MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1206ddd174f5df61f70259ac6da12226590232dd5f70d3139aa290d381efecbe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AZORult

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	1206ddd174f5df61f70259ac6da12226590232dd5f70d3139aa290d381efecbe
SHA3-384 hash:	6a811d763b6080e7e8ab9012672ffa597d57a6b3ba368775130cb75d5d1e3be31eb0218da97de845f578283a624785e5
SHA1 hash:	b3a79f4b6fa9f4bcc4c8bab8b6eda8df3b0f0ee0
MD5 hash:	3af928b8c8ff9993e7567360d26275e6
humanhash:	coffee-six-hawaii-five
File name:	Catalog.exe
Download:	download sample
Signature	AZORult Create hunting rule
File size:	731'648 bytes
First seen:	2020-10-02 06:44:06 UTC
Last seen:	2020-10-02 06:44:37 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	b9e41474d2733184de68861799509b24 (2 x AZORult, 1 x AgentTesla, 1 x AveMariaRAT)
ssdeep	12288:/cFUncJ54irus265GoqlDX1YH0COI+w7Ror6PpGg+l2K3RYUOQmT/3iJusPIW6F:lnYnuRcBIoGblBhk/qIX
Threatray	367 similar samples on MalwareBazaar
TLSH	38F48E23B2A15877C173263C9C0B5FB4593EBEF02924A9466BF8DD485F38651392D28F
Reporter	cocaman
Tags:	AZORult exe

Intelligence

File Origin

# of uploads :

# of downloads :

174

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Azorult

Link:

https://www.capesandbox.com/analysis/67635/

Detection(s):

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

SecuriteInfo.com.Heur.25317.18742.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Sending a UDP request

Creating a file in the %temp% subdirectories

Creating a file

Deleting a recently created file

Reading critical registry keys

Stealing user critical data

Sending an HTTP POST request to an infection source

Result

Threat name:

AZORult

Detection:

malicious

Classification:

phis.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/479964

Signature

Antivirus / Scanner detection for submitted sample

Binary contains a suspicious time stamp

Contains functionality to detect sleep reduction / modifications

Detected AZORult Info Stealer

Detected unpacking (changes PE section rights)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file access)

Yara detected Azorult

Yara detected Azorult Info Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1206ddd174f5df61f70259ac6da12226590232dd5f70d3139aa290d381efecbe/

Threat name:

Win32.Trojan.LokiBot

Status:

Malicious

First seen:

2020-10-01 07:21:04 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

28 of 29 (96.55%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=cidn3ulu6xpwd5yclgwg3ijcezmqemw5l5ynge42ukinhapp5s7a._file

Verdict:

malicious

Label(s):

azorult

Result

Malware family:

azorult

Score:

10/10

Tags:

discovery trojan infostealer family:azorult spyware

Link:

https://tria.ge/reports/201002-73rqtyjfms/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Checks installed software on the system

JavaScript code in executable

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Azorult

Malware Config

C2 Extraction:

http://207.154.240.23/index.php

Unpacked files

SH256 hash:

1206ddd174f5df61f70259ac6da12226590232dd5f70d3139aa290d381efecbe

MD5 hash:

3af928b8c8ff9993e7567360d26275e6

SHA1 hash:

b3a79f4b6fa9f4bcc4c8bab8b6eda8df3b0f0ee0

Link:

https://www.unpac.me/results/008a952d-b478-481b-a696-f417e2a14125/

SH256 hash:

4a51221d0cfdb22ae1667889b2ca61cdde827b54065048347bae7fec90af7ee3

MD5 hash:

9b1f6700ebab67eaf6b4a4ab768c948a

SHA1 hash:

dfb1fff5addcacaf2780c86fd488c8917878e615

Detections:

win_azorult_g1

win_azorult_auto

Link:

https://www.unpac.me/results/008a952d-b478-481b-a696-f417e2a14125/

Parent samples :

1206ddd174f5df61f70259ac6da12226590232dd5f70d3139aa290d381efecbe
a8e109be069f5ee700269958c9a2312f8417e7e6d88e5cfcdc439865f4a896e0
9373672ac208fbcbd30989225c834fb94742f87bbf6d47ce78484076a74e8489

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1206ddd174f5df61f70259ac6da12226590232dd5f70d3139aa290d381efecbe

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AZORult

zip 55367cd057edebd813637c5a857e217a1f52c5d09eb46aa45fef973855f31e56

AZORult

exe 1206ddd174f5df61f70259ac6da12226590232dd5f70d3139aa290d381efecbe

(this sample)

Delivery method

Other

Dropped by

SHA256 55367cd057edebd813637c5a857e217a1f52c5d09eb46aa45fef973855f31e56

Dropped by

SHA256 6c9d2c756ec211e2a94a253bb04214d8be64b9f0f767d68bd88ec84d74e273ae

Cape

https://www.capesandbox.com/analysis/67635/

URLhaus

https://urlhaus.abuse.ch/url/638918/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample