MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0b7410c41dd49a7a43487fa0e56f5b336951609e67b873d5cdd70632a954b4a8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 11


Intelligence 11 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0b7410c41dd49a7a43487fa0e56f5b336951609e67b873d5cdd70632a954b4a8
SHA3-384 hash: 2c8c1555d5488f691f74dfe00f9eee513040e078f71cb20ee9a6c1a39dcfc426747aa23c82259ba02a2f55e5cd7de6f0
SHA1 hash: 4fca8630117e276b664de8e75a0c6ae3ed5ad48e
MD5 hash: 1fdf9b9ac3b1b74a73f0dfdbdbd99827
humanhash: mango-early-salami-south
File name:0B7410C41DD49A7A43487FA0E56F5B336951609E67B87.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:524'288 bytes
First seen:2022-02-09 18:36:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fb0fb8edc31fffe9bb05edbac608d5c5 (5 x RaccoonStealer, 4 x AZORult, 1 x NetWire)
ssdeep 12288:bv3rCh5neWBqk/THRo0DcO5NHeJjFMNjjTp1qBJ2nj/J:reO2/HRXcIUFM5TpICnTJ
Threatray 9'143 similar samples on MalwareBazaar
TLSH T110B4D00BB765015AF08A097819B059F64F7A9C3371462D4FF785FE1C1AF2AC6A8E0367
File icon (PE):PE icon
dhash icon 71f89a99c8fc3480 (1 x AZORult)
Reporter abuse_ch
Tags:AZORult exe


Avatar
abuse_ch
AZORult C2:
http://185.163.204.20/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://185.163.204.20/ https://threatfox.abuse.ch/ioc/384586/

