MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 29cf2aec62c3504b1914484feff17ae470b51229b1df06f1a30334a08b6db12a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 13


Intelligence 13 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 29cf2aec62c3504b1914484feff17ae470b51229b1df06f1a30334a08b6db12a
SHA3-384 hash: e47ca1729560777ca9f694d6788c57488548cde2831fdb4a7a75962af36e2b1d672a3d2b059a591ca864030434818869
SHA1 hash: 41c371b7053bcf1b7867aeada51e716650afa19a
MD5 hash: 7fb10b8ea68c1e0064730018fca3cb39
humanhash: nevada-mike-island-floor
File name:7fb10b8ea68c1e0064730018fca3cb39.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:1'015'808 bytes
First seen:2021-08-05 10:30:56 UTC
Last seen:2021-08-05 12:09:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash fb0fb8edc31fffe9bb05edbac608d5c5 (5 x RaccoonStealer, 4 x AZORult, 1 x NetWire)
ssdeep 24576:/E0lHcgqgh7/0tgIugNw6GQlGDI/NKs/Y:/Ew8gXYzVtGQVNn/Y
Threatray 5'123 similar samples on MalwareBazaar
TLSH T1A025F11BBB66054BF0CA0975566064F61F7E9C7372852C1FEB829E0C44F2686B8E07B7
Reporter abuse_ch
Tags:AZORult exe


Avatar
abuse_ch
AZORult C2:
http://5.252.179.21/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://5.252.179.21/ https://threatfox.abuse.ch/ioc/165702/

Intelligence

File Origin
# of uploads :
2
# of downloads :
527
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
7fb10b8ea68c1e0064730018fca3cb39.exe
Verdict:
Malicious activity
Analysis date:
2021-08-05 10:35:34 UTC
Tags:
trojan stealer vidar rat azorult raccoon loader
Link:
https://app.any.run/tasks/9663e505-8851-4b1a-8c1f-94cb9b6703d9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/176609/
Detection(s):
SecuriteInfo.com.Variant.Barys.102299.11931.17263.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file
Creating a file in the %AppData% directory
Creating a process from a recently created file
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AZORult
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e6d89668-92cd-43b4-8534-6210a711e9b8
Result
Threat name:
Azorult Raccoon Vidar
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/827749
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Executable Used by PlugX in Uncommon Location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Yara detected Azorult
Yara detected Azorult Info Stealer
Yara detected Raccoon Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 460182 Sample: BrUPY0rcg3.exe Startdate: 05/08/2021 Architecture: WINDOWS Score: 100 65 cdn.discordapp.com 2->65 67 arsaxa.ac.ug 2->67 73 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->73 75 Malicious sample detected (through community Yara rule) 2->75 77 Antivirus detection for URL or domain 2->77 79 9 other signatures 2->79 9 BrUPY0rcg3.exe 16 2->9         started        signatures3 process4 file5 57 C:\Users\user\AppData\...\DSFnbyhgfrtydfg.exe, PE32 9->57 dropped 59 C:\ProgramDatabehaviorgraphFDyrtucbvfdg.exe, PE32 9->59 dropped 93 Maps a DLL or memory area into another process 9->93 13 GFDyrtucbvfdg.exe 4 9->13         started        16 BrUPY0rcg3.exe 80 9->16         started        20 DSFnbyhgfrtydfg.exe 4 9->20         started        signatures6 process7 dnsIp8 95 Antivirus detection for dropped file 13->95 97 Multi AV Scanner detection for dropped file 13->97 99 Machine Learning detection for dropped file 13->99 22 GFDyrtucbvfdg.exe 72 13->22         started        61 telete.in 195.201.225.248, 443, 49730 HETZNER-ASDE Germany 16->61 63 45.138.172.138, 49731, 80 COMBAHTONcombahtonGmbHDE Germany 16->63 33 C:\Users\user\AppData\...\vcruntime140.dll, PE32 16->33 dropped 35 C:\Users\user\AppData\...\ucrtbase.dll, PE32 16->35 dropped 37 C:\Users\user\AppData\...\softokn3.dll, PE32 16->37 dropped 39 56 other files (none is malicious) 16->39 dropped 101 Tries to steal Mail credentials (via file access) 16->101 103 Tries to harvest and steal browser information (history, passwords, etc) 16->103 105 Maps a DLL or memory area into another process 20->105 27 DSFnbyhgfrtydfg.exe 188 20->27         started        file9 signatures10 process11 dnsIp12 69 danielmi.ac.ug 185.215.113.77, 49728, 49737, 49739 WHOLESALECONNECTIONSNL Portugal 22->69 41 C:\Users\user\AppData\Local\Temp\rc.exe, PE32 22->41 dropped 43 C:\Users\user\AppData\Local\Temp\ds2.exe, PE32 22->43 dropped 45 C:\Users\user\AppData\Local\Temp\ds1.exe, PE32 22->45 dropped 53 50 other files (none is malicious) 22->53 dropped 81 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 22->81 83 Tries to steal Instant Messenger accounts or passwords 22->83 85 Tries to steal Mail credentials (via file access) 22->85 91 2 other signatures 22->91 29 cc.exe 22->29         started        31 ds2.exe 22->31         started        71 danielmax.ac.ug 27->71 47 C:\ProgramData\vcruntime140.dll, PE32 27->47 dropped 49 C:\ProgramData\sqlite3.dll, PE32 27->49 dropped 51 C:\ProgramData\softokn3.dll, PE32 27->51 dropped 55 4 other files (none is malicious) 27->55 dropped 87 Tries to harvest and steal browser information (history, passwords, etc) 27->87 89 Tries to steal Crypto Currency Wallets 27->89 file13 signatures14 process15
Detection:
raccoon
Create hunting rule
Link:
https://mwdb.cert.pl/sample/29cf2aec62c3504b1914484feff17ae470b51229b1df06f1a30334a08b6db12a/
Threat name:
Win32.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2021-08-05 10:31:04 UTC
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fhhsv3dcyniewgiujbh674l24rylkerjwhpqn4ndam2kbc3nweva._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
Similar samples:
0b02739c5fd7a7fa53410bc2287c42cf66a3a6d51ecc9570e76e4f0f8129f2d7
AZORult
299c548532e82b62f4b52ad642613b9cecc89c9be39a1da630afbc06cb7cce85
AZORult
5a4f75c16948eb90210b50a2af901dad431a231d5a4406ce55dad0cd943d5cd0
AZORult
69e75e57bc4a09c9a3d7726b28423d10df5b0224177ebfa43930668efd0af5da
AZORult
6c8131fc986f9477582f43530e0bdc660887285c83360c52e6b68876a57dc9b0
AZORult
8b1c960881fc789460b5b274abd43baddb1c92e1a942d3a1080a4adb1f545e50
AZORult
a9b0a14beac57ba149a978c8f0996a4f4e70e003b80c67e631947c9dc3590154
AZORult
d1621aa8dd1273a4b6e4f3e6b83188044af80c6ffe9aba2e7e191f159ce9b1eb
AZORult
d98fd8189273e4f4fcbb8b1d5b32459b5d7adcd6eaff9efef0c32ace0fdfab0e
AZORult
eb9087aa8cfed42c217de2206a95a9f320e4850625175e52b53ce51224ac52c6
AZORult
+ 5'113 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat family:azorult family:bitrat family:oski family:raccoon botnet:fe25b858c52ebb889260990dc343e5dbcf4a96e4 discovery evasion infostealer persistence rat spyware stealer suricata trojan upx
Link:
https://tria.ge/reports/210805-3n1f6kvxje/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies registry key
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Windows security modification
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
Async RAT payload
AsyncRat
Azorult
BitRAT
BitRAT Payload
Contains code to disable Windows Defender
Modifies Windows Defender Real-time Protection settings
Oski
Raccoon
Raccoon Stealer Payload
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M1
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M18
Malware Config
C2 Extraction:
http://195.245.112.115/index.php
danielmax.ac.ug
icando.ug:6970
icacxndo.ac.ug:6970
Unpacked files
SH256 hash:
388a69072f1a0e871d4812d7b8421f975099f7a613ce8ab10101e32ce1b88bbf
MD5 hash:
b03a7fe96bf1c43ce9eb194d3dba3301
SHA1 hash:
0111aea6ca0cd839b4aef0b9dcf67c9db5d924d9
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/93901e0b-652d-4b51-922c-384ffc9efa82/
Parent samples :
299c548532e82b62f4b52ad642613b9cecc89c9be39a1da630afbc06cb7cce85
367fd8584be5901c9b262975ab5e5700e0e3010d697f1161b6aafabcc7f07d07
29cf2aec62c3504b1914484feff17ae470b51229b1df06f1a30334a08b6db12a
SH256 hash:
fb00afc60df3416b775848acc2001493da992885541a89fae37c566073d944f1
MD5 hash:
a60bb5c700599bae685700624089dd9c
SHA1 hash:
3f49e903dfaceef29cea16b8c0c36669e55e5923
Detections:
win_oski_g0
Create hunting rule
win_oski_auto
Create hunting rule
Link:
https://www.unpac.me/results/93901e0b-652d-4b51-922c-384ffc9efa82/
SH256 hash:
ae0d732212803c964d395993bd31c7e9ca598b3e3630b0244bc1ef992d6fb68f
MD5 hash:
df1a374c7f476791980e56edec5e8860
SHA1 hash:
0807594042f5e33ec0feaf545f727a0f23192993
Detections:
win_azorult_g1
Create hunting rule
win_azorult_auto
Create hunting rule
Link:
https://www.unpac.me/results/93901e0b-652d-4b51-922c-384ffc9efa82/
SH256 hash:
29cf2aec62c3504b1914484feff17ae470b51229b1df06f1a30334a08b6db12a
MD5 hash:
7fb10b8ea68c1e0064730018fca3cb39
SHA1 hash:
41c371b7053bcf1b7867aeada51e716650afa19a
Link:
https://www.unpac.me/results/93901e0b-652d-4b51-922c-384ffc9efa82/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/29cf2aec62c3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/29cf2aec62c3504b1914484feff17ae470b51229b1df06f1a30334a08b6db12a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AZORult

Executable exe 29cf2aec62c3504b1914484feff17ae470b51229b1df06f1a30334a08b6db12a

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/446434/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/422736/
  
URLhaus
https://urlhaus.abuse.ch/url/1322752/
  
URLhaus
https://urlhaus.abuse.ch/url/399075/
  
URLhaus
https://urlhaus.abuse.ch/url/437013/
  
URLhaus
https://urlhaus.abuse.ch/url/399076/
  
URLhaus
https://urlhaus.abuse.ch/url/906880/
Cape
Cape
https://www.capesandbox.com/analysis/176609/
  
URLhaus
https://urlhaus.abuse.ch/url/265919/

Comments