MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 18d320f41de51851ff6ff640f33d724236b27e0021bc860e38c7117d97746c27. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AZORult

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	18d320f41de51851ff6ff640f33d724236b27e0021bc860e38c7117d97746c27
SHA3-384 hash:	24cf8b8ada50ca615938f05491055f73b57e62facf07f5508120a628612160578dddde137b65d403c2156dd8d120b708
SHA1 hash:	e9848f5097c9eecf90c1a83a053bba05bacbb8f0
MD5 hash:	2609f8ca732d829a3567db921ba1a614
humanhash:	pennsylvania-table-violet-eight
File name:	Purchase Order.exe
Download:	download sample
Signature	AZORult Create hunting rule
File size:	299'520 bytes
First seen:	2021-02-22 06:35:36 UTC
Last seen:	2021-02-22 08:41:33 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'752 x AgentTesla, 19'658 x Formbook, 12'248 x SnakeKeylogger)
ssdeep	6144:HIMyWI+V/59lqWjm21jwkU6qNrlFAWljVZsZS3bJynhwGPmk:ZEU/RqWCezU6qNrkWZsZnhw
Threatray	555 similar samples on MalwareBazaar
TLSH	E8540210316C236DC06A97FB99769094333ADE259053F7BE4CEAB0E52AF37155A93B03
Reporter	cocaman
Tags:	AZORult exe

Intelligence

File Origin

# of uploads :

# of downloads :

253

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Azorult

Link:

https://www.capesandbox.com/analysis/118180/

Detection(s):

SecuriteInfo.com.Trojan.Packed2.42850.21460.12202.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

Connection attempt

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

AZORult

Detection:

malicious

Classification:

spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/613646

Signature

Detected AZORult Info Stealer

Executable has a suspicious name (potential lure to open the executable)

Found many strings related to Crypto-Wallets (likely being stolen)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Azorult

Yara detected Azorult Info Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

azorult

Link:

https://mwdb.cert.pl/sample/18d320f41de51851ff6ff640f33d724236b27e0021bc860e38c7117d97746c27/

Threat name:

ByteCode-MSIL.Trojan.OutBreak

Status:

Malicious

First seen:

2021-02-21 17:38:31 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

22 of 48 (45.83%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ddjsb5a54umfd73p6zapgplsii3le7qaeg6imdryy4ix3f3unqtq._file

Verdict:

malicious

Label(s):

azorult

Result

Malware family:

azorult

Score:

10/10

Tags:

family:azorult infostealer trojan

Link:

https://tria.ge/reports/210222-d8dxg2z8c6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Azorult

Malware Config

C2 Extraction:

http://198.71.50.125/index.php

Unpacked files

SH256 hash:

29b0129860548407b607f21c780a867cb5ab49b04b0e7dafa2f61b0235ee3b92

MD5 hash:

4b5bc07209dd7ad55b0091930bfc7ee6

SHA1 hash:

1f12ff69c5f0356d18d71ade12132ff15c92d78f

Detections:

win_azorult_g1

win_azorult_auto

Link:

https://www.unpac.me/results/b623ba86-a464-4c39-80f5-595356aaabc0/

Parent samples :

24ed16aa91766bd198e5d026082e7c19a16739a1defa14b0b9a3363be6155996
18d320f41de51851ff6ff640f33d724236b27e0021bc860e38c7117d97746c27

SH256 hash:

f0a09c48af16c079c37ad0914f18897976357981fe5ee6f556ab9f9f70b9a671

MD5 hash:

f984a71581f6da5732110be2a569a392

SHA1 hash:

10de05b6b35fc5dbc00c42d59a4b850bcaae01e6

Link:

https://www.unpac.me/results/b623ba86-a464-4c39-80f5-595356aaabc0/

SH256 hash:

bc05b3ed043ddf69f7204b912149b377ddd86ca9b3c7d29c51f175cc772c027b

MD5 hash:

2d7955895e6e5d0e008e6b99a57bd120

SHA1 hash:

0183f190562603fe5f356583a4f34b950c2be0c7

Link:

https://www.unpac.me/results/b623ba86-a464-4c39-80f5-595356aaabc0/

SH256 hash:

18d320f41de51851ff6ff640f33d724236b27e0021bc860e38c7117d97746c27

MD5 hash:

2609f8ca732d829a3567db921ba1a614

SHA1 hash:

e9848f5097c9eecf90c1a83a053bba05bacbb8f0

Link:

https://www.unpac.me/results/b623ba86-a464-4c39-80f5-595356aaabc0/

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AZORult

zip 6e469b7ca5b32ee54ab3e3e3ca6a6157ee9f9102a190b62bf6560ea9d523f4cc

AZORult

exe 18d320f41de51851ff6ff640f33d724236b27e0021bc860e38c7117d97746c27

(this sample)

Delivery method

Other

Dropped by

SHA256 6e469b7ca5b32ee54ab3e3e3ca6a6157ee9f9102a190b62bf6560ea9d523f4cc

Cape

https://www.capesandbox.com/analysis/118180/

URLhaus

https://urlhaus.abuse.ch/url/1023467/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample