azorult | 67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988

General

Target

67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exe
Size

1012KB
MD5

7a346721a1641a389685b55d07e8eb92
SHA1

1e5ba0e54f475a754dad3583e32055a5f1974c90
SHA256

67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988
SHA512

dbe0f2c02537b8f00f54a3bf2493ba036ab06f74c1bdae789a77c888f0e4534a8b7784ba01a7cc9eee0c1646243df54a6671a3aee09b82566311aaeb9c280482
SSDEEP

12288:hxt6hRd3GUju9Al4QMe89d18EbVAXMJrQF0p4v9TH9yzsN2j33+RgshWtqU59d3y:hxQhf3DcA78DbVAXWQF0p2hNIeQqU5wd

Score

10^/10

azorult oski raccoon b76017a227a0d879dec7c76613918569d03892fb discovery infostealer spyware stealer trojan

Malware Config

Extracted

Family

azorult

C2

http://195.245.112.115/index.php

Extracted

Family

oski

C2

scarsa.ac.ug

Extracted

Family

raccoon

Botnet

b76017a227a0d879dec7c76613918569d03892fb

Attributes

url4cnc
http://telegka.top/brikitiki

http://telegin.top/brikitiki

https://t.me/brikitiki

rc4.plain

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Azorult family
azorult
Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Oski family
oski
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V1 payload 3 IoCs

resource	yara_rule
behavioral2/memory/2868-49-0x0000000000400000-0x0000000000495000-memory.dmp	family_raccoon_v1
behavioral2/memory/2868-48-0x0000000000400000-0x0000000000495000-memory.dmp	family_raccoon_v1
behavioral2/memory/2868-61-0x0000000000400000-0x0000000000491000-memory.dmp	family_raccoon_v1

Raccoon family
raccoon

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exe

Executes dropped EXE 4 IoCs

pid	Process
3224	Vtergfds.exe
4880	Vereransa.exe
4724	Vtergfds.exe
1032	Vereransa.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3224 set thread context of 4724	3224	Vtergfds.exe	87
PID 4880 set thread context of 1032	4880	Vereransa.exe	88
PID 2472 set thread context of 2868	2472	67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exe	89

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1300	1032	WerFault.exe	88

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Vtergfds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Vereransa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Vtergfds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
3224	Vtergfds.exe
4880	Vereransa.exe
2472	67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2472	67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exe
3224	Vtergfds.exe
4880	Vereransa.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2472 wrote to memory of 3224	2472	67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exe	83
PID 2472 wrote to memory of 3224	2472	67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exe	83
PID 2472 wrote to memory of 3224	2472	67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exe	83
PID 2472 wrote to memory of 4880	2472	67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exe	84
PID 2472 wrote to memory of 4880	2472	67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exe	84
PID 2472 wrote to memory of 4880	2472	67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exe	84
PID 3224 wrote to memory of 4724	3224	Vtergfds.exe	87
PID 3224 wrote to memory of 4724	3224	Vtergfds.exe	87
PID 3224 wrote to memory of 4724	3224	Vtergfds.exe	87
PID 3224 wrote to memory of 4724	3224	Vtergfds.exe	87
PID 4880 wrote to memory of 1032	4880	Vereransa.exe	88
PID 4880 wrote to memory of 1032	4880	Vereransa.exe	88
PID 4880 wrote to memory of 1032	4880	Vereransa.exe	88
PID 4880 wrote to memory of 1032	4880	Vereransa.exe	88
PID 2472 wrote to memory of 2868	2472	67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exe	89
PID 2472 wrote to memory of 2868	2472	67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exe	89
PID 2472 wrote to memory of 2868	2472	67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exe	89
PID 2472 wrote to memory of 2868	2472	67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exe	89

C:\Users\Admin\AppData\Local\Temp\67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exe
"C:\Users\Admin\AppData\Local\Temp\67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2472
- C:\Users\Admin\AppData\Local\Temp\Vtergfds.exe
  "C:\Users\Admin\AppData\Local\Temp\Vtergfds.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3224
- - C:\Users\Admin\AppData\Local\Temp\Vtergfds.exe
    "C:\Users\Admin\AppData\Local\Temp\Vtergfds.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4724
- C:\Users\Admin\AppData\Local\Temp\Vereransa.exe
  "C:\Users\Admin\AppData\Local\Temp\Vereransa.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4880
- - C:\Users\Admin\AppData\Local\Temp\Vereransa.exe
    "C:\Users\Admin\AppData\Local\Temp\Vereransa.exe"
    3⤵
    - Executes dropped EXE
    PID:1032
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1032 -s 1324
      4⤵
      Program crash
      PID:1300
- C:\Users\Admin\AppData\Local\Temp\67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exe
  "C:\Users\Admin\AppData\Local\Temp\67a0008d2f8433a6ed4d3af7daf87ab79e5eecb9a7b97e564e54fb8f4a417988.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1032 -ip 1032
1⤵
PID:3764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Vereransa.exe

Filesize
264KB

MD5
bbc3d625038de2cc64cbfdb76e888528

SHA1
75b19ab88f8c23d0088252e8c725d4ceea56895a

SHA256
3b8b57a0fa99b4d29b259e3641e967cbc84a314891273b56ce5bdeba30e49601

SHA512
9014f5d15f4e5311650e2b5357e72655c28cc64cb0dc7f1a37636270985a411a8baa26433f330d735850fe6a3dfe7479f70a9a52aa45c708879036ab1a1d3465

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vtergfds.exe

Filesize
216KB

MD5
0a8854ddd119e42c62bf2904efb29c1c

SHA1
986ab504ca3cc36fc0418516f26aabc4168224d6

SHA256
69f64ca4b22180560648691c2d52cfe11b253bb403663f8e92f25e0f76308dbb

SHA512
905e1ee950617ede45baf4f356c379f7c05876ac457ac36a556937c4d4ac55aa991902e1df069c92c654cf2260c4ac6cb21595e2f3fcce916fcf92d4f39aeec7

Download Submit
memory/1032-44-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1032-60-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1032-58-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1032-41-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1032-43-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1032-46-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2472-50-0x0000000000400000-0x00000000004FE000-memory.dmp

Filesize
1016KB

Download
memory/2472-3-0x00000000006F0000-0x00000000006F1000-memory.dmp

Filesize
4KB

Download
memory/2472-52-0x0000000000400000-0x00000000004FE000-memory.dmp

Filesize
1016KB

Download
memory/2472-2-0x00000000777C2000-0x00000000777C3000-memory.dmp

Filesize
4KB

Download
memory/2868-49-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/2868-61-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2868-48-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/3224-32-0x00000000005F0000-0x00000000005F7000-memory.dmp

Filesize
28KB

Download
memory/3224-28-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/4724-33-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4724-53-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4724-55-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4724-39-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4724-36-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4724-38-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4880-47-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4880-40-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4880-31-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads