MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 299c548532e82b62f4b52ad642613b9cecc89c9be39a1da630afbc06cb7cce85. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 13


Intelligence 13 IOCs 2 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 299c548532e82b62f4b52ad642613b9cecc89c9be39a1da630afbc06cb7cce85
SHA3-384 hash: 85f32209466288b5e721b23674a02f4c57a484feb6c24a93808e479b7ef250d324466ca13c969f646bf8701629209998
SHA1 hash: f0854a4cd8a69b3b1c8192152d3840cc6292331e
MD5 hash: d15d23927ebb3663b119dc9ece4e6f4c
humanhash: winter-echo-triple-tango
File name:d15d23927ebb3663b119dc9ece4e6f4c.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:1'306'624 bytes
First seen:2021-07-23 11:26:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d98bce45dab9a77041968f41ed47c4c3 (2 x RaccoonStealer, 2 x AZORult)
ssdeep 24576:BfnyBOtRsA2tzKQj6ujDHRKW21iCoiJ3cUI:8Ssbz9hRKnABiJM
Threatray 4'146 similar samples on MalwareBazaar
TLSH T15855AE643AFA901AF07A9E711BE475E7DE6ABE333506685F9341030B0453E82DDE163B
Reporter abuse_ch
Tags:AZORult exe


Avatar
abuse_ch
AZORult C2:
http://185.234.247.50/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://185.234.247.50/ https://threatfox.abuse.ch/ioc/162348/
http://danielmi.ac.ug/index.php https://threatfox.abuse.ch/ioc/162379/

Intelligence

File Origin
# of uploads :
1
# of downloads :
218
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
d15d23927ebb3663b119dc9ece4e6f4c.exe
Verdict:
Malicious activity
Analysis date:
2021-07-23 11:29:51 UTC
Tags:
trojan stealer vidar rat azorult loader raccoon
Link:
https://app.any.run/tasks/394d231e-8c37-4f2d-aaa5-c82620e515da

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Raccoon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/173603/
Detection(s):
Win.Malware.Trojanx-9875328-0
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AZORult
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a7bb65f7-8ef1-41d0-aaaf-a32fc0caf488
Result
Threat name:
AsyncRAT Azorult Clipboard Hijacker
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/820719
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Sigma detected: Executable Used by PlugX in Uncommon Location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AsyncRAT
Yara detected Azorult
Yara detected Azorult Info Stealer
Yara detected Clipboard Hijacker
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 453130 Sample: qbylC8jEWn.exe Startdate: 23/07/2021 Architecture: WINDOWS Score: 100 68 162.159.134.233 CLOUDFLARENETUS United States 2->68 70 omomom.ac.ug 2->70 72 3 other IPs or domains 2->72 86 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->86 88 Malicious sample detected (through community Yara rule) 2->88 90 Antivirus detection for URL or domain 2->90 92 13 other signatures 2->92 9 qbylC8jEWn.exe 16 2->9         started        signatures3 process4 file5 62 C:\ProgramDatabehaviorgraphFgdfgfdfasd.exe, PE32 9->62 dropped 64 C:\ProgramData\DFSfghfghfgsd.exe, PE32 9->64 dropped 106 Maps a DLL or memory area into another process 9->106 13 DFSfghfghfgsd.exe 4 9->13         started        16 GFgdfgfdfasd.exe 4 9->16         started        18 qbylC8jEWn.exe 88 9->18         started        signatures6 process7 dnsIp8 108 Antivirus detection for dropped file 13->108 110 Machine Learning detection for dropped file 13->110 112 Maps a DLL or memory area into another process 13->112 22 DFSfghfghfgsd.exe 72 13->22         started        27 GFgdfgfdfasd.exe 188 16->27         started        74 185.234.247.50, 49740, 80 INTERKONEKT-ASPL Russian Federation 18->74 76 telete.in 195.201.225.248, 443, 49738 HETZNER-ASDE Germany 18->76 38 C:\Users\user\AppData\...\vLgqx1AN4N.exe, PE32 18->38 dropped 40 C:\Users\user\AppData\...\X5da8IndlZ.exe, PE32 18->40 dropped 42 C:\Users\user\AppData\...\X4JkgQ26Bh.exe, PE32 18->42 dropped 44 61 other files (none is malicious) 18->44 dropped 114 Tries to steal Mail credentials (via file access) 18->114 116 Tries to harvest and steal browser information (history, passwords, etc) 18->116 file9 signatures10 process11 dnsIp12 78 danielmi.ac.ug 185.215.113.77, 49739, 49742, 49754 WHOLESALECONNECTIONSNL Portugal 22->78 46 C:\Users\user\AppData\Local\Temp\rc.exe, PE32 22->46 dropped 48 C:\Users\user\AppData\Local\Temp\ds2.exe, PE32 22->48 dropped 50 C:\Users\user\AppData\Local\Temp\cc.exe, PE32 22->50 dropped 58 50 other files (none is malicious) 22->58 dropped 94 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 22->94 96 Tries to steal Instant Messenger accounts or passwords 22->96 98 Tries to steal Mail credentials (via file access) 22->98 104 2 other signatures 22->104 29 cc.exe 22->29         started        34 ds2.exe 22->34         started        36 ds1.exe 22->36         started        80 192.168.2.1 unknown unknown 27->80 82 danielmax.ac.ug 27->82 52 C:\ProgramData\vcruntime140.dll, PE32 27->52 dropped 54 C:\ProgramData\sqlite3.dll, PE32 27->54 dropped 56 C:\ProgramData\softokn3.dll, PE32 27->56 dropped 60 4 other files (none is malicious) 27->60 dropped 100 Tries to harvest and steal browser information (history, passwords, etc) 27->100 102 Tries to steal Crypto Currency Wallets 27->102 file13 signatures14 process15 dnsIp16 84 cdn.discordapp.com 162.159.130.233, 443, 49757, 49758 CLOUDFLARENETUS United States 29->84 66 C:\Users\Public\Libraries\...\Debnemn.exe, PE32 29->66 dropped 118 Uses schtasks.exe or at.exe to add and modify task schedules 29->118 120 Injects a PE file into a foreign processes 29->120 file17 signatures18
Detection:
azorult
Create hunting rule
Link:
https://mwdb.cert.pl/sample/299c548532e82b62f4b52ad642613b9cecc89c9be39a1da630afbc06cb7cce85/
Threat name:
Win32.Trojan.RaccoonStealer
Create hunting rule
Status:
Malicious
First seen:
2021-07-23 11:27:07 UTC
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fgofjbjs5avwf5fvflleeyj3ttwmrhe34onb3jrqv66ans34z2cq._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
Similar samples:
0b02739c5fd7a7fa53410bc2287c42cf66a3a6d51ecc9570e76e4f0f8129f2d7
AZORult
5a4f75c16948eb90210b50a2af901dad431a231d5a4406ce55dad0cd943d5cd0
AZORult
69e75e57bc4a09c9a3d7726b28423d10df5b0224177ebfa43930668efd0af5da
AZORult
6c8131fc986f9477582f43530e0bdc660887285c83360c52e6b68876a57dc9b0
AZORult
8b1c960881fc789460b5b274abd43baddb1c92e1a942d3a1080a4adb1f545e50
AZORult
a110fa4d0693222419b11ff74bb269c8c80b65a532efbee4ba83db50f6f04776
AZORult
a9b0a14beac57ba149a978c8f0996a4f4e70e003b80c67e631947c9dc3590154
AZORult
d1621aa8dd1273a4b6e4f3e6b83188044af80c6ffe9aba2e7e191f159ce9b1eb
AZORult
d98fd8189273e4f4fcbb8b1d5b32459b5d7adcd6eaff9efef0c32ace0fdfab0e
AZORult
eb9087aa8cfed42c217de2206a95a9f320e4850625175e52b53ce51224ac52c6
AZORult
+ 4'136 additional samples on MalwareBazaar
Result
Malware family:
oski
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat family:azorult family:bitrat family:oski discovery evasion infostealer persistence rat spyware stealer suricata trojan upx
Link:
https://tria.ge/reports/210723-agn27rqmse/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies registry key
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Windows security modification
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
Async RAT payload
AsyncRat
Azorult
BitRAT
BitRAT Payload
Contains code to disable Windows Defender
Modifies Windows Defender Real-time Protection settings
Oski
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M1
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M18
Malware Config
C2 Extraction:
http://195.245.112.115/index.php
danielmax.ac.ug
omomom.ac.ug:6970
omkarusdajvc.ac.ug:6970
Unpacked files
SH256 hash:
388a69072f1a0e871d4812d7b8421f975099f7a613ce8ab10101e32ce1b88bbf
MD5 hash:
b03a7fe96bf1c43ce9eb194d3dba3301
SHA1 hash:
0111aea6ca0cd839b4aef0b9dcf67c9db5d924d9
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/8de4fedf-0ce0-4e37-bfdc-28a1369e6cff/
Parent samples :
299c548532e82b62f4b52ad642613b9cecc89c9be39a1da630afbc06cb7cce85
367fd8584be5901c9b262975ab5e5700e0e3010d697f1161b6aafabcc7f07d07
29cf2aec62c3504b1914484feff17ae470b51229b1df06f1a30334a08b6db12a
SH256 hash:
24d4d07086fcbc1be991f8359231e8750efcb10ceb8c5b9928898aacce3d8788
MD5 hash:
55f41f952ff4a11e09eeb894f491b29f
SHA1 hash:
f64ee2b917943258a269ac103ce1f19fe187cf53
Detections:
win_oski_g0
Create hunting rule
win_oski_auto
Create hunting rule
Link:
https://www.unpac.me/results/8de4fedf-0ce0-4e37-bfdc-28a1369e6cff/
SH256 hash:
835268c35a1f02b34ea8ce840ef3bd25f6e8f919bf7223ba613a461333dab8fa
MD5 hash:
23975037fd7d2d50806a79e7cf25abd9
SHA1 hash:
164350df65ab8c775eecc49fa6aed982a5b01b41
Detections:
win_azorult_g1
Create hunting rule
win_azorult_auto
Create hunting rule
Link:
https://www.unpac.me/results/8de4fedf-0ce0-4e37-bfdc-28a1369e6cff/
SH256 hash:
561f278d64c42497e653c67ae73eebc1ce64ed220566eed29a65e080c1442803
MD5 hash:
173eea54fd1c622168bf5e1ecec2a519
SHA1 hash:
04a77cb30c3a43572f155d41809e395da77731b9
Link:
https://www.unpac.me/results/8de4fedf-0ce0-4e37-bfdc-28a1369e6cff/
SH256 hash:
299c548532e82b62f4b52ad642613b9cecc89c9be39a1da630afbc06cb7cce85
MD5 hash:
d15d23927ebb3663b119dc9ece4e6f4c
SHA1 hash:
f0854a4cd8a69b3b1c8192152d3840cc6292331e
Link:
https://www.unpac.me/results/8de4fedf-0ce0-4e37-bfdc-28a1369e6cff/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/299c548532e82b62f4b52ad642613b9cecc89c9be39a1da630afbc06cb7cce85

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AZORult

Executable exe 299c548532e82b62f4b52ad642613b9cecc89c9be39a1da630afbc06cb7cce85

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/437013/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1464224/
  
URLhaus
https://urlhaus.abuse.ch/url/265919/
  
URLhaus
https://urlhaus.abuse.ch/url/446434/
  
URLhaus
https://urlhaus.abuse.ch/url/399075/
Cape
Cape
https://www.capesandbox.com/analysis/173603/

Comments