MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4381f3472301d8b680f90832edd05d853bcef530b48f0476ce7ad1f6b150434c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4381f3472301d8b680f90832edd05d853bcef530b48f0476ce7ad1f6b150434c
SHA3-384 hash: e5fa800b145d00ea2c5406bfa81be706398c64ae8c59d0b6dcad924070bd630a0b94187c541a1f746c3f35ebccd7818f
SHA1 hash: db0b87c7cd2603c232b4e32d6795c099ccd8ec91
MD5 hash: 796ba20b3616c9e124f264c78926490f
humanhash: edward-oranges-lima-louisiana
File name:Scan_Document.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:559'616 bytes
First seen:2020-05-07 15:21:01 UTC
Last seen:2020-05-07 16:04:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:gz+B/+JOF5soUUZGoX9EAjmFEKjt6dh2+03u+GcUZRES3ltbMnq:h+QF5scZDt5mFEbh2yjnv
Threatray 432 similar samples on MalwareBazaar
TLSH 66C423906F880907D56A713E6FFE12920067DE5FF246FB4B93D6B18B12327D12909B87
Reporter abuse_ch
Tags:AZORult exe


Avatar
abuse_ch
Malspam distributing AZORult:

Sending IP: 160.16.122.214
From: alan@hodari.co.uk <alan@hodari.co.uk>
Subject: Urgent: FYI
Subject: Urgent: FYI
Attachment: Scan_Document.img (contains "Scan_Document.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
105
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Nanocore.23.18299.27506.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-07 15:35:56 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
27 of 31 (87.10%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ioa7grzdahmlnahzbazo3uc5qu5455jqwshqi5wopli7nmkqinga._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
Similar samples:
20a9bc3f666ce6b20c542ada396b7e3a2b222fedd94886c42a239aeb06bddda3
AZORult
5d21ac6bca0ba98cba5930bc0ad3bc702615c3169f8fd73535f920adb8f547b3
AZORult
6db812f8cde69dfe388cc2e7f8c3275c8f1dba462374e6215722de0663af526d
AZORult
6fa68728252ed2ff5085223351da61ac8491d237707846ba016f0bd2f14f47bc
AZORult
980fb51b13fc0116ca06b8e5d8116569942b53eb4ae54c33b62e731f149cb136
AZORult
a6e22fa468017d9340a33ada6f780ba5f28758f9348fdc6bdf1b5756ae2414c2
AZORult
aa699d6811b7b84893adc0734f2d1b044903ffd15d68ccde38002f34057c35fe
AZORult
c755cbe34fdad2ee86d4c6226d040ea111489e468df67a70c32cb890d1ed90ac
AZORult
f2dcf747bef15584ddd0242430a2374ef9b3b3b542b25cfd75589ec2d3dc66d6
AZORult
f519262929d4793f6fa538f80ce1a4c378b6bfa16b09cb8ac63475fd1b1bd39b
AZORult
+ 422 additional samples on MalwareBazaar
Result
Malware family:
azorult
Create hunting rule
Score:
  10/10
Tags:
persistence family:azorult infostealer trojan
Link:
https://tria.ge/reports/201109-9775grk2bx/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Maps connected drives based on registry
Azorult
Malware Config
C2 Extraction:
https://www.aljubab.com/img/vs/index.php
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AZORult

img 5df2e1e95d9faa42c63ce5814441c9a279841ac094c5b706919c865bf1f25d8c

AZORult

Executable exe 4381f3472301d8b680f90832edd05d853bcef530b48f0476ce7ad1f6b150434c

(this sample)

  
Dropped by
MD5 6d1b31d6b68f4d0381554ce778938433
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 5df2e1e95d9faa42c63ce5814441c9a279841ac094c5b706919c865bf1f25d8c

Comments