MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2d54fe014e47421a3dbb41e52aab07e514b709e7aeb7d8c23a0dbfc4da9fcebd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2d54fe014e47421a3dbb41e52aab07e514b709e7aeb7d8c23a0dbfc4da9fcebd
SHA3-384 hash: 13cefc4a154a116c3e758271920420652f79955696bd513300fd50336ac480850d84f0eb137c5c0b04fc94717f30000c
SHA1 hash: b03e416f6291cbf0a72c6207c0b8b1b7f24375e1
MD5 hash: c67871a2108f12690226761db6f714b3
humanhash: sweet-failed-foxtrot-lion
File name:c67871a2108f12690226761db6f714b3.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:685'568 bytes
First seen:2022-05-31 01:51:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:dEl7rLJWBzB7GA6J5Qvf6auNuqn/HbNU+qTKWzsNbdJ86uEjYXkcbDFmPsLjTl:ertWr7GAi5USltb7Wzsxo65e9bRmPgB
Threatray 5'228 similar samples on MalwareBazaar
TLSH T157E4122677A4AB42D56D0171C8D3023103F6AAC7B632D66B3EC102D51EC2BE6DDD87CA
TrID 69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.9% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:AZORult exe


Avatar
abuse_ch
AZORult C2:
http://45.133.1.20/izu/index.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://45.133.1.20/izu/index.php https://threatfox.abuse.ch/ioc/643526/

Intelligence

File Origin
# of uploads :
1
# of downloads :
1'187
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
azorult
Create hunting rule
ID:
1
File name:
c67871a2108f12690226761db6f714b3.exe
Verdict:
Malicious activity
Analysis date:
2022-05-31 01:53:05 UTC
Tags:
trojan rat azorult stealer
Link:
https://app.any.run/tasks/8cc6707d-3a8a-43b6-b738-d7dd092ea512

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Azorult
Create hunting rule
Link:
https://www.capesandbox.com/analysis/275567/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for synchronization primitives
Creating a window
Creating a file in the %temp% directory
Сreating synchronization primitives
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe obfuscated packed replace.exe wacatac
Link:
https://www.filescan.io/uploads/629574c36eb3ff3263427a78/reports/26f0c48c-12e6-48a9-af28-dbea225a0122/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AZORult
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f0188581-b4bc-4e3b-9f8e-b47f43cfc613
Result
Threat name:
Azorult
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1003906
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected Azorult
Yara detected Azorult Info Stealer
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2d54fe014e47421a3dbb41e52aab07e514b709e7aeb7d8c23a0dbfc4da9fcebd/
Threat name:
Win32.Trojan.RealProtect
Create hunting rule
Status:
Malicious
First seen:
2022-05-24 19:15:02 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fvkp4akoi5bbupn3ihssvkyh4uklocphv235rqr2bw74jwu7z26q._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
Similar samples:
0c3fba20ee8cf67d24cb54dafdfe07ce6178431ee03ea9a6b231e1a7656cb808
AZORult
546af5248d01e7d2b994944e9dd69ce8de7259515b898f1b8d1f6d811c62b1cc
AZORult
60ad58a938752fff5d6e9442d529fe21b5ecca6166ba78f68ec5c810f6285649
AZORult
722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088
AZORult
7f24773d411236705d09adba6b9b52a10b8f2f9d1963abb1b243d4eb72bfba9c
AZORult
8a43978a73d92e6cb41e74aae94482dfedec054c4ade4b717b249cfcdcc21844
AZORult
d8c4fb5e1c854c9362c4129efbaa6b72435b8e93df66fd418f288650d360ff22
AZORult
daf8cd6f6c9c7973e5a877510d38b7f71ed45fd41b408ee341e42281cf7419b1
AZORult
df4876573295b4e7beb618db31a015ea617f61b811978bb168d432c4052f7731
AZORult
fd91dbad2d19d5d622b97cb01a25d79748358664a5d26c7a81fd9031ece7777a
AZORult
+ 5'218 additional samples on MalwareBazaar
Result
Malware family:
azorult
Create hunting rule
Score:
  10/10
Tags:
family:azorult collection discovery infostealer spyware stealer suricata trojan
Link:
https://tria.ge/reports/220531-cadzksafd2/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Azorult
suricata: ET MALWARE AZORult v3.3 Server Response M3
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M15
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M4
Malware Config
C2 Extraction:
http://45.133.1.20/izu/index.php
Unpacked files
SH256 hash:
2d54fe014e47421a3dbb41e52aab07e514b709e7aeb7d8c23a0dbfc4da9fcebd
MD5 hash:
c67871a2108f12690226761db6f714b3
SHA1 hash:
b03e416f6291cbf0a72c6207c0b8b1b7f24375e1
Link:
https://www.unpac.me/results/7e2dc0ec-1176-4ada-9c08-7134dd55c507/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2d54fe014e47421a3dbb41e52aab07e514b709e7aeb7d8c23a0dbfc4da9fcebd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/275567/

Comments