MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fe1b4c61d1b55965a4110b896daec0051ebca266c20c8f75d839e42b03587ec4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fe1b4c61d1b55965a4110b896daec0051ebca266c20c8f75d839e42b03587ec4
SHA3-384 hash: d48dd915895e6cdf62b1a4bb140bcd781f9af0aa36abce6ea5e9775dff9b2068855d29aef80f3f1a88c473c41ccd623d
SHA1 hash: dcd04b735be74b8110c69bb906e28ad3ef8e48bd
MD5 hash: 598ba912454b81e94bb0b68de4b0b874
humanhash: mockingbird-delaware-gee-south
File name:Payment Notification Slip_pdf.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:857'088 bytes
First seen:2020-07-09 12:12:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e335e0f383b17202864efb975d29d538 (14 x AgentTesla, 6 x Loki, 3 x AZORult)
ssdeep 12288:uVDQmQK44+3gCiU24vBV3RpqTf5RqH+YalI3QmMTP/DsgeA9sUZicctjON6s5S:SkAVCi74LofeHXecQmiDXeOoti8so
Threatray 810 similar samples on MalwareBazaar
TLSH 84058C22B3904833C1631A3D8D5B6778982ABE512E28BA4B7FF5DC4C5F3A6403975397
Reporter abuse_ch
Tags:AZORult exe SCB


Avatar
abuse_ch
Malspam distributing AZORult:

HELO: nctr148.trdns.com
Sending IP: 77.245.144.119
From: Standard Chartered Bank <AdviceAED@sc.com>
Subject: SUBJECT:Advice from Standard Chartered Bank
Attachment: Payment Notification Slip_pdf.gz (contains "Payment Notification Slip_pdf.exe")

AZORult C2:
http://h-to-h.mixh.jp/ws/PL341/index.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
184
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/23744/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.Win32.Herz.B.14887.31971.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
DNS request
Sending an HTTP POST request
Creating a file in the %temp% subdirectories
Reading critical registry keys
Creating a file
Deleting a recently created file
Launching a service
Reading Telegram data
Connection attempt
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Unauthorized injection to a system process
Detection:
azorult
Create hunting rule
Link:
https://mwdb.cert.pl/sample/fe1b4c61d1b55965a4110b896daec0051ebca266c20c8f75d839e42b03587ec4/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-07-09 08:02:48 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7ynuyyorwvmwljarboew3lwaauplzitgyigi65oyhhscwa2yp3ca._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
Similar samples:
151f57078e89aa2f81fcb307bf88fe23e9f2437a4df1e37def5d0b78797e12f8
AZORult
1553300557f17e7cb62c914616267bc733854b98a0edc5215d901cc4f8e4d0f0
AZORult
308c96557c6be5d4519ba4bac38c23e611c7b61683cfc1063a6009e216c24f5e
AZORult
6fa66f7851bea577cc6adfda11d3225a69b7c6554f028851eddd4d23ea074a59
AZORult
7e9b9bbb673e25ab8ee790dbfd2a3e489c0d3a88ab73aafe671f68982f1b41da
AZORult
81337231c53d0927b5aaff1792d71b5f5270e268e1909267ad3bd79951e72642
AZORult
8bbb8fe69100550248f4663e911a16bca03432bef9112dd0924d7a9c3dae8464
AZORult
9e17a9c1b1d0db2c9cd8fdf42c475712f8faaa68cb08bbff910a2927b910d88f
AZORult
9ffc0cc7f5b6bfb1e02d404b6d850e2fd72a778a1a2582fc061723f084cc73c2
AZORult
e539fe1b7096b7a1966ebbe10e2361c05fd90adf8ed312406f90efe13744e5af
AZORult
+ 800 additional samples on MalwareBazaar
Result
Malware family:
azorult
Create hunting rule
Score:
  10/10
Tags:
trojan infostealer family:azorult spyware discovery
Link:
https://tria.ge/reports/200709-lv3d6er5ex/
Behaviour
Suspicious use of WriteProcessMemory
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
NTFS ADS
Suspicious use of SetThreadContext
Checks for installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Reads data files stored by FTP clients
Executes dropped EXE
Azorult
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AZORult

gz 09e682ea38058bc5170a7fa499be6d864b90dc3d4d42a3410168766cd79b991e

AZORult

Executable exe fe1b4c61d1b55965a4110b896daec0051ebca266c20c8f75d839e42b03587ec4

(this sample)

  
Dropped by
MD5 f40b2f5e8e364f7fa05d05194781e461
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/23744/
  
Dropped by
SHA256 09e682ea38058bc5170a7fa499be6d864b90dc3d4d42a3410168766cd79b991e

Comments