azorult | 67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988

General

Target

67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exe
Size

1012KB
MD5

7a346721a1641a389685b55d07e8eb92
SHA1

1e5ba0e54f475a754dad3583e32055a5f1974c90
SHA256

67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988
SHA512

dbe0f2c02537b8f00f54a3bf2493ba036ab06f74c1bdae789a77c888f0e4534a8b7784ba01a7cc9eee0c1646243df54a6671a3aee09b82566311aaeb9c280482
SSDEEP

12288:hxt6hRd3GUju9Al4QMe89d18EbVAXMJrQF0p4v9TH9yzsN2j33+RgshWtqU59d3y:hxQhf3DcA78DbVAXWQF0p2hNIeQqU5wd

Score

10^/10

azorult oski raccoon b76017a227a0d879dec7c76613918569d03892fb discovery infostealer spyware stealer trojan

Malware Config

Extracted

Family

oski

C2

scarsa.ac.ug

Extracted

Family

azorult

C2

http://195.245.112.115/index.php

Extracted

Family

raccoon

Botnet

b76017a227a0d879dec7c76613918569d03892fb

Attributes

url4cnc
http://telegka.top/brikitiki

http://telegin.top/brikitiki

https://t.me/brikitiki

rc4.plain

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Azorult family
azorult
Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Oski family
oski
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V1 payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2172-44-0x0000000000400000-0x0000000000495000-memory.dmp	family_raccoon_v1
behavioral1/memory/2172-38-0x0000000000400000-0x0000000000495000-memory.dmp	family_raccoon_v1
behavioral1/memory/2172-52-0x0000000000400000-0x0000000000491000-memory.dmp	family_raccoon_v1
behavioral1/memory/2172-71-0x0000000000400000-0x0000000000491000-memory.dmp	family_raccoon_v1

Raccoon family
raccoon
Executes dropped EXE 4 IoCs

Processes:

Vtergfds.exeVereransa.exeVtergfds.exeVereransa.exe

pid process

2340 Vtergfds.exe
2288 Vereransa.exe
1868 Vtergfds.exe
2768 Vereransa.exe

pid	process
2340	Vtergfds.exe
2288	Vereransa.exe
1868	Vtergfds.exe
2768	Vereransa.exe

Loads dropped DLL 11 IoCs

Processes:

67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exeVtergfds.exeVereransa.exeWerFault.exe

pid	process
2888	67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exe
2888	67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exe
2888	67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exe
2888	67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exe
2340	Vtergfds.exe
2288	Vereransa.exe
1668	WerFault.exe
1668	WerFault.exe
1668	WerFault.exe
1668	WerFault.exe
1668	WerFault.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Suspicious use of SetThreadContext 3 IoCs

Processes:

Vtergfds.exe67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exeVereransa.exe

description	pid	process	target process
PID 2340 set thread context of 1868	2340	Vtergfds.exe	Vtergfds.exe
PID 2888 set thread context of 2172	2888	67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exe	67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exe
PID 2288 set thread context of 2768	2288	Vereransa.exe	Vereransa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1668 2768 WerFault.exe Vereransa.exe

pid	pid_target	process	target process
1668	2768	WerFault.exe	Vereransa.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exeVtergfds.exeVereransa.exeVtergfds.exe67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exeVereransa.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Vtergfds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Vereransa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Vtergfds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Vereransa.exe

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

Vtergfds.exe67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exeVereransa.exe

pid process

2340 Vtergfds.exe
2888 67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exe
2288 Vereransa.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exeVtergfds.exeVereransa.exe

pid process

2888 67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exe
2340 Vtergfds.exe
2288 Vereransa.exe

pid	process
2340	Vtergfds.exe
2888	67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exe
2288	Vereransa.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exeVtergfds.exeVereransa.exeVereransa.exe

description	pid	process	target process
PID 2888 wrote to memory of 2340	2888	67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exe	Vtergfds.exe
PID 2888 wrote to memory of 2340	2888	67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exe	Vtergfds.exe
PID 2888 wrote to memory of 2340	2888	67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exe	Vtergfds.exe
PID 2888 wrote to memory of 2340	2888	67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exe	Vtergfds.exe
PID 2888 wrote to memory of 2288	2888	67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exe	Vereransa.exe
PID 2888 wrote to memory of 2288	2888	67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exe	Vereransa.exe
PID 2888 wrote to memory of 2288	2888	67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exe	Vereransa.exe
PID 2888 wrote to memory of 2288	2888	67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exe	Vereransa.exe
PID 2340 wrote to memory of 1868	2340	Vtergfds.exe	Vtergfds.exe
PID 2340 wrote to memory of 1868	2340	Vtergfds.exe	Vtergfds.exe
PID 2340 wrote to memory of 1868	2340	Vtergfds.exe	Vtergfds.exe
PID 2340 wrote to memory of 1868	2340	Vtergfds.exe	Vtergfds.exe
PID 2340 wrote to memory of 1868	2340	Vtergfds.exe	Vtergfds.exe
PID 2888 wrote to memory of 2172	2888	67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exe	67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exe
PID 2888 wrote to memory of 2172	2888	67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exe	67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exe
PID 2888 wrote to memory of 2172	2888	67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exe	67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exe
PID 2888 wrote to memory of 2172	2888	67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exe	67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exe
PID 2888 wrote to memory of 2172	2888	67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exe	67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exe
PID 2288 wrote to memory of 2768	2288	Vereransa.exe	Vereransa.exe
PID 2288 wrote to memory of 2768	2288	Vereransa.exe	Vereransa.exe
PID 2288 wrote to memory of 2768	2288	Vereransa.exe	Vereransa.exe
PID 2288 wrote to memory of 2768	2288	Vereransa.exe	Vereransa.exe
PID 2288 wrote to memory of 2768	2288	Vereransa.exe	Vereransa.exe
PID 2768 wrote to memory of 1668	2768	Vereransa.exe	WerFault.exe
PID 2768 wrote to memory of 1668	2768	Vereransa.exe	WerFault.exe
PID 2768 wrote to memory of 1668	2768	Vereransa.exe	WerFault.exe
PID 2768 wrote to memory of 1668	2768	Vereransa.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exe
"C:\Users\Admin\AppData\Local\Temp\67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Users\Admin\AppData\Local\Temp\Vtergfds.exe
  "C:\Users\Admin\AppData\Local\Temp\Vtergfds.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Users\Admin\AppData\Local\Temp\Vtergfds.exe
    "C:\Users\Admin\AppData\Local\Temp\Vtergfds.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1868
- C:\Users\Admin\AppData\Local\Temp\Vereransa.exe
  "C:\Users\Admin\AppData\Local\Temp\Vereransa.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2288
- - C:\Users\Admin\AppData\Local\Temp\Vereransa.exe
    "C:\Users\Admin\AppData\Local\Temp\Vereransa.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2768
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 848
      4⤵
      Loads dropped DLL
      Program crash
      PID:1668
- C:\Users\Admin\AppData\Local\Temp\67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exe
  "C:\Users\Admin\AppData\Local\Temp\67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Vereransa.exe

Filesize
264KB

MD5
bbc3d625038de2cc64cbfdb76e888528

SHA1
75b19ab88f8c23d0088252e8c725d4ceea56895a

SHA256
3b8b57a0fa99b4d29b259e3641e967cbc84a314891273b56ce5bdeba30e49601

SHA512
9014f5d15f4e5311650e2b5357e72655c28cc64cb0dc7f1a37636270985a411a8baa26433f330d735850fe6a3dfe7479f70a9a52aa45c708879036ab1a1d3465

Download Submit
\Users\Admin\AppData\Local\Temp\Vtergfds.exe

Filesize
216KB

MD5
0a8854ddd119e42c62bf2904efb29c1c

SHA1
986ab504ca3cc36fc0418516f26aabc4168224d6

SHA256
69f64ca4b22180560648691c2d52cfe11b253bb403663f8e92f25e0f76308dbb

SHA512
905e1ee950617ede45baf4f356c379f7c05876ac457ac36a556937c4d4ac55aa991902e1df069c92c654cf2260c4ac6cb21595e2f3fcce916fcf92d4f39aeec7

Download Submit
memory/1868-33-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1868-51-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1868-49-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1868-28-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1868-31-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1868-37-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2172-38-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/2172-44-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/2172-71-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2172-52-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2288-36-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2288-46-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2340-22-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2340-24-0x0000000000440000-0x0000000000447000-memory.dmp

Filesize
28KB

Download
memory/2768-47-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2768-53-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2768-60-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2768-61-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2768-42-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2888-27-0x0000000000400000-0x00000000004FE000-memory.dmp

Filesize
1016KB

Download
memory/2888-39-0x0000000000400000-0x00000000004FE000-memory.dmp

Filesize
1016KB

Download
memory/2888-2-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads