azorult | b594ae37dfb90a402bda0803680b455ababcc67e1add26f3c3f8f192d97dbe2a

General

Target

be1aaef37143496d75cb83643ff63f8c.exe
Size

968KB
MD5

be1aaef37143496d75cb83643ff63f8c
SHA1

849a5bfbfdc16cad6c10edbaadcc4bad71756620
SHA256

b594ae37dfb90a402bda0803680b455ababcc67e1add26f3c3f8f192d97dbe2a
SHA512

478d565fa97298583fc72debf544f556d0c113f51fc20ab626726dd6882401f06ba73f13772f1fed0d418c1ca4160e04b52949e82d97c189fc0848f1c6c8d737
SSDEEP

24576:waR0NC7TnVeuFVVo2f1sSu/3WxF0ZSFgazrw7bYOggrF0dz+QgAgL:waWNC7hLVVL1sX3WxKZKgW2hrKd7jE

Score

10^/10

azorult oski raccoon 43aae292cfe6f58a13bd7111bdd7d5ded5b23ec3 infostealer spyware stealer trojan

Malware Config

Extracted

Family

raccoon

Botnet

43aae292cfe6f58a13bd7111bdd7d5ded5b23ec3

Attributes

url4cnc
https://telete.in/brikitiki

rc4.plain

Extracted

Family

oski

C2

mazooyaar.ac.ug

Extracted

Family

azorult

C2

http://195.245.112.115/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V1 payload 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4944-33-0x0000000000400000-0x0000000000496000-memory.dmp	family_raccoon_v1
behavioral2/memory/4944-37-0x0000000000400000-0x0000000000496000-memory.dmp	family_raccoon_v1
behavioral2/memory/4944-35-0x0000000000400000-0x0000000000496000-memory.dmp	family_raccoon_v1
behavioral2/memory/4944-63-0x0000000000400000-0x0000000000492000-memory.dmp	family_raccoon_v1
behavioral2/memory/4944-64-0x0000000000400000-0x0000000000496000-memory.dmp	family_raccoon_v1

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

be1aaef37143496d75cb83643ff63f8c.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	be1aaef37143496d75cb83643ff63f8c.exe

Executes dropped EXE 4 IoCs

Processes:

vcxfse.execbvjns.exevcxfse.execbvjns.exe

pid process

4860 vcxfse.exe
3468 cbvjns.exe
3340 vcxfse.exe
3208 cbvjns.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4860	vcxfse.exe
3468	cbvjns.exe
3340	vcxfse.exe
3208	cbvjns.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

be1aaef37143496d75cb83643ff63f8c.exevcxfse.execbvjns.exe

description	pid	process	target process
PID 4952 set thread context of 4944	4952	be1aaef37143496d75cb83643ff63f8c.exe	be1aaef37143496d75cb83643ff63f8c.exe
PID 4860 set thread context of 3340	4860	vcxfse.exe	vcxfse.exe
PID 3468 set thread context of 3208	3468	cbvjns.exe	cbvjns.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3684 3340 WerFault.exe vcxfse.exe
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

be1aaef37143496d75cb83643ff63f8c.exevcxfse.execbvjns.exe

pid process

4952 be1aaef37143496d75cb83643ff63f8c.exe
4860 vcxfse.exe
3468 cbvjns.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

be1aaef37143496d75cb83643ff63f8c.exevcxfse.execbvjns.exe

pid process

4952 be1aaef37143496d75cb83643ff63f8c.exe
4860 vcxfse.exe
3468 cbvjns.exe

pid	pid_target	process	target process
3684	3340	WerFault.exe	vcxfse.exe

pid	process
4952	be1aaef37143496d75cb83643ff63f8c.exe
4860	vcxfse.exe
3468	cbvjns.exe

pid	process
4952	be1aaef37143496d75cb83643ff63f8c.exe
4860	vcxfse.exe
3468	cbvjns.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

be1aaef37143496d75cb83643ff63f8c.exevcxfse.execbvjns.exe

description	pid	process	target process
PID 4952 wrote to memory of 4860	4952	be1aaef37143496d75cb83643ff63f8c.exe	vcxfse.exe
PID 4952 wrote to memory of 4860	4952	be1aaef37143496d75cb83643ff63f8c.exe	vcxfse.exe
PID 4952 wrote to memory of 4860	4952	be1aaef37143496d75cb83643ff63f8c.exe	vcxfse.exe
PID 4952 wrote to memory of 3468	4952	be1aaef37143496d75cb83643ff63f8c.exe	cbvjns.exe
PID 4952 wrote to memory of 3468	4952	be1aaef37143496d75cb83643ff63f8c.exe	cbvjns.exe
PID 4952 wrote to memory of 3468	4952	be1aaef37143496d75cb83643ff63f8c.exe	cbvjns.exe
PID 4952 wrote to memory of 4944	4952	be1aaef37143496d75cb83643ff63f8c.exe	be1aaef37143496d75cb83643ff63f8c.exe
PID 4952 wrote to memory of 4944	4952	be1aaef37143496d75cb83643ff63f8c.exe	be1aaef37143496d75cb83643ff63f8c.exe
PID 4952 wrote to memory of 4944	4952	be1aaef37143496d75cb83643ff63f8c.exe	be1aaef37143496d75cb83643ff63f8c.exe
PID 4952 wrote to memory of 4944	4952	be1aaef37143496d75cb83643ff63f8c.exe	be1aaef37143496d75cb83643ff63f8c.exe
PID 4860 wrote to memory of 3340	4860	vcxfse.exe	vcxfse.exe
PID 4860 wrote to memory of 3340	4860	vcxfse.exe	vcxfse.exe
PID 4860 wrote to memory of 3340	4860	vcxfse.exe	vcxfse.exe
PID 4860 wrote to memory of 3340	4860	vcxfse.exe	vcxfse.exe
PID 3468 wrote to memory of 3208	3468	cbvjns.exe	cbvjns.exe
PID 3468 wrote to memory of 3208	3468	cbvjns.exe	cbvjns.exe
PID 3468 wrote to memory of 3208	3468	cbvjns.exe	cbvjns.exe
PID 3468 wrote to memory of 3208	3468	cbvjns.exe	cbvjns.exe

C:\Users\Admin\AppData\Local\Temp\be1aaef37143496d75cb83643ff63f8c.exe
"C:\Users\Admin\AppData\Local\Temp\be1aaef37143496d75cb83643ff63f8c.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4952

C:\Users\Admin\AppData\Local\Temp\vcxfse.exe
"C:\Users\Admin\AppData\Local\Temp\vcxfse.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4860

C:\Users\Admin\AppData\Local\Temp\vcxfse.exe
"C:\Users\Admin\AppData\Local\Temp\vcxfse.exe"
3⤵
- Executes dropped EXE
PID:3340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3340 -s 1280
4⤵
- Program crash
PID:3684

C:\Users\Admin\AppData\Local\Temp\cbvjns.exe
"C:\Users\Admin\AppData\Local\Temp\cbvjns.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3468

C:\Users\Admin\AppData\Local\Temp\cbvjns.exe
"C:\Users\Admin\AppData\Local\Temp\cbvjns.exe"
3⤵
- Executes dropped EXE
PID:3208

C:\Users\Admin\AppData\Local\Temp\be1aaef37143496d75cb83643ff63f8c.exe
"C:\Users\Admin\AppData\Local\Temp\be1aaef37143496d75cb83643ff63f8c.exe"
2⤵
PID:4944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3340 -ip 3340
1⤵
PID:1636

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cbvjns.exe
Filesize
200KB

MD5
b0ba9efb326279b8afe5e8a2656588ea

SHA1
eb42914b53580850dd56dcf6ddc80334d3bfcb45

SHA256
6950e762e655de299bce3dd06e0d7c70496e962ff41752b5741142dbedfcfba7

SHA512
cc0719e37b01b480cea20180a80af0565ffd4983ebeb68370ba87f08d56ed45dbd31dfb0355c466488938e5838e60caec2b4889f30115e3babb630d0c28e836a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vcxfse.exe
Filesize
248KB

MD5
2c065af519ad099f60a7286e3f0dc1d3

SHA1
15b7a2da624a9cb2e7750dfc17ca853520e99e01

SHA256
822fbf405e2ffff77f8c3ad451e345f62fc476a6c678038c5b214badbed83c17

SHA512
f47b368dd3faeda1a7d143ee8353e64033633d48af620205db289bab2869d4ecd6cc3f8084cfafa43e34a3a70aabb9c08627865a5fe9ae99934e1b4b193d0b6a

Download Submit
memory/3208-56-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/3208-42-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3208-54-0x0000000077AE2000-0x0000000077AE3000-memory.dmp

Filesize
4KB

Download
memory/3208-55-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3208-58-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3208-57-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3208-51-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3340-52-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/3340-38-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3340-40-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3340-44-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3340-62-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3340-50-0x0000000077AE2000-0x0000000077AE3000-memory.dmp

Filesize
4KB

Download
memory/3340-61-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3468-36-0x0000000000990000-0x0000000000997000-memory.dmp

Filesize
28KB

Download
memory/3468-31-0x0000000000980000-0x0000000000981000-memory.dmp

Filesize
4KB

Download
memory/4860-49-0x0000000000910000-0x0000000000917000-memory.dmp

Filesize
28KB

Download
memory/4860-34-0x0000000000910000-0x0000000000917000-memory.dmp

Filesize
28KB

Download
memory/4860-29-0x00000000006F0000-0x00000000006F1000-memory.dmp

Filesize
4KB

Download
memory/4944-43-0x0000000077AE2000-0x0000000077AE3000-memory.dmp

Filesize
4KB

Download
memory/4944-45-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/4944-35-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/4944-37-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/4944-33-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/4944-63-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/4944-64-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/4952-2-0x0000000077AE2000-0x0000000077AE3000-memory.dmp

Filesize
4KB

Download
memory/4952-32-0x0000000002D10000-0x0000000002D17000-memory.dmp

Filesize
28KB

Download
memory/4952-3-0x0000000000800000-0x0000000000801000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads