MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3da15b7582aa2e324d7e8a18ca4610fb20f69985b09f1c1490e6a99dcde6e305. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3da15b7582aa2e324d7e8a18ca4610fb20f69985b09f1c1490e6a99dcde6e305
SHA3-384 hash: ba3e2de5b81e782df8bcf799e42eba94edb222b424ffe61d6362d7462355bad4f0b4c345dde5d4b65a2257012d3ef043
SHA1 hash: 99599a7c7620265b9e30dc1b7028b34ec274464c
MD5 hash: 186b119d39e666a41a602ff6c9605b70
humanhash: massachusetts-single-victor-mobile
File name:bgdwubmodm.xqg
Download: download sample
Signature AZORult
Create hunting rule
File size:10'830'336 bytes
First seen:2022-09-15 10:54:18 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash c80bf2642dffa0ec0a5c1144e9b175c0 (1 x AZORult)
ssdeep 196608:z11cSFf1gPigUZNY4QBvM602Nrbjlhmmm+j8C7q44KoORtSDtYUcV5znDYsE18FO:p1jUMNDskkrFhmmHwCWOoOHSDtYUcVRe
Threatray 14'348 similar samples on MalwareBazaar
TLSH T15BB623B741807EC7E26593BA6C3789458C24FA729F422531F06F5AF5809A09DCFF4BA4
TrID 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
20.3% (.EXE) Win32 Executable (generic) (4505/5/1)
13.5% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
9.3% (.EXE) Win16/32 Executable Delphi generic (2072/23)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter JAMESWT_WT
Tags:AZORult dll Mekotio spy

Intelligence

File Origin
# of uploads :
1
# of downloads :
339
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/310209/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.62054929.29467.10742.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Searching for analyzing tools
Сreating synchronization primitives
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
hacktool mekotio packed shell32.dll virus
Link:
https://www.filescan.io/uploads/63230502ba7b8113dd6474e3/reports/ca952c31-3f79-40e6-9c2d-50945346debe/overview
Result
Verdict:
MALICIOUS
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/2e286ef9-261c-44ba-b427-026f037b395a
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1070826
Signature
Antivirus / Scanner detection for submitted sample
Hides threads from debuggers
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 703368 Sample: bgdwubmodm.xqg.dll Startdate: 15/09/2022 Architecture: WINDOWS Score: 80 36 Antivirus / Scanner detection for submitted sample 2->36 38 Multi AV Scanner detection for submitted file 2->38 40 Machine Learning detection for sample 2->40 42 PE file contains section with special chars 2->42 8 loaddll32.exe 1 2->8         started        process3 signatures4 48 Query firmware table information (likely to detect VMs) 8->48 50 Hides threads from debuggers 8->50 52 Tries to detect sandboxes / dynamic malware analysis system (registry check) 8->52 11 rundll32.exe 8->11         started        14 cmd.exe 1 8->14         started        16 rundll32.exe 8->16         started        18 5 other processes 8->18 process5 signatures6 54 Tries to detect sandboxes and other dynamic analysis tools (window names) 11->54 56 Hides threads from debuggers 11->56 58 Tries to detect sandboxes / dynamic malware analysis system (registry check) 11->58 20 WerFault.exe 3 9 11->20         started        23 rundll32.exe 14->23         started        26 WerFault.exe 9 16->26         started        28 WerFault.exe 9 18->28         started        30 WerFault.exe 2 9 18->30         started        process7 dnsIp8 34 192.168.2.1 unknown unknown 20->34 44 Hides threads from debuggers 23->44 46 Tries to detect sandboxes / dynamic malware analysis system (registry check) 23->46 32 WerFault.exe 20 9 23->32         started        signatures9 process10
Detection:
azorult
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3da15b7582aa2e324d7e8a18ca4610fb20f69985b09f1c1490e6a99dcde6e305/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-09-14 16:41:39 UTC
File Type:
PE (Dll)
AV detection:
12 of 26 (46.15%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hwqvw5mcvixdetl6rimmurqq7mqpngmfwcpryfeq42uz3tpg4mcq._file
Verdict:
malicious
Similar samples:
0e63b13097c8e9ed9f0fe06c7972be1beb8890e6e7640584be1afd5740276307
AZORult
2d29625e81eed2aaafbcedffe4e177ca78189c71be60c6526daf35b3dcb8fa05
AZORult
2f6957a17b9bc161dc74ac1bb60a20e75b1ce9f734baef833fbe6996f159078c
AZORult
3da15b7582aa2e324d7e8a18ca4610fb20f69985b09f1c1490e6a99dcde6e305
AZORult
42b10f1ff71839a9882ae5ac43aa18bb3e98319bc80a1db1162131353fc6e7d0
AZORult
48d531158fd3462c5760296fb78d808f103d7a619ee5a8e6200163d7aaf78de0
AZORult
7e0bd7043b674f37a6c086fcd8aa5ddb0ec4ba675e4860e30f88abe3cfe4b879
AZORult
deaf22c4cadd171ef59fc8e6299d26bd4679b965d24097a48e1cf8f283a0eb89
AZORult
e3387d3f62414fb262da20e54d5775a647443b88cd8a0e738cdc488b95477d4e
AZORult
+ 14'338 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion themida trojan
Link:
https://tria.ge/reports/220915-mz4lmsgeek/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Checks BIOS information in registry
Themida packer
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Unpacked files
SH256 hash:
39d8f49e81ae4d693ea99c8b023c1fc11d2df6dc7fb1c31b152f2972996f4066
MD5 hash:
2133a4afd7bee7cfcbb7a46890dd657e
SHA1 hash:
1117de5a67f62ae3d7c98e729064acea35d3373d
Link:
https://www.unpac.me/results/c90020f7-3da5-4f3d-b2a3-147869ab23eb/
SH256 hash:
3da15b7582aa2e324d7e8a18ca4610fb20f69985b09f1c1490e6a99dcde6e305
MD5 hash:
186b119d39e666a41a602ff6c9605b70
SHA1 hash:
99599a7c7620265b9e30dc1b7028b34ec274464c
Link:
https://www.unpac.me/results/c90020f7-3da5-4f3d-b2a3-147869ab23eb/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.60
Link:
https://yomi.yoroi.company/submissions/3da15b7582aa2e324d7e8a18ca4610fb20f69985b09f1c1490e6a99dcde6e305

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/310209/

Comments