MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 37d4d7a7b84e4f6ead2e950ba252c23fa360a3176f49184942da3046fa693452. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 37d4d7a7b84e4f6ead2e950ba252c23fa360a3176f49184942da3046fa693452
SHA3-384 hash: 05f439163eda19cf6c63e7d834a5240c2c658d75b6c5dcb73d4a2ae5d580295930ca9c2476e47af36f788b456d56b719
SHA1 hash: ec3e5b9988da762df5797e6ba7e37321aaedc142
MD5 hash: 177be2c914b334bb9ae441b179c47ad3
humanhash: fillet-bacon-ack-bulldog
File name:177be2c914b334bb9ae441b179c47ad3.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:972'288 bytes
First seen:2023-03-12 13:55:21 UTC
Last seen:2023-03-12 15:29:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:HEX3jBVmNUfqBe4G/+69C9quC8s08jHJNXhInMvHE3iYusAf+1SWv5fs:+tYNUfqBpOc5CnpNx+MvH7YpH1SWvB
Threatray 675 similar samples on MalwareBazaar
TLSH T109259D956F196257EBC5A0B31804EBB6EFAC7D5C2427C0882EE13D8FB1B9D2C1111E6D
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:AZORult exe


Avatar
abuse_ch
AZORult C2:
http://171.22.30.164/standright/index.php

Intelligence

File Origin
# of uploads :
2
# of downloads :
275
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
azorult
Create hunting rule
ID:
1
File name:
177be2c914b334bb9ae441b179c47ad3.exe
Verdict:
Malicious activity
Analysis date:
2023-03-12 13:57:41 UTC
Tags:
trojan rat azorult stealer
Link:
https://app.any.run/tasks/4a581906-61b7-4e97-a666-af4c6e058bfa

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Azorult
Create hunting rule
Link:
https://www.capesandbox.com/analysis/373700/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
Creating a file in the %temp% directory
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
formbook packed
Link:
https://www.filescan.io/uploads/640dd9f4cb9bbbbcdcc71510/reports/cdd33973-2798-400c-84b0-9a639dc5e900/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/37d4d7a7b84e4f6ead2e950ba252c23fa360a3176f49184942da3046fa693452
Malware family:
AZORult
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/007a6871-5480-4a9f-b000-0849fb2baa54
Result
Threat name:
Azorult
Create hunting rule
Detection:
malicious
Classification:
rans.phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1191964
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found potential ransomware demand text
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Yara detected Azorult
Yara detected Azorult Info Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/37d4d7a7b84e4f6ead2e950ba252c23fa360a3176f49184942da3046fa693452/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-03-07 18:11:32 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
23 of 39 (58.97%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=g7knpj5yjzhw5ljosuf2euwch6rwbiyxn5erqskc3iyen6tjgrja._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
Similar samples:
3ea0d5204b7f00592980a76c06e5210758c6ac6cb1bc8e90c03739d0ec8ddf76
AZORult
4a4a4c441355bbf90def9ab2aec89335f93237487e670df04b3d63c65b5be25a
AZORult
69d0885e1490db820cfa69e85ee79f0fa96375c65b32606c3fa2a6edfe19cf1a
AZORult
722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088
AZORult
7f24773d411236705d09adba6b9b52a10b8f2f9d1963abb1b243d4eb72bfba9c
AZORult
8a43978a73d92e6cb41e74aae94482dfedec054c4ade4b717b249cfcdcc21844
AZORult
9742316e3734c943eed54ea0ab9d8fa857db256aca5c7f7cf5577a9cae79102b
AZORult
d8c4fb5e1c854c9362c4129efbaa6b72435b8e93df66fd418f288650d360ff22
AZORult
+ 665 additional samples on MalwareBazaar
Result
Malware family:
azorult
Create hunting rule
Score:
  10/10
Tags:
family:azorult collection discovery infostealer spyware stealer trojan
Link:
https://tria.ge/reports/230312-q8n44agb3t/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Azorult
Malware Config
C2 Extraction:
http://171.22.30.164/standright/index.php
Unpacked files
SH256 hash:
7d958b3964c6689883f4fcbb7e02ef1a7036e5bca2cd16c1c4455955fcd64774
MD5 hash:
ba34aa6f520d3e6dcca947abfc8ae8ff
SHA1 hash:
eb56bc94087b3b6d46fee10eea2f3d54cd85b42b
Detections:
Azorult
Create hunting rule
win_azorult_auto
Create hunting rule
win_azorult_g1
Create hunting rule
Link:
https://www.unpac.me/results/fdb78b3c-3710-46e1-a1d8-f2e3b9c14912/
Parent samples :
37d4d7a7b84e4f6ead2e950ba252c23fa360a3176f49184942da3046fa693452
d5554f475d95ecca88e05af06c1d66ab34c8db6f18f43496bc535fd89be4808a
1994253973e360af9b9632c4bcd735e13beb88e8283f7c97eba22ddf3b03d564
a6f625e40e8b7523312b9a40ce6f3080b3475b9ff349e17785bdf7b6e0cd78c1
SH256 hash:
2d95028587515ef2d185100b75682fabfa0d21c4c40e2da760a970b0f888786e
MD5 hash:
db1b103927d9dd90adc99c8f0c5acd11
SHA1 hash:
d23dfdd5267077f68a1f24dc91ba86f3f2310dff
Link:
https://www.unpac.me/results/fdb78b3c-3710-46e1-a1d8-f2e3b9c14912/
SH256 hash:
498c0460da26cfc2c4ec95b9b394bbd3db719ba08ccbd5964a533bc9006dcf8f
MD5 hash:
f4e7e91d4fdda2d3feb401b5b1d53abf
SHA1 hash:
cf9e76e6418850ac853bd9c6ce82a0be7920fc1d
Link:
https://www.unpac.me/results/fdb78b3c-3710-46e1-a1d8-f2e3b9c14912/
SH256 hash:
c1cdb1441464fd5a81786ebbbca6e5acc713d6be66065338e88ae8419e789f7d
MD5 hash:
0868573880dc345f116d1f3338393c2c
SHA1 hash:
4fda245c25563c1ba739e25b8ac8bb007cb73c1c
Link:
https://www.unpac.me/results/fdb78b3c-3710-46e1-a1d8-f2e3b9c14912/
SH256 hash:
8617cea503c2a3961120a9c503d853bc21d38d1fca7143d6b1ef4f388bc5cec7
MD5 hash:
7f225c69df031bf0560aed3847a1221a
SHA1 hash:
4d5f3ccdb2c6015d2b2a73326c0f32b173af2819
Link:
https://www.unpac.me/results/fdb78b3c-3710-46e1-a1d8-f2e3b9c14912/
SH256 hash:
37d4d7a7b84e4f6ead2e950ba252c23fa360a3176f49184942da3046fa693452
MD5 hash:
177be2c914b334bb9ae441b179c47ad3
SHA1 hash:
ec3e5b9988da762df5797e6ba7e37321aaedc142
Link:
https://www.unpac.me/results/fdb78b3c-3710-46e1-a1d8-f2e3b9c14912/
Malware family:
AZORult v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/37d4d7a7b84e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/37d4d7a7b84e4f6ead2e950ba252c23fa360a3176f49184942da3046fa693452

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/373700/

Comments