MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3ca1b9b8c365e7329e540d4e84320f0bf61e50a4bab5be54460d0c3e2f320ce1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3ca1b9b8c365e7329e540d4e84320f0bf61e50a4bab5be54460d0c3e2f320ce1
SHA3-384 hash: 688694d90f874542137122f1d90e9a59326a54f8412c1fdf7c81e99ac7a9e023a944055bfd7da48c8688fe6281ffee85
SHA1 hash: 197aa27eaa4b7de6bb9fcd9db21497c4718a41b4
MD5 hash: 9fa245ed793dbe29f2668e3571d959ff
humanhash: violet-eight-wolfram-michigan
File name:9fa245ed793dbe29f2668e3571d959ff.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:780'288 bytes
First seen:2022-02-09 16:15:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'654 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:ni+yU8HHKdfjHPnOUxv0IMD9Xl0Se40QhLqEF/n5AAo+ItfDg+Sea9gtGG:nis2KBT5xMLD9XXeLWNF/n5FDea9sGG
Threatray 4'632 similar samples on MalwareBazaar
TLSH T165F4BE2F087E113AC5BCDBB19984CD2FB992CDA63533991D199239D916327F231D222F
File icon (PE):PE icon
dhash icon b3b3333969693b3b (69 x Formbook, 63 x AgentTesla, 26 x Loki)
Reporter abuse_ch
Tags:AZORult exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
381
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/239716/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.25375.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
DNS request
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
Sending an HTTP POST request
Creating a file in the %temp% subdirectories
Reading critical registry keys
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed replace.exe
Link:
https://www.filescan.io/uploads/6203e8d09c257bc16263cf5b/reports/cc2d040d-30bc-4f84-943d-a8b1cf28fb61/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AZORult
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9e244c7e-090a-49a3-aa35-003553e5914e
Result
Threat name:
Azorult
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/937080
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected Azorult
Yara detected Azorult Info Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3ca1b9b8c365e7329e540d4e84320f0bf61e50a4bab5be54460d0c3e2f320ce1/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-02-09 15:02:26 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
22 of 27 (81.48%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
azorult
Create hunting rule
Similar samples:
0b431cf6333540f01631a85c7756c003b8f11440e78ded3d26324a26aafe1bc3
AZORult
4bad8439535e56ae799bb4222a3e6f1dab00d1404338932aa80dc8d57653b187
AZORult
5896ab6180021d7a1bad370dd224ef00e660c22aa7f92c928a7d1f2c44a8bf50
AZORult
6fe04c8791ef39d3256b229ecb5e574d450e8c0e59300c32658e940880aa2929
AZORult
7ea33c91dc1a98b9ab5229455e951d38f4d4563130f87d3fa290b9b01b2337dd
AZORult
a52f51511be77831be36bbb9eda43155c57ea2fb1653dfb25fb31972e2250e44
AZORult
e21841343a1c7c4fef6fdb074428316618b2a42b8b6f0bd0f3ab2bb6ad5c0055
AZORult
e325188649a8eef76951cc308fd75f0d0101887f482dc45a4a6f2a920c71d3c6
AZORult
+ 4'622 additional samples on MalwareBazaar
Result
Malware family:
azorult
Create hunting rule
Score:
  10/10
Tags:
family:azorult collection discovery infostealer spyware stealer suricata trojan
Link:
https://tria.ge/reports/220209-tqthmsbagp/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Azorult
suricata: ET MALWARE AZORult v3.3 Server Response M2
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M13
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M5
Malware Config
C2 Extraction:
http://australiadish.bar/kendrick/index.php
Unpacked files
SH256 hash:
0cc119786b104cf0aa261a208bf38802b339774ff3d7a42afcd8329d2d7d21c9
MD5 hash:
263b5190f7ac42d83c756dcdf38147bb
SHA1 hash:
78f419fe3936ed7d603706c47230cd3e6ff79ffe
Link:
https://www.unpac.me/results/a6c17c9f-c3a0-47d8-9552-f61413de7e99/
SH256 hash:
7c67ee1284eef5c53df6a02fad118d1f7b57ec0bd650e24ef5724770bdc5f366
MD5 hash:
0f6a8cd6daf97bc0eb2335ed29534cab
SHA1 hash:
9c7d08a448e26a8cf0bbee7bb969f74c640fb038
Link:
https://www.unpac.me/results/a6c17c9f-c3a0-47d8-9552-f61413de7e99/
SH256 hash:
658c80f34df29800e29a4112d11cda1f861c5622cff223d43c026ee191473fc0
MD5 hash:
024c4790ae1fee2b1280f5b26da2bc6b
SHA1 hash:
e9e34165a3ffaad39aaec159387b333f3cff378a
Detections:
win_azorult_g1
Create hunting rule
win_azorult_auto
Create hunting rule
Link:
https://www.unpac.me/results/a6c17c9f-c3a0-47d8-9552-f61413de7e99/
Parent samples :
3ca1b9b8c365e7329e540d4e84320f0bf61e50a4bab5be54460d0c3e2f320ce1
fd5e6989ff1e8e4ef24bbb2b67018ef8adbdf0da5d489cd142fd8e1a033ce92e
10fed6bb7e0d98d4c39fecce52838efecad2e6d836ceabaf40b438e6790e8abf
d8c4fb5e1c854c9362c4129efbaa6b72435b8e93df66fd418f288650d360ff22
fb253ba653005c97ec369d37d3ef234e85989984c77296bc8f763b53cbb07ab9
f188d2c47c9f395e6063a2fe69edf5830c4d520e11f21421a1814d3202503c45
85e16c4fe21b79d748d246527b80cacb62c90b75f331e774d7cef90d3f3764f5
5c52d01a13034d617c28365f534c392ec264c3d755dc36ff188082081af05688
SH256 hash:
3ca1b9b8c365e7329e540d4e84320f0bf61e50a4bab5be54460d0c3e2f320ce1
MD5 hash:
9fa245ed793dbe29f2668e3571d959ff
SHA1 hash:
197aa27eaa4b7de6bb9fcd9db21497c4718a41b4
Link:
https://www.unpac.me/results/a6c17c9f-c3a0-47d8-9552-f61413de7e99/
Malware family:
AZORult v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/3ca1b9b8c365/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AZORult

Executable exe 3ca1b9b8c365e7329e540d4e84320f0bf61e50a4bab5be54460d0c3e2f320ce1

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2038758/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/239716/

Comments