MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1994253973e360af9b9632c4bcd735e13beb88e8283f7c97eba22ddf3b03d564. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 17


Intelligence 17 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1994253973e360af9b9632c4bcd735e13beb88e8283f7c97eba22ddf3b03d564
SHA3-384 hash: 2aa13081189a905ce2fe4cf944a8d594a25bb8bb2617c74c91480876e17f5e2bc1cabbf24e76d2d1d8e185c51b2a6f6f
SHA1 hash: 7d565d6f5650c1cdd001bbb8036ca6b807995803
MD5 hash: 70b0e5a80f2e397b8fb6b10c748cb8e2
humanhash: solar-fillet-four-delta
File name:70b0e5a80f2e397b8fb6b10c748cb8e2.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:1'240'064 bytes
First seen:2023-03-25 14:49:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:Se+IRKXyCRHQa4l/0jCFiVnkXqRgE78FIPGk5JM:p+MoSa4lsmFiVnkaRgE7+IP
Threatray 681 similar samples on MalwareBazaar
TLSH T1B54501983B68B59FCA5BDE3689646CECA6616837430BD603901711ECCE8D9CBCF151F2
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0010b0b268b49600 (12 x AgentTesla, 5 x SnakeKeylogger, 2 x Formbook)
Reporter abuse_ch
Tags:AZORult exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
269
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
azorult
Create hunting rule
ID:
1
File name:
70b0e5a80f2e397b8fb6b10c748cb8e2.exe
Verdict:
Malicious activity
Analysis date:
2023-03-25 14:51:24 UTC
Tags:
trojan rat azorult
Link:
https://app.any.run/tasks/864815bb-7156-4f50-b246-a4e3c97a5cd8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Azorult
Create hunting rule
Link:
https://www.capesandbox.com/analysis/377420/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/641f0a1c80ca4ca1ff592cdf/reports/591f934b-cbda-4d02-9b41-85ecfe464ac9/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/1994253973e360af9b9632c4bcd735e13beb88e8283f7c97eba22ddf3b03d564
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/4ff8549e-6a79-423a-912e-fb1445108eaa
Result
Threat name:
Azorult
Create hunting rule
Detection:
malicious
Classification:
rans.phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1201887
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Found potential ransomware demand text
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Yara detected Azorult
Yara detected Azorult Info Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
azorult
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1994253973e360af9b9632c4bcd735e13beb88e8283f7c97eba22ddf3b03d564/
Threat name:
Win32.Trojan.Casdet
Create hunting rule
Status:
Malicious
First seen:
2023-03-25 03:29:18 UTC
File Type:
PE (.Net Exe)
Extracted files:
18
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=dgkckolt4nqk7g4wglclzvzv4e56xchifa7xzf7luiw56oyd2vsa._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
Similar samples:
37d4d7a7b84e4f6ead2e950ba252c23fa360a3176f49184942da3046fa693452
AZORult
3ea0d5204b7f00592980a76c06e5210758c6ac6cb1bc8e90c03739d0ec8ddf76
AZORult
4a4a4c441355bbf90def9ab2aec89335f93237487e670df04b3d63c65b5be25a
AZORult
69d0885e1490db820cfa69e85ee79f0fa96375c65b32606c3fa2a6edfe19cf1a
AZORult
722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088
AZORult
d5554f475d95ecca88e05af06c1d66ab34c8db6f18f43496bc535fd89be4808a
AZORult
d8c4fb5e1c854c9362c4129efbaa6b72435b8e93df66fd418f288650d360ff22
AZORult
+ 671 additional samples on MalwareBazaar
Result
Malware family:
azorult
Create hunting rule
Score:
  10/10
Tags:
family:azorult collection discovery infostealer spyware stealer trojan
Link:
https://tria.ge/reports/230325-r7kwqafc6v/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Azorult
Malware Config
C2 Extraction:
http://171.22.30.164/standright/index.php
Unpacked files
SH256 hash:
7d958b3964c6689883f4fcbb7e02ef1a7036e5bca2cd16c1c4455955fcd64774
MD5 hash:
ba34aa6f520d3e6dcca947abfc8ae8ff
SHA1 hash:
eb56bc94087b3b6d46fee10eea2f3d54cd85b42b
Detections:
Azorult
Create hunting rule
win_azorult_auto
Create hunting rule
win_azorult_g1
Create hunting rule
Link:
https://www.unpac.me/results/076a5c79-164e-474b-8370-8d2241a01fc9/
Parent samples :
37d4d7a7b84e4f6ead2e950ba252c23fa360a3176f49184942da3046fa693452
d5554f475d95ecca88e05af06c1d66ab34c8db6f18f43496bc535fd89be4808a
1994253973e360af9b9632c4bcd735e13beb88e8283f7c97eba22ddf3b03d564
a6f625e40e8b7523312b9a40ce6f3080b3475b9ff349e17785bdf7b6e0cd78c1
SH256 hash:
7ef6e461c6e3cde8aa476227ca0fbdd2adcac46d6eabd963eec441399b9edd3b
MD5 hash:
ac5d596c21c9f75f8e18868557f542f0
SHA1 hash:
8d4139cfd471c636a975cf12979e41773acd3a9d
Link:
https://www.unpac.me/results/076a5c79-164e-474b-8370-8d2241a01fc9/
SH256 hash:
cde0d3400cd787fce5d1b95fa52908d64831430cc90dafddbaa79ae0d03bb3d0
MD5 hash:
06a5bc1d3143bcac174d81c5ffc09def
SHA1 hash:
650fb4549fb98ee4c7be5e03bf670241e6339cd0
Link:
https://www.unpac.me/results/076a5c79-164e-474b-8370-8d2241a01fc9/
SH256 hash:
299bf3ed53444c4b62ff60ed19cab64ee9dbdd52bc81d1b98f7ffde701dfd67e
MD5 hash:
91a968f9aa51bd11c33f84194e71f83e
SHA1 hash:
3821b6911c39b2c866b0f643c6ebece4bd285855
Link:
https://www.unpac.me/results/076a5c79-164e-474b-8370-8d2241a01fc9/
SH256 hash:
8f0c7e3047346b8d6477ff6d4639fd6157602c7ebc840f3432b99263f1cb415c
MD5 hash:
e5b073b30db1b058298f5df032164e4d
SHA1 hash:
15d3ada4e7ac01b766615b9b66785e7e2ae9b0ca
Link:
https://www.unpac.me/results/076a5c79-164e-474b-8370-8d2241a01fc9/
SH256 hash:
1994253973e360af9b9632c4bcd735e13beb88e8283f7c97eba22ddf3b03d564
MD5 hash:
70b0e5a80f2e397b8fb6b10c748cb8e2
SHA1 hash:
7d565d6f5650c1cdd001bbb8036ca6b807995803
Link:
https://www.unpac.me/results/076a5c79-164e-474b-8370-8d2241a01fc9/
Malware family:
AZORult v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1994253973e3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Azorult
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/1994253973e360af9b9632c4bcd735e13beb88e8283f7c97eba22ddf3b03d564

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AZORult

Executable exe 1994253973e360af9b9632c4bcd735e13beb88e8283f7c97eba22ddf3b03d564

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/377420/
  
URLhaus
https://urlhaus.abuse.ch/url/2581120/
  
Delivery method
Distributed via web download

Comments