MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2ced9b36b931b73b1d325bececd01f0e4fa6bd0fff98f8b76f2f45b473311cd0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AZORult


Vendor detections: 11



SHA256 hash: 2ced9b36b931b73b1d325bececd01f0e4fa6bd0fff98f8b76f2f45b473311cd0
SHA3-384 hash: bed4f5cf00ef4f31ded0b75aa446c8f7e9f7595f6135c13d2a7dc7fd2aa7467a29c057aa8e52aba53e80732e9f971686
SHA1 hash: ed1497c47dc283118bbc57d49cd9f354785cf73d
MD5 hash: 63645a9e1f5e77ba3c75366f3a14ab87
humanhash: item-quebec-kitten-enemy
File name: 63645a9e1f5e77ba3c75366f3a14ab87.exe
Signature: AZORult
File size: 786'944 bytes
First seen: 2022-06-19 17:06:08 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'648 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep: 12288:cmXRqybmhFE0sf6H22qla5w/yXbxmt6hI3uZWQCurQ/EnsNQ3Nxy:cIRqthqf6H0MW/Ibx03SQusNQ3P
TLSH: T112F47D4EB34C5E9BECA54779C2F70EA09211DA30641F834B5602AD7FB3274DABE416C6
TrID:
  72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
  10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
  6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
  2.0% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon: eaa98b5c243d8ab6 (4 x AZORult, 3 x RemcosRAT, 2 x XFilesStealer)
Reporter: abuse_ch
Tags: AZORult exe


abuse_ch
AZORult C2:
http://phila.ac.ug/index.php

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                              ThreatFox Reference
http://phila.ac.ug/index.php     https://threatfox.abuse.ch/ioc/716384/

Intelligence


File Origin
# of uploads: 1
# of downloads: 921
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
  Verdict: Malicious
  Threat level: 10/10
  Confidence: 100%
Tags: fingerprint packed stealer wacatac
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Azorult, Clipboard Hijacker, Record Stea
Detection: malicious
Classification: troj.evad.spyw
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Creates multiple autostart registry keys
Detected unpacking (creates a PE file in dynamic memory)
Encrypted powershell cmdline option found
Found C&C like URL pattern
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Potential dropper URLs found in powershell memory
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Azorult
Yara detected Azorult Info Stealer
Yara detected Clipboard Hijacker
Yara detected Costura Assembly Loader
Yara detected Record Stealer
Yara detected Remcos RAT
Yara detected Vidar stealer
Behaviour
Behavior Graph: ID 648443, sample 2i2qY5a93Z.exe, start date 19/06/2022, architecture WINDOWS, score 100. Top-level contacted hosts: wiwirdo.ac.ug, werido.ug and 6 other IPs or domains. (The rendered process/network graph is not reproduced here; the contacted hosts and dropped files it shows are also listed in the signatures and behaviour sections above and below.)
Threat name: ByteCode-MSIL.Trojan.Zilla
Status: Malicious
First seen: 2022-06-19 17:07:12 UTC
File Type: PE (.Net Exe)
Extracted files: 5
AV detection: 22 of 26 (84.62%)
Threat level: 5/5
Verdict: malicious

Result
Malware family: recordbreaker
Score: 10/10
Tags: family:recordbreaker discovery spyware stealer suricata
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
RecordBreaker
suricata: ET MALWARE Generic Stealer Config Download Request
suricata: ET MALWARE Recordbreaker Stealer CnC Checkin
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Malware Config
C2 Extraction:
http://136.244.65.99/
http://140.82.52.55/
Unpacked files

SHA256 hash: 74403db789b290edd250cdcccbe14f8ce60923f683ccfa227c6727a9a25acdde
MD5 hash: e547776aa5e33032c3b8683252d83aa4
SHA1 hash: ef2a9b9b8f4e00919fb5d09a43c216a34811be3b

SHA256 hash: 9f01d9f2ed07e630ec078efa5d760762c3c8ad3b06e9e8a9062a37d63d57b026
MD5 hash: 9fbb8cec55b2115c00c0ba386c37ce62
SHA1 hash: e2378a1c22c35e40fd1c3e19066de4e33b50f24a

SHA256 hash: 7ed1047900c00d402f7660ef3753bdd3dd6c43e0d1d3d6b94901c7bdeef1f7c6
MD5 hash: 0ab86b10c018a1e754e7befcbbbb6967
SHA1 hash: a8cb9d7261c9b833109f443c7c4bb34241e70d41

SHA256 hash: 2ced9b36b931b73b1d325bececd01f0e4fa6bd0fff98f8b76f2f45b473311cd0
MD5 hash: 63645a9e1f5e77ba3c75366f3a14ab87
SHA1 hash: ed1497c47dc283118bbc57d49cd9f354785cf73d
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: exploit_any_poppopret
Author: Jeff White [karttoon@gmail.com] @noottrak
Description: Identify POP -> POP -> RET opcodes for quick ROP Gadget creation in target binaries.

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: Typical_Malware_String_Transforms
Author: Florian Roth
Description: Detects typical strings in a reversed or otherwise modified form
Reference: Internal Research

Rule name: Typical_Malware_String_Transforms_RID3473
Author: Florian Roth
Description: Detects typical strings in a reversed or otherwise modified form
Reference: Internal Research

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: AZORult
File: Executable exe 2ced9b36b931b73b1d325bececd01f0e4fa6bd0fff98f8b76f2f45b473311cd0 (this sample)

Comments