MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2b625c9d95399334aa265623e7341745fb784c71c293935b68d892b6939fa09b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 16


Intelligence 16 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2b625c9d95399334aa265623e7341745fb784c71c293935b68d892b6939fa09b
SHA3-384 hash: 55120f64e1014c78b02088fc9c7cc0ebc0c624c6dd3a65843d4f1b841d9e0a25d9481d144e1757da74a88942dd50359a
SHA1 hash: 7799685dcde975e611d8c907c2916fc5be67b381
MD5 hash: e71412a5c1941bdbc7a971f1fe697a94
humanhash: march-leopard-coffee-oklahoma
File name:ArrayListDebugV.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:1'142'272 bytes
First seen:2022-03-27 20:05:33 UTC
Last seen:2024-07-24 12:36:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:p0Um71Y4bNdjbWXUBJaWWCfPXYo2sxy0bWqICYGG:a7rHbKUDVWaXasx3W8YGG
Threatray 1'627 similar samples on MalwareBazaar
TLSH T178350244725C1B61E3BB8BB941728200A33E244EEA7ED71E7D935CCC84E57E28762F56
File icon (PE):PE icon
dhash icon b3b3333969693b3b (69 x Formbook, 63 x AgentTesla, 26 x Loki)
Reporter adm1n_usa32
Tags:AZORult exe

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://62.197.136.186/kendrick/index.php https://threatfox.abuse.ch/ioc/456111/

Intelligence

File Origin
# of uploads :
2
# of downloads :
955
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
azorult
Create hunting rule
ID:
1
File name:
ArrayListDebugV.exe
Verdict:
Malicious activity
Analysis date:
2022-03-27 20:03:02 UTC
Tags:
trojan rat azorult stealer
Link:
https://app.any.run/tasks/a52f6c11-96e9-4f55-9a5f-d063906e9915

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Azorult
Create hunting rule
Link:
https://www.capesandbox.com/analysis/258227/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
Creating a file in the %temp% subdirectories
Reading critical registry keys
Stealing user critical data
Sending an HTTP POST request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed replace.exe update.exe
Link:
https://www.filescan.io/uploads/6240c3b0a19c6494129afcbe/reports/7ed4a95f-99c3-4246-8f14-9c92d2342d47/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AZORult
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a5a2ec5b-b2b9-49c5-b373-e8d450012e41
Result
Threat name:
Azorult
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/965370
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected Azorult
Yara detected Azorult Info Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2b625c9d95399334aa265623e7341745fb784c71c293935b68d892b6939fa09b/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-03-25 01:52:32 UTC
File Type:
PE (.Net Exe)
Extracted files:
20
AV detection:
22 of 42 (52.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fnrfzhmvhgjtjkrgkyr6onaxix5xqtdrykjzgw3i3cjlne47ucnq._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
Similar samples:
39247c12089970c5c398132f976bad9c969ef45ce1258229deaf3ce543027713
AZORult
66222812722bec06eaecb3735456800f715ebb8148a4c994c391de97c83e0868
AZORult
7c2d8d52d0278bffa26d7df8706c985e14e86ec0a3f79cc965f9e9e2b0fc1937
AZORult
bfdf0b6b9c31d50324e8cf7d4fccaccf77db84216d00ae03ac563d31e278495e
AZORult
fabe67cd06d71d24a03fe0d11e62e975de4c58903bcbc35f48a3a566970c228c
AZORult
+ 1'617 additional samples on MalwareBazaar
Result
Malware family:
azorult
Create hunting rule
Score:
  10/10
Tags:
family:azorult collection discovery infostealer spyware stealer suricata trojan
Link:
https://tria.ge/reports/220327-yvd1zaggcr/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Azorult
suricata: ET MALWARE AZORult v3.3 Server Response M2
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M13
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M6
Malware Config
C2 Extraction:
http://62.197.136.186/kendrick/index.php
Unpacked files
SH256 hash:
dc5c057b0ee1eb079cf189762aac69f0d86338ea18795dc4fbf7ed9b5a45c2eb
MD5 hash:
4103ed94f4747b30e166cf3c25416f47
SHA1 hash:
d553a67056e94f60d621ca42dcecd6d93f9ef1ad
Link:
https://www.unpac.me/results/393feaf3-6d68-47c5-aeaf-6476edc0fd54/
SH256 hash:
cdffee4a24ba264dfdb1fe5ea48ae776ef59ca245555e41d09f12da64285cdc5
MD5 hash:
0836743f385580846ea9fb7f2aa8dac0
SHA1 hash:
b0130b139b7784682896966b9da6845f98a35073
Link:
https://www.unpac.me/results/393feaf3-6d68-47c5-aeaf-6476edc0fd54/
SH256 hash:
fa6a9e54543031c60cddb1f8c47309f0f6109ea8c210967831977ea83905d7c9
MD5 hash:
4d88dfef4561f90bdd5bb4ebd48d7d20
SHA1 hash:
37363c67ff773f34ce828212d6c4248354fcd1c9
Link:
https://www.unpac.me/results/393feaf3-6d68-47c5-aeaf-6476edc0fd54/
SH256 hash:
7572dca1807d39698506e7696fc16f3f8d6b5f0f89efd7b30819d54c6a0bd43f
MD5 hash:
904fb65751d9ae8d8ef0b295b5272df8
SHA1 hash:
2397d9b0e9cde9d984c36303055360109b251bfc
Detections:
win_azorult_g1
Create hunting rule
win_azorult_auto
Create hunting rule
Link:
https://www.unpac.me/results/393feaf3-6d68-47c5-aeaf-6476edc0fd54/
SH256 hash:
2b625c9d95399334aa265623e7341745fb784c71c293935b68d892b6939fa09b
MD5 hash:
e71412a5c1941bdbc7a971f1fe697a94
SHA1 hash:
7799685dcde975e611d8c907c2916fc5be67b381
Link:
https://www.unpac.me/results/393feaf3-6d68-47c5-aeaf-6476edc0fd54/
Malware family:
AZORult v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/2b625c9d9539/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2b625c9d95399334aa265623e7341745fb784c71c293935b68d892b6939fa09b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AZORult

Executable exe 2b625c9d95399334aa265623e7341745fb784c71c293935b68d892b6939fa09b

(this sample)

anyrun
any.run
https://app.any.run/tasks/a52f6c11-96e9-4f55-9a5f-d063906e9915
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/258227/

Comments