MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0f63b4b4659449eee766610af817b786e9cd7622743851cf7b71430613d7521b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 14


Intelligence 14 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0f63b4b4659449eee766610af817b786e9cd7622743851cf7b71430613d7521b
SHA3-384 hash: 813478fc3169304b6ad9c7dc70f68c32f7372d1fdfdf57dac103f80979824d1c087a476229a5e9afdda9da3587b17e4a
SHA1 hash: cb7f1e3acc3636a6f890edb8c44d0abe2674ec1c
MD5 hash: 5fea51478a01f10a78d428751e973aba
humanhash: edward-don-ohio-seven
File name:5fea51478a01f10a78d428751e973aba.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:401'408 bytes
First seen:2022-04-08 09:44:23 UTC
Last seen:2022-04-08 11:10:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 17b4b1fe70fbbdccbba7c09889838934 (3 x AZORult, 2 x Worm.Ramnit, 1 x RedLineStealer)
ssdeep 6144:2lQvwtXnjXFCOSNUUTN3lLGrlQvSQzrZ6pn5SOpsNeJm7SOpsNesmvm:2FjXFzYpcFQfGsOWOOhvm
Threatray 10'605 similar samples on MalwareBazaar
TLSH T15B84E00E99AB4533F2078E785FC482E886BE3C2736A6F44FEB406E9507723444A95777
Reporter abuse_ch
Tags:AZORult exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
822
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
5fea51478a01f10a78d428751e973aba.exe
Verdict:
Malicious activity
Analysis date:
2022-04-08 21:25:13 UTC
Tags:
trojan rat redline arkei stealer vidar loader
Link:
https://app.any.run/tasks/8d8b7e4f-a434-483a-bd70-2cd1dec96f8f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/262052/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.29086.10568.15838.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug anti-vm control.exe expand.exe greyware hacktool obfuscated packed
Link:
https://www.filescan.io/uploads/62500429cccdcb99472a11b7/reports/8ed539ec-d226-4cc4-bbaa-f53d5a16c493/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fe30d9ca-cab5-477a-9f9b-7c828b47717f
Result
Threat name:
RedLine Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/973135
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Detected unpacking (creates a PE file in dynamic memory)
Found evasive API chain (may stop execution after checking computer name)
Found evasive API chain (may stop execution after checking locale)
Found evasive API chain (may stop execution after checking mutex)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses process hollowing technique
Self deletion via cmd delete
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected RedLine Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 605623 Sample: tTRN8ebXfO.exe Startdate: 08/04/2022 Architecture: WINDOWS Score: 100 47 charisma.ac.ug 2->47 51 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->51 53 Multi AV Scanner detection for domain / URL 2->53 55 Found malware configuration 2->55 57 13 other signatures 2->57 9 tTRN8ebXfO.exe 2 2->9         started        signatures3 process4 file5 43 C:\Users\user\AppData\Local\...\Fvdfggf.exe, PE32 9->43 dropped 67 Detected unpacking (creates a PE file in dynamic memory) 9->67 69 Found evasive API chain (may stop execution after checking mutex) 9->69 71 Self deletion via cmd delete 9->71 73 5 other signatures 9->73 13 Fvdfggf.exe 9->13         started        16 tTRN8ebXfO.exe 73 9->16         started        signatures6 process7 dnsIp8 75 Antivirus detection for dropped file 13->75 77 Multi AV Scanner detection for dropped file 13->77 79 Machine Learning detection for dropped file 13->79 87 3 other signatures 13->87 19 RegAsm.exe 15 8 13->19         started        24 RegAsm.exe 13->24         started        26 RegAsm.exe 13->26         started        45 charisma.ac.ug 62.204.41.69, 49747, 49757, 49758 TNNET-ASTNNetOyMainnetworkFI United Kingdom 16->45 81 Self deletion via cmd delete 16->81 83 Tries to harvest and steal browser information (history, passwords, etc) 16->83 85 Tries to steal Crypto Currency Wallets 16->85 28 cmd.exe 1 16->28         started        signatures9 process10 dnsIp11 49 62.204.41.166, 27688, 49752 TNNET-ASTNNetOyMainnetworkFI United Kingdom 19->49 39 C:\Users\user\AppData\Local\Temp\kaxfds.exe, PE32 19->39 dropped 41 C:\Users\user\AppData\Local\...\kaxfcfdds.exe, PE32 19->41 dropped 59 Tries to harvest and steal browser information (history, passwords, etc) 19->59 61 Tries to steal Crypto Currency Wallets 19->61 30 kaxfcfdds.exe 19->30         started        33 kaxfds.exe 14 2 19->33         started        63 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 24->63 65 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 24->65 35 conhost.exe 28->35         started        37 timeout.exe 1 28->37         started        file12 signatures13 process14 signatures15 89 Antivirus detection for dropped file 30->89 91 Multi AV Scanner detection for dropped file 30->91 93 Machine Learning detection for dropped file 30->93
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0f63b4b4659449eee766610af817b786e9cd7622743851cf7b71430613d7521b/
Threat name:
Win32.Trojan.MarsStealer
Create hunting rule
Status:
Malicious
First seen:
2022-04-07 09:34:07 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
23 of 41 (56.10%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=b5r3jndfsre65z3gmefpqf5xq3u425rcoq4fdt33ofbqme6xkinq._file
Verdict:
malicious
Similar samples:
0b7410c41dd49a7a43487fa0e56f5b336951609e67b873d5cdd70632a954b4a8
AZORult
175b071e0af990176bee9c03654353b1ace449489048941e7c567a7f897814e5
AZORult
2cb326bf23a15dfa548df0266743efffefe1cb91450b3146e03e72f51c2cf0d9
AZORult
4f26b9b399e238579178958fc76c17ab1a605a33cb6bd6d47aac073596a2dee6
AZORult
94e022cc268feee9f2a1a08260ecbb9767bfc0383ccabfb12330c30b5edf4933
AZORult
b8868eb87c7cb945704e2d0b8ec2ebdc890cd6df12f9ef0a7295582c7fd0cf1f
AZORult
+ 10'595 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:arkei family:azorult family:redline botnet:04062022 botnet:default discovery infostealer persistence spyware stealer suricata trojan
Link:
https://tria.ge/reports/220408-lq2v1sgfhq/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks computer location settings
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Arkei
Azorult
RedLine
RedLine Payload
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M13
suricata: ET MALWARE Win32/Vidar Variant/Mars Stealer CnC Exfil
Malware Config
C2 Extraction:
62.204.41.166:27688
http://62.204.41.69/p8jG9WvgbE.php
http://195.245.112.115/index.php
Unpacked files
SH256 hash:
0778ed10c134884367243988f1935de83ff4fbc0863095de2aa0fed7bd374de3
MD5 hash:
48ebbc07bc8420bae4cea4cb3327eb2a
SHA1 hash:
d4b26eaedd2254d2da8ed3a945889363554b44d6
Link:
https://www.unpac.me/results/68aba973-00f8-421d-9a9a-9dc1c90b5b81/
SH256 hash:
271220416c0b371aca412417a3d519e40a653a3d107508fd599f0fdd1c9f93b6
MD5 hash:
28e3b7a14791b9a03b591258cfddc806
SHA1 hash:
d9b2882e6db9b30cda24bc79accb19e0ccd4374a
Link:
https://www.unpac.me/results/68aba973-00f8-421d-9a9a-9dc1c90b5b81/
SH256 hash:
0f63b4b4659449eee766610af817b786e9cd7622743851cf7b71430613d7521b
MD5 hash:
5fea51478a01f10a78d428751e973aba
SHA1 hash:
cb7f1e3acc3636a6f890edb8c44d0abe2674ec1c
Link:
https://www.unpac.me/results/68aba973-00f8-421d-9a9a-9dc1c90b5b81/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/0f63b4b46594/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Azorult
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/0f63b4b4659449eee766610af817b786e9cd7622743851cf7b71430613d7521b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Redline_Stealer_Monitor
Create hunting rule
Description:Detects RedLine Stealer Variants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AZORult

Executable exe 0f63b4b4659449eee766610af817b786e9cd7622743851cf7b71430613d7521b

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1746813/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/399075/
  
URLhaus
https://urlhaus.abuse.ch/url/1746809/
  
URLhaus
https://urlhaus.abuse.ch/url/437013/
  
URLhaus
https://urlhaus.abuse.ch/url/446434/
  
URLhaus
https://urlhaus.abuse.ch/url/265919/
Cape
Cape
https://www.capesandbox.com/analysis/262052/

Comments