MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 052268101b875a7f7d0cdac6f63127b5a4cb39d98b3aab856874b0ffed500ab1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 052268101b875a7f7d0cdac6f63127b5a4cb39d98b3aab856874b0ffed500ab1
SHA3-384 hash: 0a5ff9a0e6cb100a78fd951d13768ef5c77b6c4bcf0e08340417739b6cda88136b6f1f9e7b96db6c0e296255bf826b62
SHA1 hash: 999318909aabde9de6715bb75fa9e55fc83c624d
MD5 hash: 743a8a808bc63ca07f59ff692e0c3856
humanhash: undress-east-bacon-golf
File name:LPO355 Order2313518.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:412'769 bytes
First seen:2023-09-04 00:50:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6e7f9a29f2c85394521a08b9f31f6275 (293 x GuLoader, 51 x VIPKeylogger, 48 x RemcosRAT)
ssdeep 6144:uT4DtHOOUPy5MI1RhksWkoASzOba81HXvV1jrByDxZGyNgIm:uTeeZsbD13vzrwxZGyNdm
Threatray 973 similar samples on MalwareBazaar
TLSH T17E94E0807B90D9BFD39E5B3885F1E7795278ACE028229A0377953E9F3E25F4DE944210
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 61d4d4d4f8ec71b2 (4 x AZORult, 1 x GuLoader)
Reporter abuse_ch
Tags:AZORult exe


Avatar
abuse_ch
AZORult C2:
http://mixz.shop/MI341/index.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
313
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
LPO355 Order2313518.exe
Verdict:
Suspicious activity
Analysis date:
2023-09-04 00:51:40 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8c6fc306-0cee-43ce-8273-9b757e358a37

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/445889/
Detection(s):
SecuriteInfo.com.FileRepMalware.3353.488.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Creating a file
Delayed reading of the file
Creating a file in the %temp% subdirectories
Sending a custom TCP request
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control lolbin masquerade overlay packed shell32
Link:
https://www.filescan.io/uploads/64f529f74578d9c35e00e053/reports/57a34523-4900-4a89-aeaa-37fdf9da4472/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/052268101b875a7f7d0cdac6f63127b5a4cb39d98b3aab856874b0ffed500ab1
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/eec81ba5-1a72-4b3b-bd14-765fea4f0e49
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad.phis.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1302507
Signature
Antivirus / Scanner detection for submitted sample
Initial sample is a PE file and has a suspicious name
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Self deletion via cmd or bat file
Snort IDS alert for network traffic
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1302507 Sample: LPO355_Order2313518.exe Startdate: 04/09/2023 Architecture: WINDOWS Score: 100 34 www.mixz.shop 2->34 36 mixz.shop 2->36 38 futotarsakse.hu 2->38 44 Snort IDS alert for network traffic 2->44 46 Antivirus / Scanner detection for submitted sample 2->46 48 Multi AV Scanner detection for submitted file 2->48 50 2 other signatures 2->50 9 LPO355_Order2313518.exe 5 32 2->9         started        signatures3 process4 file5 24 C:\Users\user\AppData\Local\...\System.dll, PE32 9->24 dropped 52 Self deletion via cmd or bat file 9->52 54 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 9->54 56 Tries to detect Any.run 9->56 58 Maps a DLL or memory area into another process 9->58 13 LPO355_Order2313518.exe 64 9->13         started        signatures6 process7 dnsIp8 40 futotarsakse.hu 185.80.49.249, 50058, 80 RACKFOREST-ASHU Hungary 13->40 42 www.mixz.shop 104.21.44.116, 50059, 50060, 50061 CLOUDFLARENETUS United States 13->42 26 C:\Users\user\AppData\...\vcruntime140.dll, PE32 13->26 dropped 28 C:\Users\user\AppData\Local\...\ucrtbase.dll, PE32 13->28 dropped 30 C:\Users\user\AppData\Local\...\softokn3.dll, PE32 13->30 dropped 32 45 other files (none is malicious) 13->32 dropped 60 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 13->60 62 Tries to steal Instant Messenger accounts or passwords 13->62 64 Tries to steal Mail credentials (via file / registry access) 13->64 66 6 other signatures 13->66 18 cmd.exe 1 13->18         started        file9 signatures10 process11 process12 20 conhost.exe 18->20         started        22 timeout.exe 1 18->22         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/052268101b875a7f7d0cdac6f63127b5a4cb39d98b3aab856874b0ffed500ab1/
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Malicious
First seen:
2023-09-04 00:31:34 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
19 of 38 (50.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=aurgqea3q5nh67im3ldpmmjhwwsmwoozrm5kxbliosyp73kqbkyq._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
cloudeye
Create hunting rule
Similar samples:
56dedd515106bc5df8a08625e59d5b0613c01909574c57c0cf7ed391640030c6
AZORult
62173847065d1aa1b93254e623844a1f223a4df4a06499f21b64fe82389fb327
AZORult
a800f3aefe262ccf51d647a154e8db7195ff6e4a360ec3f84586f763abff19fd
AZORult
bd35948712753f7a1c073fbf50e798898e0bbf9dec42a416eb33e2f78913c314
AZORult
cb34bcf1043d10a15d4a823fe188296e161b88b630f090c8dc644de84b6105ae
AZORult
f5ad72d325fa3bb260db87cd3c251ba808c0cfb35cb0578b85071daf82b0eed1
AZORult
f5d0792248cb4a496cb1d59f94aa291e734b250760018e533290c9aa573276c0
AZORult
+ 963 additional samples on MalwareBazaar
Result
Malware family:
azorult
Create hunting rule
Score:
  10/10
Tags:
family:azorult infostealer trojan
Link:
https://tria.ge/reports/230904-a7g2dscf9y/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks QEMU agent file
Loads dropped DLL
Azorult
Unpacked files
SH256 hash:
acf90ab6f4edc687e94aaf604d05e16e6cfb5e35873783b50c66f307a35c6506
MD5 hash:
6e55a6e7c3fdbd244042eb15cb1ec739
SHA1 hash:
070ea80e2192abc42f358d47b276990b5fa285a9
Link:
https://www.unpac.me/results/f1fc2492-0c64-4b16-8eae-283221caae8e/
SH256 hash:
052268101b875a7f7d0cdac6f63127b5a4cb39d98b3aab856874b0ffed500ab1
MD5 hash:
743a8a808bc63ca07f59ff692e0c3856
SHA1 hash:
999318909aabde9de6715bb75fa9e55fc83c624d
Link:
https://www.unpac.me/results/f1fc2492-0c64-4b16-8eae-283221caae8e/
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/052268101b87/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Azorult
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/052268101b875a7f7d0cdac6f63127b5a4cb39d98b3aab856874b0ffed500ab1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/445889/

Comments