MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7c0da5d623d50dd5f42e826f37c823aebed316382aa3fca37eb65f19284edc7f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AZORult

Vendor detections: 5

Intelligence 5 IOCs YARA 2 File information Comments

SHA256 hash:	7c0da5d623d50dd5f42e826f37c823aebed316382aa3fca37eb65f19284edc7f
SHA3-384 hash:	d69ef80338aa15664dd0ac460a82a67f8ef09b9cfebaf94336527b26a936a3eb78114665a7128386e4d73235dab7c72f
SHA1 hash:	97895f32a17ca8bc1461518d4214f1650ccba963
MD5 hash:	ca6eb200c1e022e29c24383e11600cc2
humanhash:	connecticut-finch-muppet-football
File name:	payment.exe
Download:	download sample
Signature	AZORult Create hunting rule
File size:	265'216 bytes
First seen:	2020-06-04 06:28:51 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	6144:XXTFLUOSoJhX1901qPe2PXVCRSwOE3quqMgbC7wWgi:XXVUOhJhX1QcvmxOE3qu2C
Threatray	359 similar samples on MalwareBazaar
TLSH	C544BF1623521262D174337ACE8B1528D27A692A8532675E36FC5BBBFF332317081F9D
Reporter	abuse_ch
Tags:	AZORult exe

abuse_ch

Malspam distributing AZORult:

HELO: spidergroupbd.com
Sending IP: 204.16.247.71
From: Jessica Bright <jessica@spidergroupbd.com>
Subject: Re: Request Order/New #P.O FHI-453-763
Attachment: New Order.gz (contains "payment.exe")

AZORult C2:
http://iscm.edu.ar/baggyaso/32/index.php

Intelligence

File Origin

# of uploads :

# of downloads :

123

Origin country :

n/a

Vendor Threat Intelligence

Gathering data

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-06-04 14:58:30 UTC

AV detection:

24 of 31 (77.42%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=pqg2lvrd2ug5l5boqjxtpsbdv27ngfryfkr7zi36wzprskco3r7q._file

Verdict:

malicious

Label(s):

azorult

Result

Malware family:

azorult

Score:

10/10

Tags:

family:azorult infostealer spyware trojan

Link:

https://tria.ge/reports/201109-6wkevaeld6/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

JavaScript code in executable

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Azorult

Malware Config

C2 Extraction:

http://iscm.edu.ar/baggyaso/32/index.php

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Trojan_W32_Gh0stMiancha_1_0_0 Create hunting rule

Rule name:	win_azorult_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator