azorult | b7f7c6607354a0b83caccf57efef2d2447d212b7e0ee0f476abf069274cfd90c

General

Target

3a9684c70496f68a3cbd54fcdcb2ee1c.exe
Size

928KB
MD5

3a9684c70496f68a3cbd54fcdcb2ee1c
SHA1

cf8fae3e2150be663e13f34760dd64f64e4ee7c4
SHA256

b7f7c6607354a0b83caccf57efef2d2447d212b7e0ee0f476abf069274cfd90c
SHA512

98c45b91d1015d9514a20cd876661dde7e5224542b7130a36d3e54c54d7c61b530b4d17999f2ffc34e0e6500d57831cbdc1716d42bd6f9548ec72335f0b33112
SSDEEP

12288:eyQcYxggKGu0IRdqM5BLm75n8NYLo0HTrmhs2wIfOWTrrJ3TkczwF:/QcmggTu0IpLmmOL3Wh4Q1jdT1z4

Score

10^/10

azorult oski raccoon c81fb6015c832710f869f6911e1aec18747e0184 infostealer stealer trojan

Malware Config

Extracted

Family

azorult

C2

http://195.245.112.115/index.php

Extracted

Family

oski

C2

gordonhk.ac.ug

Extracted

Family

raccoon

Botnet

c81fb6015c832710f869f6911e1aec18747e0184

Attributes

url4cnc
https://telete.in/brikitiki

rc4.plain

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V1 payload 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3404-52-0x0000000000400000-0x0000000000497000-memory.dmp	family_raccoon_v1
behavioral2/memory/3404-50-0x0000000000400000-0x0000000000497000-memory.dmp	family_raccoon_v1
behavioral2/memory/3404-49-0x0000000000400000-0x0000000000497000-memory.dmp	family_raccoon_v1
behavioral2/memory/3404-48-0x0000000000400000-0x0000000000497000-memory.dmp	family_raccoon_v1
behavioral2/memory/3404-62-0x0000000000400000-0x0000000000492000-memory.dmp	family_raccoon_v1
behavioral2/memory/3404-63-0x0000000000400000-0x0000000000497000-memory.dmp	family_raccoon_v1

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4692 1796 WerFault.exe FDaqnav.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

3a9684c70496f68a3cbd54fcdcb2ee1c.exe

pid process

4568 3a9684c70496f68a3cbd54fcdcb2ee1c.exe

pid	pid_target	process	target process
4692	1796	WerFault.exe	FDaqnav.exe

pid	process
4568	3a9684c70496f68a3cbd54fcdcb2ee1c.exe

C:\Users\Admin\AppData\Local\Temp\3a9684c70496f68a3cbd54fcdcb2ee1c.exe
"C:\Users\Admin\AppData\Local\Temp\3a9684c70496f68a3cbd54fcdcb2ee1c.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:4568

C:\Users\Admin\AppData\Local\Temp\Gerbvce.exe
"C:\Users\Admin\AppData\Local\Temp\Gerbvce.exe"
2⤵
PID:2428

C:\Users\Admin\AppData\Local\Temp\Gerbvce.exe
"C:\Users\Admin\AppData\Local\Temp\Gerbvce.exe"
3⤵
PID:4688

C:\Users\Admin\AppData\Local\Temp\FDaqnav.exe
"C:\Users\Admin\AppData\Local\Temp\FDaqnav.exe"
2⤵
PID:752

C:\Users\Admin\AppData\Local\Temp\FDaqnav.exe
"C:\Users\Admin\AppData\Local\Temp\FDaqnav.exe"
3⤵
PID:1796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1796 -s 1288
4⤵
- Program crash
PID:4692

C:\Users\Admin\AppData\Local\Temp\3a9684c70496f68a3cbd54fcdcb2ee1c.exe
"C:\Users\Admin\AppData\Local\Temp\3a9684c70496f68a3cbd54fcdcb2ee1c.exe"
2⤵
PID:3404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1796 -ip 1796
1⤵
PID:2584

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FDaqnav.exe
Filesize
26KB

MD5
494fa12409f0ec0fddfe36a1497c01a1

SHA1
b6ea2ad585bfbfe31f07d1b6967e4dde95ae8391

SHA256
6020f25566aed1dc4585a58783b3b5f243679b2b78794dbf43abee95ff32c92e

SHA512
d007e0ff786442d7903bda66af2f903056910cdf8d94fdd616b0e08d06c589969eca76e163405e267294781f43da0f4c0e53d533e4bc6b2aa85ab2f6720ccfbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\FDaqnav.exe
Filesize
7KB

MD5
c3e715fc045735195a3a5dae0e572090

SHA1
66a70951a55e92a1013b1f142957829d30767350

SHA256
ad0e2068325c0f508ebb28798d5c0362c1d512b3e414098592668b3a1684d460

SHA512
bdd571de464cc1f1c47aaa1df8a55b3602d5cd4a574b10235271cc15c2a80ad372179715aeadea5455be5e35b4fcbd25d04c38ce3b147c462f1aa7f02356ddca

Download Submit
C:\Users\Admin\AppData\Local\Temp\FDaqnav.exe
Filesize
34KB

MD5
789cfca97337ad7bc3d2808e8b4989a9

SHA1
5bd171243e40101b0477a30d2004e400d76bd095

SHA256
a1cad4727e854e44c716a74f7b5a1a926b56060dae7dd71fec0fb61cd408ac75

SHA512
d638eb596bdb7a6f1b8dc61dd3be83ab2e222eda669296a0bd1c82d5e7bdcbff0c18c4cc9c84df89385b6debe42e93525d48789aecb44343bc3ed9b7e8e10c08

Download Submit
C:\Users\Admin\AppData\Local\Temp\FDaqnav.exe
Filesize
67KB

MD5
1b5f4736db51b32dc94bc60004af14fc

SHA1
dc078ba6eb65541ff9a4ac0c7a25dbff9aa778b4

SHA256
9db2a705cd45d85b1a5245f57e4b6dc60bd177fa333ec6ba53d0c3a63361ebf9

SHA512
9d6e3bdc12069232d340255bf0804b5e1fa37c18a9baff902dae7647674c7c895138e567ff2769aff09b60faa9a812aa5d7914cee2cf850ef0ee854c8e28c5ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gerbvce.exe
Filesize
88KB

MD5
be977188edd0e20671e8cc2ab882702c

SHA1
25136ddea7312237503a43c2bca6a365ec709c9b

SHA256
338cf786e51147fa89cc26458d01f9ee70399342685761ef461fd3cbf41aa48a

SHA512
964ff9f2f22a85f44424d00254b3afa896e9675d3b0314b0cdd860b675cb8168849ff35ab109b4f904f4eca9a81f0f945839f4f78609a1e1f7aa643d13836583

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gerbvce.exe
Filesize
34KB

MD5
fd5e268566f6c37cde7f46dd14831c41

SHA1
bcad36d3dcd4ed3c7814fdbe00ee39d757330193

SHA256
68cba97b56a76362eb5687a16dcb0a56b3c3c0d7af8f4420b8fafed56b2977be

SHA512
2c4b52460d6c3423a053328778bd2da43bf934b4dc7665656e6222bab2911b0389313adde82e790e00b61ee0cbdc3db2ab47f70b9cdc8d6cfcafe9bd8a1c71f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gerbvce.exe
Filesize
31KB

MD5
d512b421d7b5fbbccdf1db008da51221

SHA1
bfe7a2fe4a78008f73244663f01353757aeb126d

SHA256
fdbb699b660823423af09db4aeac58868de23cdd7c2fe42c8fb3f6508f56e49e

SHA512
a0158a654fc66c0d35a5f4b6381bb07046ce15860172ccb5e688b09884dc68f78557d255c826c06f549aca268ff2ae1ed05320b951ceac45c214563e119749e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gerbvce.exe
Filesize
102KB

MD5
a81c3a9843d2b30c833d626a1fceabe5

SHA1
701e7b0908a49ff2dfca09a40a8f4a4e9d517b76

SHA256
2f2989f74d6138062fccfb8038abac131e651dc35d3af87a0cefd06129d0b8c7

SHA512
9cf9c1bb5519af9b0da23486200aac659c34e10c4ea671f01fd7792e50b707e786d4ced9dcda08316d6b9c4a7b403688d770a6392b4a869871a1f41872123642

Download Submit
memory/752-31-0x0000000000940000-0x0000000000941000-memory.dmp

Filesize
4KB

Download
memory/1796-45-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1796-61-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1796-59-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1796-42-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1796-43-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1796-40-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1796-46-0x0000000077C92000-0x0000000077C93000-memory.dmp

Filesize
4KB

Download
memory/1796-47-0x00000000004D0000-0x00000000004D1000-memory.dmp

Filesize
4KB

Download
memory/2428-29-0x0000000000810000-0x0000000000811000-memory.dmp

Filesize
4KB

Download
memory/2428-32-0x0000000000820000-0x0000000000828000-memory.dmp

Filesize
32KB

Download
memory/3404-52-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3404-54-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/3404-53-0x0000000077C92000-0x0000000077C93000-memory.dmp

Filesize
4KB

Download
memory/3404-63-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3404-50-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3404-49-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3404-48-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3404-62-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/4568-2-0x0000000077C92000-0x0000000077C93000-memory.dmp

Filesize
4KB

Download
memory/4568-3-0x00000000022A0000-0x00000000022A1000-memory.dmp

Filesize
4KB

Download
memory/4688-33-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4688-39-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/4688-38-0x0000000077C92000-0x0000000077C93000-memory.dmp

Filesize
4KB

Download
memory/4688-36-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4688-55-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4688-56-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads