MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 34ba222ef969f09ecca5506cbada7c346469a96a6af0cdd21146d4435196deda. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 34ba222ef969f09ecca5506cbada7c346469a96a6af0cdd21146d4435196deda
SHA3-384 hash: e72e03fd5779ef195b61d215d1546168cd96c706b4497440c58074e66a82d50e5eaecfd7b3e9b1a33afe4af6a4d750f3
SHA1 hash: 871366f3573c3349e9dc7b67fef1ef575815c154
MD5 hash: 0a7b32e75a01764ef5389a1d9e72ed63
humanhash: london-louisiana-football-alaska
File name:0a7b32e75a01764ef5389a1d9e72ed63.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:40'960 bytes
First seen:2022-05-28 14:11:01 UTC
Last seen:2022-05-28 14:38:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 768:+iIW6bBmlnvHesHklOd13qUfqtXhHsGPrNYHOj64/0+Q9y+vp:3IW6bBmxvHesElOd5qfTPGi6Q0+TKp
Threatray 5'731 similar samples on MalwareBazaar
TLSH T103037C6077507627C96A0A71B0230F00C539EB6578BC7F767A878C5F2FEA385E492762
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon cc33a86955c403c4 (3 x AZORult, 2 x AsyncRAT, 1 x RaccoonStealer)
Reporter abuse_ch
Tags:AZORult exe


Avatar
abuse_ch
AZORult C2:
http://underdohg.ac.ug/index.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://underdohg.ac.ug/index.php https://threatfox.abuse.ch/ioc/643051/

Intelligence

File Origin
# of uploads :
2
# of downloads :
1'185
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
arkei
Create hunting rule
ID:
1
File name:
0a7b32e75a01764ef5389a1d9e72ed63.exe
Verdict:
Malicious activity
Analysis date:
2022-05-28 14:14:05 UTC
Tags:
loader stealer arkei trojan rat azorult vidar
Link:
https://app.any.run/tasks/d96527ad-84ce-41f0-a17b-e398e4f8c999

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/275147/
Detection(s):
SecuriteInfo.com.W32.AIDetectNet.01.19950.28107.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Changing a file
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Sending an HTTP GET request to an infection source
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
fingerprint obfuscated packed stealer
Link:
https://www.filescan.io/uploads/62922db26eb3ff32633888f5/reports/cf39c32a-9790-47aa-99b1-470977c8103c/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c78c5df5-eda6-42e1-bee4-706e19df8ff7
Result
Threat name:
Azorult, Remcos, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1003175
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to detect sleep reduction / modifications
Detected unpacking (creates a PE file in dynamic memory)
Found C&C like URL pattern
Found evasive API chain (may stop execution after checking computer name)
Found evasive API chain (may stop execution after checking locale)
Found evasive API chain (may stop execution after checking mutex)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Azorult
Yara detected Azorult Info Stealer
Yara detected Generic Downloader
Yara detected Remcos RAT
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 635669 Sample: xZPhFJvfZh.exe Startdate: 29/05/2022 Architecture: WINDOWS Score: 100 78 underdohg.ac.ug 2->78 80 tuekisaa.ac.ug 2->80 82 3 other IPs or domains 2->82 104 Snort IDS alert for network traffic 2->104 106 Multi AV Scanner detection for domain / URL 2->106 108 Malicious sample detected (through community Yara rule) 2->108 110 10 other signatures 2->110 10 xZPhFJvfZh.exe 15 5 2->10         started        signatures3 process4 dnsIp5 86 underdohg.ac.ug 185.215.113.89, 49771, 49787, 49790 WHOLESALECONNECTIONSNL Portugal 10->86 74 C:\Users\...\Iioozcrscrdqdprjojgormars2.exe, PE32 10->74 dropped 76 C:\Users\user\AppData\...\xZPhFJvfZh.exe.log, ASCII 10->76 dropped 124 Injects a PE file into a foreign processes 10->124 15 xZPhFJvfZh.exe 30 10->15         started        20 Iioozcrscrdqdprjojgormars2.exe 14 4 10->20         started        22 cmd.exe 1 10->22         started        24 2 other processes 10->24 file6 signatures7 process8 dnsIp9 88 94.158.247.24, 49775, 80 MIVOCLOUDMD Moldova Republic of 15->88 90 192.248.184.34, 49774, 80 AS-CHOOPAUS France 15->90 66 C:\Users\user\AppData\Local\...\heEb03ta.exe, PE32 15->66 dropped 68 C:\Users\user\AppData\Local\...\MRzUfk41.exe, PE32+ 15->68 dropped 70 C:\Users\user\AppData\Local\...\MM5QiUp3.exe, PE32 15->70 dropped 72 8 other files (1 malicious) 15->72 dropped 92 Tries to harvest and steal browser information (history, passwords, etc) 15->92 94 Tries to steal Crypto Currency Wallets 15->94 26 heEb03ta.exe 15->26         started        29 MM5QiUp3.exe 15->29         started        31 4W06p98e.exe 15->31         started        33 MRzUfk41.exe 15->33         started        96 Detected unpacking (creates a PE file in dynamic memory) 20->96 98 Found evasive API chain (may stop execution after checking mutex) 20->98 100 Machine Learning detection for dropped file 20->100 102 4 other signatures 20->102 35 Iioozcrscrdqdprjojgormars2.exe 75 20->35         started        38 cmd.exe 1 20->38         started        40 conhost.exe 22->40         started        42 timeout.exe 1 22->42         started        file10 signatures11 process12 dnsIp13 112 Machine Learning detection for dropped file 26->112 114 Injects a PE file into a foreign processes 26->114 44 cmd.exe 26->44         started        116 Antivirus detection for dropped file 29->116 118 Multi AV Scanner detection for dropped file 31->118 46 cmd.exe 33->46         started        84 underdohg.ug 35->84 120 Tries to harvest and steal browser information (history, passwords, etc) 35->120 122 Tries to steal Crypto Currency Wallets 35->122 48 cmd.exe 35->48         started        50 conhost.exe 38->50         started        52 timeout.exe 1 38->52         started        signatures14 process15 process16 54 conhost.exe 44->54         started        56 timeout.exe 44->56         started        58 conhost.exe 46->58         started        60 timeout.exe 46->60         started        62 conhost.exe 48->62         started        64 timeout.exe 48->64         started       
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2022-05-28 14:12:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gs5celxznhyj5tffkbwlvwt4grsgtklknlym3uqri3kegumw33na._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
Similar samples:
1a2bc82de6e0c26030a3600c836329329dbcf1d4d84e031a90dd7df5355ed612
AZORult
27223530f9da259a9f2318b525399a30f5656ca4d2951d76af8039484d8f3e74
AZORult
41257a21d27bcb773bb43e7b23c918d5ea4135a868b915d0fb738cd5c19af256
AZORult
4def4ad12c7aab38e6248c20e211272f1c920a0295c8beda6228543e58c2129c
AZORult
6b18a223ce8f1f42880a54809880cd5c3a6890955d2469b10ea771dab333871e
AZORult
739c117bf4f36301346c45dedccdccfef781bcf4863f4e200691f4b89641bf11
AZORult
b8868eb87c7cb945704e2d0b8ec2ebdc890cd6df12f9ef0a7295582c7fd0cf1f
AZORult
df4876573295b4e7beb618db31a015ea617f61b811978bb168d432c4052f7731
AZORult
e3cf84cf7f8d85d334d107e4fda6a98b021a8d004ef88708957629d0f10be5fe
AZORult
+ 5'721 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:arkei family:azorult family:remcos botnet:05282022 botnet:default discovery infostealer persistence rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/220528-rg9gdsghfl/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Arkei
Azorult
Remcos
suricata: ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA or USERPROFILE Environment Variable M4
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M15
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M6
suricata: ET MALWARE Win32/Vidar Variant/Mars Stealer CnC Exfil
Malware Config
C2 Extraction:
http://195.245.112.115/index.php
nikahuve.ac.ug:6968
kalskala.ac.ug:6968
tuekisaa.ac.ug:6968
parthaha.ac.ug:6968
Unpacked files
SH256 hash:
34ba222ef969f09ecca5506cbada7c346469a96a6af0cdd21146d4435196deda
MD5 hash:
0a7b32e75a01764ef5389a1d9e72ed63
SHA1 hash:
871366f3573c3349e9dc7b67fef1ef575815c154
Link:
https://www.unpac.me/results/55220da2-3858-407d-9539-061e39ba20b6/
Malware family:
AZORult v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/34ba222ef969/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/34ba222ef969f09ecca5506cbada7c346469a96a6af0cdd21146d4435196deda

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MAL_Lokibot_Stealer
Create hunting rule
Description:Detects Lokibot Stealer Variants
Rule name:pe_imphash
Create hunting rule
Rule name:Redline_Stealer_Monitor
Create hunting rule
Description:Detects RedLine Stealer Variants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AZORult

Executable exe 34ba222ef969f09ecca5506cbada7c346469a96a6af0cdd21146d4435196deda

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2141170/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/906880/
  
URLhaus
https://urlhaus.abuse.ch/url/1322752/
  
URLhaus
https://urlhaus.abuse.ch/url/1797727/
Cape
Cape
https://www.capesandbox.com/analysis/275147/

Comments