Overview

overview

10

Static

static

3

c2a770ca66...f7.exe

windows7-x64

10

c2a770ca66...f7.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-03-2024 06:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c2a770ca66e4ee54f078afe8a2eb27f7.exe

  • Size

    944KB

  • MD5

    c2a770ca66e4ee54f078afe8a2eb27f7

  • SHA1

    6a7432afeeb9367febf8331fe63ffbd44a284b77

  • SHA256

    547bf6d6ed5ae181513ed653109514c73e5f50c3ea3a094bcd382fbd3c4b4bb0

  • SHA512

    571bd2d0d8267071af48525daa5b9a6aba42a14a51e3a85320135da48c0c995f34dcb2adb8440ce585554a4e6e2a17a84290de02db20f166fe6521894477b487

  • SSDEEP

    24576:0XzSYN91YjU3GJSDaBc8WNzELdGfetUG3ixJUkKEl0Ke0:wOYN91Yjk2ZLsGtUGKJUkKEl0Ke0

Score
10/10
azorultoskiraccoonc81fb6015c832710f869f6911e1aec18747e0184infostealerspywarestealertrojan

Malware Config

Extracted

Family

raccoon

Botnet

c81fb6015c832710f869f6911e1aec18747e0184

Attributes
  • url4cnc

    https://telete.in/brikitiki

rc4.plain
rc4.plain

Extracted

Family

oski

C2

hsagoi.ac.ug

Extracted

Family

azorult

C2

http://195.245.112.115/index.php

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    trojaninfostealerazorult
  • Oski

    Oski is an infostealer targeting browser data, crypto wallets.

    infostealeroski
  • Raccoon

    Raccoon is an infostealer written in C++ and first seen in 2019.

    stealerraccoon
  • Raccoon Stealer V1 payload 5 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c2a770ca66e4ee54f078afe8a2eb27f7.exe
    "C:\Users\Admin\AppData\Local\Temp\c2a770ca66e4ee54f078afe8a2eb27f7.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1920
    • C:\Users\Admin\AppData\Local\Temp\GFsewerhgccbv.exe
      "C:\Users\Admin\AppData\Local\Temp\GFsewerhgccbv.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4388
      • C:\Users\Admin\AppData\Local\Temp\GFsewerhgccbv.exe
        "C:\Users\Admin\AppData\Local\Temp\GFsewerhgccbv.exe"
        3⤵
        • Executes dropped EXE
        PID:2360
    • C:\Users\Admin\AppData\Local\Temp\GFytrnvbas.exe
      "C:\Users\Admin\AppData\Local\Temp\GFytrnvbas.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4908
      • C:\Users\Admin\AppData\Local\Temp\GFytrnvbas.exe
        "C:\Users\Admin\AppData\Local\Temp\GFytrnvbas.exe"
        3⤵
        • Executes dropped EXE
        PID:4604
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1212
          4⤵
          • Program crash
          PID:3924
    • C:\Users\Admin\AppData\Local\Temp\c2a770ca66e4ee54f078afe8a2eb27f7.exe
      "C:\Users\Admin\AppData\Local\Temp\c2a770ca66e4ee54f078afe8a2eb27f7.exe"
      2⤵
        PID:2108
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4604 -ip 4604
      1⤵
        PID:3036

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\GFsewerhgccbv.exe
        Filesize

        192KB

        MD5

        1f52ea06bdd59969bfa0f74cbe3d36e1

        SHA1

        4ed0c4495a502830c46715fdef20033f29df51f8

        SHA256

        e6bd46f02b26c3670dbe7af7baa83411c793f7765994bf40ada869a81a4d340a

        SHA512

        48c7f339498ee5e07be238cf4ab059639557b27ff98f0d69752047ab83cf512ea13373fd7783e2aa9fd7a6a14ae861baceaa4614500f0647cff07255d892d672

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\GFytrnvbas.exe
        Filesize

        240KB

        MD5

        b9924928f4b29aeefeae44164fcb572a

        SHA1

        a8e5d7154f5692ecb437970fa13b10d5f6459a93

        SHA256

        8a820fde18a110966a32716f5ebc4ca9a991bce2e08a58620f266d5372575bcd

        SHA512

        16b2450977d174bf43e8ea344b251469b60d4b5c7bd194637dd6418686766925cf382fdda2db4c57e060ad77b1a4b8d29b3500a07dd2e6ceb6a92b01f54ef5b9

        Download Submit

      • memory/1920-2-0x00000000778B2000-0x00000000778B3000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1920-3-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1920-32-0x0000000003620000-0x0000000003627000-memory.dmp

        Filesize

        28KB

        Download

      • memory/2108-62-0x0000000000400000-0x0000000000492000-memory.dmp

        Filesize

        584KB

        Download

      • memory/2108-61-0x0000000000400000-0x0000000000496000-memory.dmp

        Filesize

        600KB

        Download

      • memory/2108-33-0x0000000000400000-0x0000000000496000-memory.dmp

        Filesize

        600KB

        Download

      • memory/2108-34-0x0000000000400000-0x0000000000496000-memory.dmp

        Filesize

        600KB

        Download

      • memory/2108-35-0x0000000000400000-0x0000000000496000-memory.dmp

        Filesize

        600KB

        Download

      • memory/2108-37-0x00000000778B2000-0x00000000778B3000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2108-38-0x0000000000630000-0x0000000000631000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2360-53-0x0000000002040000-0x0000000002041000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2360-52-0x00000000778B2000-0x00000000778B3000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2360-60-0x0000000000400000-0x0000000000420000-memory.dmp

        Filesize

        128KB

        Download

      • memory/2360-59-0x0000000000400000-0x0000000000424000-memory.dmp

        Filesize

        144KB

        Download

      • memory/2360-46-0x0000000000400000-0x0000000000424000-memory.dmp

        Filesize

        144KB

        Download

      • memory/2360-49-0x0000000000400000-0x0000000000424000-memory.dmp

        Filesize

        144KB

        Download

      • memory/2360-51-0x0000000000400000-0x0000000000424000-memory.dmp

        Filesize

        144KB

        Download

      • memory/4388-31-0x00000000007E0000-0x00000000007E1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4604-45-0x00000000005B0000-0x00000000005B1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4604-39-0x0000000000400000-0x0000000000438000-memory.dmp

        Filesize

        224KB

        Download

      • memory/4604-56-0x0000000000400000-0x0000000000438000-memory.dmp

        Filesize

        224KB

        Download

      • memory/4604-58-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4604-41-0x0000000000400000-0x0000000000438000-memory.dmp

        Filesize

        224KB

        Download

      • memory/4604-44-0x00000000778B2000-0x00000000778B3000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4604-42-0x0000000000400000-0x0000000000438000-memory.dmp

        Filesize

        224KB

        Download

      • memory/4908-30-0x0000000001FC0000-0x0000000001FC1000-memory.dmp

        Filesize

        4KB

        Download