MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0aa6ad540cef4f7c3583accdb2d103681f2ebf066928df8760f2b5668fbd58f2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AZORult

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	0aa6ad540cef4f7c3583accdb2d103681f2ebf066928df8760f2b5668fbd58f2
SHA3-384 hash:	a2b0d2cf89c678e342cd2e9838301174b2e1457df4baf98babe75fb0f29f2ac8789eeb885e41c46d21acb0673d473330
SHA1 hash:	f06799d38bb7457f7f5623a19bffc5a5439c937a
MD5 hash:	d184d4c572e2a5293702067b875817d3
humanhash:	maryland-three-monkey-tango
File name:	PO.doc
Download:	download sample
Signature	AZORult Create hunting rule
File size:	1'408'354 bytes
First seen:	2020-09-03 05:12:43 UTC
Last seen:	Never
File type:	doc
MIME type:	text/rtf
ssdeep	24576:SHV2v+axnMhxntY/C8dz4rh3k6jIQij8v5VZDRZSFewODpOFk0VVpOJ/U4SE7/Sd:J
TLSH	8D55BFF876047DE62A6F576BCA96ACDD13B616239ACBA4CC806477C305A3375FE02C05
Reporter	cocaman
Tags:	AZORult CVE-2017-11882 doc

cocaman

Malicious email
From: david.lloyd@greymonarch.com
Received: from greymonarch.com (unknown [23.106.122.237])
Date: 2 Sep 2020 22:10:50 -0700
Subject: Purchase Order
Attachment: PO.doc

Intelligence

File Origin

# of uploads :

# of downloads :

244

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.27301.RtfHeur.BadVer.UNOFFICIAL

SecuriteInfo.com.FakeRTF-2.UNOFFICIAL

TwinWave.EvilDoc.RTFFakeVersionWithObjUpdateUKSurfMix.20200514.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Creating a window

DNS request

Connection attempt by exploiting the app vulnerability

Result

Threat name:

Unknown

Detection:

malicious

Classification:

n/a

Score:

48 / 100

Link:

https://www.joesandbox.com/analysis/458016

Signature

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0aa6ad540cef4f7c3583accdb2d103681f2ebf066928df8760f2b5668fbd58f2/

Threat name:

Document-Office.Exploit.CVE-2017-11882

Status:

Malicious

First seen:

2020-09-03 05:14:07 UTC

File Type:

Document

Extracted files:

AV detection:

17 of 29 (58.62%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=bktk2vam55hxynmdvtg3fuidnaps5pygneun7b3a6k2wnd55ldza._file

Result

Malware family:

azorult

Score:

10/10

Tags:

spyware discovery trojan infostealer family:azorult

Link:

https://tria.ge/reports/200903-3nj1ac531j/

Behaviour

Checks processor information in registry

Launches Equation Editor

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Office loads VBA resources, possible macro or embedded object present

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Checks installed software on the system

JavaScript code in executable

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Blacklisted process makes network request

Executes dropped EXE

Azorult

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Exploit

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/0aa6ad540cef4f7c3583accdb2d103681f2ebf066928df8760f2b5668fbd58f2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AZORult

doc 0aa6ad540cef4f7c3583accdb2d103681f2ebf066928df8760f2b5668fbd58f2

(this sample)

Delivery method

Distributed via e-mail attachment

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample