MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1c2894353e85e78ce3f7d55ce6ef7422e5ddcc52dfa1a92bbe6808c01228e57e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1c2894353e85e78ce3f7d55ce6ef7422e5ddcc52dfa1a92bbe6808c01228e57e
SHA3-384 hash: 01760da0540484fb18a306f511b86072b3b5b7cac92c4b28ab2ac41c4836ec3f36802cda937708ddabb915ba67428330
SHA1 hash: b8ea778dbe7c855b270be29375d2949650fc2681
MD5 hash: b9a1e3f3bc25b19ccc08a0526a28f177
humanhash: finch-seven-harry-salami
File name:Payment Swift Notification_pdf.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:388'608 bytes
First seen:2020-08-19 11:16:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:PKF1nui0iU2i+CMEzAU2iGG8NVqskcPfRB3iehVFDqbIaRGt3TgVlpSiQGgo1o9I:yvnu7iU23C/zBH87PfHD3iehj+uszpZD
Threatray 292 similar samples on MalwareBazaar
TLSH ED84122421CCAB36E57D9BF85538411667F68816E326E7ADBFC410E62D72F82C374623
Reporter abuse_ch
Tags:AZORult exe


Avatar
abuse_ch
Malspam distributing AZORult:

HELO: nctr148.trdns.com
Sending IP: 77.245.144.119
From: Standard Chartered Bank <PaymentsAE@sc.com>
Subject: SUBJECT:Advice from Standard Chartered Bank
Attachment: Payment Swift Notification_pdf.r18 (contains "Payment Swift Notification_pdf.exe")

AZORult C2:

https://h-to-h.mixh.jp/ws/PL341/index.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
312
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Azorult
Create hunting rule
Link:
https://www.capesandbox.com/analysis/48435/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the Windows subdirectories
Sending a UDP request
Using the Windows Management Instrumentation requests
Creating a file
Result
Threat name:
Azorult
Create hunting rule
Detection:
malicious
Classification:
phis.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/437644
Signature
.NET source code contains potential unpacker
Binary contains a suspicious time stamp
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected Azorult
Yara detected Azorult Info Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 271325 Sample: Payment Swift Notification_... Startdate: 20/08/2020 Architecture: WINDOWS Score: 100 38 Malicious sample detected (through community Yara rule) 2->38 40 Sigma detected: Scheduled temp file as task from temp location 2->40 42 Yara detected Azorult 2->42 44 10 other signatures 2->44 7 Payment Swift Notification_pdf.exe 8 2->7         started        process3 file4 20 C:\Users\user\AppData\Local\...\tmp20C0.tmp, XML 7->20 dropped 22 C:\...\Payment Swift Notification_pdf.exe.log, ASCII 7->22 dropped 24 C:\Users\user\Desktop\x, PE32 7->24 dropped 26 C:\Users\user\AppData\Roaming\mPzrZpr.exe, PE32 7->26 dropped 46 Injects a PE file into a foreign processes 7->46 11 Payment Swift Notification_pdf.exe 61 7->11         started        16 schtasks.exe 1 7->16         started        signatures5 process6 dnsIp7 36 h-to-h.mixh.jp 150.95.55.43, 443, 49695, 49699 INTERQGMOInternetIncJP Japan 11->36 28 C:\Users\user\AppData\...\vcruntime140.dll, PE32 11->28 dropped 30 C:\Users\user\AppData\Local\...\ucrtbase.dll, PE32 11->30 dropped 32 C:\Users\user\AppData\Local\...\softokn3.dll, PE32 11->32 dropped 34 45 other files (none is malicious) 11->34 dropped 48 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->48 50 Tries to steal Instant Messenger accounts or passwords 11->50 52 Tries to steal Mail credentials (via file access) 11->52 54 3 other signatures 11->54 18 conhost.exe 16->18         started        file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1c2894353e85e78ce3f7d55ce6ef7422e5ddcc52dfa1a92bbe6808c01228e57e/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2020-08-19 11:18:08 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dqujinj6qxtyzy7x2voon33uels53tcs36q2sk56naemaeri4v7a._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
Similar samples:
05a1356768e4475daeebaae76e486705d2d920e7e4d511c1436ea3f9a650c1df
AZORult
151f57078e89aa2f81fcb307bf88fe23e9f2437a4df1e37def5d0b78797e12f8
AZORult
308c96557c6be5d4519ba4bac38c23e611c7b61683cfc1063a6009e216c24f5e
AZORult
573f11821c72786131d82bcdb3744b83d01615c25489f4cf2c46181ae6143226
AZORult
7e9b9bbb673e25ab8ee790dbfd2a3e489c0d3a88ab73aafe671f68982f1b41da
AZORult
81337231c53d0927b5aaff1792d71b5f5270e268e1909267ad3bd79951e72642
AZORult
9e17a9c1b1d0db2c9cd8fdf42c475712f8faaa68cb08bbff910a2927b910d88f
AZORult
9ffc0cc7f5b6bfb1e02d404b6d850e2fd72a778a1a2582fc061723f084cc73c2
AZORult
e539fe1b7096b7a1966ebbe10e2361c05fd90adf8ed312406f90efe13744e5af
AZORult
f0e2e9966bd7794ae8625606c47812e155333345dfdd691fc0eb4fc3d05dfd95
AZORult
+ 282 additional samples on MalwareBazaar
Result
Malware family:
azorult
Create hunting rule
Score:
  10/10
Tags:
spyware evasion trojan infostealer family:azorult discovery
Link:
https://tria.ge/reports/200819-293f3x9wfj/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks installed software on the system
JavaScript code in executable
Maps connected drives based on registry
Checks BIOS information in registry
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
Azorult
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1c2894353e85e78ce3f7d55ce6ef7422e5ddcc52dfa1a92bbe6808c01228e57e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AZORult

rar 66a405a411a5be5e380864115df0f2bf743afa9b76aaff6c544c9231f227f2ce

AZORult

Executable exe 1c2894353e85e78ce3f7d55ce6ef7422e5ddcc52dfa1a92bbe6808c01228e57e

(this sample)

  
Dropped by
MD5 35a3dc8ebdc6f18f5320af1df5abe3ad
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/48435/
  
Dropped by
SHA256 66a405a411a5be5e380864115df0f2bf743afa9b76aaff6c544c9231f227f2ce

Comments