MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 02cbc1ab80695fc12ff8822b926957c3a600247b9ca412a137f69cb5716c8781. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 7


Maldoc score: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 02cbc1ab80695fc12ff8822b926957c3a600247b9ca412a137f69cb5716c8781
SHA3-384 hash: a0d60d0d5c5e89f57239b3fc3780a3ccadcdd048a44dc222d29ccc48745baa5dc62d4d598e0147c97a1c85bf1fc1d852
SHA1 hash: 4888503cc056d3e279c0cac8e1fbafad76973212
MD5 hash: a8724d5484779a28ad2ef10bfdcbd46f
humanhash: steak-bakerloo-king-whiskey
File name:Purchase_Order_ARG-253A#422723.xls
Download: download sample
Signature AZORult
Create hunting rule
File size:84'992 bytes
First seen:2020-11-25 10:35:58 UTC
Last seen:2020-11-27 12:28:06 UTC
File type:Excel file xls
MIME type:application/vnd.ms-excel
ssdeep 1536:X/Y9k3hbdlylKsgqopeJBWhZFGkE+cL2NdAfmSb4wIE7zp0RhBv1hQz7rTk1p9St:vyk3hbdlylKsgqopeJBWhZFGkE+cL2NU
TLSH 5B834A427756C885D6560B324EE3DA9A6733FC129EB7430B3108F32F6E779909A0365B
Reporter JAMESWT_WT
Tags:AZORult xls

Office OLE Information

This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE id
Maldoc score: 7
Application name is Microsoft Excel
Office document is in OLE format
Office document contains VBA Macros
OLE dump

MalwareBazaar was able to identify 15 sections in this file using oledump:

Section IDSection sizeSection name
1107 bytesCompObj
2244 bytesDocumentSummaryInformation
3216 bytesSummaryInformation
466286 bytesWorkbook
5537 bytes_VBA_PROJECT_CUR/PROJECT
686 bytes_VBA_PROJECT_CUR/PROJECTwm
7999 bytes_VBA_PROJECT_CUR/VBA/Feuil1
82945 bytes_VBA_PROJECT_CUR/VBA/Module1
91007 bytes_VBA_PROJECT_CUR/VBA/ThisWorkbook
102673 bytes_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
111992 bytes_VBA_PROJECT_CUR/VBA/__SRP_0
12130 bytes_VBA_PROJECT_CUR/VBA/__SRP_1
131127 bytes_VBA_PROJECT_CUR/VBA/__SRP_2
14156 bytes_VBA_PROJECT_CUR/VBA/__SRP_3
15559 bytes_VBA_PROJECT_CUR/VBA/dir
OLE vba

MalwareBazaar was able to extract and deobfuscate VBA script(s) the following information from OLE objects embedded in this file using olevba:

TypeKeywordDescription
AutoExecauto_openRuns when the Excel Workbook is opened
IOCaz.exeExecutable file name
SuspiciousRunMay run an executable file or a system command
SuspiciousEXECMay run an executable file or a system
SuspiciousHex StringsHex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)

Intelligence

File Origin
# of uploads :
3
# of downloads :
242
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file
Creating a process with a hidden window
Replacing files
Launching a process
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Running batch commands by exploiting the app vulnerability
Deleting of the original file
Result
Verdict:
MALICIOUS
Details
Macro with Startup Hook
Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.
Macro Execution Coercion
Detected a document that appears to social engineer the user into activating embedded logic.
Result
Threat name:
Hidden Macro 4.0
Create hunting rule
Detection:
malicious
Classification:
expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/546820
Signature
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Connects to a URL shortener service
Document contains an embedded VBA macro which may execute processes
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Found obfuscated Excel 4.0 Macro
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Obfuscated command line found
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Microsoft Office Product Spawning Windows Shell
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 322505 Sample: Purchase_Order_ARG-253A#422... Startdate: 25/11/2020 Architecture: WINDOWS Score: 100 28 Multi AV Scanner detection for domain / URL 2->28 30 Antivirus detection for URL or domain 2->30 32 Multi AV Scanner detection for submitted file 2->32 34 8 other signatures 2->34 7 EXCEL.EXE 108 32 2->7         started        process3 signatures4 36 Obfuscated command line found 7->36 38 Document exploit detected (process start blacklist hit) 7->38 10 cmd.exe 7->10         started        13 cmd.exe 7->13         started        15 cmd.exe 7->15         started        process5 signatures6 40 Obfuscated command line found 10->40 17 powershell.exe 16 7 10->17         started        20 powershell.exe 7 13->20         started        22 powershell.exe 7 15->22         started        process7 dnsIp8 24 bazaarkonections.com 173.254.222.103, 49168, 80 ASN-QUADRANET-GLOBALUS United States 17->24 26 tinyurl.com 104.20.139.65, 443, 49167 CLOUDFLARENETUS United States 17->26
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/02cbc1ab80695fc12ff8822b926957c3a600247b9ca412a137f69cb5716c8781/
Threat name:
Document-Word.Trojan.AShadow
Create hunting rule
Status:
Malicious
First seen:
2020-11-25 10:35:52 UTC
File Type:
Document
Extracted files:
23
AV detection:
18 of 29 (62.07%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=alf4dk4anfp4cl7yqivze2kxyotaajd3tssbfijx62olk4lmq6aq._file
Result
Malware family:
n/a
Score:
  10/10
Tags:
macro
Link:
https://tria.ge/reports/201125-13afl35l7j/
Behaviour
Enumerates system info in registry
Modifies Internet Explorer settings
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Checks processor information in registry
Office loads VBA resources, possible macro or embedded object present
Deletes itself
Blacklisted process makes network request
Process spawned unexpected child process
Malware Config
Dropper Extraction:
https://tinyurl.com/y3y4ay4y
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Eldorado
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/02cbc1ab80695fc12ff8822b926957c3a600247b9ca412a137f69cb5716c8781

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Excel_Hidden_Macro_Sheet
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments