MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 309122794db2c8fd2ffd82c9770988297860a56116ce184be08da75b64d361f8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 309122794db2c8fd2ffd82c9770988297860a56116ce184be08da75b64d361f8
SHA3-384 hash: 07dbd8aeae9e49e3c9a0166371107170522403eb13aa3134d890018699dfa17ae58d39137178be7b08c84fb3dd27b4a7
SHA1 hash: ad73edc33406d2a5d080a5adfa967927c9c3f9df
MD5 hash: b23a4794f36589ad6ccdc7283013c8ae
humanhash: december-fish-grey-salami
File name:b23a4794f36589ad6ccdc7283013c8ae.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:146'432 bytes
First seen:2022-04-08 09:44:14 UTC
Last seen:2022-04-08 11:11:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 3072:olGJlm/+X2th+TLEdCa8maQ7JcAn1iyieRhpC:oEJlmG0haEdCvjQVc01iyiej
Threatray 164 similar samples on MalwareBazaar
TLSH T16AE3021027DB955BC91A46398C43DF790B3482E82F21E397A95949FF6C783E80F627B4
File icon (PE):PE icon
dhash icon 8e1341c1a931038e (2 x AZORult)
Reporter abuse_ch
Tags:AZORult exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
819
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b23a4794f36589ad6ccdc7283013c8ae.exe
Verdict:
Suspicious activity
Analysis date:
2022-04-08 21:12:13 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9f7a1029-a3a6-484a-aad2-060972d75793

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/262051/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader44.49283.427.13806.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Sending an HTTP GET request
Sending a custom TCP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Launching a process
Creating a file
Searching for synchronization primitives
Reading critical registry keys
Changing a file
Creating a file in the %AppData% subdirectories
Creating a process with a hidden window
Creating a window
Running batch commands
Unauthorized injection to a recently created process
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
fingerprint msbuild.exe obfuscated packed stealer
Link:
https://www.filescan.io/uploads/62500428d53a7479dad9d87f/reports/2120d841-2ab9-401c-91da-f8c71aeb448e/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Oski Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/748ef553-9656-4325-8cf9-46e98a409f42
Result
Threat name:
RedLine Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/973136
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Encrypted powershell cmdline option found
Found evasive API chain (may stop execution after checking computer name)
Found evasive API chain (may stop execution after checking locale)
Found evasive API chain (may stop execution after checking mutex)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sigma detected: Suspicious Encoded PowerShell Command Line
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Yara detected RedLine Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 605627 Sample: c9SqvgW39a.exe Startdate: 08/04/2022 Architecture: WINDOWS Score: 100 39 Multi AV Scanner detection for domain / URL 2->39 41 Found malware configuration 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 12 other signatures 2->45 8 c9SqvgW39a.exe 15 5 2->8         started        process3 dnsIp4 37 62.204.41.69, 49771, 49776, 49781 TNNET-ASTNNetOyMainnetworkFI United Kingdom 8->37 31 C:\Users\user\...\Hyqtgoxnlkxypzhmwvckvml.exe, PE32 8->31 dropped 33 C:\Users\user\AppData\...\c9SqvgW39a.exe.log, ASCII 8->33 dropped 12 MSBuild.exe 77 8->12         started        15 Hyqtgoxnlkxypzhmwvckvml.exe 14 4 8->15         started        file5 process6 signatures7 51 Found evasive API chain (may stop execution after checking mutex) 12->51 53 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 12->53 55 Found evasive API chain (may stop execution after checking computer name) 12->55 65 4 other signatures 12->65 17 cmd.exe 1 12->17         started        57 Multi AV Scanner detection for dropped file 15->57 59 Machine Learning detection for dropped file 15->59 61 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 15->61 63 Encrypted powershell cmdline option found 15->63 19 Hyqtgoxnlkxypzhmwvckvml.exe 15->19         started        23 powershell.exe 25 15->23         started        process8 dnsIp9 25 conhost.exe 17->25         started        27 timeout.exe 1 17->27         started        35 62.204.41.166, 27688, 49794 TNNET-ASTNNetOyMainnetworkFI United Kingdom 19->35 47 Tries to harvest and steal browser information (history, passwords, etc) 19->47 49 Tries to steal Crypto Currency Wallets 19->49 29 conhost.exe 23->29         started        signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/309122794db2c8fd2ffd82c9770988297860a56116ce184be08da75b64d361f8/
Threat name:
ByteCode-MSIL.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2022-04-07 19:41:25 UTC
File Type:
PE (.Net Exe)
Extracted files:
23
AV detection:
22 of 41 (53.66%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=gcise6knwlep2l75qlexocmiff4gbjlbc3hbqs7arwtvwzgtmh4a._file
Verdict:
malicious
Similar samples:
1e954bf224aa79d4eda4ae5438e8e2fbfb517299921fd8969cb892a7ac01b096
AZORult
3d3812027a1dfbebfb22a52b0b671d4237f38c44c3a40936dc63d4b6896ec5e1
AZORult
48ad69b7574d98c17d6f0c72dd30278f1063ea6bb4ac84d8b6a44b387967fd67
AZORult
71d250c884aaca7c11dec88378c49bd94c37b63ca0b6274b7046c1bc0d9bc134
AZORult
7d3d668171bc6da211cbdbcad1a01e8e23316b097e6e7102331f6ccc1cc11639
AZORult
a51e862ad7950b242cce5ec0cc8734124186c16f506870ddd8ba41057ec36041
AZORult
cff9152c285650c3e7ede2b8a6eb108c6743b6cf134ef64c49c5d5ed60b1649e
AZORult
f3898ca67fa60276c5c6ace2385d54120cd792943c98e865fbdeb020cb5d4ac9
AZORult
+ 154 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:arkei family:redline botnet:04062022 botnet:default infostealer spyware stealer
Link:
https://tria.ge/reports/220408-lq2v1sbga4/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Arkei
RedLine
RedLine Payload
Malware Config
C2 Extraction:
http://
http://62.204.41.69/p8jG9WvgbE.php
62.204.41.166:27688
Unpacked files
SH256 hash:
309122794db2c8fd2ffd82c9770988297860a56116ce184be08da75b64d361f8
MD5 hash:
b23a4794f36589ad6ccdc7283013c8ae
SHA1 hash:
ad73edc33406d2a5d080a5adfa967927c9c3f9df
Link:
https://www.unpac.me/results/8543086d-c5c7-45f1-93d6-e1e24e56de73/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Azorult
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/309122794db2c8fd2ffd82c9770988297860a56116ce184be08da75b64d361f8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AZORult

Executable exe 309122794db2c8fd2ffd82c9770988297860a56116ce184be08da75b64d361f8

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/422736/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/399076/
  
URLhaus
https://urlhaus.abuse.ch/url/1746812/
  
URLhaus
https://urlhaus.abuse.ch/url/906880/
  
URLhaus
https://urlhaus.abuse.ch/url/1322752/
  
URLhaus
https://urlhaus.abuse.ch/url/1746810/
Cape
Cape
https://www.capesandbox.com/analysis/262051/

Comments