MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 119687640dc5deedb4b0ca917ad14c10e09d90d3fdffd6cca8256672b5261feb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AZORult

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	119687640dc5deedb4b0ca917ad14c10e09d90d3fdffd6cca8256672b5261feb
SHA3-384 hash:	c8363b9ece9a656a16e082cd73180e6379be1405475b17065bf8fcc3a47dce360767ecf0eb4d419cff9f4cdf7bd8dd81
SHA1 hash:	e3fbfec13dab76a34c8e606c5a92aa39999dee3e
MD5 hash:	370e959f0588178da576e74d1b682447
humanhash:	november-oscar-chicken-zebra
File name:	CMS - CCMA Case GAJB18471-21 GAJB.pdf.exe
Download:	download sample
Signature	AZORult Create hunting rule
File size:	241'664 bytes
First seen:	2021-01-11 09:01:58 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	1c111df02e2fb1f8eb1d52bfc842bac4 (8 x AZORult)
ssdeep	6144:6o0Eke8NgiCfpO9vtoVVZznaN/X6kkwN:OZZWfpO9GlnaJ
Threatray	569 similar samples on MalwareBazaar
TLSH	B734E740F240DA62E8870FB3D93BCDB1512BBE795678471E258E77291AF338600B5E5B
Reporter	abuse_ch
Tags:	AZORult exe

abuse_ch

Malspam distributing AZORult:

HELO: server.biztec.co.za
Sending IP: 196.41.123.101
From: casemngtsys@ccma.org.za
Subject: CMS - CCMA Case GAJB18471-21 (GAJB) is scheduled for 'Arbitration' for Fri 15-January-2021 10:00
Attachment: CMS - CCMA Case GAJB18471-21 GAJB.pdf.gz (contains "CMS - CCMA Case GAJB18471-21 GAJB.pdf.exe")

AZORult C2:
http://193.239.147.212/azone/index.php

Intelligence

File Origin

# of uploads :

# of downloads :

232

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

CMS - CCMA Case GAJB18471-21 (GAJB).pdf.gz

Verdict:

Malicious activity

Analysis date:

2021-01-11 09:00:27 UTC

Tags:

trojan rat azorult

Link:

https://app.any.run/tasks/e1506691-79ee-4c30-a76f-3d9d3f2f2c35

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Azorult

Link:

https://www.capesandbox.com/analysis/111257/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Result

Threat name:

AZORult

Detection:

malicious

Classification:

phis.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/577758

Signature

Antivirus / Scanner detection for submitted sample

Binary contains a suspicious time stamp

Detected AZORult Info Stealer

Detected unpacking (changes PE section rights)

Found many strings related to Crypto-Wallets (likely being stolen)

Initial sample is a PE file and has a suspicious name

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Sigma detected: Suspicious Double Extension

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Crypto Currency Wallets

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file access)

Uses an obfuscated file name to hide its real file extension (double extension)

Yara detected Azorult

Yara detected Azorult Info Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/119687640dc5deedb4b0ca917ad14c10e09d90d3fdffd6cca8256672b5261feb/

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2021-01-11 05:48:54 UTC

AV detection:

9 of 46 (19.57%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=cgliozanyxpo3nfqzkixvukmcdqj3egt7x75ntfievthfnjgd7vq._file

Verdict:

malicious

Label(s):

azorult

netwirerc

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/210111-5h14361zyj/

Behaviour

Suspicious use of SetWindowsHookEx

Unpacked files

SH256 hash:

119687640dc5deedb4b0ca917ad14c10e09d90d3fdffd6cca8256672b5261feb

MD5 hash:

370e959f0588178da576e74d1b682447

SHA1 hash:

e3fbfec13dab76a34c8e606c5a92aa39999dee3e

Link:

https://www.unpac.me/results/a83998d8-d29c-4862-826e-9a93ffaf72f1/

SH256 hash:

c9a8057461ff60e531cb7bba65429c22d204df15ae677870d1aae6e75c676582

MD5 hash:

af1d7ff8502106b0095e51fde6507ea3

SHA1 hash:

bd1766d308b254c4a5e7838a3e82dfa30c89b671

Detections:

win_azorult_g1

win_azorult_auto

Link:

https://www.unpac.me/results/a83998d8-d29c-4862-826e-9a93ffaf72f1/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/119687640dc5deedb4b0ca917ad14c10e09d90d3fdffd6cca8256672b5261feb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AZORult

gz e7d0b9f1ce991c34dc3c72d7d696213797995727b24998705724b38832f62f80

AZORult

exe 119687640dc5deedb4b0ca917ad14c10e09d90d3fdffd6cca8256672b5261feb

(this sample)

Dropped by

MD5 907434305e1d0458a8b183123634d790

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/111257/

Dropped by

SHA256 e7d0b9f1ce991c34dc3c72d7d696213797995727b24998705724b38832f62f80

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample