MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 295a65a8d806b7cb84d7b28e005b823aa5252501ac639293ebe330e0e151359d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AZORult

Vendor detections: 14

Intelligence 14 IOCs YARA 3 File information Comments

SHA256 hash:	295a65a8d806b7cb84d7b28e005b823aa5252501ac639293ebe330e0e151359d
SHA3-384 hash:	264200242dec9dc9c29b7be94d48b6fb2b63120a5e4cf4322dbb681dd5cb7767529a9b9e4d05cd860101644f2dd933c2
SHA1 hash:	c2750f18f27d6febf04f08a47e3d3e16f1cba3d9
MD5 hash:	0fd8f449370d48311cb97ad8a7158210
humanhash:	burger-mirror-jig-saturn
File name:	SecuriteInfo.com.Trojan.DownloaderNET.345.3695.17763
Download:	download sample
Signature	AZORult Create hunting rule
File size:	335'840 bytes
First seen:	2022-09-30 19:17:57 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'795 x AgentTesla, 19'692 x Formbook, 12'274 x SnakeKeylogger)
ssdeep	3072:tGhxNkMUgH1f55twxa/2FbnZk1Y+3hoOqOWE71hEbaFSkjiRrPwHqaq:tGhPLHExagZD+RoOq/a+
Threatray	105 similar samples on MalwareBazaar
TLSH	T1D7648F7091F26AC5F896CEB2AE60E609FFE71C819940825FD13479F21633B84D6491FE
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	10808a8c8c8a8010 (77 x Formbook, 51 x AgentTesla, 44 x RemcosRAT)
Reporter	SecuriteInfoCom
Tags:	AZORult exe

Intelligence

File Origin

# of uploads :

# of downloads :

482

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Azorult

Link:

https://www.capesandbox.com/analysis/315261/

Detection(s):

SecuriteInfo.com.Trojan.DownloaderNET.345.3695.17763.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Creating a file

Сreating synchronization primitives

DNS request

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated overlay packed

Link:

https://www.filescan.io/uploads/633740ebd089a0c15dd301d8/reports/f120ee92-dd54-44d9-bdb8-aa83f153a39c/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

AZORult

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/eaf8a54c-108b-4e05-ae4d-14c8bb2dc9f7

Result

Threat name:

Azorult

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1081159

Signature

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Writes to foreign memory regions

Yara detected Azorult

Yara detected Azorult Info Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

azorult

Link:

https://mwdb.cert.pl/sample/295a65a8d806b7cb84d7b28e005b823aa5252501ac639293ebe330e0e151359d/

Threat name:

ByteCode-MSIL.Spyware.Noon

Status:

Malicious

First seen:

2022-09-30 19:18:13 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

17 of 26 (65.38%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ffnglkgya234xbgxwkhaaw4chksskjibvrrzfe7l4myobykrgwoq._file

Verdict:

malicious

Label(s):

formbook

AZORult

54d181deb9b270d27858c1d344d803147adeba2da5e5e27de677c616ffe6236f

AZORult

8a07e0548084f0e3f3334cdf0c8d0b3e1c57e0b33c7df3159d6da4d11931f9ce

AZORult

91843e0ba089a90b4da071b53300a6aac7e88f432de027ce32cdbeb4a89ab4ab

AZORult

9b3692b5d3a11808edfd09509d37454c7e30bb1be82188c7564032f14b18950a

AZORult

e8cb54fc07335dd8c060f355cfb8df7b13ef33f6a3b7e29020be099c08228bbb

AZORult

f89bda16cbe45d1a83fe2c107ae20b93f95f433c72b188cb76b8070073f25fc9

AZORult

fbaa359f59c800c0ce65914c76a95e3daaf82a86a053a08e38e3aa6c5cfb00e0

AZORult

+ 95 additional samples on MalwareBazaar

Result

Malware family:

azorult

Score:

10/10

Tags:

family:azorult infostealer trojan

Link:

https://tria.ge/reports/220930-xzxs7sfeam/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Azorult

Malware Config

C2 Extraction:

http://kngpdrp.shop/PL341/index.php

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/0035046e-7c5c-43e5-8fbc-9a7000ccf672

Unpacked files

SH256 hash:

7bbd05ff8729f5d5cd1daeed2be08f6e28f0d1c5668626ed2cae7ce1b4de6fd0

MD5 hash:

7e5a526bfa8c3027fa25ebfd19c49c2c

SHA1 hash:

ca26492ec3117498c0669d60056347f7dd573763

Link:

https://www.unpac.me/results/5b5aba95-f9e0-4b11-8233-96961133c4db/

SH256 hash:

d861e1e99b04f2f8a8d47b5e549f406fb24b2bf1eca14fdbb22176bdb6576134

MD5 hash:

127cb8e0065b6a3fe1cfe61125a96fdd

SHA1 hash:

c4905e72903709381ecf7bcef63e58c044d738da

Detections:

win_azorult_auto

win_azorult_g1

Link:

https://www.unpac.me/results/5b5aba95-f9e0-4b11-8233-96961133c4db/

Parent samples :

20eb16150dc493901670bd428b72eaa88f8c575bded5d9df8cf174e70c4e2e2c
8a07e0548084f0e3f3334cdf0c8d0b3e1c57e0b33c7df3159d6da4d11931f9ce
13c9ec087b8177e95285fd90ddffb04a3858dbf7316bb1bddc0ab32e38f1c806
295a65a8d806b7cb84d7b28e005b823aa5252501ac639293ebe330e0e151359d

SH256 hash:

295a65a8d806b7cb84d7b28e005b823aa5252501ac639293ebe330e0e151359d

MD5 hash:

0fd8f449370d48311cb97ad8a7158210

SHA1 hash:

c2750f18f27d6febf04f08a47e3d3e16f1cba3d9

Link:

https://www.unpac.me/results/5b5aba95-f9e0-4b11-8233-96961133c4db/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/295a65a8d806/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/295a65a8d806b7cb84d7b28e005b823aa5252501ac639293ebe330e0e151359d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/315261/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample