MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 140cc51fe0fc985627bacf0b95796570f22b39b30d832a24056d68d054ea25be. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 140cc51fe0fc985627bacf0b95796570f22b39b30d832a24056d68d054ea25be
SHA3-384 hash: 0d75c32a014a88d237c31eeeb2b50304ffa41e4bd57abdf5e64dffe42459095a8a3df06d7973624eda5c31fd5f3d159c
SHA1 hash: 7dcef7b36250488592b18af23e885a201352027a
MD5 hash: 60e0146ff8ba8d6a4892499e096061a1
humanhash: bacon-nuts-stairway-william
File name:140cc51fe0fc985627bacf0b95796570f22b39b30d832a24056d68d054ea25be
Download: download sample
Signature AZORult
Create hunting rule
File size:269'210 bytes
First seen:2022-12-07 11:48:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3abe302b6d9a1256e6a915429af4ffd2 (271 x GuLoader, 38 x Formbook, 25 x Loki)
ssdeep 6144:TF1IDBtDqVptc2sQD6LnMi7Ep784m1BEs5xMt/qCIx1A:XIDTStlD6LXa7TUEs/CIs
Threatray 3'754 similar samples on MalwareBazaar
TLSH T19444125B7670D4E3CDB7CBB115791A019FE8862120B517139BA03F957E03BA7922E393
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter adrian__luca
Tags:AZORult exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
213
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
140cc51fe0fc985627bacf0b95796570f22b39b30d832a24056d68d054ea25be
Verdict:
Malicious activity
Analysis date:
2022-12-07 11:48:28 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d6c745cf-9f8b-4c12-a3cd-814e315831cd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Azorult
Create hunting rule
Link:
https://www.capesandbox.com/analysis/343849/
Detection(s):
Win.Ransomware.Protected-9885478-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
DNS request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
azorult buer overlay packed protected ransomware shell32.dll
Link:
https://www.filescan.io/uploads/63907daed4d7598ad904ad01/reports/d7be5e2a-dd09-4f71-8964-758c7a5d9846/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/022d7f79-19f5-44fa-8b2a-5fb3e9688f1a
Result
Threat name:
Azorult
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1130244
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Drops PE files with benign system names
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected Azorult
Yara detected Azorult Info Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/140cc51fe0fc985627bacf0b95796570f22b39b30d832a24056d68d054ea25be/
Threat name:
Win32.Infostealer.Azorult
Create hunting rule
Status:
Malicious
First seen:
2022-11-28 15:01:03 UTC
File Type:
PE (Exe)
Extracted files:
18
AV detection:
21 of 41 (51.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cqgmkh7a7smfmj52z4fzk6lfodzcwontbwbsujafnvunavhkew7a._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
Similar samples:
01e1bbb9bb2c3e5ed68df65a2846faa611ec9bfcbf664e0abd5b72005502cac4
AZORult
23941746340e89fb699e4ecec106fbfd40186fc5b483bf72d82d5d5a2706863f
AZORult
2d725c799e8787ef98e26cb025144cbe405aef31bc4ddd2011c80c09efa87400
AZORult
3e5ab0b50e64201cc2f6dd7be35f3d35c0736eef0477db88a71d2ff423048241
AZORult
437dbcbd9a2a96e1d829c425db2e6bac72534f0227f63aed8f4abfa56d490f25
AZORult
689290a8b842a0fd09f5ce00654d64d70d0be3e19e2ca60d5dd3d199d3e09054
AZORult
9f452d7d0048825bc6a35952dd645d68e6b5788858481998c660b8b31d1e1b63
AZORult
d2952be5c81f4135c0953b7b36677704f24f4d780de268ce6b67a44a6f15419a
AZORult
ed34d4eba0bc7d434f32bb9bca0147632592656ddf0c2aa892fbee54b0850ff1
AZORult
f40b9e6f7cfed63bba3b6eae6b0403ab26906caa77830027ed39a05918c4b877
AZORult
+ 3'744 additional samples on MalwareBazaar
Result
Malware family:
azorult
Create hunting rule
Score:
  10/10
Tags:
family:azorult infostealer trojan
Link:
https://tria.ge/reports/221207-ny1n2agh2v/
Behaviour
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Azorult
Malware Config
C2 Extraction:
http://nanaa.tech/index.php
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/a2aaf7f5-5285-46b1-97f4-fa231dd26582
Unpacked files
SH256 hash:
bc7e6ac9b70bea9d095dadab5a874db242bfdd29b579aded1676324105153728
MD5 hash:
708a1c4c3522e0ca8e4b19d47575d487
SHA1 hash:
6587ace85d1e70bdf12348d7f98f57aec06b640a
Detections:
Azorult
Create hunting rule
win_azorult_auto
Create hunting rule
win_azorult_g1
Create hunting rule
Link:
https://www.unpac.me/results/ecfcd39e-2674-4a7e-901e-b5f3f607c524/
SH256 hash:
a7c283adc00c41e95bec65a704eb83ecb652272c0eba1b41826bebc78d05453d
MD5 hash:
093f908f29758a3260f0455591d9c5b9
SHA1 hash:
f43a7414dbadf3e06983e1f60dd0bd9ad0999fac
Detections:
win_azorult_g1
Create hunting rule
Link:
https://www.unpac.me/results/ecfcd39e-2674-4a7e-901e-b5f3f607c524/
SH256 hash:
140cc51fe0fc985627bacf0b95796570f22b39b30d832a24056d68d054ea25be
MD5 hash:
60e0146ff8ba8d6a4892499e096061a1
SHA1 hash:
7dcef7b36250488592b18af23e885a201352027a
Link:
https://www.unpac.me/results/ecfcd39e-2674-4a7e-901e-b5f3f607c524/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/140cc51fe0fc985627bacf0b95796570f22b39b30d832a24056d68d054ea25be

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ins_NSIS_Buer_Nov_2020_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect NSIS installer used for Buer loader
Rule name:SUSP_NullSoftInst_Combo_Oct20_1
Create hunting rule
Author:Florian Roth
Description:Detects suspicious NullSoft Installer combination with common Copyright strings
Reference:https://twitter.com/malwrhunterteam/status/1313023627177193472

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/343849/

Comments