MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 18d7cdf63d95a5fd7bf6fff361655b6e8857b14d0444315b3ffca538877b9aa1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 12


Intelligence 12 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 18d7cdf63d95a5fd7bf6fff361655b6e8857b14d0444315b3ffca538877b9aa1
SHA3-384 hash: 7101842f6fff797632827fa8076f3a821fba895a8c632b53b867633f46381175e8128bd2a766d80ddc2a0e5c5130bffc
SHA1 hash: c748b86f978631c76bbb7f631360f431cd3ac3ad
MD5 hash: 08bf261214d109955c81c62fb4e6cdd2
humanhash: alpha-pizza-arkansas-network
File name:DHL-119055 de recibo,pdf.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:345'072 bytes
First seen:2022-09-28 16:32:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'754 x AgentTesla, 19'660 x Formbook, 12'251 x SnakeKeylogger)
ssdeep 3072:6rJZ3ZQ5F4VewO24oeK1z/JMUVoyfE5JCFZRtq971hEbaFSkjiRrP6Aq:yxO24oHz/jqJCFZeca+
Threatray 1'436 similar samples on MalwareBazaar
TLSH T15C748174A1F16ACDE896CEB28E64E909FFE31D519A42821FD02135F6463BBC5D6040FE
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon 10808a8c8c8a8010 (77 x Formbook, 51 x AgentTesla, 44 x RemcosRAT)
Reporter abuse_ch
Tags:AZORult DHL exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
544
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/314450/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file
Сreating synchronization primitives
DNS request
Sending an HTTP POST request
Creating a file in the %temp% subdirectories
Reading critical registry keys
Running batch commands
Creating a process with a hidden window
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated overlay packed
Link:
https://www.filescan.io/uploads/6334773fd089a0c15dd29930/reports/390c53fb-9bb5-4338-8932-de828994e21d/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AZORult
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9a737767-22e1-4afc-a0cd-7e3f0ed5bf6e
Result
Threat name:
Azorult
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1079427
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
DLL side loading technique detected
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Azorult
Yara detected Azorult Info Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 711985 Sample: DHL-119055 de recibo,pdf.exe Startdate: 28/09/2022 Architecture: WINDOWS Score: 100 39 Snort IDS alert for network traffic 2->39 41 Malicious sample detected (through community Yara rule) 2->41 43 Multi AV Scanner detection for submitted file 2->43 45 6 other signatures 2->45 8 DHL-119055 de recibo,pdf.exe 1 2->8         started        process3 file4 25 C:\Users\...\DHL-119055 de recibo,pdf.exe.log, CSV 8->25 dropped 47 Writes to foreign memory regions 8->47 49 Allocates memory in foreign processes 8->49 51 Injects a PE file into a foreign processes 8->51 12 RegSvcs.exe 63 8->12         started        17 RegSvcs.exe 8->17         started        signatures5 process6 dnsIp7 35 kngppdp.shop 172.67.208.93, 49710, 49713, 80 CLOUDFLARENETUS United States 12->35 37 192.168.2.1 unknown unknown 12->37 27 C:\Users\user\AppData\Local\Temp\...\nss3.dll, PE32 12->27 dropped 29 C:\Users\user\AppData\Local\...\mozglue.dll, PE32 12->29 dropped 31 C:\Users\user\AppData\...\vcruntime140.dll, PE32 12->31 dropped 33 45 other files (none is malicious) 12->33 dropped 53 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 12->53 55 Tries to steal Instant Messenger accounts or passwords 12->55 57 Tries to steal Mail credentials (via file / registry access) 12->57 59 5 other signatures 12->59 19 cmd.exe 1 12->19         started        file8 signatures9 process10 process11 21 conhost.exe 19->21         started        23 timeout.exe 1 19->23         started       
Detection:
azorult
Create hunting rule
Link:
https://mwdb.cert.pl/sample/18d7cdf63d95a5fd7bf6fff361655b6e8857b14d0444315b3ffca538877b9aa1/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2022-09-28 16:33:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
21
AV detection:
17 of 26 (65.38%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ddl435r5sws7267w77zwczk3n2efpmknarcdcwz77sstrb33tkqq._file
Verdict:
malicious
Similar samples:
089e22b0800e63398322f535240d8043b8d7e4a561245718ed5bf88fbb22e799
AZORult
18d8d0fe50b484ffb499c851cc2964239a5693b36940879e856b970f29e22765
AZORult
364f5cfc6c99c0b408090af7528505844b1b33853c5ea7930420d8f11b4ca011
AZORult
4a7ff610e707aec96fd17933cd54dbe672829c85ea4fdad33d37a9e421b500a8
AZORult
4a9a2a77700ec22944b66a398f0642e59bfdf0a64d83aae774eeabf8ccc03c78
AZORult
5f3d522c2e8fb5fa25bee03bdd61f8b957935e4209849358d41f49c39fe82ddc
AZORult
ae841b1c3d0c1a0e490c21d6e373e75d0b66c63f88431b6e89f3d58e434abc91
AZORult
cea0b9ff1a5d1e74ff5fb2b63280c59ec7e81561605ec32f1b3e470276ce53f1
AZORult
dd7002a597142a426c7710e84485e6047450cbcb58e44cbbec73c20b0ee50771
AZORult
fe3e525b56aaa99c9716eb9a4b7a1884e8b1f35d38388268f627485532f25d60
AZORult
+ 1'426 additional samples on MalwareBazaar
Result
Malware family:
azorult
Create hunting rule
Score:
  10/10
Tags:
family:azorult collection infostealer spyware stealer trojan
Link:
https://tria.ge/reports/220928-t2h62shfer/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Loads dropped DLL
Reads local data of messenger clients
Azorult
Malware Config
C2 Extraction:
http://kngppdp.shop/PL341/index.php
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/62ab29f7-0c87-4caf-82d0-ec126f451632
Unpacked files
SH256 hash:
648e455319009ea963525336062d5de1131b1e83d4df355c28ae3e302f68261a
MD5 hash:
52c123690847f7d6c0ce0c6f7a01e701
SHA1 hash:
eb0e60cd6cf941ea7923ed5f15c12b5c426a210d
Link:
https://www.unpac.me/results/9e9dedd5-bedc-4dd3-9fca-47317b215122/
SH256 hash:
bdf7ee2ac13bb67d9f13fb57ec7c282f303d0811d4a06c6fbf2c20263d1962ae
MD5 hash:
e31cd48ccfbde94318ab5bef00b0a74e
SHA1 hash:
c9650164f85caca976ed8911a28e0196e1ba9575
Detections:
win_azorult_auto
Create hunting rule
win_azorult_g1
Create hunting rule
Link:
https://www.unpac.me/results/9e9dedd5-bedc-4dd3-9fca-47317b215122/
SH256 hash:
16c21e03a8c130e6d6b2ed5de77da1068f2ffa0674dcf3f2e1db8648578517ba
MD5 hash:
6bce7f8beede5f447cfb4d6ce5da1ba7
SHA1 hash:
99829ec960df54b19bf29fee34bfbfb8db6012fb
Link:
https://www.unpac.me/results/9e9dedd5-bedc-4dd3-9fca-47317b215122/
SH256 hash:
18d7cdf63d95a5fd7bf6fff361655b6e8857b14d0444315b3ffca538877b9aa1
MD5 hash:
08bf261214d109955c81c62fb4e6cdd2
SHA1 hash:
c748b86f978631c76bbb7f631360f431cd3ac3ad
Link:
https://www.unpac.me/results/9e9dedd5-bedc-4dd3-9fca-47317b215122/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/18d7cdf63d95a5fd7bf6fff361655b6e8857b14d0444315b3ffca538877b9aa1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BAZT_B5_NOCEXInvalidStream
Create hunting rule
Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:NETDIC208_NOCEX_NOREACTOR
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/314450/

Comments