MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 062984754c78988300d9b2611b81c4f2c1bcae16380952c7ab550498b4249e3f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
AZORult
Vendor detections: 13
| SHA256 hash: | 062984754c78988300d9b2611b81c4f2c1bcae16380952c7ab550498b4249e3f |
|---|---|
| SHA3-384 hash: | ddb2c0cd23c8f9f48a8a1f03e4303997f6ece958e69b98bc2d50041a35987ff4b562fd62c35aa925b794266e7034c7e4 |
| SHA1 hash: | 9f8fba9b7b8404f02f4417169803d369a290910d |
| MD5 hash: | 52eac81cc6e67c2a28249295c6bcf3c5 |
| humanhash: | washington-oranges-idaho-georgia |
| File name: | Lisect_AVT_24003_G1A_55.exe |
| Download: | download sample |
| Signature | AZORult |
| File size: | 1'610'752 bytes |
| First seen: | 2024-07-25 02:04:50 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | 948cc502fe9226992dce9417f952fce3 (1'182 x CredentialFlusher, 446 x Formbook, 231 x AgentTesla) |
| ssdeep | 49152:dTvC/MTQYxsWR7acyejdjIQl6kX7sXf8n0irmNmSb6HCjsZ:RjTQYxsWR5yejdjIQl6kX7sXf8nzrm8l |
| TLSH | T1A4758D823382902AFFE6A9720E66E23A07746E5C5252E40E12F53D7BB7FC163152F157 |
| TrID | 57.4% (.CPL) Windows Control Panel Item (generic) (57583/11/19) 16.4% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 10.5% (.EXE) Win64 Executable (generic) (10523/12/4) 5.0% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.4% (.EXE) Win32 Executable (generic) (4504/4/1) |
| File icon (PE): |  |
| dhash icon | e4d09292f2c8b4c0 (2 x AZORult, 1 x AgentTesla) |
| Reporter | Anonymous |
| Tags: | AZORult exe |
Anonymous
this malware sample is very nasty!Intelligence
File Origin
# of uploads :
1
# of downloads :
302
Origin country :
CNVendor Threat Intelligence
Gathering data
Result
Verdict:
Malware
Maliciousness:
Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a process from a recently created file
Changing an executable file
Creating a window
Connection attempt to an infection source
Sending an HTTP GET request to an infection source
Launching a process
Сreating synchronization primitives
DNS request
Modifying an executable file
Query of malicious DNS domain
Infecting executable files
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
7.5/10
Confidence:
100%
Tags:
autoit fingerprint keylogger lolbin microsoft_visual_cc shell32
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Azorult, Bdaejec
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
Detected unpacking (changes PE section rights)
Found API chain indicative of sandbox detection
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
Switches to a custom stack to bypass stack traces
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Yara detected Azorult
Yara detected Azorult Info Stealer
Yara detected Bdaejec
Behaviour
Behavior Graph:
Score:
100%
Verdict:
Malware
File Type:
PE
Detection:
azorult
Threat name:
Win32.Virus.Jadtre
Status:
Malicious
First seen:
2024-07-25 05:10:38 UTC
AV detection:
35 of 38 (92.11%)
Threat level:
5/5
Detection(s):
Suspicious file
Verdict:
malicious
Label(s):
azorult
Result
Malware family:
azorult
Score:
10/10
Tags:
family:azorult aspackv2 discovery infostealer trojan
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
AutoIT Executable
Suspicious use of SetThreadContext
ASPack v2.12-2.42
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Azorult
Malware Config
C2 Extraction:
http://mhlc.shop/MC341/index.php
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Unpacked files
SH256 hash:
1561b05f97e378b5a8a9e8a14634393e9ae88ba8e7fbc59d6e6682dc78071dc8
MD5 hash:
c43d76cd3509c6da4f04d93ad20dfab7
SHA1 hash:
7d4c66505d126607bff79372aa2d8808adca6368
Detections:
Azorult
win_azorult_g1
win_azorult_auto
Azorult
SH256 hash:
308975bcaf1f519f015a0bee5cca4b58fd030841ac5fdb716f29e86af758a082
MD5 hash:
450740d156bd3065eeed613f07937eee
SHA1 hash:
2cea497de6d29b318847a1d1d4fde5628c9383a7
Detections:
win_unidentified_045_auto
win_unidentified_045_g0
SH256 hash:
062984754c78988300d9b2611b81c4f2c1bcae16380952c7ab550498b4249e3f
MD5 hash:
52eac81cc6e67c2a28249295c6bcf3c5
SHA1 hash:
9f8fba9b7b8404f02f4417169803d369a290910d
Detections:
AutoIT_Compiled
Please note that we are no longer able to provide a coverage score for Virus Total.
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | AutoIT_Compiled |
|---|---|
| Author: | @bartblaze |
| Description: | Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious. |
| Rule name: | DebuggerCheck__API |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | maldoc_find_kernel32_base_method_1 |
|---|---|
| Author: | Didier Stevens (https://DidierStevens.com) |
| Rule name: | maldoc_getEIP_method_1 |
|---|---|
| Author: | Didier Stevens (https://DidierStevens.com) |
| Rule name: | meth_get_eip |
|---|---|
| Author: | Willi Ballenthin |
| Rule name: | shellcode |
|---|---|
| Author: | nex |
| Description: | Matched shellcode byte patterns |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Malspam
Delivery method
Distributed via e-mail attachment
BLint
The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.
Findings
| ID | Title | Severity |
|---|---|---|
| CHECK_AUTHENTICODE | Missing Authenticode | high |
| CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high |
| CHECK_NX | Missing Non-Executable Memory Protection | critical |
Reviews
| ID | Capabilities | Evidence |
|---|---|---|
| AUTH_API | Manipulates User Authorization | ADVAPI32.dll::AllocateAndInitializeSid ADVAPI32.dll::CopySid ADVAPI32.dll::FreeSid ADVAPI32.dll::GetLengthSid ADVAPI32.dll::GetTokenInformation ADVAPI32.dll::GetAce |
| COM_BASE_API | Can Download & Execute components | ole32.dll::CLSIDFromProgID ole32.dll::CoCreateInstance ole32.dll::CoCreateInstanceEx ole32.dll::CoInitializeSecurity ole32.dll::CreateStreamOnHGlobal |
| MULTIMEDIA_API | Can Play Multimedia | WINMM.dll::mciSendStringW WINMM.dll::timeGetTime WINMM.dll::waveOutSetVolume |
| SECURITY_BASE_API | Uses Security Base API | ADVAPI32.dll::AddAce ADVAPI32.dll::AdjustTokenPrivileges ADVAPI32.dll::CheckTokenMembership ADVAPI32.dll::DuplicateTokenEx ADVAPI32.dll::GetAclInformation ADVAPI32.dll::GetSecurityDescriptorDacl |
| SHELL_API | Manipulates System Shell | SHELL32.dll::ShellExecuteExW SHELL32.dll::ShellExecuteW SHELL32.dll::SHFileOperationW |
| WIN32_PROCESS_API | Can Create Process and Threads | ADVAPI32.dll::CreateProcessAsUserW KERNEL32.dll::CreateProcessW ADVAPI32.dll::CreateProcessWithLogonW KERNEL32.dll::OpenProcess ADVAPI32.dll::OpenProcessToken ADVAPI32.dll::OpenThreadToken |
| WIN_BASE_API | Uses Win Base API | KERNEL32.dll::TerminateProcess KERNEL32.dll::SetSystemPowerState KERNEL32.dll::LoadLibraryA KERNEL32.dll::LoadLibraryW KERNEL32.dll::LoadLibraryExW KERNEL32.dll::GetDriveTypeW |
| WIN_BASE_EXEC_API | Can Execute other programs | KERNEL32.dll::WriteConsoleW KERNEL32.dll::ReadConsoleW KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleCP KERNEL32.dll::GetConsoleMode |
| WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CopyFileExW KERNEL32.dll::CopyFileW KERNEL32.dll::CreateDirectoryW KERNEL32.dll::CreateHardLinkW IPHLPAPI.DLL::IcmpCreateFile KERNEL32.dll::CreateFileW |
| WIN_BASE_USER_API | Retrieves Account Information | KERNEL32.dll::GetComputerNameW ADVAPI32.dll::GetUserNameW ADVAPI32.dll::LogonUserW ADVAPI32.dll::LookupPrivilegeValueW |
| WIN_NETWORK_API | Supports Windows Networking | MPR.dll::WNetAddConnection2W MPR.dll::WNetUseConnectionW |
| WIN_REG_API | Can Manipulate Windows Registry | ADVAPI32.dll::RegConnectRegistryW ADVAPI32.dll::RegCreateKeyExW ADVAPI32.dll::RegDeleteKeyW ADVAPI32.dll::RegOpenKeyExW ADVAPI32.dll::RegQueryValueExW ADVAPI32.dll::RegSetValueExW |
| WIN_USER_API | Performs GUI Actions | USER32.dll::BlockInput USER32.dll::CloseDesktop USER32.dll::CreateMenu USER32.dll::EmptyClipboard USER32.dll::FindWindowExW USER32.dll::FindWindowW |
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.