MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2084b62c05ac13dfa48fde86f237473d35f3f169c030b829ceb49f3005b6451c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2084b62c05ac13dfa48fde86f237473d35f3f169c030b829ceb49f3005b6451c
SHA3-384 hash: 146352d0efa341c70851b749f1d4aac1c8823ccbd15a0d5dad3a89b9a9570dbfce476490a8dff27afd86b6129cb5d645
SHA1 hash: fb4aac120c7d4543326e06f1438a570a62524b86
MD5 hash: 641e970f32447644bd26570d3be688a1
humanhash: hawaii-social-enemy-enemy
File name:IMG_767893434432.scr
Download: download sample
Signature AZORult
Create hunting rule
File size:369'144 bytes
First seen:2021-04-07 06:00:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:eyajV1XzYabtiWSStfSrAOyFSKK1Kd7qR9QcDqd:enpdvbti5aZOOLjQDq
Threatray 154 similar samples on MalwareBazaar
TLSH D274E00AF96C740DC97C4BF818F6F3E5DEA17E6168D086C1278AB25EC63E2924E0C557
Reporter abuse_ch
Tags:AZORult scr


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: mail.gryphoscorp.com
Sending IP: 173.212.209.90
From: Selene Xia <comercializacion@maxairusa.com>
Subject: FWD: FOREIGN TRADE contract
Attachment: IMG_767893434432.rar (contains "IMG_767893434432.scr")

Intelligence

File Origin
# of uploads :
1
# of downloads :
272
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
IMG_767893434432.scr
Verdict:
No threats detected
Analysis date:
2021-04-07 06:05:06 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4a6b1b18-70fd-4665-b09a-39377532eb93

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/132775/
Detection(s):
SecuriteInfo.com.Mal.Generic-S.11876.20815.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a custom TCP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Sending a UDP request
Launching a service
Deleting a recently created file
Creating a file
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Azorult
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/668282
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected Azorult
Yara detected Azorult Info Stealer
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 383072 Sample: IMG_767893434432.scr Startdate: 07/04/2021 Architecture: WINDOWS Score: 100 44 Found malware configuration 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 Antivirus detection for URL or domain 2->48 50 9 other signatures 2->50 7 IMG_767893434432.exe 15 6 2->7         started        process3 file4 24 C:\Users\user\...\IMG_767893434432.exe, PE32 7->24 dropped 26 C:\...\IMG_767893434432.exe:Zone.Identifier, ASCII 7->26 dropped 28 C:\Users\user\...\IMG_767893434432.exe.log, ASCII 7->28 dropped 30 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 7->30 dropped 52 Writes to foreign memory regions 7->52 54 Injects a PE file into a foreign processes 7->54 11 IMG_767893434432.exe 32 7->11         started        16 AdvancedRun.exe 1 7->16         started        18 AdvancedRun.exe 1 7->18         started        signatures5 process6 dnsIp7 40 sterline.lt 27.122.57.229, 443, 49763, 49769 IPTELECOM-AS-APIPTELECOMGlobalHK Hong Kong 11->40 32 C:\Users\...\api-ms-win-core-heap-l1-1-0.dll, PE32 11->32 dropped 34 C:\...\api-ms-win-core-handle-l1-1-0.dll, PE32 11->34 dropped 36 C:\Users\...\api-ms-win-core-file-l2-1-0.dll, PE32 11->36 dropped 38 15 other files (none is malicious) 11->38 dropped 56 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->56 58 Tries to steal Instant Messenger accounts or passwords 11->58 60 Tries to steal Mail credentials (via file access) 11->60 62 3 other signatures 11->62 42 192.168.2.1 unknown unknown 16->42 20 AdvancedRun.exe 16->20         started        22 AdvancedRun.exe 18->22         started        file8 signatures9 process10
Detection:
azorult
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2084b62c05ac13dfa48fde86f237473d35f3f169c030b829ceb49f3005b6451c/
Threat name:
Win32.Backdoor.NetWiredRc
Create hunting rule
Status:
Malicious
First seen:
2021-04-07 06:01:25 UTC
AV detection:
9 of 48 (18.75%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ecclmlafvqj57jep32dpen2hhu27h4ljyaylqkoowsptabnwiuoa._file
Verdict:
malicious
Similar samples:
126f752c7dec6c513804a0737e5d0a03cd8a1082923d68aec35979f3a7db7d60
AZORult
1434167f6c381546867873364610b20cbe1946ea749f6bdf82ac18453951cc12
AZORult
1a2beaadeb5f9bc79af30c8a9e458bff69d4b481b305451afe68d0f1a9074da1
AZORult
2ecba20721fa9432e4e407b62f815f12b6fee820b5b348547175c36a274c7f16
AZORult
3afef4ab289c49f347ed065f4d272cec7ea413b5c84fb4c2e6aa9adad2716db6
AZORult
4dde8ce9768e8239201fd508ec359f26c1703ebcdf4147c5503b303bacecd727
AZORult
68a091c7eeb321aeb2734ae205bda995bc71c48338200d42ed334a7e0a34f495
AZORult
75692933366e01cb320075f6bcadce5fd2192a680c5671323851006561fd6fc4
AZORult
9e6fdb6456dfaf737767adb44ebdb84910cec8be91a12c2b7a37c84b5aed6104
AZORult
bcfcc5a278671fbe1b5f5f27c6d61921add83e57a0c61f80a165455b3fe0875a
AZORult
+ 144 additional samples on MalwareBazaar
Result
Malware family:
azorult
Create hunting rule
Score:
  10/10
Tags:
family:azorult discovery infostealer spyware stealer trojan
Link:
https://tria.ge/reports/210407-y4zax1my52/
Behaviour
Checks processor information in registry
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads data files stored by FTP clients
Reads local data of messenger clients
Executes dropped EXE
Nirsoft
Azorult
Malware Config
C2 Extraction:
https://sterline.lt/lokk/32/index.php
Unpacked files
SH256 hash:
cd57e145a2817d9ac9cd31b091489d61947473bae8890765be051335608f1fca
MD5 hash:
21fa4141b0eb353b92c1ab95c4faba54
SHA1 hash:
bbaf6d799c99bef15191a164fb6cc93911d85517
Link:
https://www.unpac.me/results/159db812-9927-40d2-9086-d0e2b5a51325/
SH256 hash:
3da80bd8e18bf2ef5e28f5e2e0d2095b0d4e65391800ce18f9a18859d7beb220
MD5 hash:
5dbed7594d4c8d71c1882692e6776bf0
SHA1 hash:
8552a2f2afca501945fe57c1875970b6f777f709
Link:
https://www.unpac.me/results/159db812-9927-40d2-9086-d0e2b5a51325/
SH256 hash:
c833e38e939296120c015f04536d02bed1a24396dc322400ce31a8b916b8b05f
MD5 hash:
e82c80ed75d57c8be05486d416421ba5
SHA1 hash:
4f7a39adce1cb9ced618beed0b7d97a9989b1361
Link:
https://www.unpac.me/results/159db812-9927-40d2-9086-d0e2b5a51325/
SH256 hash:
9aab219b13038f6a9b80dbefd7ee4d7c8955bde5332454274e6ffdb5779b9d1d
MD5 hash:
382cae0584a2bf8c2a132258b3a1a8bb
SHA1 hash:
3660cc4a635f1f17ebdd1b0d7c0e52da41afbcda
Detections:
win_azorult_g1
Create hunting rule
win_azorult_auto
Create hunting rule
Link:
https://www.unpac.me/results/159db812-9927-40d2-9086-d0e2b5a51325/
Parent samples :
2084b62c05ac13dfa48fde86f237473d35f3f169c030b829ceb49f3005b6451c
c6971c3516ab280c7c6985ccc94062547116fcd3a7593fc84704030169c16e59
SH256 hash:
2084b62c05ac13dfa48fde86f237473d35f3f169c030b829ceb49f3005b6451c
MD5 hash:
641e970f32447644bd26570d3be688a1
SHA1 hash:
fb4aac120c7d4543326e06f1438a570a62524b86
Link:
https://www.unpac.me/results/159db812-9927-40d2-9086-d0e2b5a51325/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.31
Link:
https://yomi.yoroi.company/submissions/2084b62c05ac13dfa48fde86f237473d35f3f169c030b829ceb49f3005b6451c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AZORult

rar 05cd2720dea041fe91b4e94c8497ff6a41ee1adc49cee68cd85fc9ed7bae3148

AZORult

Executable exe 2084b62c05ac13dfa48fde86f237473d35f3f169c030b829ceb49f3005b6451c

(this sample)

  
Dropped by
MD5 0cee1aa638e1567fb8ca607cb2a1b856
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 05cd2720dea041fe91b4e94c8497ff6a41ee1adc49cee68cd85fc9ed7bae3148
Cape
Cape
https://www.capesandbox.com/analysis/132775/

Comments