MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0caaaa5f4ab21a8ceaaded6e69be05b30e424980e159c6458b0c8379adee95da. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AZORult

Vendor detections: 9


SHA256 hash: 0caaaa5f4ab21a8ceaaded6e69be05b30e424980e159c6458b0c8379adee95da
SHA3-384 hash: 5dc860327fbf410c5a2217908648c2f858725849c14b88c3d6d8382d663ed9621c210a227a955fdb271504c7fcb8635f
SHA1 hash: 9071ae730d4701dc725a6e76b4a9da7256165030
MD5 hash: a12292c5dc3ffece942e4cf4b54187f0
humanhash: eleven-orange-sad-kilo
File name: Bank Remittance Copy.exe
Signature: AZORult
File size: 565'248 bytes
First seen: 2021-08-31 09:00:34 UTC
Last seen: 2021-08-31 10:52:25 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: ef471c0edf1877cd5a881a6a8bf647b9 (74 x Formbook, 33 x Loki, 29 x Loda)
ssdeep: 12288:5Xe9PPlowWX0t6mOQwg1Qd15CcYk0We1nPfJoomJxRHHE6mRsc9gC8NLhPtDWlqw:ghloDX0XOf4RPfJhOa9
Threatray: 4'222 similar samples on MalwareBazaar
TLSH: T174C4E163A187DCA6D649553D52A4FBAC423CCF524D1FA38970793222EA73D0B2F48CD6
dhash icon: f0f0f2b2e834b498 (29 x AgentTesla, 12 x AveMariaRAT, 8 x RedLineStealer)
Reporter: lowmal3
Tags: AZORult exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 1'063
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: Bank Remittance Copy.exe
Verdict: Malicious activity
Analysis date: 2021-08-31 09:02:49 UTC
Tags: trojan rat azorult opendir

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware

Behaviour
Sending a UDP request
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Creating a file
Deleting a recently created file
Reading critical registry keys
Running batch commands
Creating a process with a hidden window
Launching a process
Stealing user critical data
Result
Threat name: Azorult
Detection: malicious
Classification: troj.spyw.evad
Score: 92 / 100
Signature
AutoIt script contains suspicious strings
C2 URLs / IPs found in malware configuration
Found malware configuration
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Yara detected Azorult
Yara detected Azorult Info Stealer
Threat name: Win32.Trojan.AutoitInject
Status: Malicious
First seen: 2021-08-31 09:01:08 UTC
AV detection: 23 of 28 (82.14%)
Threat level: 5/5

Result
Malware family: azorult
Score: 10/10
Tags: family:azorult discovery infostealer spyware stealer suricata trojan upx
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Azorult
suricata: ET MALWARE AZORult v3.3 Server Response M3
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M18
Malware Config
C2 Extraction: https://nagles.com.au/wp/xl/index.php

Unpacked files
SHA256 hash: 41f4979f944a516ac7aa42119893cb4a166fb9413e9955b549aa409efbe0dc74
MD5 hash: 6f6e6f936f606803202779def0499706
SHA1 hash: 1bd5cb7c5730b47910ca569f576e579ef2efa4ad

SHA256 hash: 0caaaa5f4ab21a8ceaaded6e69be05b30e424980e159c6458b0c8379adee95da
MD5 hash: a12292c5dc3ffece942e4cf4b54187f0
SHA1 hash: 9071ae730d4701dc725a6e76b4a9da7256165030
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Signature: AZORult
File: Executable exe 0caaaa5f4ab21a8ceaaded6e69be05b30e424980e159c6458b0c8379adee95da (this sample)
Delivery method: Distributed via e-mail attachment

Comments