Malware Analysis Report

2024-09-22 21:45

Sample ID 240310-j4cf6sgd8w
Target be1aaef37143496d75cb83643ff63f8c
SHA256 b594ae37dfb90a402bda0803680b455ababcc67e1add26f3c3f8f192d97dbe2a
Tags: azorult oski raccoon 43aae292cfe6f58a13bd7111bdd7d5ded5b23ec3 infostealer spyware stealer trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: b594ae37dfb90a402bda0803680b455ababcc67e1add26f3c3f8f192d97dbe2a

Threat Level: Known bad

The file be1aaef37143496d75cb83643ff63f8c was found to be: Known bad.

Malicious Activity Summary

azorult oski raccoon 43aae292cfe6f58a13bd7111bdd7d5ded5b23ec3 infostealer spyware stealer trojan

Azorult

Raccoon Stealer V1 payload

Raccoon

Oski

Executes dropped EXE

Reads user/profile data of web browsers

Checks computer location settings

Suspicious use of SetThreadContext

Program crash

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-03-10 08:12

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-03-10 08:12
Reported: 2024-03-10 08:15
Platform: win7-20231129-en
Max time kernel: 121s
Max time network: 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\be1aaef37143496d75cb83643ff63f8c.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\be1aaef37143496d75cb83643ff63f8c.exe

"C:\Users\Admin\AppData\Local\Temp\be1aaef37143496d75cb83643ff63f8c.exe"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-03-10 08:12
Reported: 2024-03-10 08:15
Platform: win10v2004-20240226-en
Max time kernel: 150s
Max time network: 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\be1aaef37143496d75cb83643ff63f8c.exe"

Signatures

Azorult

trojan infostealer azorult

Oski

infostealer oski

Raccoon

stealer raccoon

Raccoon Stealer V1 payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\be1aaef37143496d75cb83643ff63f8c.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\vcxfse.exe

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4952 wrote to memory of 4860 | N/A | C:\Users\Admin\AppData\Local\Temp\be1aaef37143496d75cb83643ff63f8c.exe | C:\Users\Admin\AppData\Local\Temp\vcxfse.exe
PID 4952 wrote to memory of 4860 | N/A | C:\Users\Admin\AppData\Local\Temp\be1aaef37143496d75cb83643ff63f8c.exe | C:\Users\Admin\AppData\Local\Temp\vcxfse.exe
PID 4952 wrote to memory of 4860 | N/A | C:\Users\Admin\AppData\Local\Temp\be1aaef37143496d75cb83643ff63f8c.exe | C:\Users\Admin\AppData\Local\Temp\vcxfse.exe
PID 4952 wrote to memory of 3468 | N/A | C:\Users\Admin\AppData\Local\Temp\be1aaef37143496d75cb83643ff63f8c.exe | C:\Users\Admin\AppData\Local\Temp\cbvjns.exe
PID 4952 wrote to memory of 3468 | N/A | C:\Users\Admin\AppData\Local\Temp\be1aaef37143496d75cb83643ff63f8c.exe | C:\Users\Admin\AppData\Local\Temp\cbvjns.exe
PID 4952 wrote to memory of 3468 | N/A | C:\Users\Admin\AppData\Local\Temp\be1aaef37143496d75cb83643ff63f8c.exe | C:\Users\Admin\AppData\Local\Temp\cbvjns.exe
PID 4952 wrote to memory of 4944 | N/A | C:\Users\Admin\AppData\Local\Temp\be1aaef37143496d75cb83643ff63f8c.exe | C:\Users\Admin\AppData\Local\Temp\be1aaef37143496d75cb83643ff63f8c.exe
PID 4952 wrote to memory of 4944 | N/A | C:\Users\Admin\AppData\Local\Temp\be1aaef37143496d75cb83643ff63f8c.exe | C:\Users\Admin\AppData\Local\Temp\be1aaef37143496d75cb83643ff63f8c.exe
PID 4952 wrote to memory of 4944 | N/A | C:\Users\Admin\AppData\Local\Temp\be1aaef37143496d75cb83643ff63f8c.exe | C:\Users\Admin\AppData\Local\Temp\be1aaef37143496d75cb83643ff63f8c.exe
PID 4952 wrote to memory of 4944 | N/A | C:\Users\Admin\AppData\Local\Temp\be1aaef37143496d75cb83643ff63f8c.exe | C:\Users\Admin\AppData\Local\Temp\be1aaef37143496d75cb83643ff63f8c.exe
PID 4860 wrote to memory of 3340 | N/A | C:\Users\Admin\AppData\Local\Temp\vcxfse.exe | C:\Users\Admin\AppData\Local\Temp\vcxfse.exe
PID 4860 wrote to memory of 3340 | N/A | C:\Users\Admin\AppData\Local\Temp\vcxfse.exe | C:\Users\Admin\AppData\Local\Temp\vcxfse.exe
PID 4860 wrote to memory of 3340 | N/A | C:\Users\Admin\AppData\Local\Temp\vcxfse.exe | C:\Users\Admin\AppData\Local\Temp\vcxfse.exe
PID 4860 wrote to memory of 3340 | N/A | C:\Users\Admin\AppData\Local\Temp\vcxfse.exe | C:\Users\Admin\AppData\Local\Temp\vcxfse.exe
PID 3468 wrote to memory of 3208 | N/A | C:\Users\Admin\AppData\Local\Temp\cbvjns.exe | C:\Users\Admin\AppData\Local\Temp\cbvjns.exe
PID 3468 wrote to memory of 3208 | N/A | C:\Users\Admin\AppData\Local\Temp\cbvjns.exe | C:\Users\Admin\AppData\Local\Temp\cbvjns.exe
PID 3468 wrote to memory of 3208 | N/A | C:\Users\Admin\AppData\Local\Temp\cbvjns.exe | C:\Users\Admin\AppData\Local\Temp\cbvjns.exe
PID 3468 wrote to memory of 3208 | N/A | C:\Users\Admin\AppData\Local\Temp\cbvjns.exe | C:\Users\Admin\AppData\Local\Temp\cbvjns.exe

Processes

C:\Users\Admin\AppData\Local\Temp\be1aaef37143496d75cb83643ff63f8c.exe

"C:\Users\Admin\AppData\Local\Temp\be1aaef37143496d75cb83643ff63f8c.exe"

C:\Users\Admin\AppData\Local\Temp\vcxfse.exe

"C:\Users\Admin\AppData\Local\Temp\vcxfse.exe"

C:\Users\Admin\AppData\Local\Temp\cbvjns.exe

"C:\Users\Admin\AppData\Local\Temp\cbvjns.exe"

C:\Users\Admin\AppData\Local\Temp\be1aaef37143496d75cb83643ff63f8c.exe

"C:\Users\Admin\AppData\Local\Temp\be1aaef37143496d75cb83643ff63f8c.exe"

C:\Users\Admin\AppData\Local\Temp\vcxfse.exe

"C:\Users\Admin\AppData\Local\Temp\vcxfse.exe"

C:\Users\Admin\AppData\Local\Temp\cbvjns.exe

"C:\Users\Admin\AppData\Local\Temp\cbvjns.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3340 -ip 3340

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3340 -s 1280

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 20.231.121.79:80 | | tcp
US | 8.8.8.8:53 | mazooyaar.ac.ug | udp
US | 8.8.8.8:53 | telete.in | udp
US | 8.8.8.8:53 | mazoyer.ac.ug | udp
DE | 185.53.177.54:443 | telete.in | tcp
US | 8.8.8.8:53 | mazoyer.ac.ug | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 54.177.53.185.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 10.173.189.20.in-addr.arpa | udp

Files

memory/4952-2-0x0000000077AE2000-0x0000000077AE3000-memory.dmp

memory/4952-3-0x0000000000800000-0x0000000000801000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vcxfse.exe

MD5 2c065af519ad099f60a7286e3f0dc1d3
SHA1 15b7a2da624a9cb2e7750dfc17ca853520e99e01
SHA256 822fbf405e2ffff77f8c3ad451e345f62fc476a6c678038c5b214badbed83c17
SHA512 f47b368dd3faeda1a7d143ee8353e64033633d48af620205db289bab2869d4ecd6cc3f8084cfafa43e34a3a70aabb9c08627865a5fe9ae99934e1b4b193d0b6a

C:\Users\Admin\AppData\Local\Temp\cbvjns.exe

MD5 b0ba9efb326279b8afe5e8a2656588ea
SHA1 eb42914b53580850dd56dcf6ddc80334d3bfcb45
SHA256 6950e762e655de299bce3dd06e0d7c70496e962ff41752b5741142dbedfcfba7
SHA512 cc0719e37b01b480cea20180a80af0565ffd4983ebeb68370ba87f08d56ed45dbd31dfb0355c466488938e5838e60caec2b4889f30115e3babb630d0c28e836a

memory/4860-29-0x00000000006F0000-0x00000000006F1000-memory.dmp

memory/3468-31-0x0000000000980000-0x0000000000981000-memory.dmp

memory/4952-32-0x0000000002D10000-0x0000000002D17000-memory.dmp

memory/4944-33-0x0000000000400000-0x0000000000496000-memory.dmp

memory/3468-36-0x0000000000990000-0x0000000000997000-memory.dmp

memory/4944-37-0x0000000000400000-0x0000000000496000-memory.dmp

memory/3340-38-0x0000000000400000-0x0000000000438000-memory.dmp

memory/3340-40-0x0000000000400000-0x0000000000438000-memory.dmp

memory/4944-35-0x0000000000400000-0x0000000000496000-memory.dmp

memory/4860-34-0x0000000000910000-0x0000000000917000-memory.dmp

memory/4860-49-0x0000000000910000-0x0000000000917000-memory.dmp

memory/4944-45-0x0000000000610000-0x0000000000611000-memory.dmp

memory/4944-43-0x0000000077AE2000-0x0000000077AE3000-memory.dmp

memory/3208-42-0x0000000000400000-0x0000000000424000-memory.dmp

memory/3340-44-0x0000000000400000-0x0000000000438000-memory.dmp

memory/3340-50-0x0000000077AE2000-0x0000000077AE3000-memory.dmp

memory/3208-54-0x0000000077AE2000-0x0000000077AE3000-memory.dmp

memory/3208-55-0x0000000000400000-0x0000000000424000-memory.dmp

memory/3208-51-0x0000000000400000-0x0000000000424000-memory.dmp

memory/3340-52-0x0000000002050000-0x0000000002051000-memory.dmp

memory/3208-56-0x00000000005A0000-0x00000000005A1000-memory.dmp

memory/3208-57-0x0000000000400000-0x0000000000424000-memory.dmp

memory/3208-58-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3340-62-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3340-61-0x0000000000400000-0x0000000000438000-memory.dmp

memory/4944-63-0x0000000000400000-0x0000000000492000-memory.dmp

memory/4944-64-0x0000000000400000-0x0000000000496000-memory.dmp