azorult | 3bdaeb542939de272d46fa125a9fbfc4a2bb551c3a49c5fbb68d17c45a11446d

General

Target

8dcc97027d77b67586b46d6ba571d2b4.exe
Size

1.5MB
MD5

8dcc97027d77b67586b46d6ba571d2b4
SHA1

ad22432eda3951e822f5a5ec37e66d503a4703eb
SHA256

3bdaeb542939de272d46fa125a9fbfc4a2bb551c3a49c5fbb68d17c45a11446d
SHA512

233a913966a876ad4d7604a4f9c646fabba8e2c6e5d5a125f2317e6168efa05aa001e7a183b293fc573717b540983777fcf17acfe9bb1c0ff98ced401ceedbbd
SSDEEP

24576:i13JKz0ildRWDDD/I1bH1tORRC+ixrw3ORR1+h5LORR5+X1S:i15KzmD+T1toC+ixrw3o1+h5Lo5+X1S

Score

10^/10

azorult oski raccoon c81fb6015c832710f869f6911e1aec18747e0184 infostealer spyware stealer trojan

Malware Config

Extracted

Family

raccoon

Botnet

c81fb6015c832710f869f6911e1aec18747e0184

Attributes

url4cnc
https://telete.in/brikitiki

rc4.plain

Extracted

Family

azorult

C2

http://195.245.112.115/index.php

Extracted

Family

oski

C2

kullasa.ac.ug

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V1 payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2800-26-0x0000000000400000-0x0000000000497000-memory.dmp	family_raccoon_v1
behavioral1/memory/2800-41-0x0000000000400000-0x0000000000497000-memory.dmp	family_raccoon_v1
behavioral1/memory/2800-45-0x0000000000400000-0x0000000000497000-memory.dmp	family_raccoon_v1
behavioral1/memory/2800-46-0x0000000000400000-0x0000000000492000-memory.dmp	family_raccoon_v1
behavioral1/memory/2800-60-0x0000000000400000-0x0000000000497000-memory.dmp	family_raccoon_v1

Executes dropped EXE 4 IoCs

Processes:

Vdgfgjkhsdwr.exeDropakcx.exeDropakcx.exeVdgfgjkhsdwr.exe

pid process

3004 Vdgfgjkhsdwr.exe
2524 Dropakcx.exe
2700 Dropakcx.exe
2928 Vdgfgjkhsdwr.exe

pid	process
3004	Vdgfgjkhsdwr.exe
2524	Dropakcx.exe
2700	Dropakcx.exe
2928	Vdgfgjkhsdwr.exe

Loads dropped DLL 11 IoCs

Processes:

8dcc97027d77b67586b46d6ba571d2b4.exeDropakcx.exeVdgfgjkhsdwr.exeWerFault.exe

pid	process
1340	8dcc97027d77b67586b46d6ba571d2b4.exe
1340	8dcc97027d77b67586b46d6ba571d2b4.exe
1340	8dcc97027d77b67586b46d6ba571d2b4.exe
1340	8dcc97027d77b67586b46d6ba571d2b4.exe
2524	Dropakcx.exe
3004	Vdgfgjkhsdwr.exe
2852	WerFault.exe
2852	WerFault.exe
2852	WerFault.exe
2852	WerFault.exe
2852	WerFault.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 3 IoCs

Processes:

8dcc97027d77b67586b46d6ba571d2b4.exeDropakcx.exeVdgfgjkhsdwr.exe

description	pid	process	target process
PID 1340 set thread context of 2800	1340	8dcc97027d77b67586b46d6ba571d2b4.exe	8dcc97027d77b67586b46d6ba571d2b4.exe
PID 2524 set thread context of 2700	2524	Dropakcx.exe	Dropakcx.exe
PID 3004 set thread context of 2928	3004	Vdgfgjkhsdwr.exe	Vdgfgjkhsdwr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2852 2700 WerFault.exe Dropakcx.exe

pid	pid_target	process	target process
2852	2700	WerFault.exe	Dropakcx.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

8dcc97027d77b67586b46d6ba571d2b4.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	8dcc97027d77b67586b46d6ba571d2b4.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	8dcc97027d77b67586b46d6ba571d2b4.exe

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

8dcc97027d77b67586b46d6ba571d2b4.exeDropakcx.exeVdgfgjkhsdwr.exe

pid process

1340 8dcc97027d77b67586b46d6ba571d2b4.exe
2524 Dropakcx.exe
3004 Vdgfgjkhsdwr.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

8dcc97027d77b67586b46d6ba571d2b4.exeDropakcx.exeVdgfgjkhsdwr.exe

pid process

1340 8dcc97027d77b67586b46d6ba571d2b4.exe
2524 Dropakcx.exe
3004 Vdgfgjkhsdwr.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

8dcc97027d77b67586b46d6ba571d2b4.exeDropakcx.exeVdgfgjkhsdwr.exeDropakcx.exe

description	pid	process	target process
PID 1340 wrote to memory of 3004	1340	8dcc97027d77b67586b46d6ba571d2b4.exe	Vdgfgjkhsdwr.exe
PID 1340 wrote to memory of 3004	1340	8dcc97027d77b67586b46d6ba571d2b4.exe	Vdgfgjkhsdwr.exe
PID 1340 wrote to memory of 3004	1340	8dcc97027d77b67586b46d6ba571d2b4.exe	Vdgfgjkhsdwr.exe
PID 1340 wrote to memory of 3004	1340	8dcc97027d77b67586b46d6ba571d2b4.exe	Vdgfgjkhsdwr.exe
PID 1340 wrote to memory of 2524	1340	8dcc97027d77b67586b46d6ba571d2b4.exe	Dropakcx.exe
PID 1340 wrote to memory of 2524	1340	8dcc97027d77b67586b46d6ba571d2b4.exe	Dropakcx.exe
PID 1340 wrote to memory of 2524	1340	8dcc97027d77b67586b46d6ba571d2b4.exe	Dropakcx.exe
PID 1340 wrote to memory of 2524	1340	8dcc97027d77b67586b46d6ba571d2b4.exe	Dropakcx.exe
PID 1340 wrote to memory of 2800	1340	8dcc97027d77b67586b46d6ba571d2b4.exe	8dcc97027d77b67586b46d6ba571d2b4.exe
PID 1340 wrote to memory of 2800	1340	8dcc97027d77b67586b46d6ba571d2b4.exe	8dcc97027d77b67586b46d6ba571d2b4.exe
PID 1340 wrote to memory of 2800	1340	8dcc97027d77b67586b46d6ba571d2b4.exe	8dcc97027d77b67586b46d6ba571d2b4.exe
PID 1340 wrote to memory of 2800	1340	8dcc97027d77b67586b46d6ba571d2b4.exe	8dcc97027d77b67586b46d6ba571d2b4.exe
PID 1340 wrote to memory of 2800	1340	8dcc97027d77b67586b46d6ba571d2b4.exe	8dcc97027d77b67586b46d6ba571d2b4.exe
PID 2524 wrote to memory of 2700	2524	Dropakcx.exe	Dropakcx.exe
PID 2524 wrote to memory of 2700	2524	Dropakcx.exe	Dropakcx.exe
PID 2524 wrote to memory of 2700	2524	Dropakcx.exe	Dropakcx.exe
PID 2524 wrote to memory of 2700	2524	Dropakcx.exe	Dropakcx.exe
PID 2524 wrote to memory of 2700	2524	Dropakcx.exe	Dropakcx.exe
PID 3004 wrote to memory of 2928	3004	Vdgfgjkhsdwr.exe	Vdgfgjkhsdwr.exe
PID 3004 wrote to memory of 2928	3004	Vdgfgjkhsdwr.exe	Vdgfgjkhsdwr.exe
PID 3004 wrote to memory of 2928	3004	Vdgfgjkhsdwr.exe	Vdgfgjkhsdwr.exe
PID 3004 wrote to memory of 2928	3004	Vdgfgjkhsdwr.exe	Vdgfgjkhsdwr.exe
PID 3004 wrote to memory of 2928	3004	Vdgfgjkhsdwr.exe	Vdgfgjkhsdwr.exe
PID 2700 wrote to memory of 2852	2700	Dropakcx.exe	WerFault.exe
PID 2700 wrote to memory of 2852	2700	Dropakcx.exe	WerFault.exe
PID 2700 wrote to memory of 2852	2700	Dropakcx.exe	WerFault.exe
PID 2700 wrote to memory of 2852	2700	Dropakcx.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\8dcc97027d77b67586b46d6ba571d2b4.exe
"C:\Users\Admin\AppData\Local\Temp\8dcc97027d77b67586b46d6ba571d2b4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1340

C:\ProgramData\Vdgfgjkhsdwr.exe
"C:\ProgramData\Vdgfgjkhsdwr.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3004

C:\ProgramData\Vdgfgjkhsdwr.exe
"C:\ProgramData\Vdgfgjkhsdwr.exe"
3⤵
- Executes dropped EXE
PID:2928

C:\ProgramData\Dropakcx.exe
"C:\ProgramData\Dropakcx.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2524

C:\ProgramData\Dropakcx.exe
"C:\ProgramData\Dropakcx.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 780
4⤵
- Loads dropped DLL
- Program crash
PID:2852

C:\Users\Admin\AppData\Local\Temp\8dcc97027d77b67586b46d6ba571d2b4.exe
"C:\Users\Admin\AppData\Local\Temp\8dcc97027d77b67586b46d6ba571d2b4.exe"
2⤵
- Modifies system certificate store
PID:2800

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

1

T1553

Install Root Certificate

Modify Registry

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Dropakcx.exe
Filesize
444KB

MD5
e21551a13085e0ba0fad3e733d807559

SHA1
87aeaaf58c1d8cf23755697489267f289e7c5780

SHA256
abf5833a2ffa007792753f5d49fd21f00a2c8d20e623f57d9e3748c41fb1435a

SHA512
21497f7f742b5c2e61bd5b04e10eb71538d6bafd9c00aa793f9798a7035b9c02ac80bce3baa38d6e97a10239df726246a157b8c7db5ceffc31937187659ac189

Download Submit
C:\ProgramData\Dropakcx.exe
Filesize
351KB

MD5
c8743b5adf8d41b30759e0b3cf90d5e9

SHA1
ebde06255cf726e4eaa6c4568c958cb9c34b92dd

SHA256
a1531f02c5b450aec494f892131135e7a84945f72b9197a5d8c5e604b23b5dc7

SHA512
5aa27e97ef87b21945958485381032e031af7200ffda8a2931c7108d483bfe27e6c890b71774c6bd3b9e7a0f327a5e1477d31e981971f3a8fbc1441077f34cb7

Download Submit
C:\ProgramData\Vdgfgjkhsdwr.exe
Filesize
315KB

MD5
3b44bd97a18196b7960831f0a90baf41

SHA1
3e6b918a2d29a17b9419ea260786db705ba2794a

SHA256
c9c838a115a9c9f662e324f5f34be5f4275e73b64b1061672fa7ec88f3dd0eca

SHA512
cc3807218fe08dc903bebe76656148c1426b938bf09cd8f6fb28ef4ad8f3bf893cb4706790fa82f835fefff3f34d70763ec53eb2142b1a3ebe6c8e42e08778de

Download Submit
C:\ProgramData\Vdgfgjkhsdwr.exe
Filesize
375KB

MD5
e67dabcc0cfd964ada27a2c160ce253e

SHA1
88b4c598a8fe62e2cd38046f26ba9ba7a6d368c5

SHA256
2ab840136702c6336403dbd913f3910135b622accb4c8fb585ca96085e9419a1

SHA512
5f0ac2f2595026da34ff71717f1410efac14a0aa4b38bddb7643c235c9ee3f00673d3f27719eee8d970f403ac55986050bee1355bd6c22b7ff77807d983b8e03

Download Submit
\ProgramData\Dropakcx.exe
Filesize
331KB

MD5
e2b1a6633acfe733f9efdadd2f3ab690

SHA1
dc88d002bd93ff1a3ae48f7815013046931a8230

SHA256
59ba611c8762341a28a470cef09c3fb57862db0b70dc6d6674e6281d74845d18

SHA512
55e0c9cfee285c0e7ba7aa7d6e30a75f65cf812d24463723cf4ac15e34ed6f2e568535913b0a0c38da23ac07e3e1addc3db111c85b6c7dc61a55e06bc47fabb4

Download Submit
\ProgramData\Vdgfgjkhsdwr.exe
Filesize
396KB

MD5
b92b398d4e25a976dc699f2099fa8452

SHA1
900e6fedf9898adbbc5f3dc7185372ffb811c8ad

SHA256
6deb2679783cdd1f005ef86488a11de88fe52443f31f0c6e481b51f307271177

SHA512
5b854a34d489a94d2b193af192cb0d9f224ef1b7d2d0cd50b119a9cd24693c720482e9ddf910b2e9e0ef44e8ad263aa4a69094b503a01ff9a177d8c2cef5f1ed

Download Submit
memory/1340-22-0x0000000002690000-0x0000000002698000-memory.dmp

Filesize
32KB

Download
memory/1340-2-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2524-49-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2524-27-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2700-31-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2700-57-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2700-59-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2700-40-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2700-44-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2700-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2800-41-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2800-45-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2800-60-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2800-46-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/2800-26-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2928-48-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2928-37-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3004-34-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads