A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4352-49-0x0000000007680000-0x000000000778A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4352-47-0x0000000007680000-0x000000000778A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4352-45-0x0000000007680000-0x000000000778A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4352-43-0x0000000007680000-0x000000000778A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4352-39-0x0000000007680000-0x000000000778A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4352-37-0x0000000007680000-0x000000000778A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4352-35-0x0000000007680000-0x000000000778A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4352-33-0x0000000007680000-0x000000000778A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4352-29-0x0000000007680000-0x000000000778A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4352-27-0x0000000007680000-0x000000000778A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4352-25-0x0000000007680000-0x000000000778A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4352-23-0x0000000007680000-0x000000000778A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4352-19-0x0000000007680000-0x000000000778A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4352-17-0x0000000007680000-0x000000000778A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4352-15-0x0000000007680000-0x000000000778A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4352-10-0x0000000007680000-0x000000000778A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4332-2405-0x0000000006FF0000-0x00000000070A4000-memory.dmp	family_zgrat_v1
behavioral2/memory/2940-4177-0x0000000006F70000-0x0000000006FE2000-memory.dmp	family_zgrat_v1

Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V1 payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4736-2396-0x0000000000400000-0x0000000000492000-memory.dmp	family_raccoon_v1
behavioral2/memory/4736-2402-0x0000000000400000-0x0000000000492000-memory.dmp	family_raccoon_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4344 4384 WerFault.exe Ehjayxmtvzhapkaunfnnsaconsoleapp19o.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

2cae1b3be4c37e8f0ca5dac99dbbac17.exe

description pid process

Token: SeDebugPrivilege 4352 2cae1b3be4c37e8f0ca5dac99dbbac17.exe

pid	pid_target	process	target process
4344	4384	WerFault.exe	Ehjayxmtvzhapkaunfnnsaconsoleapp19o.exe

description	pid	process
Token: SeDebugPrivilege	4352	2cae1b3be4c37e8f0ca5dac99dbbac17.exe

C:\Users\Admin\AppData\Local\Temp\2cae1b3be4c37e8f0ca5dac99dbbac17.exe
"C:\Users\Admin\AppData\Local\Temp\2cae1b3be4c37e8f0ca5dac99dbbac17.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4352

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Skcczlqwcscgqo.vbs"
2⤵
PID:3776

C:\Users\Admin\AppData\Local\Temp\Qhbcytidvconsoleapp6aa.exe
"C:\Users\Admin\AppData\Local\Temp\Qhbcytidvconsoleapp6aa.exe"
3⤵
PID:4332

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Evpctmxstsshc.vbs"
4⤵
PID:1496

C:\Users\Admin\AppData\Local\Temp\Ehjayxmtvzhapkaunfnnsaconsoleapp19o.exe
"C:\Users\Admin\AppData\Local\Temp\Ehjayxmtvzhapkaunfnnsaconsoleapp19o.exe"
5⤵
PID:2940

C:\Users\Admin\AppData\Local\Temp\Ehjayxmtvzhapkaunfnnsaconsoleapp19o.exe
C:\Users\Admin\AppData\Local\Temp\Ehjayxmtvzhapkaunfnnsaconsoleapp19o.exe
6⤵
PID:4384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4384 -s 1316
7⤵
- Program crash
PID:4344

C:\Users\Admin\AppData\Local\Temp\Qhbcytidvconsoleapp6aa.exe
C:\Users\Admin\AppData\Local\Temp\Qhbcytidvconsoleapp6aa.exe
4⤵
PID:1504

C:\Users\Admin\AppData\Local\Temp\2cae1b3be4c37e8f0ca5dac99dbbac17.exe
C:\Users\Admin\AppData\Local\Temp\2cae1b3be4c37e8f0ca5dac99dbbac17.exe
2⤵
PID:4736

C:\Users\Admin\AppData\Local\Temp\2cae1b3be4c37e8f0ca5dac99dbbac17.exe
C:\Users\Admin\AppData\Local\Temp\2cae1b3be4c37e8f0ca5dac99dbbac17.exe
2⤵
PID:1308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4384 -ip 4384
1⤵
PID:680

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Ehjayxmtvzhapkaunfnnsaconsoleapp19o.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Evpctmxstsshc.vbs
Filesize
123B

MD5
d98f6a92b8ee8c68226b4663f5a7f5ed

SHA1
b26a4ce3b4b7bd674b0e8d0983b4e9cc6c6878cb

SHA256
413027179fac804119170bcb7db20531cc016a0bb01f9e4cc45a7cb09702da95

SHA512
e4dbe70ed17e846a2cbc62d9c78f24fb14494ffbc0170d19aea5bbb45993583db24e51cf9b1801b2346b8cf3d8bc5fdaa5b5a745b6856a8d8f1a4c5513b23c30

Download Submit
memory/1504-4174-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1504-4168-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2940-4175-0x0000000073E10000-0x00000000745C0000-memory.dmp

Filesize
7.7MB

Download
memory/2940-4172-0x0000000073E10000-0x00000000745C0000-memory.dmp

Filesize
7.7MB

Download
memory/2940-4176-0x0000000006BF0000-0x0000000006C48000-memory.dmp

Filesize
352KB

Download
memory/2940-4177-0x0000000006F70000-0x0000000006FE2000-memory.dmp

Filesize
456KB

Download
memory/2940-4171-0x0000000000F40000-0x0000000000FA0000-memory.dmp

Filesize
384KB

Download
memory/2940-5016-0x0000000005A70000-0x0000000005A80000-memory.dmp

Filesize
64KB

Download
memory/2940-6446-0x0000000073E10000-0x00000000745C0000-memory.dmp

Filesize
7.7MB

Download
memory/2940-4173-0x0000000005A70000-0x0000000005A80000-memory.dmp

Filesize
64KB

Download
memory/4332-4166-0x00000000741D0000-0x0000000074980000-memory.dmp

Filesize
7.7MB

Download
memory/4332-2400-0x00000000741D0000-0x0000000074980000-memory.dmp

Filesize
7.7MB

Download
memory/4332-4155-0x00000000058C0000-0x00000000058D0000-memory.dmp

Filesize
64KB

Download
memory/4332-2911-0x00000000058C0000-0x00000000058D0000-memory.dmp

Filesize
64KB

Download
memory/4332-2405-0x0000000006FF0000-0x00000000070A4000-memory.dmp

Filesize
720KB

Download
memory/4332-2404-0x00000000069B0000-0x0000000006A4C000-memory.dmp

Filesize
624KB

Download
memory/4332-2403-0x00000000741D0000-0x0000000074980000-memory.dmp

Filesize
7.7MB

Download
memory/4332-2399-0x0000000000E60000-0x0000000000F04000-memory.dmp

Filesize
656KB

Download
memory/4332-2401-0x00000000058C0000-0x00000000058D0000-memory.dmp

Filesize
64KB

Download
memory/4352-71-0x0000000007680000-0x000000000778A000-memory.dmp

Filesize
1.0MB

Download
memory/4352-67-0x0000000007680000-0x000000000778A000-memory.dmp

Filesize
1.0MB

Download
memory/4352-59-0x0000000007680000-0x000000000778A000-memory.dmp

Filesize
1.0MB

Download
memory/4352-57-0x0000000007680000-0x000000000778A000-memory.dmp

Filesize
1.0MB

Download
memory/4352-55-0x0000000007680000-0x000000000778A000-memory.dmp

Filesize
1.0MB

Download
memory/4352-51-0x0000000007680000-0x000000000778A000-memory.dmp

Filesize
1.0MB

Download
memory/4352-49-0x0000000007680000-0x000000000778A000-memory.dmp

Filesize
1.0MB

Download
memory/4352-47-0x0000000007680000-0x000000000778A000-memory.dmp

Filesize
1.0MB

Download
memory/4352-45-0x0000000007680000-0x000000000778A000-memory.dmp

Filesize
1.0MB

Download
memory/4352-43-0x0000000007680000-0x000000000778A000-memory.dmp

Filesize
1.0MB

Download
memory/4352-39-0x0000000007680000-0x000000000778A000-memory.dmp

Filesize
1.0MB

Download
memory/4352-275-0x0000000005C40000-0x0000000005C50000-memory.dmp

Filesize
64KB

Download
memory/4352-37-0x0000000007680000-0x000000000778A000-memory.dmp

Filesize
1.0MB

Download
memory/4352-35-0x0000000007680000-0x000000000778A000-memory.dmp

Filesize
1.0MB

Download
memory/4352-33-0x0000000007680000-0x000000000778A000-memory.dmp

Filesize
1.0MB

Download
memory/4352-29-0x0000000007680000-0x000000000778A000-memory.dmp

Filesize
1.0MB

Download
memory/4352-27-0x0000000007680000-0x000000000778A000-memory.dmp

Filesize
1.0MB

Download
memory/4352-25-0x0000000007680000-0x000000000778A000-memory.dmp

Filesize
1.0MB

Download
memory/4352-23-0x0000000007680000-0x000000000778A000-memory.dmp

Filesize
1.0MB

Download
memory/4352-19-0x0000000007680000-0x000000000778A000-memory.dmp

Filesize
1.0MB

Download
memory/4352-17-0x0000000007680000-0x000000000778A000-memory.dmp

Filesize
1.0MB

Download
memory/4352-15-0x0000000007680000-0x000000000778A000-memory.dmp

Filesize
1.0MB

Download
memory/4352-10-0x0000000007680000-0x000000000778A000-memory.dmp

Filesize
1.0MB

Download
memory/4352-2385-0x0000000005C40000-0x0000000005C50000-memory.dmp

Filesize
64KB

Download
memory/4352-65-0x0000000007680000-0x000000000778A000-memory.dmp

Filesize
1.0MB

Download
memory/4352-63-0x0000000007680000-0x000000000778A000-memory.dmp

Filesize
1.0MB

Download
memory/4352-69-0x0000000007680000-0x000000000778A000-memory.dmp

Filesize
1.0MB

Download
memory/4352-2-0x00000000060E0000-0x0000000006684000-memory.dmp

Filesize
5.6MB

Download
memory/4352-2395-0x0000000074720000-0x0000000074ED0000-memory.dmp

Filesize
7.7MB

Download
memory/4352-3-0x0000000005A70000-0x0000000005B02000-memory.dmp

Filesize
584KB

Download
memory/4352-73-0x0000000007680000-0x000000000778A000-memory.dmp

Filesize
1.0MB

Download
memory/4352-1-0x0000000074720000-0x0000000074ED0000-memory.dmp

Filesize
7.7MB

Download
memory/4352-61-0x0000000007680000-0x000000000778A000-memory.dmp

Filesize
1.0MB

Download
memory/4352-53-0x0000000007680000-0x000000000778A000-memory.dmp

Filesize
1.0MB

Download
memory/4352-41-0x0000000007680000-0x000000000778A000-memory.dmp

Filesize
1.0MB

Download
memory/4352-31-0x0000000007680000-0x000000000778A000-memory.dmp

Filesize
1.0MB

Download
memory/4352-21-0x0000000007680000-0x000000000778A000-memory.dmp

Filesize
1.0MB

Download
memory/4352-11-0x0000000007680000-0x000000000778A000-memory.dmp

Filesize
1.0MB

Download
memory/4352-13-0x0000000007680000-0x000000000778A000-memory.dmp

Filesize
1.0MB

Download
memory/4352-9-0x0000000007680000-0x0000000007790000-memory.dmp

Filesize
1.1MB

Download
memory/4352-8-0x0000000007200000-0x0000000007326000-memory.dmp

Filesize
1.1MB

Download
memory/4352-7-0x0000000006CB0000-0x0000000006DD6000-memory.dmp

Filesize
1.1MB

Download
memory/4352-6-0x0000000074720000-0x0000000074ED0000-memory.dmp

Filesize
7.7MB

Download
memory/4352-5-0x0000000005C50000-0x0000000005C5A000-memory.dmp

Filesize
40KB

Download
memory/4352-4-0x0000000005C40000-0x0000000005C50000-memory.dmp

Filesize
64KB

Download
memory/4352-0-0x0000000000F70000-0x000000000109E000-memory.dmp

Filesize
1.2MB

Download
memory/4384-6447-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4384-6450-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4736-2402-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/4736-2396-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download