MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5dd9ce8ab0197fc220eaf0aa845f57454a2b88c95deb59acbae8e8945bb25b4f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5dd9ce8ab0197fc220eaf0aa845f57454a2b88c95deb59acbae8e8945bb25b4f
SHA3-384 hash: 40f5a6b14b5d14be3208a27908b3aa2098f07b52e9eb66a27e67e18d2af991a7a55a226a476e735a0d55c4d2f96e9757
SHA1 hash: 8f5b5241ffbff92bc59d5801c064b881fbdd69dc
MD5 hash: f39696f5a42d2d53c17050bbfcc5154e
humanhash: steak-happy-india-stairway
File name:PI_#06875654.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:627'712 bytes
First seen:2020-07-09 12:19:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 927c37aff1985dca3a480112dcc5320c (11 x AgentTesla, 5 x NanoCore, 3 x Loki)
ssdeep 12288:3XjgbnMmIKCXsLIN4KKD6fpkR+ypsKtvP1QZTQC+ILopSxzbLmkOtE8ssrvcH5bU:nkb4uLgpfpkZqKJstY
Threatray 1'983 similar samples on MalwareBazaar
TLSH 0FD48E22F6A14833C163167BBC1B5778983ABE103D6479862BE55C4C9F39781393AF93
Reporter abuse_ch
Tags:AZORult exe


Avatar
abuse_ch
Malspam distributing AZORult:

HELO: peninsulapetroleurn.com
Sending IP: 194.71.227.32
From: TF Chong <spark@peninsulapetroleurn.com>
Subject: Fw: Profomer Invoice_09072020
Attachment: PI_06875654.zip (contains "PI_#06875654.exe")

AZORult C2:
http://45.95.168.162/city/index.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
186
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Azorult
Create hunting rule
Link:
https://www.capesandbox.com/analysis/23763/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.Win32.Herz.B.11080.11062.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Sending an HTTP POST request
Creating a file in the %temp% subdirectories
Reading critical registry keys
Creating a file
Deleting a recently created file
Launching a service
Running batch commands
Creating a process with a hidden window
Launching a process
Replacing files
Stealing user critical data
Deleting of the original file
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5dd9ce8ab0197fc220eaf0aa845f57454a2b88c95deb59acbae8e8945bb25b4f/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-07-09 08:56:37 UTC
AV detection:
28 of 29 (96.55%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=lxm45cvqdf74eihk6cviix2xivfcxcgjlxvvtlf25dujiw5slnhq._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
Similar samples:
06de75b87333ad16ff8f3a9d1729784ef6f5ac11076d0a5effa2c023e683bd98
AZORult
188cd2049f2d511fbe6ede085f60214b76f73125a16165026d4e4d392f1a721a
AZORult
44c9345759f82e06403ff2312e21c4c487c7445707bc28e62046268d141afd16
AZORult
6d01ee99d5c720b96cc5d8d468305ad87fd0cb0e3730fd907f74a27d13239a06
AZORult
baf6a75e20150f7383f636a2a41241dd6f5a1fcfbfec13944ebd8e02479123ee
AZORult
c755cbe34fdad2ee86d4c6226d040ea111489e468df67a70c32cb890d1ed90ac
AZORult
dc9b22b1af973bd12495cfd6e2c6621eb21e347a3f6a32edafb823a91d4e721a
AZORult
e9a35c488c49d24c11d3d82d548c984f11f0987ba4ae47ac30409f2dc28508f7
AZORult
e9c42b737c586759102817b5922701598ec9c9256b36cf5fc28782fa09016ca4
AZORult
f484f2e953d9571e035e86dd89c82755ce0684fddd30b3d41bac21ac65f0cff4
AZORult
+ 1'973 additional samples on MalwareBazaar
Result
Malware family:
azorult
Create hunting rule
Score:
  10/10
Tags:
spyware discovery trojan infostealer family:azorult
Link:
https://tria.ge/reports/200709-p2zkkvwfxx/
Behaviour
Suspicious use of WriteProcessMemory
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of SetThreadContext
Checks for installed software on the system
Reads user/profile data of local email clients
Reads data files stored by FTP clients
Loads dropped DLL
Reads user/profile data of web browsers
Azorult
Malware Config
C2 Extraction:
http://45.95.168.162/city/index.php
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AZORult

zip 9665993758f1e1b1c83655a8d196c7651f1d143bf59d35e48a66eff7f6be1f53

AZORult

Executable exe 5dd9ce8ab0197fc220eaf0aa845f57454a2b88c95deb59acbae8e8945bb25b4f

(this sample)

  
Dropped by
MD5 7222bf84a8554639250b27906fc988cd
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 9665993758f1e1b1c83655a8d196c7651f1d143bf59d35e48a66eff7f6be1f53
Cape
Cape
https://www.capesandbox.com/analysis/23763/

Comments