MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 04fb5a1f6082a09a55bec26e0748918da0d1007e2a43c70723dc79cc7c413079. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 04fb5a1f6082a09a55bec26e0748918da0d1007e2a43c70723dc79cc7c413079
SHA3-384 hash: 1399549e8719e4eaca32eefdbaa2c53b396a7dd89db6444931f9278597d149ffc08aa5d0451a3e903c932309e5279e94
SHA1 hash: 0864cf603f4e06a32f3ae266a557d14055d4a34a
MD5 hash: 7a1618c1616dae2aa4402b2f9f0febc7
humanhash: illinois-berlin-oranges-emma
File name:7a1618c1616dae2aa4402b2f9f0febc7.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:1'126'400 bytes
First seen:2022-08-18 06:36:37 UTC
Last seen:2022-08-18 07:36:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5f46666d491a382acce5e488bb8139c9 (1 x AZORult)
ssdeep 3072:CsCrC5C51grFd75sRnuiiNi1tq/5Olg+x7Plk+Bic:41grf2QlysOl5PZf
Threatray 15'410 similar samples on MalwareBazaar
TLSH T139354166C9691300E38C0BF835D3ED8E9774D20D5E9696D378F9217BA5AFE044EC1EA0
TrID 27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
20.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.5% (.EXE) Win32 Executable (generic) (4505/5/1)
8.5% (.EXE) Win16/32 Executable Delphi generic (2072/23)
8.3% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags:AZORult exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
662
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
raccoon
Create hunting rule
ID:
1
File name:
7a1618c1616dae2aa4402b2f9f0febc7.exe
Verdict:
Malicious activity
Analysis date:
2022-08-18 06:45:30 UTC
Tags:
trojan raccoon recordbreaker
Link:
https://app.any.run/tasks/5d9d3095-3039-4256-96af-7dbd3ccdb9cb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/299507/
Detection(s):
SecuriteInfo.com.Variant.Barys.319254.7910.15437.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug anti-vm greyware hacktool obfuscated packed
Link:
https://www.filescan.io/uploads/62fdde1c8adad7d7739e077b/reports/e0829433-17c8-48dc-a4a8-8201e6089980/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8383867a-b731-4364-a6d2-4c7462083563
Result
Threat name:
AsyncRAT, Azorult, Clipboard Hijacker, R
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1053586
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
DLL side loading technique detected
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AsyncRAT
Yara detected Azorult
Yara detected Azorult Info Stealer
Yara detected Clipboard Hijacker
Yara detected Generic Downloader
Yara detected Raccoon Stealer v2
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 686099 Sample: AnTEDrTmdh.exe Startdate: 18/08/2022 Architecture: WINDOWS Score: 100 87 Snort IDS alert for network traffic 2->87 89 Malicious sample detected (through community Yara rule) 2->89 91 Antivirus detection for URL or domain 2->91 93 12 other signatures 2->93 10 AnTEDrTmdh.exe 13 2->10         started        13 oobeldr.exe 2->13         started        process3 signatures4 113 Maps a DLL or memory area into another process 10->113 115 Contains functionality to detect sleep reduction / modifications 10->115 15 AnTEDrTmdh.exe 29 10->15         started        process5 dnsIp6 77 193.106.191.146, 49723, 80 BOSPOR-ASRU Russian Federation 15->77 79 wewilltoptheworld.top 193.106.191.169, 49725, 49726, 49727 BOSPOR-ASRU Russian Federation 15->79 55 C:\Users\user\AppData\Local\...\jZTsz0Uz.exe, PE32 15->55 dropped 57 C:\Users\user\AppData\Local\...\aD2R86va.exe, PE32+ 15->57 dropped 59 C:\Users\user\AppData\Local\...\T561085j.exe, PE32 15->59 dropped 61 8 other files (1 malicious) 15->61 dropped 83 Tries to harvest and steal browser information (history, passwords, etc) 15->83 85 Tries to steal Crypto Currency Wallets 15->85 20 T561085j.exe 3 15->20         started        23 6P7KYMIc.exe 4 15->23         started        25 aD2R86va.exe 1 6 15->25         started        28 jZTsz0Uz.exe 3 15->28         started        file7 signatures8 process9 file10 95 Writes to foreign memory regions 20->95 97 Allocates memory in foreign processes 20->97 99 Injects a PE file into a foreign processes 20->99 30 InstallUtil.exe 62 20->30         started        101 Antivirus detection for dropped file 23->101 103 Multi AV Scanner detection for dropped file 23->103 105 Machine Learning detection for dropped file 23->105 111 2 other signatures 23->111 35 6P7KYMIc.exe 23->35         started        63 C:\Users\user\AppData\Roaming\...\Urfddt.exe, PE32+ 25->63 dropped 107 Encrypted powershell cmdline option found 25->107 109 Modifies the context of a thread in another process (thread injection) 25->109 37 powershell.exe 25->37         started        39 powershell.exe 28->39         started        signatures11 process12 dnsIp13 75 wewilltoptheearth.top 30->75 65 C:\Users\user\AppData\...\vcruntime140.dll, PE32 30->65 dropped 67 C:\Users\user\AppData\Local\Temp\...\nss3.dll, PE32 30->67 dropped 69 C:\Users\user\AppData\Local\...\msvcp140.dll, PE32 30->69 dropped 73 45 other files (1 malicious) 30->73 dropped 81 DLL side loading technique detected 30->81 41 cmd.exe 30->41         started        71 C:\Users\user\AppData\Roaming\...\oobeldr.exe, PE32 35->71 dropped 43 schtasks.exe 35->43         started        45 conhost.exe 37->45         started        47 conhost.exe 39->47         started        file14 signatures15 process16 process17 49 conhost.exe 41->49         started        51 timeout.exe 41->51         started        53 conhost.exe 43->53         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/04fb5a1f6082a09a55bec26e0748918da0d1007e2a43c70723dc79cc7c413079/
Threat name:
Win32.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2022-08-18 06:37:10 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=at5vuh3aqkqjuvn6yjxaoserrwqncad6fjb4obzd3r44y7cbgb4q._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
remcos
Create hunting rule
raccoon
Create hunting rule
Similar samples:
24bb842bb98ba84cbd9db57c226cbf30bd30d240007b18c3c9a734fd4f8e63a7
AZORult
2929451852384ac9f1b289746f767b752e04ec5d778b9538ac761cb175006948
AZORult
48d97367a91454e04e0161675bc323aaea552ef9335c57090e0d471d3d28c97e
AZORult
ac1906fa0c648d42c3e1b0c7b70b0e7c0c68888d90dc48c81b225f0932cdb258
AZORult
b06040b023873e257e3cc5d803186e714ad4de74fd3bb305205550e5ce5233f7
AZORult
b0e78152cf5f5eca9be7cc47e833600e77db47786c09cc2be451f310c50881d9
AZORult
cce110eed95c36bf618669b1a290ee90b5152ee9c660b6b37f3e11dca7431419
AZORult
ceb6fcadd0f96521026c478596bbc3ba3dfdd3ecdbb2d9e4e8f5bb4a422e446d
AZORult
ec0a3b7d3636b52ae025418ec21669e06c30f58930f11303571a2af6993ef365
AZORult
f171eba23f65f99cd49caa4d84e1adc3429100573de5405534922bc784dd0d23
AZORult
+ 15'400 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:azorult family:remcos botnet:08172022 discovery infostealer persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/220818-hdgsjadff2/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Azorult
Remcos
Malware Config
C2 Extraction:
http://195.245.112.115/index.php
nikahuve.ac.ug:6968
kalskala.ac.ug:6968
tuekisaa.ac.ug:6968
parthaha.ac.ug:6968
Unpacked files
SH256 hash:
79f9e2d8e73964b2ce71545c594a7a9ed8c3e3daf5e54335f5243e584dba1e7d
MD5 hash:
ec3876ea496980079b11a99911e4845a
SHA1 hash:
bfb2d7e3a812e12621db7175392ec77896c39c51
Detections:
win_recordbreaker_auto
Create hunting rule
Link:
https://www.unpac.me/results/dda456cd-1385-455e-9285-5eb7c950a54a/
SH256 hash:
04fb5a1f6082a09a55bec26e0748918da0d1007e2a43c70723dc79cc7c413079
MD5 hash:
7a1618c1616dae2aa4402b2f9f0febc7
SHA1 hash:
0864cf603f4e06a32f3ae266a557d14055d4a34a
Link:
https://www.unpac.me/results/dda456cd-1385-455e-9285-5eb7c950a54a/
Malware family:
AZORult v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/04fb5a1f6082/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/04fb5a1f6082a09a55bec26e0748918da0d1007e2a43c70723dc79cc7c413079

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:RaccoonV2
Create hunting rule
Author:@_FirehaK <yara@firehak.com>
Description:This rule detects Raccoon Stealer version 2.0 (called Recordbreaker before attribution). It has been spotted spreading through fake software cracks and keygens as far back as April 2022.
Reference:https://www.zerofox.com/blog/brief-raccoon-stealer-version-2-0/
Rule name:win_recordbreaker_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.recordbreaker.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AZORult

Executable exe 04fb5a1f6082a09a55bec26e0748918da0d1007e2a43c70723dc79cc7c413079

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1514315/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2264641/
Cape
Cape
https://www.capesandbox.com/analysis/299507/
  
URLhaus
https://urlhaus.abuse.ch/url/1514297/
  
URLhaus
https://urlhaus.abuse.ch/url/2257492/
  
URLhaus
https://urlhaus.abuse.ch/url/2257580/
  
URLhaus
https://urlhaus.abuse.ch/url/2202207/
  
URLhaus
https://urlhaus.abuse.ch/url/265919/
  
URLhaus
https://urlhaus.abuse.ch/url/1746809/

Comments