MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 13c9ec087b8177e95285fd90ddffb04a3858dbf7316bb1bddc0ab32e38f1c806. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AZORult

Vendor detections: 11

Intelligence 11 IOCs YARA 3 File information Comments

SHA256 hash:	13c9ec087b8177e95285fd90ddffb04a3858dbf7316bb1bddc0ab32e38f1c806
SHA3-384 hash:	dedb2dbef64e641cfc4b2c3e9d385e5b64ba295ac5b213d6ddd8ffb7ae6d1dab9a75ab056b4e59b964681a97daf65e52
SHA1 hash:	24a8170fe7bd916027f7cce59c96440e033329f8
MD5 hash:	603e36c798ef46aa49807ff5c90d75a1
humanhash:	harry-illinois-bravo-four
File name:	Orden de compra [Knuth] 27092022,pdf.exe
Download:	download sample
Signature	AZORult Create hunting rule
File size:	328'688 bytes
First seen:	2022-09-27 16:30:10 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'754 x AgentTesla, 19'664 x Formbook, 12'252 x SnakeKeylogger)
ssdeep	3072:ePfue1xUk222ur+JAdYTBaAWcCElvxHATALhpPh4yW4+9wqY+mhhhmitqOToq:G73222jA2tat2xeTWTPh4y3Ki
Threatray	256 similar samples on MalwareBazaar
TLSH	T16C64B5E0317C93CFD0A28DB15FC98A7079F135AC98D0560EA0F6AB2D93D6395189C5FA
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):
dhash icon	d4a6a494a48484a4 (65 x AgentTesla, 39 x Formbook, 8 x RemcosRAT)
Reporter	abuse_ch
Tags:	AZORult exe

Intelligence

File Origin

# of uploads :

# of downloads :

407

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Azorult

Link:

https://www.capesandbox.com/analysis/314035/

Detection(s):

SecuriteInfo.com.Trojan.InjectNET.50.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Launching a process

Creating a file

Сreating synchronization primitives

DNS request

Sending an HTTP POST request

Creating a file in the %temp% subdirectories

Reading critical registry keys

Running batch commands

Creating a process with a hidden window

Sending a custom TCP request

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

azorult overlay packed

Link:

https://www.filescan.io/uploads/63332548e2ddbcc5eca6fee1/reports/ec9d26ce-1338-4462-86db-2e9ea86d5115/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

AZORult

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ed46be5b-1277-4dc9-9141-1922477cb898

Result

Threat name:

Azorult

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1078671

Signature

Allocates memory in foreign processes

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Writes to foreign memory regions

Yara detected Azorult

Yara detected Azorult Info Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/13c9ec087b8177e95285fd90ddffb04a3858dbf7316bb1bddc0ab32e38f1c806/

Threat name:

Win32.Infostealer.Azorult

Status:

Malicious

First seen:

2022-09-27 12:41:44 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 26 (80.77%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=cpe6ycd3qf36suuf7win375qji4frw7xgfv3dpo4bkzs4ohrzada._file

Verdict:

malicious

Label(s):

formbook

AZORult

5173308acdc7cfbb18621685a0a5a6db64ad1c95aadbe4cceca348f071239245

AZORult

53867ae1994d09f07b882ff96d80fc9d38b50e3aae70054985e07b20634ac14f

AZORult

6f65bc7ad58ce2f17dec79d9dda14c31d73587552b72e7d90b5b827c1a80c9c6

AZORult

73c3dfae006c92cad0d21f619a4d129475a4bb8e0f1c8922f0975b14b5472ade

AZORult

a4e136e1ed1c634f0e0d8a11d7fdfa2fd1a316d90c1f2f18d92af62cb1a2f924

AZORult

b17982b84d161b4f3071af6cedb687b80569aff940441f244642599f0eb2f8a0

AZORult

bdaf2cc27694475beaef6b0945e952e41e3ab6972bae7243b3656c6a87d2bb0e

AZORult

c35cd99a9bd4f1a8289d3bc98bf59a57ac7816ec16de668d37cf4ee747ab7c35

AZORult

+ 246 additional samples on MalwareBazaar

Result

Malware family:

azorult

Score:

10/10

Tags:

family:azorult collection infostealer spyware stealer trojan

Link:

https://tria.ge/reports/220927-t1dj6sfabj/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Accesses cryptocurrency files/wallets, possible credential harvesting

Loads dropped DLL

Reads local data of messenger clients

Azorult

Malware Config

C2 Extraction:

http://kngpdrp.shop/PL341/index.php

Unpacked files

SH256 hash:

d861e1e99b04f2f8a8d47b5e549f406fb24b2bf1eca14fdbb22176bdb6576134

MD5 hash:

127cb8e0065b6a3fe1cfe61125a96fdd

SHA1 hash:

c4905e72903709381ecf7bcef63e58c044d738da

Detections:

win_azorult_auto

win_azorult_g1

Link:

https://www.unpac.me/results/a27d7449-5f2c-4125-95d1-5eac76a6ade8/

Parent samples :

20eb16150dc493901670bd428b72eaa88f8c575bded5d9df8cf174e70c4e2e2c
8a07e0548084f0e3f3334cdf0c8d0b3e1c57e0b33c7df3159d6da4d11931f9ce
13c9ec087b8177e95285fd90ddffb04a3858dbf7316bb1bddc0ab32e38f1c806
295a65a8d806b7cb84d7b28e005b823aa5252501ac639293ebe330e0e151359d

SH256 hash:

93d57854416d29ca995dca665d55466767ecbc8479b166ca7c31f291e9373a84

MD5 hash:

ecab312d812b7db6f35f600ca460f3bf

SHA1 hash:

a2fa5829e4d6610f20672987124dc58e44820a71

Link:

https://www.unpac.me/results/a27d7449-5f2c-4125-95d1-5eac76a6ade8/

SH256 hash:

d49fb56947ce01c399848707865024c37177d124a1dd9d1ab86de1312df56153

MD5 hash:

02601bf98ca13991e18cbf2750225b20

SHA1 hash:

2e186c8b09679f7b73dc2bce4de5d723795a17a2

Link:

https://www.unpac.me/results/a27d7449-5f2c-4125-95d1-5eac76a6ade8/

SH256 hash:

13c9ec087b8177e95285fd90ddffb04a3858dbf7316bb1bddc0ab32e38f1c806

MD5 hash:

603e36c798ef46aa49807ff5c90d75a1

SHA1 hash:

24a8170fe7bd916027f7cce59c96440e033329f8

Link:

https://www.unpac.me/results/a27d7449-5f2c-4125-95d1-5eac76a6ade8/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/13c9ec087b8177e95285fd90ddffb04a3858dbf7316bb1bddc0ab32e38f1c806

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_ConfuserEx Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with ConfuserEx Mod

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/314035/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample