azorult | b7f7c6607354a0b83caccf57efef2d2447d212b7e0ee0f476abf069274cfd90c

General

Target

3a9684c70496f68a3cbd54fcdcb2ee1c.exe
Size

928KB
MD5

3a9684c70496f68a3cbd54fcdcb2ee1c
SHA1

cf8fae3e2150be663e13f34760dd64f64e4ee7c4
SHA256

b7f7c6607354a0b83caccf57efef2d2447d212b7e0ee0f476abf069274cfd90c
SHA512

98c45b91d1015d9514a20cd876661dde7e5224542b7130a36d3e54c54d7c61b530b4d17999f2ffc34e0e6500d57831cbdc1716d42bd6f9548ec72335f0b33112
SSDEEP

12288:eyQcYxggKGu0IRdqM5BLm75n8NYLo0HTrmhs2wIfOWTrrJ3TkczwF:/QcmggTu0IpLmmOL3Wh4Q1jdT1z4

Score

10^/10

azorult oski raccoon c81fb6015c832710f869f6911e1aec18747e0184 infostealer spyware stealer trojan

Malware Config

Extracted

Family

raccoon

Botnet

c81fb6015c832710f869f6911e1aec18747e0184

Attributes

url4cnc
https://telete.in/brikitiki

rc4.plain

Extracted

Family

oski

C2

gordonhk.ac.ug

Extracted

Family

azorult

C2

http://195.245.112.115/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V1 payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2840-21-0x0000000000400000-0x0000000000497000-memory.dmp	family_raccoon_v1
behavioral1/memory/2840-44-0x0000000000400000-0x0000000000497000-memory.dmp	family_raccoon_v1
behavioral1/memory/2840-47-0x0000000000400000-0x0000000000497000-memory.dmp	family_raccoon_v1
behavioral1/memory/2840-51-0x0000000000400000-0x0000000000492000-memory.dmp	family_raccoon_v1
behavioral1/memory/2840-60-0x0000000000400000-0x0000000000497000-memory.dmp	family_raccoon_v1

Executes dropped EXE 4 IoCs

Processes:

Gerbvce.exeFDaqnav.exeFDaqnav.exeGerbvce.exe

pid process

2720 Gerbvce.exe
2844 FDaqnav.exe
2804 FDaqnav.exe
2336 Gerbvce.exe

pid	process
2720	Gerbvce.exe
2844	FDaqnav.exe
2804	FDaqnav.exe
2336	Gerbvce.exe

Loads dropped DLL 11 IoCs

Processes:

3a9684c70496f68a3cbd54fcdcb2ee1c.exeFDaqnav.exeGerbvce.exeWerFault.exe

pid	process
2772	3a9684c70496f68a3cbd54fcdcb2ee1c.exe
2772	3a9684c70496f68a3cbd54fcdcb2ee1c.exe
2772	3a9684c70496f68a3cbd54fcdcb2ee1c.exe
2772	3a9684c70496f68a3cbd54fcdcb2ee1c.exe
2844	FDaqnav.exe
2720	Gerbvce.exe
2680	WerFault.exe
2680	WerFault.exe
2680	WerFault.exe
2680	WerFault.exe
2680	WerFault.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 3 IoCs

Processes:

3a9684c70496f68a3cbd54fcdcb2ee1c.exeFDaqnav.exeGerbvce.exe

description	pid	process	target process
PID 2772 set thread context of 2840	2772	3a9684c70496f68a3cbd54fcdcb2ee1c.exe	3a9684c70496f68a3cbd54fcdcb2ee1c.exe
PID 2844 set thread context of 2804	2844	FDaqnav.exe	FDaqnav.exe
PID 2720 set thread context of 2336	2720	Gerbvce.exe	Gerbvce.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2680 2804 WerFault.exe FDaqnav.exe

pid	pid_target	process	target process
2680	2804	WerFault.exe	FDaqnav.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

3a9684c70496f68a3cbd54fcdcb2ee1c.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	3a9684c70496f68a3cbd54fcdcb2ee1c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	3a9684c70496f68a3cbd54fcdcb2ee1c.exe

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

3a9684c70496f68a3cbd54fcdcb2ee1c.exeFDaqnav.exeGerbvce.exe

pid process

2772 3a9684c70496f68a3cbd54fcdcb2ee1c.exe
2844 FDaqnav.exe
2720 Gerbvce.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

3a9684c70496f68a3cbd54fcdcb2ee1c.exeGerbvce.exeFDaqnav.exe

pid process

2772 3a9684c70496f68a3cbd54fcdcb2ee1c.exe
2720 Gerbvce.exe
2844 FDaqnav.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

3a9684c70496f68a3cbd54fcdcb2ee1c.exeFDaqnav.exeGerbvce.exeFDaqnav.exe

description	pid	process	target process
PID 2772 wrote to memory of 2720	2772	3a9684c70496f68a3cbd54fcdcb2ee1c.exe	Gerbvce.exe
PID 2772 wrote to memory of 2720	2772	3a9684c70496f68a3cbd54fcdcb2ee1c.exe	Gerbvce.exe
PID 2772 wrote to memory of 2720	2772	3a9684c70496f68a3cbd54fcdcb2ee1c.exe	Gerbvce.exe
PID 2772 wrote to memory of 2720	2772	3a9684c70496f68a3cbd54fcdcb2ee1c.exe	Gerbvce.exe
PID 2772 wrote to memory of 2844	2772	3a9684c70496f68a3cbd54fcdcb2ee1c.exe	FDaqnav.exe
PID 2772 wrote to memory of 2844	2772	3a9684c70496f68a3cbd54fcdcb2ee1c.exe	FDaqnav.exe
PID 2772 wrote to memory of 2844	2772	3a9684c70496f68a3cbd54fcdcb2ee1c.exe	FDaqnav.exe
PID 2772 wrote to memory of 2844	2772	3a9684c70496f68a3cbd54fcdcb2ee1c.exe	FDaqnav.exe
PID 2772 wrote to memory of 2840	2772	3a9684c70496f68a3cbd54fcdcb2ee1c.exe	3a9684c70496f68a3cbd54fcdcb2ee1c.exe
PID 2772 wrote to memory of 2840	2772	3a9684c70496f68a3cbd54fcdcb2ee1c.exe	3a9684c70496f68a3cbd54fcdcb2ee1c.exe
PID 2772 wrote to memory of 2840	2772	3a9684c70496f68a3cbd54fcdcb2ee1c.exe	3a9684c70496f68a3cbd54fcdcb2ee1c.exe
PID 2772 wrote to memory of 2840	2772	3a9684c70496f68a3cbd54fcdcb2ee1c.exe	3a9684c70496f68a3cbd54fcdcb2ee1c.exe
PID 2772 wrote to memory of 2840	2772	3a9684c70496f68a3cbd54fcdcb2ee1c.exe	3a9684c70496f68a3cbd54fcdcb2ee1c.exe
PID 2844 wrote to memory of 2804	2844	FDaqnav.exe	FDaqnav.exe
PID 2844 wrote to memory of 2804	2844	FDaqnav.exe	FDaqnav.exe
PID 2844 wrote to memory of 2804	2844	FDaqnav.exe	FDaqnav.exe
PID 2844 wrote to memory of 2804	2844	FDaqnav.exe	FDaqnav.exe
PID 2844 wrote to memory of 2804	2844	FDaqnav.exe	FDaqnav.exe
PID 2720 wrote to memory of 2336	2720	Gerbvce.exe	Gerbvce.exe
PID 2720 wrote to memory of 2336	2720	Gerbvce.exe	Gerbvce.exe
PID 2720 wrote to memory of 2336	2720	Gerbvce.exe	Gerbvce.exe
PID 2720 wrote to memory of 2336	2720	Gerbvce.exe	Gerbvce.exe
PID 2720 wrote to memory of 2336	2720	Gerbvce.exe	Gerbvce.exe
PID 2804 wrote to memory of 2680	2804	FDaqnav.exe	WerFault.exe
PID 2804 wrote to memory of 2680	2804	FDaqnav.exe	WerFault.exe
PID 2804 wrote to memory of 2680	2804	FDaqnav.exe	WerFault.exe
PID 2804 wrote to memory of 2680	2804	FDaqnav.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\3a9684c70496f68a3cbd54fcdcb2ee1c.exe
"C:\Users\Admin\AppData\Local\Temp\3a9684c70496f68a3cbd54fcdcb2ee1c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2772

C:\Users\Admin\AppData\Local\Temp\Gerbvce.exe
"C:\Users\Admin\AppData\Local\Temp\Gerbvce.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2720

C:\Users\Admin\AppData\Local\Temp\Gerbvce.exe
"C:\Users\Admin\AppData\Local\Temp\Gerbvce.exe"
3⤵
- Executes dropped EXE
PID:2336

C:\Users\Admin\AppData\Local\Temp\FDaqnav.exe
"C:\Users\Admin\AppData\Local\Temp\FDaqnav.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2844

C:\Users\Admin\AppData\Local\Temp\FDaqnav.exe
"C:\Users\Admin\AppData\Local\Temp\FDaqnav.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 824
4⤵
- Loads dropped DLL
- Program crash
PID:2680

C:\Users\Admin\AppData\Local\Temp\3a9684c70496f68a3cbd54fcdcb2ee1c.exe
"C:\Users\Admin\AppData\Local\Temp\3a9684c70496f68a3cbd54fcdcb2ee1c.exe"
2⤵
- Modifies system certificate store
PID:2840

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

1

T1553

Install Root Certificate

Modify Registry

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\FDaqnav.exe
Filesize
232KB

MD5
9234bd3aa66bbe301b7cf77e8576f820

SHA1
46d759d4feeb4e25fcdcad495457df9663175d41

SHA256
ce85712c42070afa56c562527a150d513928284d20a0ba714ad0146f6ab9958a

SHA512
4d168c47eea0ceda42543f5b1d2bef6aa6378de0df21287fc38b43206ec2514c428afba6acc2e66c8940e78d528e3eaffd0e0001bdb7da6af18d1892a5fd4921

Download Submit
\Users\Admin\AppData\Local\Temp\Gerbvce.exe
Filesize
188KB

MD5
28acd195bfcdc02ed37f5d2d5dae52be

SHA1
f8b7564585bc7cddf099faf1cec8de842d0d5cda

SHA256
20c8f4ef93504ffbc086e44879fb8bf729dc86b5e460d3bc2cb61e73bbc79790

SHA512
c3247e8e153a6a5a7e5c1dc0b7f8503cf94866904bb145ef28e6bd10a2bdd539a21fb97a81ed5a6a6fa1a8b91824c066f391a8cd155f4639ceaee5d596ba3a23

Download Submit
memory/2336-49-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2336-41-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2336-50-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2336-42-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2336-34-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2336-39-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2720-28-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2772-2-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2772-23-0x0000000001CD0000-0x0000000001CD8000-memory.dmp

Filesize
32KB

Download
memory/2804-31-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2804-43-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2804-52-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2804-54-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2804-62-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2840-44-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2840-47-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2840-48-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2840-21-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2840-51-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/2840-60-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads