MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 390ba9da469491e34db509524293b00feb22b768a11c0792d67c92b17881a521. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 390ba9da469491e34db509524293b00feb22b768a11c0792d67c92b17881a521
SHA3-384 hash: 3f33532096725e06c3f6da8a777f1e2d2f9b35d75299a07b3679069d39068762842d5ecd0ff42b6bd5f4edb2982a5fdf
SHA1 hash: 25e9d8e5a31913b28b9bcaf64574ef135e0fa3e9
MD5 hash: 5ce3b1bbcb5e6de79fdf2b4bbf9a8c65
humanhash: triple-sodium-emma-white
File name:Inkooporders voor factuur 28-09-22.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:439'127 bytes
First seen:2022-09-28 13:49:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 12e12319f1029ec4f8fcbed7e82df162 (389 x DCRat, 52 x RedLineStealer, 51 x Formbook)
ssdeep 6144:uTouKrWBEu3/Z2lpGDHU3ykJF1Mai/nsSL2pNUn+/V6QcjX5P6uE:uToPWBv/cpGrU3ywtmnsSL6u+/Eg
Threatray 1'597 similar samples on MalwareBazaar
TLSH T10094D002BAC144B2D4631A325E35BB21A93DBD201FB58EDF67D0762DDE321C1D631BA6
TrID 89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.5% (.EXE) Win64 Executable (generic) (10523/12/4)
2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 00870d1848c4cc20 (27 x RemcosRAT, 6 x Formbook, 1 x NanoCore)
Reporter lowmal3
Tags:AZORult exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
471
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/314376/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.38920448.13962.7593.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% directory
Creating a process from a recently created file
DNS request
Launching the default Windows debugger (dwwin.exe)
Sending an HTTP POST request
Creating a file
Reading critical registry keys
Running batch commands
Creating a process with a hidden window
Launching a process
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/39752/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm greyware overlay packed setupapi.dll shdocvw.dll shell32.dll
Link:
https://www.filescan.io/uploads/6334510ec9e2f34354310df2/reports/7b46b0b1-08b3-4df2-abbd-ececf3f1333a/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/ca5d72be-8076-4822-a6f0-30e2603efdc8
Result
Threat name:
Azorult
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1079267
Signature
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Found hidden mapped module (file has been removed from disk)
Found many strings related to Crypto-Wallets (likely being stolen)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Yara detected Azorult
Yara detected Azorult Info Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 711824 Sample: Inkooporders voor factuur 2... Startdate: 28/09/2022 Architecture: WINDOWS Score: 100 47 Snort IDS alert for network traffic 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 Antivirus detection for dropped file 2->51 53 8 other signatures 2->53 9 Inkooporders voor factuur 28-09-22.exe 10 2->9         started        process3 file4 39 C:\Users\user\AppData\...\uwmldfjccru.exe, PE32 9->39 dropped 12 uwmldfjccru.exe 2 9->12         started        process5 file6 41 C:\Users\user\AppData\Local\Temp\FDAC.tmp, PE32 12->41 dropped 43 C:\Users\user\AppData\Local\Temp\742.tmp, PE32 12->43 dropped 63 Found hidden mapped module (file has been removed from disk) 12->63 65 Maps a DLL or memory area into another process 12->65 16 uwmldfjccru.exe 63 12->16         started        21 WerFault.exe 23 9 12->21         started        23 uwmldfjccru.exe 12->23         started        signatures7 process8 dnsIp9 45 gw1naz.shop 104.21.31.178, 49708, 49712, 80 CLOUDFLARENETUS United States 16->45 31 C:\Users\user\AppData\Local\...\softokn3.dll, PE32 16->31 dropped 33 C:\Users\user\AppData\Local\...\nssdbm3.dll, PE32 16->33 dropped 35 C:\Users\user\AppData\Local\Temp\...\nss3.dll, PE32 16->35 dropped 37 45 other files (2 malicious) 16->37 dropped 55 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 16->55 57 Tries to steal Instant Messenger accounts or passwords 16->57 59 Tries to steal Mail credentials (via file / registry access) 16->59 61 4 other signatures 16->61 25 cmd.exe 1 16->25         started        file10 signatures11 process12 process13 27 conhost.exe 25->27         started        29 timeout.exe 1 25->29         started       
Detection:
azorult
Create hunting rule
Link:
https://mwdb.cert.pl/sample/390ba9da469491e34db509524293b00feb22b768a11c0792d67c92b17881a521/
Threat name:
Win32.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2022-09-28 13:50:13 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hef2twsgssi6gtnvbfjefe5qb7vsfn3iueoapewwpsjlc6ebuuqq._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
Similar samples:
0c22e8ea0ba6fc4f77bd273a12dd319e991899499b4bea8422d146d447034505
AZORult
1a37f5980dfaccf82f357074e3d3013e6280e14ddb291ff49b539393daa9da6d
AZORult
301a3e665000c99ab655a74dbf9408de24875866528be4f6d28e83490c19305b
AZORult
339539d03ce22693c391b3141e6c20b2403da4efe6e25247c87c81a2e2fe1530
AZORult
432c99b8f1108ed0d94b7b1e620b230f8f55c47ca62c0fcdd1a3afac8548f239
AZORult
c787c9a5f407a656478efc835f1a0f8f738030bf26cedbd4748cb7b18ed2ea3e
AZORult
ce349034ea5373d13d5fa3adaf34a3ecffff799fe9044d4a2c98bd8a16f0e9ed
AZORult
f56bd344f2e9650ba6def3340bc5ac26472ea615744b38786d5445a75a0e51b4
AZORult
+ 1'587 additional samples on MalwareBazaar
Result
Malware family:
azorult
Create hunting rule
Score:
  10/10
Tags:
family:azorult collection discovery infostealer spyware stealer trojan
Link:
https://tria.ge/reports/220928-q49v1ahbdq/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Loads dropped DLL
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
Azorult
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/59c7af88-f74a-4669-9072-444b3a105e47
Unpacked files
SH256 hash:
b438ded132042bd35ad3063baa5a24130c2f980248985ec54450c644d207cd91
MD5 hash:
b5371db678c70b7b49e43d34a66c02d3
SHA1 hash:
7840ac400d639cf2f0c67f18afa0ff14a48851bd
Detections:
win_azorult_auto
Create hunting rule
win_azorult_g1
Create hunting rule
Link:
https://www.unpac.me/results/f0d43757-d5ab-48d7-b608-d566154bccbe/
Parent samples :
390ba9da469491e34db509524293b00feb22b768a11c0792d67c92b17881a521
d92c973ecc0a47bbb7d56fdec3471e90a88b49406b27b743f3f01433b0163ca8
SH256 hash:
a716abea7dd38dfd8150f206583f85f4f833dca2f1a6201af4205e3ed200e4c5
MD5 hash:
efe4c67831e6fe3a903b55ce9923c2a4
SHA1 hash:
6f07d8467637d4a521b845f080003c7fb171264a
Link:
https://www.unpac.me/results/f0d43757-d5ab-48d7-b608-d566154bccbe/
SH256 hash:
390ba9da469491e34db509524293b00feb22b768a11c0792d67c92b17881a521
MD5 hash:
5ce3b1bbcb5e6de79fdf2b4bbf9a8c65
SHA1 hash:
25e9d8e5a31913b28b9bcaf64574ef135e0fa3e9
Link:
https://www.unpac.me/results/f0d43757-d5ab-48d7-b608-d566154bccbe/
Malware family:
AZORult v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/390ba9da4694/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/390ba9da469491e34db509524293b00feb22b768a11c0792d67c92b17881a521

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:sfx_pdb
Create hunting rule
Author:@razvialex
Description:Detect interesting files containing sfx with pdb paths.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AZORult

Executable exe 390ba9da469491e34db509524293b00feb22b768a11c0792d67c92b17881a521

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/314376/

Comments