MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 280cc07780558d0d3368a4e8b5b4caa401e2049c7c256e24cd02cd989713142f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 280cc07780558d0d3368a4e8b5b4caa401e2049c7c256e24cd02cd989713142f
SHA3-384 hash: 0d1dbe18cf3663f6ddb32ce82c6396d2d4703a3e6befab353bf212882ada7710e3b6aa51df7ec96ef2a9ffdee2e52025
SHA1 hash: afecb6a0480f23da1c2ae84ebcb48b2c81058741
MD5 hash: 931c265188600b3a34e011409a9bc7ed
humanhash: single-leopard-item-charlie
File name:Quotation Request.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:2'806'784 bytes
First seen:2021-05-03 05:48:46 UTC
Last seen:2021-05-03 06:01:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 49152:Pfwb1c0QLA2iYWhk9T3u2/+AIzLP4MZT8idB0e3uG6rgJ2KiSIIC44wxlFfk+kcr:Pfwb1c0QLA2YG9zrYFK+Ke96rgzilICG
Threatray 46 similar samples on MalwareBazaar
TLSH A5D52366723C6F66C27B577FC899614143FDFC0A8611DA27ACF934AE16E2B808875703
Reporter abuse_ch
Tags:AZORult exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
269
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/148195/
Detection(s):
SecuriteInfo.com.Artemis931C26518860.20031.18885.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/707316
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 402577 Sample: Quotation Request.exe Startdate: 03/05/2021 Architecture: WINDOWS Score: 100 27 Found malware configuration 2->27 29 Antivirus detection for dropped file 2->29 31 Antivirus / Scanner detection for submitted sample 2->31 33 10 other signatures 2->33 7 Quotation Request.exe 7 2->7         started        process3 file4 19 C:\Users\user\AppData\...\IcZAABSUuwq.exe, PE32 7->19 dropped 21 C:\Users\...\IcZAABSUuwq.exe:Zone.Identifier, ASCII 7->21 dropped 23 C:\Users\user\AppData\Local\...\tmp47D4.tmp, XML 7->23 dropped 25 C:\Users\user\...\Quotation Request.exe.log, ASCII 7->25 dropped 35 Injects a PE file into a foreign processes 7->35 11 schtasks.exe 1 7->11         started        13 Quotation Request.exe 1 7->13         started        15 Quotation Request.exe 7->15         started        signatures5 process6 process7 17 conhost.exe 11->17         started       
Detection:
azorult
Create hunting rule
Link:
https://mwdb.cert.pl/sample/280cc07780558d0d3368a4e8b5b4caa401e2049c7c256e24cd02cd989713142f/
Threat name:
ByteCode-MSIL.Backdoor.NanoBot
Create hunting rule
Status:
Malicious
First seen:
2021-05-03 05:49:07 UTC
AV detection:
13 of 47 (27.66%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fagma54akwgq2m3iutullngkuqa6ebe4pqsw4jgnalgzrfytcqxq._file
Verdict:
malicious
Similar samples:
1e23baead02d0a359125e72cddf8a5114f8167e3a1f11b6a79f0d1713531fabd
AZORult
4f3d500dc26e8a87fe7361064a50b7715731c378ec019e4643986f1e5c524cee
AZORult
c62efee952c1bb4ff8e9fd28f3e477180010f8be162e6ddf8b8bfb42c78dfe2a
AZORult
d68a5a2bf92f0f08b8eb6f39351462f81d65d54085c1c7ae3aa81b2d3018434e
AZORult
d6b229f25b3f185395e58f98c048cad58d929c7a25e6b95319d27da5f5292588
AZORult
d7105dfaf2690af5ecb82d31c891c8b6e36af889ddf4c10af513f4d0efd2d073
AZORult
d8b589a43f9499ffec0bc949540579b25a1c333d6e0531c7f40336e720e04a6b
AZORult
e582696b2f3c980a6d81be401fc5da4c24a4b0c490ff6764516a0aa3e3aae23b
AZORult
f40a960ed96e9a20965c184a7f798a5c2510f5673fde3b2274e4ea7ab463a324
AZORult
f540c5efdad496c600faa92500d473c40f22a49897f12ace8c0f7ab09cdee1b0
AZORult
+ 36 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion trojan
Link:
https://tria.ge/reports/210503-f3wa611tk6/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks whether UAC is enabled
UAC bypass
Unpacked files
SH256 hash:
bdf79e57b5574f9bafb56f6d0592f5ee429df7eb0ad536fbdb4f2956aae36f87
MD5 hash:
826b29e2a141b055a5491c9d7dc6eea7
SHA1 hash:
af4201362b8603bf7e4b6e2ead1cfb610dd7c0a9
Link:
https://www.unpac.me/results/82023118-8420-4a0a-ad6f-1c7585ec797a/
SH256 hash:
280cc07780558d0d3368a4e8b5b4caa401e2049c7c256e24cd02cd989713142f
MD5 hash:
931c265188600b3a34e011409a9bc7ed
SHA1 hash:
afecb6a0480f23da1c2ae84ebcb48b2c81058741
Link:
https://www.unpac.me/results/82023118-8420-4a0a-ad6f-1c7585ec797a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/280cc07780558d0d3368a4e8b5b4caa401e2049c7c256e24cd02cd989713142f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AZORult

Executable exe 280cc07780558d0d3368a4e8b5b4caa401e2049c7c256e24cd02cd989713142f

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/148195/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-03 06:05:49 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0009] Anti-Behavioral Analysis::Virtual Machine Detection