MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2cb326bf23a15dfa548df0266743efffefe1cb91450b3146e03e72f51c2cf0d9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AZORult

Vendor detections: 12

Intelligence 12 IOCs 1 YARA 10 File information Comments

SHA256 hash:	2cb326bf23a15dfa548df0266743efffefe1cb91450b3146e03e72f51c2cf0d9
SHA3-384 hash:	ea85c4938f93dfdb206f8654d1e18b637472fe3bbf1302154fced7fd1fa1613bf3a47480d82114b4e83e363113a3966a
SHA1 hash:	a859952a86158d2f60ed927a966d17eede94887d
MD5 hash:	d163e4d75e3e115cce99679d08595c6e
humanhash:	cat-eight-july-equal
File name:	2CB326BF23A15DFA548DF0266743EFFFEFE1CB91450B3.exe
Download:	download sample
Signature	AZORult Create hunting rule
File size:	1'130'496 bytes
First seen:	2022-02-08 16:26:31 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	b985816070bef8efebdfdcd91627363a (1 x RaccoonStealer, 1 x AZORult)
ssdeep	12288:/9odY9SCVijMRXOtQt09oz4FMGH9uct73wNIX0809wFPXtQA:n9bVijMRXOttoz4FM0oeDAa080uT
Threatray	16'212 similar samples on MalwareBazaar
TLSH	T1C435F1567941A4F2D04E35B9E6A2B1D04629FC3626E30297F34C3E1AFF73985DD26322
File icon (PE):
dhash icon	00cca2b31382cc00 (1 x AZORult)
Reporter	abuse_ch
Tags:	AZORult exe

abuse_ch

AZORult C2:
http://139.162.146.59/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://139.162.146.59/	https://threatfox.abuse.ch/ioc/383112/

Intelligence

File Origin

# of uploads :

# of downloads :

368

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/238333/

Detection(s):

PUA.Win.Packer.Upx-49

PUA.Win.Packer.UpxProtector-1

PUA.Win.Packer.Upolyx-12

PUA.Win.Packer.Upx-4

Win.Trojan.VBGeneric-8264807-0

Win.Dropper.NetWire-8264833-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Сreating synchronization primitives

Running batch commands

Creating a process with a hidden window

Creating a process from a recently created file

Creating a window

Searching for synchronization primitives

DNS request

Connecting to a non-recommended domain

Sending an HTTP GET request

Creating a file

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Query of malicious DNS domain

Sending an HTTP GET request to an infection source

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/6384/overview

Behaviour

MalwareBazaar

CPUID_Instruction

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-vm control.exe greyware packed packed shell32.dll

Link:

https://www.filescan.io/uploads/62029a24c79b424d7208bfa1/reports/ed443a57-4a19-4684-b282-d2d78ab17025/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a7897bb1-54db-4111-972e-e295bd867f53

Result

Threat name:

Azorult Raccoon

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/936296

Behaviour

Behavior Graph:

n/a

Detection:

azorult

Link:

https://mwdb.cert.pl/sample/2cb326bf23a15dfa548df0266743efffefe1cb91450b3146e03e72f51c2cf0d9/

Threat name:

Win32.Ransomware.Locky

Status:

Malicious

First seen:

2022-02-05 01:08:00 UTC

File Type:

PE (Exe)

Extracted files:

100

AV detection:

33 of 43 (76.74%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=fszsnpzdufo7uven6atgoq7p77x6ds4riuftcrxahzzpkhbm6dmq._file

Verdict:

malicious

Label(s):

azorult

raccoon

AZORult

547bf6d6ed5ae181513ed653109514c73e5f50c3ea3a094bcd382fbd3c4b4bb0

AZORult

855f3c89419401c9596c74f4a05b3d7cf951c2038513b8b005bcdaf5abff06c4

AZORult

b594ae37dfb90a402bda0803680b455ababcc67e1add26f3c3f8f192d97dbe2a

AZORult

b7f7c6607354a0b83caccf57efef2d2447d212b7e0ee0f476abf069274cfd90c

AZORult

b8868eb87c7cb945704e2d0b8ec2ebdc890cd6df12f9ef0a7295582c7fd0cf1f

AZORult

bd3cefcbb135df48caee6888747542a304c4706e24e93492c481201c556bf334

AZORult

+ 16'202 additional samples on MalwareBazaar

Result

Malware family:

raccoon

Score:

10/10

Tags:

family:azorult family:modiloader family:oski family:raccoon botnet:125d9f8ed76e486f6563be097a710bd4cba7f7f2 collection discovery infostealer persistence spyware stealer trojan upx

Link:

https://tria.ge/reports/220208-tx3pwsaeh7/

Behaviour

Checks processor information in registry

Creates scheduled task(s)

Delays execution with timeout.exe

Gathers network information

Kills process with taskkill

Modifies data under HKEY_USERS

Modifies registry class

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Drops file in Windows directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Checks computer location settings

Loads dropped DLL

Reads data files stored by FTP clients

Reads local data of messenger clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Downloads MZ/PE file

Executes dropped EXE

UPX packed file

ModiLoader First Stage

Azorult

ModiLoader, DBatLoader

Oski

Raccoon

Malware Config

C2 Extraction:

http://195.245.112.115/index.php
pretorian.ug

Unpacked files

SH256 hash:

2cb326bf23a15dfa548df0266743efffefe1cb91450b3146e03e72f51c2cf0d9

MD5 hash:

d163e4d75e3e115cce99679d08595c6e

SHA1 hash:

a859952a86158d2f60ed927a966d17eede94887d

Link:

https://www.unpac.me/results/c65a521a-b800-44a6-aa27-b6e3e0be0109/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	azorult Create hunting rule
Author:	c3rb3ru5
Description:	Azorult Configuration Extractor

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	malware_Azorult Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Azorult in memory
Reference:	internal research

Rule name:	MALWARE_Win_Raccoon Create hunting rule
Author:	ditekSHen
Description:	Raccoon stealer payload

Rule name:	MALWARE_Win_Vidar Create hunting rule
Author:	ditekSHen
Description:	Detects Vidar / ArkeiStealer

Rule name:	Vidar Create hunting rule
Author:	kevoreilly
Description:	Vidar Payload

Rule name:	win_azorult_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.azorult.

Rule name:	win_oski_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.oski.

Rule name:	win_raccoon_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/238333/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample