MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 677bad6776101e7fcb1bb22c68ce927e4cc4e28340de5f52602731500df65236. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 5


Intelligence 5 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 677bad6776101e7fcb1bb22c68ce927e4cc4e28340de5f52602731500df65236
SHA3-384 hash: 53cd40c7b344eb9efe27fef7734eaca1d4de4efed842faea2cfad14f74880128fa87b00dbf115315f4d210a78b613623
SHA1 hash: 03d33300c0d881dafde511bdb419166184cdfb58
MD5 hash: 38f7c99ce3cada141c03a21f2b1007d8
humanhash: speaker-alpha-lion-river
File name:INVOICE OVERDUE-Factura Nº 10303-30-2020.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:195'584 bytes
First seen:2020-06-04 09:03:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 3072:CXDEeV9kLnqK05CspyL1pgWM5+O/QAUWhcTLk+KVyMmEy0FiYfDl:CXTko5Cubw8TfYkTTZ8kD
Threatray 364 similar samples on MalwareBazaar
TLSH 7014AD0447AC2596C5377679CFAB2318D6761A871E00941D7DBCD2D6BFBB180A0C2FAE
Reporter abuse_ch
Tags:AZORult exe


Avatar
abuse_ch
Malspam distributing AZORult:

HELO: slot0.elatroks.com
Sending IP: 45.95.169.118
From: COMMERCIO EUROPA S.R.L.<info@elatroks.com>
Subject: Fw: Rv: Rv :Rv: Re: Re: OVERDUE PROFORMA INVOICE (URGENT!!!!)
Attachment: INVOICE OVERDUE-Factura N\xBA 10303-30-2020.z (contains "INVOICE OVERDUE-Factura Nº 10303-30-2020.exe")

AZORult C2:
http://193.42.96.108/panel/index.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
132
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-06-04 09:36:25 UTC
AV detection:
24 of 31 (77.42%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=m5522z3wcaph7sy3wiwgrtuspzgmjyudidpf6utae4yvadpwki3a._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
Similar samples:
5308f89ea6ae9b511d38eaf32f0352c06279190262618737aeae66c24e4af7bd
AZORult
5d21ac6bca0ba98cba5930bc0ad3bc702615c3169f8fd73535f920adb8f547b3
AZORult
6db812f8cde69dfe388cc2e7f8c3275c8f1dba462374e6215722de0663af526d
AZORult
6deebaab103ae6c27748bd1f534cfc1780e4cb0fe74496801f15562a02a6f25b
AZORult
7c0da5d623d50dd5f42e826f37c823aebed316382aa3fca37eb65f19284edc7f
AZORult
7d993302cc848cc921c381c1689f9bc64b480e1f9b6ddcccfcd76cea8d42cbbc
AZORult
a6e22fa468017d9340a33ada6f780ba5f28758f9348fdc6bdf1b5756ae2414c2
AZORult
da4bbd6957ac3ac81d2030c5cc1c7d062229ac5499318c8289977a771a17dce4
AZORult
dd668abafa9cbdf937e710f2e2e7f6228ca99c7a226b507d43f887c03dff8509
AZORult
f519262929d4793f6fa538f80ce1a4c378b6bfa16b09cb8ac63475fd1b1bd39b
AZORult
+ 354 additional samples on MalwareBazaar
Result
Malware family:
azorult
Create hunting rule
Score:
  10/10
Tags:
family:azorult infostealer trojan
Link:
https://tria.ge/reports/201109-1lq6hqakja/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Azorult
Malware Config
C2 Extraction:
http://193.42.96.108/panel/index.php
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Trojan_W32_Gh0stMiancha_1_0_0
Create hunting rule
Rule name:win_azorult_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AZORult

zip 559769c2dd80eb2d3a90118b319b65574b1900f51cee6592d44f2329e85afa54

AZORult

Executable exe 677bad6776101e7fcb1bb22c68ce927e4cc4e28340de5f52602731500df65236

(this sample)

  
Dropped by
MD5 ef61bd70e09d1d4b42c7c3ddfc514081
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 559769c2dd80eb2d3a90118b319b65574b1900f51cee6592d44f2329e85afa54

Comments