MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c1aa02b7eecf8748545bb286cf171f4adae70a7a0aa6fdd97a38874afa5187bc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AZORult


Vendor detections: 4



SHA256 hash: c1aa02b7eecf8748545bb286cf171f4adae70a7a0aa6fdd97a38874afa5187bc
SHA3-384 hash: 52495572c67d16a562c1077b2c882f8da0219371598e6628dba7c37b5b2f0f2e4d245de695d5f544e1dbeb6fa862abb0
SHA1 hash: 4bfee30b5714e23c77702bdfbebd909682dc07c8
MD5 hash: eb2ad26d4ef8137fe9f2568d5e1874d7
humanhash: december-queen-sierra-carbon
File name: ff.exe
Signature: AZORult
File size: 608'768 bytes
First seen: 2020-05-28 11:36:20 UTC
Last seen: 2020-05-28 12:58:04 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 6d288dc5caa33b7016aaba80a9d6ba09 (4 x AgentTesla, 1 x FormBook, 1 x NetWire)
ssdeep: 12288:qEXTxRvHr3x2NRWc9Wt8PjIOrtkroeUp6He73uGBYrdXXu88aFKk94hh5Phi4gHM:/j7Hr3xcRWonPjIOrtkroeUp6He73uGX
Threatray: 433 similar samples on MalwareBazaar
TLSH: CDD48D62F2905C33C153157E9D3BA77C982EBE51392826723BF5DC4C9F29381392B296
Reporter: abuse_ch
Tags: AZORult exe


abuse_ch
Malspam distributing AZORult:

HELO: mail.strongmailvault.com
Sending IP: 111.90.144.220
From: info@yosungroup.ga
Subject: RE: QUATATION
Attachment: Quatation023.rar (contains "ff.exe")

AZORult C2:
http://truva2007.com.tr/wp/wp/index.php

Intelligence


File Origin
# of uploads: 2
# of downloads: 102
Origin country: n/a

Vendor Threat Intelligence
Threat name: Win32.Trojan.Injector
Status: Malicious
First seen: 2020-05-28 12:36:53 UTC
File Type: PE (Exe)
Extracted files: 227
AV detection: 26 of 31 (83.87%)
Threat level: 5/5

Result
Malware family: azorult
Score: 10/10
Tags: family:azorult discovery infostealer trojan

Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks installed software on the system
Azorult

Malware Config
C2 Extraction: http://truva2007.com.tr/wp/wp/index.php

Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Malspam (distributed via e-mail attachment)
Signature: AZORult
Sample: Executable exe c1aa02b7eecf8748545bb286cf171f4adae70a7a0aa6fdd97a38874afa5187bc (this sample)

Comments