Intelligence

File Origin
# of uploads :
1
# of downloads :
391
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/239811/
Detection(s):
Win.Dropper.Raccoon-9884067-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe fareit greyware obfuscated packed raccoon shell32.dll
Link:
https://www.filescan.io/uploads/6204099c36f992191832570f/reports/181442dd-11e4-464f-b397-79b339df369c/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AZORult
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1326d118-d2bf-4b17-9b56-4ecea4d9c82a
Result
Threat name:
Azorult Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
82 / 100
Link:
https://www.joesandbox.com/analysis/937165
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to resolve many domain names, but no domain seems valid
Yara detected Azorult
Yara detected Azorult Info Stealer
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 569641 Sample: 0B7410C41DD49A7A43487FA0E56... Startdate: 09/02/2022 Architecture: WINDOWS Score: 82 52 pretorian.ug 2->52 54 underdohag.ac.ug 2->54 69 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->69 71 Multi AV Scanner detection for domain / URL 2->71 73 Found malware configuration 2->73 77 12 other signatures 2->77 10 0B7410C41DD49A7A43487FA0E56F5B336951609E67B87.exe 15 2->10         started        signatures3 75 Tries to resolve many domain names, but no domain seems valid 52->75 process4 file5 50 C:\Users\user\AppData\Local\...\SAvavasnb.exe, PE32 10->50 dropped 87 Maps a DLL or memory area into another process 10->87 89 Contains functionality to detect sleep reduction / modifications 10->89 14 SAvavasnb.exe 4 10->14         started        17 0B7410C41DD49A7A43487FA0E56F5B336951609E67B87.exe 10->17         started        signatures6 process7 signatures8 91 Antivirus detection for dropped file 14->91 93 Performs DNS queries to domains with low reputation 14->93 95 Machine Learning detection for dropped file 14->95 97 Maps a DLL or memory area into another process 14->97 19 SAvavasnb.exe 28 14->19         started        process9 dnsIp10 56 wishamag.ac.ug 19->56 59 partiad.xyz 19->59 61 21 other IPs or domains 19->61 38 C:\Users\user\AppData\Local\...\ropakxa.exe, PE32 19->38 dropped 40 C:\Users\user\AppData\Local\...\Dropakxa.exe, PE32 19->40 dropped 42 C:\Users\user\AppData\Local\...\DropaGkxa.exe, PE32 19->42 dropped 44 5 other malicious files 19->44 dropped 23 Dropakxa.exe 7 19->23         started        27 DroCpakxa.exe 4 19->27         started        29 DropaGkxa.exe 4 19->29         started        31 ropakxa.exe 4 19->31         started        file11 85 Tries to resolve many domain names, but no domain seems valid 59->85 signatures12 process13 file14 46 C:\Users\user\AppData\Local\...\dfgasdme.exe, PE32 23->46 dropped 48 C:\Users\user\AppData\Local\...\Dbvsdfe.exe, PE32 23->48 dropped 79 Antivirus detection for dropped file 23->79 81 Multi AV Scanner detection for dropped file 23->81 83 Machine Learning detection for dropped file 23->83 33 Dbvsdfe.exe 4 23->33         started        36 dfgasdme.exe 4 23->36         started        signatures15 process16 signatures17 63 Antivirus detection for dropped file 33->63 65 Multi AV Scanner detection for dropped file 33->65 67 Machine Learning detection for dropped file 33->67
Detection:
azorult
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0b7410c41dd49a7a43487fa0e56f5b336951609e67b873d5cdd70632a954b4a8/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2021-12-10 11:48:44 UTC
File Type:
PE (Exe)
Extracted files:
28
AV detection:
34 of 43 (79.07%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bn2bbra52snhuq2ip6qok323gnuvcye6m64hhvon24ddfkkuwsua._file
Verdict:
malicious
Similar samples:
250c1dda429b8b2c8b638ddc80999039267bda7b959d5a854c5f4855601df548
AZORult
2cb326bf23a15dfa548df0266743efffefe1cb91450b3146e03e72f51c2cf0d9
AZORult
36499f5c573a8752c3b566b19e52f3a235e73e4cdb7123f3452a007c945f7daf
AZORult
4f4a33f70099855f5f503716515f388da3a5daa1e2fac59ec6c881e89ef7d072
AZORult
5d7bc178cb3eafae7b2c99b2cfd2ceec87119cf2403f86af87435d4479f36724
AZORult
5f674444804a14848e4bc25616732d85d2d6e7e9b96e19aa90c36070c16b0570
AZORult
820b1216485962fa3501dc8bd02a76bdb821fd7b6ffab858c4ebe135c4246090
AZORult
c565ce12f63b1cb897156e0234907a49517439247747cc7df5b69952c1e7ce43
AZORult
cceb5da1ebba042d949f4afef5f5e4638826493201564245be0448920dac639c
AZORult
ce931ede894759cdd518d9dd8f4a9888b7fa3656bd6fa3bc0b66514b985efb5d
AZORult
+ 9'133 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:azorult family:oski family:raccoon botnet:125d9f8ed76e486f6563be097a710bd4cba7f7f2 discovery infostealer spyware stealer trojan upx
Link:
https://tria.ge/reports/220209-w8yanabbf3/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Kills process with taskkill
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
Azorult
Oski
Raccoon
Suspicious use of NtCreateProcessExOtherParentProcess
Malware Config
C2 Extraction:
http://195.245.112.115/index.php
pretorian.ug
Unpacked files
SH256 hash:
95b94a7a06b6cd5734013ef7ebb9f9cea6d04f7f467fffa203a09a8e6d5ff0d3
MD5 hash:
5acd21381d600765601be0e4e7b6597a
SHA1 hash:
879cec8513536dfb7a2b562e05893bbf0ef6f5ee
Link:
https://www.unpac.me/results/e6bfac02-85fa-4dd6-8f91-5b9bc2e2500d/
SH256 hash:
2bad052bd2fcca9e96b30ed8a78d07dd31cfdf071d8648bdf083e0f2363db59d
MD5 hash:
24f3d84f47286c5821af21fab61b3889
SHA1 hash:
84de7d922f1528a6bab51f807aa4a4546e884128
Link:
https://www.unpac.me/results/e6bfac02-85fa-4dd6-8f91-5b9bc2e2500d/
SH256 hash:
0b7410c41dd49a7a43487fa0e56f5b336951609e67b873d5cdd70632a954b4a8
MD5 hash:
1fdf9b9ac3b1b74a73f0dfdbdbd99827
SHA1 hash:
4fca8630117e276b664de8e75a0c6ae3ed5ad48e
Link:
https://www.unpac.me/results/e6bfac02-85fa-4dd6-8f91-5b9bc2e2500d/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/239811/

Comments