MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0f9667bcf85d4706f81bc69ae26a7d182a81aeebdc830ce8795c75c73e6ab843. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 18


Intelligence 18 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0f9667bcf85d4706f81bc69ae26a7d182a81aeebdc830ce8795c75c73e6ab843
SHA3-384 hash: c98475090531597febe87accada9d91d28afa6a3cf469146082e79c002366cb34335833af17a5fc84a3e29051095445a
SHA1 hash: 4960fb0a713a8e9b8e73067fee1ce86ded2a765e
MD5 hash: 8a345ac0db437c164dd5fe3ffede0a63
humanhash: oranges-gee-golf-east
File name:0f9667bcf85d4706f81bc69ae26a7d182a81aeebdc830ce8795c75c73e6ab843
Download: download sample
Signature AZORult
Create hunting rule
File size:1'050'112 bytes
First seen:2025-03-07 14:23:35 UTC
Last seen:2025-03-07 15:58:33 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:1pBRokldAixt2AdKDMK3uArW9T35P9xYqF:NDC5uArW9Lx96q
TLSH T11225F610BF5D6315E92D39FD6A66867726362E06A904F1EAE038720D9D31207CF3739E
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
dhash icon 094acb1609217567 (4 x SnakeKeylogger, 3 x AZORult, 1 x MassLogger)
Reporter adrian__luca
Tags:AZORult exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
445
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
azorult
Create hunting rule
ID:
1
File name:
0f9667bcf85d4706f81bc69ae26a7d182a81aeebdc830ce8795c75c73e6ab843
Verdict:
Malicious activity
Analysis date:
2025-03-07 12:11:04 UTC
Tags:
stealer azorult loader
Link:
https://app.any.run/tasks/f712e1e5-916d-43f6-8a28-f0344ab7f3cd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67cb032cc668b65489bfd3fa
Tags:
virus micro msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a file
Searching for synchronization primitives
Forced shutdown of a system process
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed vbnet
Link:
https://www.filescan.io/uploads/67cb01984a3011c802ca5c95/reports/50ef13a9-5832-427c-98ab-ac8f491cc61b/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/0f9667bcf85d4706f81bc69ae26a7d182a81aeebdc830ce8795c75c73e6ab843
Result
Verdict:
MALICIOUS
Malware family:
AZORult
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/378c1baa-c229-455c-a010-3e1e145f178a
Result
Threat name:
Azorult
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1631840
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Azorult
Yara detected Azorult Info Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1631840 Sample: A2h6QhZIKx.exe Startdate: 07/03/2025 Architecture: WINDOWS Score: 100 48 k1d5.icu 2->48 56 Suricata IDS alerts for network traffic 2->56 58 Found malware configuration 2->58 60 Malicious sample detected (through community Yara rule) 2->60 62 11 other signatures 2->62 8 A2h6QhZIKx.exe 7 2->8         started        12 lpIWQr.exe 3 2->12         started        14 svchost.exe 2->14         started        signatures3 process4 dnsIp5 38 C:\Users\user\AppData\Roaming\lpIWQr.exe, PE32 8->38 dropped 40 C:\Users\user\...\lpIWQr.exe:Zone.Identifier, ASCII 8->40 dropped 42 C:\Users\user\AppData\Local\...\tmp263E.tmp, XML 8->42 dropped 44 C:\Users\user\AppData\...\A2h6QhZIKx.exe.log, ASCII 8->44 dropped 64 Uses schtasks.exe or at.exe to add and modify task schedules 8->64 66 Adds a directory exclusion to Windows Defender 8->66 17 powershell.exe 23 8->17         started        20 powershell.exe 23 8->20         started        22 RegSvcs.exe 12 8->22         started        27 3 other processes 8->27 68 Antivirus detection for dropped file 12->68 70 Multi AV Scanner detection for dropped file 12->70 25 WerFault.exe 12->25         started        52 127.0.0.1 unknown unknown 14->52 file6 signatures7 process8 dnsIp9 54 Loading BitLocker PowerShell Module 17->54 30 conhost.exe 17->30         started        32 WmiPrvSE.exe 17->32         started        34 conhost.exe 20->34         started        50 k1d5.icu 104.21.96.1, 49681, 80 CLOUDFLARENETUS United States 22->50 46 C:\ProgramData\Microsoft\...\Report.wer, Unicode 27->46 dropped 36 conhost.exe 27->36         started        file10 signatures11 process12
Score:
97%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/0f9667bcf85d4706f81bc69ae26a7d182a81aeebdc830ce8795c75c73e6ab843
Detection:
azorult
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0f9667bcf85d4706f81bc69ae26a7d182a81aeebdc830ce8795c75c73e6ab843/
Threat name:
ByteCode-MSIL.Trojan.Jalapeno
Create hunting rule
Status:
Malicious
First seen:
2025-03-06 23:56:34 UTC
File Type:
PE (.Net Exe)
Extracted files:
38
AV detection:
24 of 38 (63.16%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=b6lgpphylvdqn6a3y2noe2t5davidlxl3sbqz2dzlr24optkxbbq._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
azorult
Create hunting rule
Similar samples:
error
AZORult
Result
Malware family:
azorult
Create hunting rule
Score:
  10/10
Tags:
family:azorult discovery execution infostealer trojan
Link:
https://tria.ge/reports/250307-rqv1cs1xez/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Azorult
Azorult family
Malware Config
C2 Extraction:
http://k1d5.icu/TP341/index.php
Verdict:
Malicious
Tags:
phishing azorult
YARA:
n/a
Link:
https://app.threat.zone/submission/100628a0-b173-4a64-b123-093e07567056
Unpacked files
SH256 hash:
0f9667bcf85d4706f81bc69ae26a7d182a81aeebdc830ce8795c75c73e6ab843
MD5 hash:
8a345ac0db437c164dd5fe3ffede0a63
SHA1 hash:
4960fb0a713a8e9b8e73067fee1ce86ded2a765e
Link:
https://www.unpac.me/results/6670dd56-62cb-4eb7-9f15-003bdd47ea91/
SH256 hash:
f315254220b9d68152a1f7f989676c9a26f01736c9e233f5e70a360e4a2ff32b
MD5 hash:
56b399421379f15e85ca4cc22d41c7d9
SHA1 hash:
5c2b7eccba665a16e024459921bf305c84d97e6f
Link:
https://www.unpac.me/results/6670dd56-62cb-4eb7-9f15-003bdd47ea91/
SH256 hash:
3147665c83368cde5138f688416f2c22c35b61ff44607e34e646e2f7af92fe09
MD5 hash:
b947873e4b3d14a22365abf692b07224
SHA1 hash:
34703b174f87ec91b8ccd81329de1141e2731c7e
Link:
https://www.unpac.me/results/6670dd56-62cb-4eb7-9f15-003bdd47ea91/
SH256 hash:
62f3b23569cf7402b1b437f9e94caeca9162fdf479b35a2166a44056e29872fd
MD5 hash:
159ba856206c19d3d62cc45a894fc563
SHA1 hash:
ac2536e891e9b9c1e180cad85b68e548a7a27147
Detections:
win_azorult_auto
Create hunting rule
win_azorult_g1
Create hunting rule
Azorult
Create hunting rule
Azorult
Create hunting rule
Link:
https://www.unpac.me/results/6670dd56-62cb-4eb7-9f15-003bdd47ea91/
SH256 hash:
fb84a1b680584ed51ed0c033065055f307899ece06a32d65bbbac229340c5acc
MD5 hash:
927a432a6825033a57ca07da4cd9e6b9
SHA1 hash:
be054b897798d7e3bd71fe010dd7e151fc4dde82
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/6670dd56-62cb-4eb7-9f15-003bdd47ea91/
Malware family:
AZORult v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0f9667bcf85d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments