MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 367fd8584be5901c9b262975ab5e5700e0e3010d697f1161b6aafabcc7f07d07. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 12


Intelligence 12 IOCs 2 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 367fd8584be5901c9b262975ab5e5700e0e3010d697f1161b6aafabcc7f07d07
SHA3-384 hash: f04fc0286d9b6d8bd8a81317840c341c34bc585a93ba021a99300e32fcc898b1803e6e2af4ffaab88a42ef831ffdee32
SHA1 hash: b3419edba9585c0b5a9a3ece82592cb9893ae17e
MD5 hash: 2eaf147e46a106eaf7a6c8e618060e2f
humanhash: venus-fifteen-jersey-blossom
File name:2eaf147e46a106eaf7a6c8e618060e2f.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:836'608 bytes
First seen:2021-07-23 11:36:25 UTC
Last seen:2021-07-23 12:52:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:pzayI+jftjwYPEhUbNi5rKoFcK8pq7Bde5cIAws8KvVXbhlpNAyerFb04w2EaLo:pz035dVGqm5XAimXbbsLV04
Threatray 2'203 similar samples on MalwareBazaar
TLSH T137051294BA50E69FC02E8FB6C9942C60677074B76717E343AC8716DC988F79E8E061D3
Reporter abuse_ch
Tags:AZORult exe


Avatar
abuse_ch
AZORult C2:
http://185.234.247.50/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://185.234.247.50/ https://threatfox.abuse.ch/ioc/162348/
http://danielmi.ac.ug/index.php https://threatfox.abuse.ch/ioc/162379/

Intelligence

File Origin
# of uploads :
2
# of downloads :
218
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2eaf147e46a106eaf7a6c8e618060e2f.exe
Verdict:
Malicious activity
Analysis date:
2021-07-23 11:41:53 UTC
Tags:
loader trojan stealer raccoon rat azorult vidar
Link:
https://app.any.run/tasks/59091886-85d6-497c-a82c-deb8e6600af2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Raccoon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/173606/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.949.6620.21982.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a8dde314-d8d7-4dc5-a341-2c40307c342d
Result
Threat name:
Azorult Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/820726
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Azorult
Yara detected Azorult Info Stealer
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 453136 Sample: B9yl2xkAiv.exe Startdate: 23/07/2021 Architecture: WINDOWS Score: 100 67 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->67 69 Multi AV Scanner detection for domain / URL 2->69 71 Malicious sample detected (through community Yara rule) 2->71 73 9 other signatures 2->73 8 B9yl2xkAiv.exe 15 5 2->8         started        process3 dnsIp4 61 danielmi.ac.ug 185.215.113.77, 49740, 49756, 49758 WHOLESALECONNECTIONSNL Portugal 8->61 43 C:\Users\user\AppData\Local\...\asxcjhgfd.exe, PE32 8->43 dropped 45 C:\Users\user\AppData\...\B9yl2xkAiv.exe.log, ASCII 8->45 dropped 75 Injects a PE file into a foreign processes 8->75 13 B9yl2xkAiv.exe 88 8->13         started        18 asxcjhgfd.exe 14 5 8->18         started        20 B9yl2xkAiv.exe 8->20         started        file5 signatures6 process7 dnsIp8 63 185.234.247.50, 49752, 49757, 80 INTERKONEKT-ASPL Russian Federation 13->63 65 telete.in 195.201.225.248, 443, 49751 HETZNER-ASDE Germany 13->65 47 C:\Users\user\AppData\...\qAZ3Z0xH2h.exe, PE32 13->47 dropped 49 C:\Users\user\AppData\...\dRh16Dp6ZU.exe, PE32 13->49 dropped 51 C:\Users\user\AppData\...\Tlo47eEIuC.exe, PE32 13->51 dropped 55 61 other files (none is malicious) 13->55 dropped 77 Tries to steal Mail credentials (via file access) 13->77 79 Tries to harvest and steal browser information (history, passwords, etc) 13->79 22 qAZ3Z0xH2h.exe 13->22         started        25 4eDIvOVVK1.exe 13->25         started        27 cmd.exe 13->27         started        37 3 other processes 13->37 53 C:\Users\user\AppData\Local\...\osxcjhgfd.exe, PE32 18->53 dropped 81 Injects a PE file into a foreign processes 18->81 29 asxcjhgfd.exe 18->29         started        31 osxcjhgfd.exe 18->31         started        33 asxcjhgfd.exe 18->33         started        35 asxcjhgfd.exe 18->35         started        file9 signatures10 process11 dnsIp12 57 cdn.discordapp.com 162.159.130.233, 443, 49762, 49763 CLOUDFLARENETUS United States 22->57 39 conhost.exe 27->39         started        41 timeout.exe 27->41         started        59 danielmi.ac.ug 29->59 process13
Detection:
azorult
Create hunting rule
Link:
https://mwdb.cert.pl/sample/367fd8584be5901c9b262975ab5e5700e0e3010d697f1161b6aafabcc7f07d07/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-23 11:37:16 UTC
AV detection:
19 of 27 (70.37%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gz75qwcl4wibzgzgff22wxsxadqogainnf7rcynwvl5lzr7qpudq._file
Verdict:
malicious
Similar samples:
16a3f8b4cef745530b89e1c3200cac6521909adaf28d46d288c91560dad6e6a6
AZORult
445d66bf5ba2df185287c3cb77ca459c45819d53d808a48981f3e8396f1c9658
AZORult
55dae3a9ea2e8108b1c8552f9605f2a8f8ce7116b055d96cf1c827989ac0efd5
AZORult
824b934ef0962b68f3fa0fa48bf269e8ab08699bd88cc8fd9c22a4e4eb4a8f88
AZORult
991cd470e36b51d3640eb6a1a40b6dbd54d2f82d6543fe38a46404bfc0a6bc76
AZORult
c2789581cd578f5d0d40e0d774ace1ac3ce93793b20d12eca3136a83e1d67ce2
AZORult
fe65170a6f6cd5ba0df997262bca40350b650067db206bc83bfaf80da94bba9e
AZORult
+ 2'193 additional samples on MalwareBazaar
Result
Malware family:
oski
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat family:azorult family:bitrat family:oski discovery evasion infostealer persistence rat spyware stealer suricata trojan upx
Link:
https://tria.ge/reports/210723-qeg3f76lkx/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies registry key
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Windows security modification
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
Async RAT payload
AsyncRat
Azorult
BitRAT
BitRAT Payload
Contains code to disable Windows Defender
Modifies Windows Defender Real-time Protection settings
Oski
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M18
Malware Config
C2 Extraction:
http://195.245.112.115/index.php
omomom.ac.ug:6970
omkarusdajvc.ac.ug:6970
danielmax.ac.ug
Unpacked files
SH256 hash:
c362729899c5956cfa9fc3bcf9b21ac72066a1b84a497ceb1281f76e2f55c54b
MD5 hash:
0327d1374a5ce015ad9c83c5de76e823
SHA1 hash:
e521349d9e96a4191248747c42c78b6f88fc8f63
Link:
https://www.unpac.me/results/efe90239-3fa2-4d33-9398-5ffda6c9578a/
SH256 hash:
fd44b28e19d090d703a45656ee384f2ef00aa92a8e44e36b505af04b4f4e117d
MD5 hash:
197a535c5668356a7d05fe75ebbbcfde
SHA1 hash:
7baff23cfac487f418d6fd41025dc07eb8e4e434
Link:
https://www.unpac.me/results/efe90239-3fa2-4d33-9398-5ffda6c9578a/
SH256 hash:
388a69072f1a0e871d4812d7b8421f975099f7a613ce8ab10101e32ce1b88bbf
MD5 hash:
b03a7fe96bf1c43ce9eb194d3dba3301
SHA1 hash:
0111aea6ca0cd839b4aef0b9dcf67c9db5d924d9
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/efe90239-3fa2-4d33-9398-5ffda6c9578a/
Parent samples :
299c548532e82b62f4b52ad642613b9cecc89c9be39a1da630afbc06cb7cce85
367fd8584be5901c9b262975ab5e5700e0e3010d697f1161b6aafabcc7f07d07
29cf2aec62c3504b1914484feff17ae470b51229b1df06f1a30334a08b6db12a
SH256 hash:
367fd8584be5901c9b262975ab5e5700e0e3010d697f1161b6aafabcc7f07d07
MD5 hash:
2eaf147e46a106eaf7a6c8e618060e2f
SHA1 hash:
b3419edba9585c0b5a9a3ece82592cb9893ae17e
Link:
https://www.unpac.me/results/efe90239-3fa2-4d33-9398-5ffda6c9578a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/367fd8584be5901c9b262975ab5e5700e0e3010d697f1161b6aafabcc7f07d07

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AZORult

Executable exe 367fd8584be5901c9b262975ab5e5700e0e3010d697f1161b6aafabcc7f07d07

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1322752/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/906880/
  
URLhaus
https://urlhaus.abuse.ch/url/422736/
  
URLhaus
https://urlhaus.abuse.ch/url/399076/
Cape
Cape
https://www.capesandbox.com/analysis/173606/

Comments