MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 292e9d5cc40b4f968717c46b6fe69af487b1c18217e8eb5f08eadfdef36d302e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
AZORult
Vendor detections: 11
| SHA256 hash: | 292e9d5cc40b4f968717c46b6fe69af487b1c18217e8eb5f08eadfdef36d302e |
|---|---|
| SHA3-384 hash: | 218c0b3e4235fe129ce30dbf3bf59a0f4264a3c0242891fe5327a69913801105239f7925d8bdc0b065b43cfd5dea1a9d |
| SHA1 hash: | 09290d0b56590e17beeabb8211af3ca8822540fa |
| MD5 hash: | ae34daead68d60119764654defc0c2cc |
| humanhash: | spaghetti-table-emma-india |
| File name: | PRODUCT LIST.exe |
| Download: | download sample |
| Signature | AZORult |
| File size: | 1'021'952 bytes |
| First seen: | 2020-12-14 08:31:11 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger) |
| ssdeep | 24576:Dv0LcXncHBStCmRw+YqCppUuEW0C83K7MH8:QyRw+YqCp5r83K7e |
| TLSH | E525D07621F86F66F13D8BF9452061025FB12A3B513DD4897CCE10EA2FA9F246A07E53 |
| Reporter |  abuse_ch |
| Tags: | AZORult exe |
abuse_ch
Malspam distributing AZORult:HELO: smtp.mailstation.cn
Sending IP: 114.118.11.17
From: Martin Václavek <mica.wang@clenergy.com.cn>
Reply-To: me <gonzajohnn@gmail.com>
Subject: ORDER REQUEST
Attachment: PRODUCT LIST.gz (contains "PRODUCT LIST.exe")
AZORult C2:
http://82.223.104.42/index.php
Intelligence
File Origin
# of uploads :
1
# of downloads :
300
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PRODUCT LIST.exe
Verdict:
Malicious activity
Analysis date:
2020-12-14 08:36:37 UTC
Tags:
trojan rat azorult
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Azorult
Result
Verdict:
Malware
Maliciousness:
Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Creating a file
Sending an HTTP POST request
Creating a file in the %temp% subdirectories
Deleting a recently created file
Reading critical registry keys
Stealing user critical data
Result
Gathering data
Result
Threat name:
AZORult
Detection:
malicious
Classification:
phis.spyw.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Binary contains a suspicious time stamp
Detected AZORult Info Stealer
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Yara detected AntiVM_3
Yara detected Azorult
Yara detected Azorult Info Stealer
Behaviour
Behavior Graph:
Detection:
azorult
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Status:
Malicious
First seen:
2020-12-14 05:09:43 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
5/5
Detection(s):
Malicious file
Result
Malware family:
azorult
Score:
10/10
Tags:
family:azorult discovery infostealer spyware trojan
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks installed software on the system
JavaScript code in executable
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Azorult
Malware Config
C2 Extraction:
http://82.223.104.42/index.php
Unpacked files
SH256 hash:
292e9d5cc40b4f968717c46b6fe69af487b1c18217e8eb5f08eadfdef36d302e
MD5 hash:
ae34daead68d60119764654defc0c2cc
SHA1 hash:
09290d0b56590e17beeabb8211af3ca8822540fa
SH256 hash:
c88a66cbf00b12c88e2b970b8bc220e970e8465e56098ced24e97d42be901b94
MD5 hash:
a60401dc02ff4f3250a749965097e13f
SHA1 hash:
3f22d28fd765f831084cb972a8bd071e421c26a1
SH256 hash:
7b48b1aee60cc03d2bef5b7a63057d5b34344027e93864ba5879f6cc642aed00
MD5 hash:
f60a3b27ddf901de2a869e6a42530ff0
SHA1 hash:
6bcfbb3f93f39a2b6ff1720df23a46c9360be3be
Detections:
win_azorult_g1
win_azorult_auto
SH256 hash:
1d893a8f84e3524f6b361bb0415a4f6e75377e3297c83fc263ceddef0edfbded
MD5 hash:
242beb1a9ca895349958015289422994
SHA1 hash:
a14f2ceb93d31be9456b984546051c35a8b1a3ab
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Malspam
Delivery method
Distributed via e-mail attachment
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.