MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2d9f9ff984d156fc523502763a5829055eb82f17a819c0ef33d3a53e7c801ddd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2d9f9ff984d156fc523502763a5829055eb82f17a819c0ef33d3a53e7c801ddd
SHA3-384 hash: eb9e26df90bd8b511af65f5240ecb24678a54dceb4c214d3f63c76321d0b248b4784a405b66da1e6be23f758e5b0c607
SHA1 hash: b024ba272a024bbce783d1001fbba1ace2b395e8
MD5 hash: b347b895c17430c07f771ad695abc8a0
humanhash: comet-high-equal-five
File name:DT-01063.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:680'248 bytes
First seen:2020-11-06 07:02:19 UTC
Last seen:2020-11-06 08:43:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 6144:l5OaKNg0yUzYCo3eef3fJk1q/Ah4ay+jn4Q1eTpfO4L4mgYp:nOatJYYCKeevn/S4arT4QM5smgYp
Threatray 830 similar samples on MalwareBazaar
TLSH CBE428A59B1080D8CD254F3130764D93637B6EE13E7CE60DA82D76D5CB7318A722E6CA
Reporter abuse_ch
Tags:AZORult exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
121
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Trojan.Generic-6629274-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Running batch commands
Launching a process
Creating a file
Creating a process from a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Azorult
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/522152
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Creates an autostart registry key pointing to binary in C:\Windows
Drops PE files to the user root directory
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected Azorult
Yara detected Azorult Info Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 310176 Sample: DT-01063.exe Startdate: 06/11/2020 Architecture: WINDOWS Score: 100 52 Multi AV Scanner detection for submitted file 2->52 54 Yara detected Azorult 2->54 56 Yara detected Azorult Info Stealer 2->56 58 3 other signatures 2->58 7 DT-01063.exe 7 2->7         started        11 pcalua.exe 1 2->11         started        13 pcalua.exe 1 1 2->13         started        process3 file4 30 C:\Users\user\ohsg.exe, PE32 7->30 dropped 32 C:\Users\user\AppData\...\AddInProcess32.exe, PE32 7->32 dropped 34 C:\Users\user\ohsg.exe:Zone.Identifier, ASCII 7->34 dropped 36 C:\Users\user\AppData\...\DT-01063.exe.log, ASCII 7->36 dropped 60 Drops PE files to the user root directory 7->60 15 ohsg.exe 4 7->15         started        19 cmd.exe 1 7->19         started        21 ohsg.exe 3 11->21         started        signatures5 process6 file7 38 C:\Users\user\AppData\...\AgileDotNetRT.dll, PE32 15->38 dropped 40 Writes to foreign memory regions 15->40 42 Allocates memory in foreign processes 15->42 44 Injects a PE file into a foreign processes 15->44 23 AddInProcess32.exe 15->23         started        25 reg.exe 1 1 19->25         started        28 conhost.exe 19->28         started        46 Multi AV Scanner detection for dropped file 21->46 48 Machine Learning detection for dropped file 21->48 50 Tries to detect virtualization through RDTSC time measurements 21->50 signatures8 process9 signatures10 62 Creates an autostart registry key pointing to binary in C:\Windows 25->62
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2d9f9ff984d156fc523502763a5829055eb82f17a819c0ef33d3a53e7c801ddd/
Threat name:
ByteCode-MSIL.Trojan.Variadic
Create hunting rule
Status:
Malicious
First seen:
2020-11-05 20:25:15 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fwpz76me2flpyurvaj3duwbjavplqlyxvam4b3zt2ost47eadxoq._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
Similar samples:
399ebb50cdbb6d080806a03d818a7ca38ffc3728bd37f24e0240f6290936766f
AZORult
6dbc3fe357de91609d5f9364bb1e4498872d18582146558fb16dc9d4b3ba9f83
AZORult
7862be8b6b58fc073c3b91badfeab7f5d939725074f2022be9430f89c594692d
AZORult
9d3df770b6dcd5beb650a097a597bb70c49dde306517bbc731812bf18a806719
AZORult
a4c035de8a4edb11a8cfaef2f2f8326d8909578cf9d5a5534edd4eb9d5a50680
AZORult
c22ee6c1ffbbc94db718846d0d68da507573c24eb66ab1122a1d2a177fa42e2f
AZORult
c578d33e132ccbbc26a4a31e6054fea7f42591b391e9b8eb30eaf732ed119088
AZORult
d29ac350da06473f2b10f012951942d5b90e2df48693ab8e6691fa4cf657accd
AZORult
e810c2a5864bd7fb672e7d760776cd2fcfae17328bac919fdb205018fb04ec64
AZORult
f7505d1a7254a1a38c4570f0abb3fe3a462d3c34efca6372841ac37876d2af05
AZORult
+ 820 additional samples on MalwareBazaar
Result
Malware family:
azorult
Create hunting rule
Score:
  10/10
Tags:
family:azorult agilenet discovery infostealer persistence spyware trojan
Link:
https://tria.ge/reports/201106-x1qv89wfwn/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
JavaScript code in executable
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
Azorult
Malware Config
C2 Extraction:
http://209.141.54.122/vin/index.php
Unpacked files
SH256 hash:
21f0cb5625ba519b16112be3c2f8458731b32dbf1e56efcf48ac9d234f1e8448
MD5 hash:
f1220039fced3e32ca13725edc57700b
SHA1 hash:
25ffe8fc04868d8fb2bbef9addef5fef8d0f420d
Link:
https://www.unpac.me/results/17d322df-fd15-4197-a155-973c6d64a300/
SH256 hash:
45955522e52fc6fe4fe4b0a5d2111505ae1e83789126d550ed02c225b041a47e
MD5 hash:
94293b44a4ee8c7a7647078363e33959
SHA1 hash:
96d368c7efd3b74b3b89d482261c8d850ab8b966
Detections:
win_azorult_g1
Create hunting rule
win_azorult_auto
Create hunting rule
Link:
https://www.unpac.me/results/17d322df-fd15-4197-a155-973c6d64a300/
Parent samples :
2d9f9ff984d156fc523502763a5829055eb82f17a819c0ef33d3a53e7c801ddd
b67d118b20beae833a870b617c8bf914c018be74c851bf04085c6804c7760555
e1f88b15a2797803e77716c9390803b259e206a98ab6bdcaa6fcd2a0ed5e6fff
a838a084b08d5a9e1eb2658e878c5215291a9a2cb04583d8363f45649a5ff8dc
SH256 hash:
077feb7ca84b551c70c1e5cea75b08a34fd48bac37b15cdf9e86b05b193bdfc8
MD5 hash:
89a3a95f1677e9c7aa723aa61f1241dc
SHA1 hash:
d189a337455f90c2b371af608b575e1179a8021d
Link:
https://www.unpac.me/results/17d322df-fd15-4197-a155-973c6d64a300/
SH256 hash:
c4c4e01e29bcb82a2943f8ae30b46326425200291c92fe8369aba8fa33e28558
MD5 hash:
1ed914b6bc67975cf01d6014e2971ad0
SHA1 hash:
5f80b092bc95410ce41fb577bb971a8df3f1d375
Link:
https://www.unpac.me/results/17d322df-fd15-4197-a155-973c6d64a300/
SH256 hash:
2d9f9ff984d156fc523502763a5829055eb82f17a819c0ef33d3a53e7c801ddd
MD5 hash:
b347b895c17430c07f771ad695abc8a0
SHA1 hash:
b024ba272a024bbce783d1001fbba1ace2b395e8
Link:
https://www.unpac.me/results/17d322df-fd15-4197-a155-973c6d64a300/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AZORult

Executable exe 2d9f9ff984d156fc523502763a5829055eb82f17a819c0ef33d3a53e7c801ddd

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments