MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2634e559a8907c6111964e180fdeb468f73bd3989959d0affed0cb9582842831. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 9


Intelligence 9 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2634e559a8907c6111964e180fdeb468f73bd3989959d0affed0cb9582842831
SHA3-384 hash: 2e09c86fd0a92bc0c19289151047f8fbdee77863d314d0da89537cfee3459e3f7c348e37637d0bbcee4b6e6fadae9c25
SHA1 hash: 926b79817a4f02e2f5eb7f948dc0a73f8ef764e6
MD5 hash: d76839cf5c55a204827148a0e5ecd68e
humanhash: minnesota-tennis-east-kansas
File name:AZScan0871pdf.vbs
Download: download sample
Signature AZORult
Create hunting rule
File size:2'801 bytes
First seen:2022-09-13 12:40:41 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 48:3ASiqlv74fYIIz+vEVWu+HtQ0qIe/Iz10qPXQ5YhjwYu28I5Q:3ASCfzK+8x+Hi0qIsIz10kX8YhjfAUQ
TLSH T13051F0CE70833421A41308F1EC8B747EB871235254F984917715EBCA1C799ACE7AAD7E
Reporter abuse_ch
Tags:AZORult vbs


Avatar
abuse_ch
AZORult C2:
http://185.29.9.47/aristo/Panel/index.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://185.29.9.47/aristo/Panel/index.php https://threatfox.abuse.ch/ioc/849480/

Intelligence

File Origin
# of uploads :
1
# of downloads :
288
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/309731/
Detection(s):
SecuriteInfo.com.VBS.Agent.ANG.gen.Eldorado.14140.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/63207b1cba7b8113dd5a324f/reports/59677770-2da7-4664-931c-0c9a08eb62ca/overview
Result
Verdict:
UNKNOWN
Result
Threat name:
Azorult
Create hunting rule
Detection:
malicious
Classification:
phis.troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1069474
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
DLL side loading technique detected
Drops PE files to the startup folder
Drops VBS files to the startup folder
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Powershell drops PE file
Snort IDS alert for network traffic
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
VBScript performs obfuscated calls to suspicious functions
Very long command line found
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Azorult
Yara detected Azorult Info Stealer
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 702006 Sample: AZScan0871pdf.vbs Startdate: 13/09/2022 Architecture: WINDOWS Score: 100 80 Snort IDS alert for network traffic 2->80 82 Malicious sample detected (through community Yara rule) 2->82 84 Antivirus detection for URL or domain 2->84 86 5 other signatures 2->86 9 wscript.exe 1 2->9         started        12 wscript.exe 1 2->12         started        14 iexplore.exe 1 72 2->14         started        16 iexplore.exe 1 57 2->16         started        process3 signatures4 100 VBScript performs obfuscated calls to suspicious functions 9->100 102 Wscript starts Powershell (via cmd or directly) 9->102 104 Very long command line found 9->104 18 powershell.exe 14 20 9->18         started        22 powershell.exe 11 9->22         started        24 powershell.exe 12->24         started        26 iexplore.exe 1 30 14->26         started        29 iexplore.exe 27 16->29         started        process5 dnsIp6 60 C:\Users\user\AppData\...\AgileDotNetRT64.dll, PE32+ 18->60 dropped 88 Writes to foreign memory regions 18->88 90 DLL side loading technique detected 18->90 92 Injects a PE file into a foreign processes 18->92 94 Powershell drops PE file 18->94 31 aspnet_compiler.exe 66 18->31         started        36 conhost.exe 18->36         started        96 Drops VBS files to the startup folder 22->96 98 Drops PE files to the startup folder 22->98 38 conhost.exe 22->38         started        40 aspnet_compiler.exe 63 24->40         started        42 conhost.exe 24->42         started        44 aspnet_compiler.exe 24->44         started        62 185.20.186.53, 49723, 49724, 49727 DELTAHOST-ASUA Ukraine 26->62 file7 signatures8 process9 dnsIp10 64 185.29.9.47, 49730, 49760, 49764 DATACLUB-SE European Union 31->64 52 C:\Users\user\AppData\Local\Temp\...\nss3.dll, PE32 31->52 dropped 54 C:\Users\user\AppData\Local\...\mozglue.dll, PE32 31->54 dropped 56 C:\Users\user\AppData\...\vcruntime140.dll, PE32 31->56 dropped 58 45 other files (none is malicious) 31->58 dropped 66 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 31->66 68 Tries to steal Instant Messenger accounts or passwords 31->68 70 Tries to steal Mail credentials (via file / registry access) 31->70 78 2 other signatures 31->78 46 cmd.exe 31->46         started        72 Tries to harvest and steal ftp login credentials 40->72 74 Tries to harvest and steal browser information (history, passwords, etc) 40->74 76 Tries to steal Crypto Currency Wallets 40->76 file11 signatures12 process13 process14 48 conhost.exe 46->48         started        50 timeout.exe 46->50         started       
Detection:
azorult
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2634e559a8907c6111964e180fdeb468f73bd3989959d0affed0cb9582842831/
Threat name:
Script-WScript.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2022-09-13 12:41:06 UTC
File Type:
Text (VBS)
AV detection:
4 of 40 (10.00%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ey2okwnisb6gcemwjyma7xvund3txu4ytfm5bl762dfzlauefayq._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
Result
Malware family:
azorult
Create hunting rule
Score:
  10/10
Tags:
family:azorult collection infostealer spyware stealer trojan
Link:
https://tria.ge/reports/220913-pwrh1sffb2/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks computer location settings
Loads dropped DLL
Reads local data of messenger clients
Blocklisted process makes network request
Azorult
Malware Config
C2 Extraction:
http://185.29.9.47/aristo/Panel/index.php
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2634e559a890/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2634e559a8907c6111964e180fdeb468f73bd3989959d0affed0cb9582842831

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/309731/

Comments