MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 35f51638db79fc84e255ab2062e9bd239faf523ff161cbcc613159d4db8a5a50. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AZORult

Vendor detections: 16

Intelligence 16 IOCs YARA 6 File information Comments

SHA256 hash:	35f51638db79fc84e255ab2062e9bd239faf523ff161cbcc613159d4db8a5a50
SHA3-384 hash:	990e8a50b2824d0b054a9f18343bba4f1d5b39dadd987a45f8166f72273be915e6cd1045056336507082c7085bfd602c
SHA1 hash:	68674af1e9ca690a3e2f2c693b2b1b8601a86aa9
MD5 hash:	f99952ddfded19b9ee7c0fd893bc67c3
humanhash:	don-cold-skylark-massachusetts
File name:	Подтверждение оплаты.exe
Download:	download sample
Signature	AZORult Create hunting rule
File size:	187'667 bytes
First seen:	2023-03-13 07:11:12 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep	3072:GfY/TU9fE9PEtuMTSkvV0bM6/vS1RrSs3HT+1ze/8kP6uVeYxqJwTT7AbLPNZgVK:wYa60BAnSHrJy6RAJwTaYVK
Threatray	911 similar samples on MalwareBazaar
TLSH	T18A04F095B296C176ECE32A315A3B8F111AA7ED2639A51A1713407F9F3E33242D90F713
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	e0e4a3a6a4b8b8a8 (37 x Formbook, 9 x AZORult, 9 x Loki)
Reporter	adrian__luca
Tags:	AZORult exe

Intelligence

File Origin

# of uploads :

# of downloads :

245

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

azorult

ID:

File name:

Подтверждение оплаты.exe

Verdict:

Malicious activity

Analysis date:

2023-03-13 07:11:47 UTC

Tags:

azorult

Link:

https://app.any.run/tasks/c5fbb401-f8f3-4b36-b0f7-8f0b0e1b6ba4

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Azorult

Link:

https://www.capesandbox.com/analysis/373891/

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.22112.976.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a window

Creating a process from a recently created file

Сreating synchronization primitives

Unauthorized injection to a recently created process by context flags manipulation

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/72903/overview

Behaviour

MalwareBazaar

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

comodo nemesis overlay packed remcos shell32.dll

Link:

https://www.filescan.io/uploads/640eccc708b02b266d16769d/reports/3f75d707-6fa2-4cb4-b7b3-9501e0ad002f/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/35f51638db79fc84e255ab2062e9bd239faf523ff161cbcc613159d4db8a5a50

Malware family:

AZORult

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/0de8a317-810d-47ae-89b9-f0bc31740727

Result

Threat name:

Azorult

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1192241

Signature

Antivirus detection for dropped file

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Azorult

Yara detected Azorult Info Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/35f51638db79fc84e255ab2062e9bd239faf523ff161cbcc613159d4db8a5a50/

Threat name:

Win32.Trojan.Nemesis

Status:

Malicious

First seen:

2023-03-07 09:49:43 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

28 of 39 (71.79%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=gx2rmog3ph6ijysvvmqgf2n5eop26ur76fq4xtdbgfm5jw4kljia._file

Verdict:

malicious

Label(s):

azorult

AZORult

15eb9fe80c710f5b993b7906a00cf6d775ae0a6ea93c079ec56dffd95c1b04be

AZORult

17ea4ff28a39d36f7da5f9196231241b66fb10caf723a48dadc95121bb7bc9cf

AZORult

62eae1f670683a10909351d0dba4c6cbdadd53c056fe54d1c11198a7b9f967e5

AZORult

8764b673268c50c93a845e89b84fe3d7e420807c049106bad73250799f04d5ec

AZORult

8d706a559621c1ec74e346061820da982e2740ca365f152660cc302162073504

AZORult

93929bd2d140ca638594136ff62a34082c293ccd527a31b6fc34e1d2c1530f6f

AZORult

d3ba82618b3527724f29e835c333807e9d72e51839990c6e95e072825cf99150

AZORult

ec61c46fdd4c22a18e41331c3b4553e385c6229b2d37c5ae4050b10e0cc27572

AZORult

+ 901 additional samples on MalwareBazaar

Result

Malware family:

azorult

Score:

10/10

Tags:

family:azorult infostealer trojan

Link:

https://tria.ge/reports/230313-h1h9waha66/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Executes dropped EXE

Loads dropped DLL

Azorult

Malware Config

C2 Extraction:

http://85.31.45.29/office/index.php

Unpacked files

SH256 hash:

f1b2e8b7dcbeceaf748f79a6b7a34ee22be9a03e8f9146bebad620c256e2df4d

MD5 hash:

69c9f5ace94c8d741beafa478d884501

SHA1 hash:

387a317cc0571ad287442357ed4bcf843418b077

Detections:

Azorult

win_azorult_auto

win_azorult_g1

Link:

https://www.unpac.me/results/8ddc3702-4472-4620-ac6a-8f1a0749ef8c/

SH256 hash:

0987f4308921f019192afe1cce11bea2b7d285f09ed34fcce46ab02555e2ca8d

MD5 hash:

9fd0b3fc69a8d59d3a0932c1541d4469

SHA1 hash:

59b867651d23e3cd27d7c9d00e8a255d6ab92893

Link:

https://www.unpac.me/results/8ddc3702-4472-4620-ac6a-8f1a0749ef8c/

SH256 hash:

35f51638db79fc84e255ab2062e9bd239faf523ff161cbcc613159d4db8a5a50

MD5 hash:

f99952ddfded19b9ee7c0fd893bc67c3

SHA1 hash:

68674af1e9ca690a3e2f2c693b2b1b8601a86aa9

Link:

https://www.unpac.me/results/8ddc3702-4472-4620-ac6a-8f1a0749ef8c/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/35f51638db79fc84e255ab2062e9bd239faf523ff161cbcc613159d4db8a5a50

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Azorult Create hunting rule
Author:	kevoreilly
Description:	Azorult Payload

Rule name:	malware_Azorult Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Azorult in memory
Reference:	internal research

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Telegram_Links Create hunting rule

Rule name:	Windows_Trojan_Azorult_38fce9ea Create hunting rule
Author:	Elastic Security

Rule name:	win_azorult_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.azorult.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AZORult

exe 35f51638db79fc84e255ab2062e9bd239faf523ff161cbcc613159d4db8a5a50

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/373891/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample