MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 37e292496f057cbbba45f28b7510c8e4b555dcb2ad4308e1df9f251c9980830d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 37e292496f057cbbba45f28b7510c8e4b555dcb2ad4308e1df9f251c9980830d
SHA3-384 hash: 9e5a81152b29c6d44a5647fbdc5fbc85cfde7884411bc9e3baed10e709394964e1adbf48a37240a02f30ca87d789b027
SHA1 hash: c7d412bef31e46c9bb9facbe37eb6862ce38ea63
MD5 hash: b556526e3da710a1bdf1d8f27b75feaf
humanhash: oklahoma-south-michigan-video
File name:37E292496F057CBBBA45F28B7510C8E4B555DCB2AD430.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:198'144 bytes
First seen:2021-09-11 11:20:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1d88d597200c0081784c27940d743ec5 (6 x AZORult, 3 x RaccoonStealer, 1 x MBRLocker)
ssdeep 6144:Ti2gMUk7PDUnsIVbk5ofoSM7NbjI0yZdBu4H:Ti20E4sIa4oSe5su4
Threatray 5'217 similar samples on MalwareBazaar
TLSH T17D1402A2A73C4DDEFA3D5530A9B7BC7143696CB499A40D4792E7B03B4837312AC1924F
dhash icon e8cc9ab3b39eece8 (1 x AZORult)
Reporter abuse_ch
Tags:AZORult exe


Avatar
abuse_ch
AZORult C2:
http://mazooyaar.ac.ug/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://mazooyaar.ac.ug/ https://threatfox.abuse.ch/ioc/220322/

Intelligence

File Origin
# of uploads :
1
# of downloads :
788
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Meteorite
Create hunting rule
Link:
https://www.capesandbox.com/analysis/187055/
Detection(s):
PUA.Win.Packer.Upx-4
Create hunting rule

Win.Trojan.VBGeneric-8264807-0
Create hunting rule

Win.Dropper.NetWire-8264833-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process from a recently created file
Deleting a recently created file
Creating a file
Creating a window
DNS request
Connecting to a non-recommended domain
Connection attempt
Sending an HTTP GET request
Launching a process
Searching for the window
Creating a file in the Windows subdirectories
Connection attempt to an infection source
Sending an HTTP POST request to an infection source
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Query of malicious DNS domain
Unauthorized injection to a system process
Sending an HTTP GET request to an infection source
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e7870734-00ed-45b1-a7fd-fd0248de64c6
Result
Threat name:
Azorult Raccoon Vidar
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/849141
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Creates HTML files with .exe extension (expired dropper behavior)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Yara detected Azorult
Yara detected Azorult Info Stealer
Yara detected BatToExe compiled binary
Yara detected Generic Patcher
Yara detected Raccoon Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 481572 Sample: 37E292496F057CBBBA45F28B751... Startdate: 11/09/2021 Architecture: WINDOWS Score: 100 120 youtube-ui.l.google.com 2->120 122 www.youtube.com 2->122 124 www.google.com 2->124 144 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->144 146 Malicious sample detected (through community Yara rule) 2->146 148 Antivirus detection for URL or domain 2->148 150 12 other signatures 2->150 14 37E292496F057CBBBA45F28B7510C8E4B555DCB2AD430.exe 6 2->14         started        signatures3 process4 file5 110 C:\Users\user\AppData\Local\Temp\...\kgen.exe, PE32 14->110 dropped 112 C:\Users\user\AppData\Local\...\patch.exe, PE32 14->112 dropped 17 cmd.exe 1 14->17         started        19 conhost.exe 14->19         started        process6 process7 21 kgen.exe 13 17->21         started        24 patch.exe 1 3 17->24         started        file8 164 Creates HTML files with .exe extension (expired dropper behavior) 21->164 166 Maps a DLL or memory area into another process 21->166 27 kgen.exe 21 21->27         started        90 C:\Users\user\AppData\...\dup2patcher.dll, PE32 24->90 dropped 92 C:\Users\user\AppData\Local\...\bassmod.dll, PE32 24->92 dropped signatures9 process10 dnsIp11 136 mazoyer.ac.ug 185.215.113.77, 49762, 49763, 49764 WHOLESALECONNECTIONSNL Portugal 27->136 138 rebrand.ly 3.210.114.52, 49760, 49761, 80 AMAZON-AESUS United States 27->138 140 5 other IPs or domains 27->140 102 C:\Users\user\AppData\...\CcmfdgsaYsd.exe, PE32 27->102 dropped 104 C:\Users\user\AppData\...\CHmfdgaYsHsd.exe, PE32 27->104 dropped 106 C:\Users\user\AppData\Local\...\zxcvb[1].exe, PE32 27->106 dropped 108 C:\Users\user\AppData\Local\...\zxcv[1].EXE, PE32 27->108 dropped 174 Hides threads from debuggers 27->174 32 CcmfdgsaYsd.exe 7 27->32         started        36 CHmfdgaYsHsd.exe 3 27->36         started        file12 signatures13 process14 file15 70 C:\Users\user\AppData\Local\Temp\vcabnv.exe, PE32 32->70 dropped 72 C:\Users\user\AppData\Local\Temp\fdBas.exe, PE32 32->72 dropped 142 Maps a DLL or memory area into another process 32->142 38 vcabnv.exe 4 32->38         started        41 CcmfdgsaYsd.exe 32->41         started        45 fdBas.exe 4 32->45         started        47 powershell.exe 36->47         started        signatures16 process17 dnsIp18 168 Maps a DLL or memory area into another process 38->168 49 vcabnv.exe 67 38->49         started        126 5.181.156.77, 49772, 80 MIVOCLOUDMD Moldova Republic of 41->126 128 telete.in 195.201.225.248, 443, 49769, 49771 HETZNER-ASDE Germany 41->128 94 C:\Users\user\AppData\...\vcruntime140.dll, PE32 41->94 dropped 96 C:\Users\user\AppData\...\ucrtbase.dll, PE32 41->96 dropped 98 C:\Users\user\AppData\...\softokn3.dll, PE32 41->98 dropped 100 56 other files (none is malicious) 41->100 dropped 170 Tries to steal Mail credentials (via file access) 41->170 172 Tries to harvest and steal browser information (history, passwords, etc) 41->172 54 fdBas.exe 45->54         started        130 youtube-ui.l.google.com 47->130 132 www.youtube.com 47->132 134 www.google.com 47->134 56 conhost.exe 47->56         started        file19 signatures20 process21 dnsIp22 114 192.168.2.1 unknown unknown 49->114 116 mazoyer.ac.ug 49->116 74 C:\Users\user\AppData\...\vcruntime140.dll, PE32 49->74 dropped 76 C:\Users\user\AppData\Local\...\ucrtbase.dll, PE32 49->76 dropped 78 C:\Users\user\AppData\Local\...\softokn3.dll, PE32 49->78 dropped 86 45 other files (none is malicious) 49->86 dropped 152 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 49->152 154 Tries to steal Instant Messenger accounts or passwords 49->154 156 Tries to steal Mail credentials (via file access) 49->156 162 2 other signatures 49->162 58 cmd.exe 49->58         started        118 mazooyaar.ac.ug 54->118 80 C:\ProgramData\vcruntime140.dll, PE32 54->80 dropped 82 C:\ProgramData\sqlite3.dll, PE32 54->82 dropped 84 C:\ProgramData\softokn3.dll, PE32 54->84 dropped 88 4 other files (none is malicious) 54->88 dropped 158 Tries to harvest and steal browser information (history, passwords, etc) 54->158 160 Tries to steal Crypto Currency Wallets 54->160 60 cmd.exe 54->60         started        file23 signatures24 process25 process26 62 conhost.exe 58->62         started        64 timeout.exe 58->64         started        66 conhost.exe 60->66         started        68 taskkill.exe 60->68         started       
Detection:
azorult
Create hunting rule
Link:
https://mwdb.cert.pl/sample/37e292496f057cbbba45f28b7510c8e4b555dcb2ad4308e1df9f251c9980830d/
Threat name:
Win32.Trojan.Chapak
Create hunting rule
Status:
Malicious
First seen:
2021-09-08 23:22:00 UTC
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=g7rjeslpav6lxosf6kfxkegi4s2vlxfsvvbqryo7t4srzgmaqmgq._file
Verdict:
malicious
Similar samples:
0290fd4f9c7240911d9051f76167a75dd78834e6a03faf6b09aeae21ff3094db
AZORult
1eb39c14abcac667ca35cf294bfda8ac6282b93028d830f1665afa2a87cff4ef
AZORult
4da160dc1a5e5f2f2e0dee7ab9ccd3a522e34bbef2d602f35525b788f3afee2a
AZORult
8b1c960881fc789460b5b274abd43baddb1c92e1a942d3a1080a4adb1f545e50
AZORult
8f71fca5621ccb7ba3558cfebc17014d27923d1c73ad97ececb577fd5b937047
AZORult
bd3cefcbb135df48caee6888747542a304c4706e24e93492c481201c556bf334
AZORult
d1621aa8dd1273a4b6e4f3e6b83188044af80c6ffe9aba2e7e191f159ce9b1eb
AZORult
+ 5'207 additional samples on MalwareBazaar
Result
Malware family:
oski
Create hunting rule
Score:
  10/10
Tags:
family:azorult family:oski discovery infostealer spyware stealer trojan upx
Link:
https://tria.ge/reports/210911-nf1w3sbcg7/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies registry class
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Azorult
Oski
Malware Config
C2 Extraction:
http://195.245.112.115/index.php
mazooyaar.ac.ug
Unpacked files
SH256 hash:
844eb66a10b848d3a71a8c63c35f0a01550a46d2ff8503e2ca8947978b03b4d2
MD5 hash:
780d14604d49e3c634200c523def8351
SHA1 hash:
e208ef6f421d2260070a9222f1f918f1de0a8eeb
Link:
https://www.unpac.me/results/68c5e171-5e55-444f-89b0-04a44d9db53a/
SH256 hash:
f69b502ad872ff87b4b43a1a28590a80a6addaa6fd5f257e6a6ea551b9a40be1
MD5 hash:
8e37b365f5df73d23e937720f932d922
SHA1 hash:
30c80c35157b1f4b50980209904ac3d97072db97
Link:
https://www.unpac.me/results/68c5e171-5e55-444f-89b0-04a44d9db53a/
SH256 hash:
04cf90592acf1f6033ba299b18ef8a7c8b1ab6f356d6bb9ff33b44743fe2c787
MD5 hash:
2898e4611e6b86fa578342cb15474b2a
SHA1 hash:
98357be30082787c709ca216000d0799973221d4
Link:
https://www.unpac.me/results/68c5e171-5e55-444f-89b0-04a44d9db53a/
SH256 hash:
e9d894c67307dd03484a477a15a636537d4385ce71b54f1ae5de6ae0f2bc5cbc
MD5 hash:
b0469db26865531b844c61580fe9d740
SHA1 hash:
52fa1fe0da9ed16e2dd12376dc68398f97fb3a59
Link:
https://www.unpac.me/results/68c5e171-5e55-444f-89b0-04a44d9db53a/
SH256 hash:
3d525dfe3f5980af448a2bd57a04a69fbc2418a364a6d41f955adc8cb9f40327
MD5 hash:
c9749a751a5ad3c7bca8dd6088cd3deb
SHA1 hash:
286e695370ac72839caf44a3ee71175ed7dc0695
Link:
https://www.unpac.me/results/68c5e171-5e55-444f-89b0-04a44d9db53a/
SH256 hash:
37e292496f057cbbba45f28b7510c8e4b555dcb2ad4308e1df9f251c9980830d
MD5 hash:
b556526e3da710a1bdf1d8f27b75feaf
SHA1 hash:
c7d412bef31e46c9bb9facbe37eb6862ce38ea63
Link:
https://www.unpac.me/results/68c5e171-5e55-444f-89b0-04a44d9db53a/
Malware family:
Mal/HTMLGen-A
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/37e292496f05/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/37e292496f057cbbba45f28b7510c8e4b555dcb2ad4308e1df9f251c9980830d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Azorult
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Azorult in memory
Reference:internal research
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:MALWARE_Win_Vidar
Create hunting rule
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:Vidar
Create hunting rule
Author:kevoreilly
Description:Vidar Payload
Rule name:win_azorult_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.azorult.
Rule name:win_oski_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.oski.
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/187055/

Comments