MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ccedefbb232fd22909bc7b342fe7d3c1e0551b149a0b2e392a23030ceef1814e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 5


Intelligence 5 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ccedefbb232fd22909bc7b342fe7d3c1e0551b149a0b2e392a23030ceef1814e
SHA3-384 hash: d33fd0e7f193be9a694bc16fc0c93d57800bfcd8974d40f8bba6370111946d574f2f1e4a458c96ebf32a3b90ea1efa79
SHA1 hash: 39b7f0f603cce229cae280816e00a53bd6ec8b82
MD5 hash: 2dadfba12836421164240227b555297a
humanhash: mango-cardinal-eighteen-summer
File name:6910002637.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:302'080 bytes
First seen:2020-05-06 10:07:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:A5kOBBsBMzs09CD5xnSjNKnuc50Qy7aSXuiG9Rew:TMYDu4uc6DKJ
Threatray 428 similar samples on MalwareBazaar
TLSH 6D54093EDB98AF30EF27F67444421A965412FCD32EA1F61BEF8435998A31D9C0CD6942
Reporter abuse_ch
Tags:AZORult exe geo THA


Avatar
abuse_ch
Malspam distributing AZORult:

HELO: server.avrasyarulman.com
Sending IP: 185.239.237.91
From: bcm_helpdesk@scb.co.th <bcm_helpdesk@scb.co.th>
Subject: SCB Corporate Alert: Transaction Notification
Attachment: 6910002637.PDF.IMG (contains "6910002637.exe")

AZORult C2:
http://ensaenerji.com/mep/index.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
102
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.MSIL.Packed.SmartAssembly.AY.26187.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-05-06 10:37:02 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
28 of 31 (90.32%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ztw67ozdf7jcscn4pm2c7z6tyhqfkgyutifs4ojkembqz3xrqfha._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
Similar samples:
0030717c09c6bcbe9db0f9837ac85415e0bc3762ec9a8f131f7f6920193582a3
AZORult
02f2ef392aadd8b486f022e3cd6bad2e6d0a2b6d39d2371b7d528e9ea6607a00
AZORult
12826d5302af642e1152b7b65718d7bcd1deca268630fa61444f131575795589
AZORult
28558516b6b4912e36105c566322d9e4a47a0fca0847c55227683c51834e98e9
AZORult
59e39b6123ed1218d7ae3b4406b3e06c1fc84ecb8fafad05e762b9867c77248b
AZORult
c82a750c5a0dcc2a923f97b3bfbba13fd302144fdcdab020f7c7c94e24892807
AZORult
e9a35c488c49d24c11d3d82d548c984f11f0987ba4ae47ac30409f2dc28508f7
AZORult
e9c42b737c586759102817b5922701598ec9c9256b36cf5fc28782fa09016ca4
AZORult
eef743fa3b72b1e9e71d02dd39db239cda0fd6e976ef0f8779501564b116de5d
AZORult
f7505d1a7254a1a38c4570f0abb3fe3a462d3c34efca6372841ac37876d2af05
AZORult
+ 418 additional samples on MalwareBazaar
Result
Malware family:
azorult
Create hunting rule
Score:
  10/10
Tags:
family:azorult infostealer trojan
Link:
https://tria.ge/reports/201109-14rvzya23x/
Behaviour
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
ServiceHost packer
Azorult
Malware Config
C2 Extraction:
http://ensaenerji.com/mep/index.php
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_azorult_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_azorult_g1
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AZORult

img cc7b6b68da60e612d1419ac3a2e10fb30f4843120add2a4cfba3c0e7e518f8f0

AZORult

Executable exe ccedefbb232fd22909bc7b342fe7d3c1e0551b149a0b2e392a23030ceef1814e

(this sample)

  
Dropped by
MD5 feb87ae94aa7193060c5e637611bd460
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 cc7b6b68da60e612d1419ac3a2e10fb30f4843120add2a4cfba3c0e7e518f8f0

Comments