MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1eb39c14abcac667ca35cf294bfda8ac6282b93028d830f1665afa2a87cff4ef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1eb39c14abcac667ca35cf294bfda8ac6282b93028d830f1665afa2a87cff4ef
SHA3-384 hash: 1cbd2a83b48fa983dd284ea16d31e42d9212893a2d935bce7fb0265c55966b2485640aec06883ab29888d37c0dc7fb5f
SHA1 hash: 961267a60529e5fa8cf5186386563afc634ef615
MD5 hash: 9ecf4d06241c3f09c06ca879261d43fa
humanhash: uncle-papa-hamper-salami
File name:1EB39C14ABCAC667CA35CF294BFDA8AC6282B93028D83.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:451'584 bytes
First seen:2021-08-30 02:36:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1d88d597200c0081784c27940d743ec5 (6 x AZORult, 3 x RaccoonStealer, 1 x MBRLocker)
ssdeep 12288:Qi1nQBuPot+7pyxKmAoFFK7ehFmGh7q+5RoS:Q6Qrt+7KU7evmGU+5
Threatray 7'395 similar samples on MalwareBazaar
TLSH T172A42329CD7E01BDD9B4A57F8492A128B3000478A9F94C579D5BD24FC9A8E08C5ECFED
dhash icon 26ecccc492a896c6 (1 x AZORult)
Reporter abuse_ch
Tags:AZORult exe


Avatar
abuse_ch
AZORult C2:
http://5.181.156.252/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://5.181.156.252/ https://threatfox.abuse.ch/ioc/201911/

Intelligence

File Origin
# of uploads :
1
# of downloads :
1'118
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/183368/
Detection(s):
PUA.Win.Packer.Upx-4
Create hunting rule

Win.Trojan.VBGeneric-8264807-0
Create hunting rule

Win.Dropper.NetWire-8264833-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a process from a recently created file
Creating a window
Deleting a recently created file
Searching for the window
Sending a UDP request
DNS request
Connecting to a non-recommended domain
Connection attempt
Sending an HTTP GET request
Creating a file
Connection attempt to an infection source
Launching a process
Creating a file in the %temp% subdirectories
Running batch commands
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Query of malicious DNS domain
Sending an HTTP GET request to an infection source
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3e944052-044d-49cc-81ea-17a8984c6de0
Result
Threat name:
Azorult Raccoon Vidar
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/841208
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Creates HTML files with .exe extension (expired dropper behavior)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Yara detected Azorult
Yara detected Azorult Info Stealer
Yara detected BatToExe compiled binary
Yara detected Raccoon Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 473639 Sample: 1EB39C14ABCAC667CA35CF294BF... Startdate: 30/08/2021 Architecture: WINDOWS Score: 100 145 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->145 147 Multi AV Scanner detection for domain / URL 2->147 149 Malicious sample detected (through community Yara rule) 2->149 151 14 other signatures 2->151 13 1EB39C14ABCAC667CA35CF294BFDA8AC6282B93028D83.exe 6 2->13         started        process3 file4 127 C:\Users\user\AppData\Local\Temp\...\kgen.exe, PE32 13->127 dropped 129 C:\Users\user\AppData\Local\Temp\...\KG.exe, PE32 13->129 dropped 16 cmd.exe 1 13->16         started        18 conhost.exe 13->18         started        process5 process6 20 kgen.exe 13 16->20         started        23 KG.exe 2 16->23         started        file7 157 Creates HTML files with .exe extension (expired dropper behavior) 20->157 159 Maps a DLL or memory area into another process 20->159 26 kgen.exe 21 20->26         started        103 C:\Users\user\AppData\Local\Temp\...\KG.tmp, PE32 23->103 dropped 31 KG.tmp 4 12 23->31         started        signatures8 process9 dnsIp10 135 gordons.ac.ug 185.215.113.77, 49731, 49732, 49734 WHOLESALECONNECTIONSNL Portugal 26->135 137 rebrand.ly 54.165.3.33, 49729, 49730, 80 AMAZON-AESUS United States 26->137 139 5 other IPs or domains 26->139 105 C:\Users\user\AppData\...\CcmfdgsaYsd.exe, PE32 26->105 dropped 107 C:\Users\user\AppData\...\CHmfdgaYsHsd.exe, PE32 26->107 dropped 109 C:\Users\user\AppData\Local\...\zxcvb[1].exe, PE32 26->109 dropped 111 C:\Users\user\AppData\Local\...\zxcv[1].EXE, PE32 26->111 dropped 177 Hides threads from debuggers 26->177 33 CcmfdgsaYsd.exe 7 26->33         started        37 CHmfdgaYsHsd.exe 3 6 26->37         started        113 C:\Users\user\AppData\...\nsf_player.dll, PE32 31->113 dropped 115 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 31->115 dropped file11 signatures12 process13 file14 79 C:\Users\user\AppData\...behaviorgraphFytrnvbas.exe, PE32 33->79 dropped 81 C:\Users\user\AppData\...behaviorgraphFsewerhgccbv.exe, PE32 33->81 dropped 153 Maps a DLL or memory area into another process 33->153 39 GFsewerhgccbv.exe 4 33->39         started        42 CcmfdgsaYsd.exe 33->42         started        46 GFytrnvbas.exe 4 33->46         started        83 C:\Users\user\...\Fnpgaloxjuodppdmbufkms.vbs, ASCII 37->83 dropped 85 Leoiinwzyjvulnfehm...vbaconsoleapp13.exe, PE32 37->85 dropped 155 Injects a PE file into a foreign processes 37->155 48 CHmfdgaYsHsd.exe 37->48         started        50 wscript.exe 37->50         started        signatures15 process16 dnsIp17 171 Maps a DLL or memory area into another process 39->171 52 GFsewerhgccbv.exe 39->52         started        141 5.181.156.252, 49736, 49744, 80 MIVOCLOUDMD Moldova Republic of 42->141 143 telete.in 195.201.225.248, 443, 49735, 49743 HETZNER-ASDE Germany 42->143 117 C:\Users\user\AppData\...\vcruntime140.dll, PE32 42->117 dropped 119 C:\Users\user\AppData\...\ucrtbase.dll, PE32 42->119 dropped 121 C:\Users\user\AppData\...\softokn3.dll, PE32 42->121 dropped 125 55 other files (none is malicious) 42->125 dropped 173 Tries to steal Mail credentials (via file access) 42->173 57 cmd.exe 42->57         started        59 GFytrnvbas.exe 46->59         started        123 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 48->123 dropped 175 Tries to harvest and steal browser information (history, passwords, etc) 48->175 61 Leoiinwzyjvulnfehmmmztvbaconsoleapp13.exe 50->61         started        file18 signatures19 process20 dnsIp21 131 gordons.ac.ug 52->131 87 C:\Users\user\AppData\...\vcruntime140.dll, PE32 52->87 dropped 89 C:\Users\user\AppData\Local\...\ucrtbase.dll, PE32 52->89 dropped 91 C:\Users\user\AppData\Local\...\softokn3.dll, PE32 52->91 dropped 99 45 other files (none is malicious) 52->99 dropped 161 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 52->161 163 Tries to steal Instant Messenger accounts or passwords 52->163 165 Tries to steal Mail credentials (via file access) 52->165 169 2 other signatures 52->169 63 cmd.exe 52->63         started        65 conhost.exe 57->65         started        67 timeout.exe 57->67         started        133 hsagoi.ac.ug 59->133 93 C:\ProgramData\vcruntime140.dll, PE32 59->93 dropped 95 C:\ProgramData\sqlite3.dll, PE32 59->95 dropped 97 C:\ProgramData\softokn3.dll, PE32 59->97 dropped 101 4 other files (none is malicious) 59->101 dropped 167 Tries to steal Crypto Currency Wallets 59->167 69 cmd.exe 59->69         started        file22 signatures23 process24 process25 71 conhost.exe 63->71         started        73 timeout.exe 63->73         started        75 conhost.exe 69->75         started        77 taskkill.exe 69->77         started       
Detection:
azorult
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1eb39c14abcac667ca35cf294bfda8ac6282b93028d830f1665afa2a87cff4ef/
Threat name:
Win32.Trojan.Chapak
Create hunting rule
Status:
Malicious
First seen:
2020-07-03 15:09:00 UTC
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=d2zzyfflzldgpsrvz4uux7nivrrifojqfdmdb4lgll5cvb6p6txq._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
Similar samples:
14a0d25b4d33216e9110c9588fa3168105efdad28827e772c4798337544eb708
AZORult
1b9339d0a70cdef37f4827a81100f9e8158a5633dc8b7a2c3b616f070ce49b5d
AZORult
547bf6d6ed5ae181513ed653109514c73e5f50c3ea3a094bcd382fbd3c4b4bb0
AZORult
7982b6446285ca06d96a1bc1e0ac8a2618123664173bff105d02e22bf617c757
AZORult
895100760e67763505b9cad311be16b533db48d1f2cb28424a98495406220a2f
AZORult
9d4a0a8ffa11fc953750c07bd6997bcd23871fe277f65b4113e197b779aa24f0
AZORult
b7f7c6607354a0b83caccf57efef2d2447d212b7e0ee0f476abf069274cfd90c
AZORult
fa40dc2c8055f953099d7d354ba97fbf3a5f3aa501ce95cb8cefa810b80ea5d4
AZORult
+ 7'385 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:azorult family:oski family:raccoon botnet:c81fb6015c832710f869f6911e1aec18747e0184 discovery infostealer spyware stealer trojan upx
Link:
https://tria.ge/reports/210830-kats4jdsde/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Azorult
Oski
Raccoon
Malware Config
C2 Extraction:
http://195.245.112.115/index.php
hsagoi.ac.ug
Unpacked files
SH256 hash:
d6b536f536e9ae4f3dfadd68f0cd2846a5a77a7253592c61017bb841be464f11
MD5 hash:
4b31723648352120e64d5ee267f922e3
SHA1 hash:
2f6b7318fe0c007f756376361e988537424cc644
Link:
https://www.unpac.me/results/27d02f10-362f-4a18-9b03-957c4928f0ab/
SH256 hash:
704cb2f8533e366273073b7866052be98c9150d56845cf745f6c3268e239479f
MD5 hash:
14db910d6fde44d9e87dcef52cbe6430
SHA1 hash:
e730e958cd0c52518d696f192b16482d5bd7b70e
Link:
https://www.unpac.me/results/27d02f10-362f-4a18-9b03-957c4928f0ab/
SH256 hash:
04cf90592acf1f6033ba299b18ef8a7c8b1ab6f356d6bb9ff33b44743fe2c787
MD5 hash:
2898e4611e6b86fa578342cb15474b2a
SHA1 hash:
98357be30082787c709ca216000d0799973221d4
Link:
https://www.unpac.me/results/27d02f10-362f-4a18-9b03-957c4928f0ab/
SH256 hash:
3897f8806e47a0ec215c10ea33ae63cd78a68bd79b0b64562885451e61eca0de
MD5 hash:
0c93ef21a2411cb49765f1b5b5e92d29
SHA1 hash:
6d3d5a53ef7d53af3e91a14ffbace721e7828a86
Link:
https://www.unpac.me/results/27d02f10-362f-4a18-9b03-957c4928f0ab/
SH256 hash:
8fb512c25825cb4daeb70d28fca1b4f6f587a0ed29e6e859556463e94bd0f5cd
MD5 hash:
9f9c912b45eed518c88e87b5cf2f7d37
SHA1 hash:
fd4abaa423b8a380924c790d5d1fdd1fee061129
Link:
https://www.unpac.me/results/27d02f10-362f-4a18-9b03-957c4928f0ab/
SH256 hash:
1eb39c14abcac667ca35cf294bfda8ac6282b93028d830f1665afa2a87cff4ef
MD5 hash:
9ecf4d06241c3f09c06ca879261d43fa
SHA1 hash:
961267a60529e5fa8cf5186386563afc634ef615
Link:
https://www.unpac.me/results/27d02f10-362f-4a18-9b03-957c4928f0ab/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/1eb39c14abca/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1eb39c14abcac667ca35cf294bfda8ac6282b93028d830f1665afa2a87cff4ef

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_Meteorite
Create hunting rule
Author:ditekSHen
Description:Detects Meteorite downloader

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/183368/

Comments