MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 313aeafc8c5a3e9e04b4ae04339fd3e827392bdad7897ca2d146ed0f17572cf1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 313aeafc8c5a3e9e04b4ae04339fd3e827392bdad7897ca2d146ed0f17572cf1
SHA3-384 hash: 90a67e2351586fa52702540f9458cb90a67d85fdf75fc746d070748358d5a62b01dd87aaa666ba7bb2b7029ec1c409ce
SHA1 hash: 16f1c63a7f768f31395f3b6567dbe76a562ef9e4
MD5 hash: 5516ba90dc9a6978aaec99276ba4383c
humanhash: johnny-mississippi-kansas-uranus
File name:SecuriteInfo.com.Trojan.InjectNET.14.29094.19259
Download: download sample
Signature AZORult
Create hunting rule
File size:768'512 bytes
First seen:2020-11-05 22:50:26 UTC
Last seen:2020-11-07 12:50:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:EaIYpI03Jq8HcD+jraw0wquEJHvFoTFwOvPeeDDiUfM7itt1DNhrSMxFbfDF0Y7t:bppB3Uuc6j+9D19oThPRdci5DNhdrbD7
TLSH 07F41230B4EA6F67C2A68FF712B5962667F2183B175AE648CFF572D08D427501780E23
Reporter SecuriteInfoCom
Tags:AZORult

Intelligence

File Origin
# of uploads :
3
# of downloads :
97
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.InjectNET.14.29094.19259.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
DNS request
Deleting a recently created file
Reading critical registry keys
Running batch commands
Creating a process with a hidden window
Launching a process
Unauthorized injection to a recently created process
Stealing user critical data
Sending an HTTP GET request to an infection source
Sending an HTTP POST request to an infection source
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/313aeafc8c5a3e9e04b4ae04339fd3e827392bdad7897ca2d146ed0f17572cf1/
Threat name:
ByteCode-MSIL.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2020-10-29 03:02:32 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ge5ov7emli7j4bfuvycdhh6t5attsk6226exziwri3wq6f2xftyq._file
Result
Malware family:
oski
Create hunting rule
Score:
  10/10
Tags:
family:azorult family:oski discovery infostealer spyware trojan
Link:
https://tria.ge/reports/201106-f54stmfmgs/
Behaviour
Checks processor information in registry
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
JavaScript code in executable
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Azorult
Oski
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AZORult

Executable exe 313aeafc8c5a3e9e04b4ae04339fd3e827392bdad7897ca2d146ed0f17572cf1

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/790804/
  
Delivery method
Distributed via web download

Comments