MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f5053d63c375cee3c53f33df04dc76dfaa3560c35bb5f166e8238804e3ba3204. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AZORult

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	f5053d63c375cee3c53f33df04dc76dfaa3560c35bb5f166e8238804e3ba3204
SHA3-384 hash:	f12757c174b14c0909e9be601ea4dd4b04aef2e711002794d8c1e169c1d9e3b4eb757b11af223985bbf586533042766a
SHA1 hash:	e75450cdd0a7e1c93a0f215064e974ab5e1ab768
MD5 hash:	1a2d79996f534571873d714d86863814
humanhash:	double-island-finch-cola
File name:	Order Specification.exe
Download:	download sample
Signature	AZORult Create hunting rule
File size:	1'162'240 bytes
First seen:	2020-05-13 06:49:17 UTC
Last seen:	2020-05-29 14:57:25 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	3d95adbf13bbe79dc24dccb401c12091 (881 x AgentTesla, 737 x FormBook, 236 x SnakeKeylogger)
ssdeep	24576:Ftb20pkaCqT5TBWgNQ7aDbwDjUwP35NrrsJhyKEq6A:2Vg5tQ7aDbUPNut5
Threatray	1'188 similar samples on MalwareBazaar
TLSH	7135C01373DEC361C3725273BA267741AEBF782506A5F56B2FD8093DA920122521EB73
Reporter	abuse_ch
Tags:	AZORult exe

abuse_ch

Malspam distributing unidentified malware:

HELO: 77-72-3-56.hosted-at.kloud.co.uk
Sending IP: 77.72.3.56
From: Michele Kester <info17@ngyusa.com>
Reply-To: Michele Kester <biz@gurytour.ro>
Subject: Request for prices and lead time
Attachment: Order Specification.zip (contains "Order Specification.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.27686.AidExe.UNOFFICIAL

SecuriteInfo.com.PSW.Agent.BORA.UNOFFICIAL

Gathering data

Threat name:

Win32.Trojan.Predator

Status:

Malicious

First seen:

2020-05-13 07:18:18 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

26 of 31 (83.87%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6uct2y6doxhohrj7gppqjxdw36vdkygdlo27czxieoeajy52gica._file

Verdict:

malicious

Label(s):

azorult

Result

Malware family:

azorult

Score:

10/10

Tags:

family:azorult infostealer trojan

Link:

https://tria.ge/reports/201109-4azpzc2nqj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Azorult

Malware Config

C2 Extraction:

http://217.160.170.24/index.php

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AZORult

zip 2dd59713bdfc82e98cb5dd6cff53b44006e5e110d13dc71ec779590b03da2d68

AZORult

exe f5053d63c375cee3c53f33df04dc76dfaa3560c35bb5f166e8238804e3ba3204

(this sample)

Dropped by

MD5 2fd7671070753cffb4568f92c2e5dea2

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 2dd59713bdfc82e98cb5dd6cff53b44006e5e110d13dc71ec779590b03da2d68

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample