Overview

overview

10

Static

static

3

be1aaef371...8c.exe

windows7-x64

1

be1aaef371...8c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-03-2024 08:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    be1aaef37143496d75cb83643ff63f8c.exe

  • Size

    968KB

  • MD5

    be1aaef37143496d75cb83643ff63f8c

  • SHA1

    849a5bfbfdc16cad6c10edbaadcc4bad71756620

  • SHA256

    b594ae37dfb90a402bda0803680b455ababcc67e1add26f3c3f8f192d97dbe2a

  • SHA512

    478d565fa97298583fc72debf544f556d0c113f51fc20ab626726dd6882401f06ba73f13772f1fed0d418c1ca4160e04b52949e82d97c189fc0848f1c6c8d737

  • SSDEEP

    24576:waR0NC7TnVeuFVVo2f1sSu/3WxF0ZSFgazrw7bYOggrF0dz+QgAgL:waWNC7hLVVL1sX3WxKZKgW2hrKd7jE

Score
10/10
azorultoskiraccoon43aae292cfe6f58a13bd7111bdd7d5ded5b23ec3infostealerspywarestealertrojan

Malware Config

Extracted

Family

raccoon

Botnet

43aae292cfe6f58a13bd7111bdd7d5ded5b23ec3

Attributes
  • url4cnc

    https://telete.in/brikitiki

rc4.plain
rc4.plain

Extracted

Family

oski

C2

mazooyaar.ac.ug

Extracted

Family

azorult

C2

http://195.245.112.115/index.php

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    trojaninfostealerazorult
  • Oski

    Oski is an infostealer targeting browser data, crypto wallets.

    infostealeroski
  • Raccoon

    Raccoon is an infostealer written in C++ and first seen in 2019.

    stealerraccoon
  • Raccoon Stealer V1 payload 5 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\be1aaef37143496d75cb83643ff63f8c.exe
    "C:\Users\Admin\AppData\Local\Temp\be1aaef37143496d75cb83643ff63f8c.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4952
    • C:\Users\Admin\AppData\Local\Temp\vcxfse.exe
      "C:\Users\Admin\AppData\Local\Temp\vcxfse.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4860
      • C:\Users\Admin\AppData\Local\Temp\vcxfse.exe
        "C:\Users\Admin\AppData\Local\Temp\vcxfse.exe"
        3⤵
        • Executes dropped EXE
        PID:3340
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3340 -s 1280
          4⤵
          • Program crash
          PID:3684
    • C:\Users\Admin\AppData\Local\Temp\cbvjns.exe
      "C:\Users\Admin\AppData\Local\Temp\cbvjns.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3468
      • C:\Users\Admin\AppData\Local\Temp\cbvjns.exe
        "C:\Users\Admin\AppData\Local\Temp\cbvjns.exe"
        3⤵
        • Executes dropped EXE
        PID:3208
    • C:\Users\Admin\AppData\Local\Temp\be1aaef37143496d75cb83643ff63f8c.exe
      "C:\Users\Admin\AppData\Local\Temp\be1aaef37143496d75cb83643ff63f8c.exe"
      2⤵
        PID:4944
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3340 -ip 3340
      1⤵
        PID:1636

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\cbvjns.exe
        Filesize

        200KB

        MD5

        b0ba9efb326279b8afe5e8a2656588ea

        SHA1

        eb42914b53580850dd56dcf6ddc80334d3bfcb45

        SHA256

        6950e762e655de299bce3dd06e0d7c70496e962ff41752b5741142dbedfcfba7

        SHA512

        cc0719e37b01b480cea20180a80af0565ffd4983ebeb68370ba87f08d56ed45dbd31dfb0355c466488938e5838e60caec2b4889f30115e3babb630d0c28e836a

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\vcxfse.exe
        Filesize

        248KB

        MD5

        2c065af519ad099f60a7286e3f0dc1d3

        SHA1

        15b7a2da624a9cb2e7750dfc17ca853520e99e01

        SHA256

        822fbf405e2ffff77f8c3ad451e345f62fc476a6c678038c5b214badbed83c17

        SHA512

        f47b368dd3faeda1a7d143ee8353e64033633d48af620205db289bab2869d4ecd6cc3f8084cfafa43e34a3a70aabb9c08627865a5fe9ae99934e1b4b193d0b6a

        Download Submit

      • memory/3208-56-0x00000000005A0000-0x00000000005A1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3208-42-0x0000000000400000-0x0000000000424000-memory.dmp

        Filesize

        144KB

        Download

      • memory/3208-54-0x0000000077AE2000-0x0000000077AE3000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3208-55-0x0000000000400000-0x0000000000424000-memory.dmp

        Filesize

        144KB

        Download

      • memory/3208-58-0x0000000000400000-0x0000000000420000-memory.dmp

        Filesize

        128KB

        Download

      • memory/3208-57-0x0000000000400000-0x0000000000424000-memory.dmp

        Filesize

        144KB

        Download

      • memory/3208-51-0x0000000000400000-0x0000000000424000-memory.dmp

        Filesize

        144KB

        Download

      • memory/3340-52-0x0000000002050000-0x0000000002051000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3340-38-0x0000000000400000-0x0000000000438000-memory.dmp

        Filesize

        224KB

        Download

      • memory/3340-40-0x0000000000400000-0x0000000000438000-memory.dmp

        Filesize

        224KB

        Download

      • memory/3340-44-0x0000000000400000-0x0000000000438000-memory.dmp

        Filesize

        224KB

        Download

      • memory/3340-62-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3340-50-0x0000000077AE2000-0x0000000077AE3000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3340-61-0x0000000000400000-0x0000000000438000-memory.dmp

        Filesize

        224KB

        Download

      • memory/3468-36-0x0000000000990000-0x0000000000997000-memory.dmp

        Filesize

        28KB

        Download

      • memory/3468-31-0x0000000000980000-0x0000000000981000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4860-49-0x0000000000910000-0x0000000000917000-memory.dmp

        Filesize

        28KB

        Download

      • memory/4860-34-0x0000000000910000-0x0000000000917000-memory.dmp

        Filesize

        28KB

        Download

      • memory/4860-29-0x00000000006F0000-0x00000000006F1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4944-43-0x0000000077AE2000-0x0000000077AE3000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4944-45-0x0000000000610000-0x0000000000611000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4944-35-0x0000000000400000-0x0000000000496000-memory.dmp

        Filesize

        600KB

        Download

      • memory/4944-37-0x0000000000400000-0x0000000000496000-memory.dmp

        Filesize

        600KB

        Download

      • memory/4944-33-0x0000000000400000-0x0000000000496000-memory.dmp

        Filesize

        600KB

        Download

      • memory/4944-63-0x0000000000400000-0x0000000000492000-memory.dmp

        Filesize

        584KB

        Download

      • memory/4944-64-0x0000000000400000-0x0000000000496000-memory.dmp

        Filesize

        600KB

        Download

      • memory/4952-2-0x0000000077AE2000-0x0000000077AE3000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4952-32-0x0000000002D10000-0x0000000002D17000-memory.dmp

        Filesize

        28KB

        Download

      • memory/4952-3-0x0000000000800000-0x0000000000801000-memory.dmp

        Filesize

        4KB

        Download