MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3eb24bbe1ee3e304a99486d0857ff1c1160554513c893fd8e4534a869fcf73ce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3eb24bbe1ee3e304a99486d0857ff1c1160554513c893fd8e4534a869fcf73ce
SHA3-384 hash: d8ecf60f821cd4e29d38c72682d1588f6574cfe0ca9d9b59e06a5366ce7a70bb15f4cafc0a1489b321f7f8d8def0a0a2
SHA1 hash: 4f3c0c1218e937db2d1c02b36e17aecfff08cbce
MD5 hash: 53119f69f357a070af352693323e9f33
humanhash: india-october-fillet-music
File name:3eb24bbe1ee3e304a99486d0857ff1c1160554513c893fd8e4534a869fcf73ce
Download: download sample
Signature AZORult
Create hunting rule
File size:3'669'530 bytes
First seen:2020-11-14 18:23:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a1a66d588dcf1394354ebf6ec400c223 (49 x RedLineStealer, 7 x CryptBot, 4 x AZORult)
ssdeep 98304:iUAckh+/qD6NJIQmEvIAdwja7bOtOKeGk0DORXLD:iUB9/nLmtaHOtObGk8EXLD
Threatray 1 similar samples on MalwareBazaar
TLSH 140633927A5780F7CB722570359AE68715B6F722136C88DBB9C0CE0D5E85BC0AB7C943
Reporter seifreed
Tags:AZORult

Intelligence

File Origin
# of uploads :
1
# of downloads :
189
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Malware.Azorult-9776568-0
Create hunting rule

PUA.Win.Trojan.Generic-6843329-0
Create hunting rule

PUA.Win.Dropper.Driverpack-6931197-0
Create hunting rule

PUA.Win.Downloader.Driverpack-6998194-0
Create hunting rule

PUA.Win.Adware.Generic-7505646-0
Create hunting rule

PUA.Win.File.Generic-7557964-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Launching a process
Creating a process with a hidden window
Creating a process from a recently created file
Deleting a recently created file
Creating a file
Creating a file in the %AppData% directory
Running batch commands
DNS request
Sending an HTTP POST request
Delayed writing of the file
Launching the process to interact with network services
Launching the process to change the firewall settings
Sending a custom TCP request
Forced system process termination
Creating a file in the system32 directory
Creating a file in the Program Files subdirectories
Possible injection to a system process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AZORult
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/535293
Signature
Antivirus / Scanner detection for submitted sample
Benign windows process drops PE files
Binary is likely a compiled AutoIt script file
Contains functionality to hide user accounts
Contains functionality to register a low level keyboard hook
Detected AZORult Info Stealer
Drops PE files with a suspicious file extension
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Potential malicious VBS script found (has network functionality)
Potential malicious VBS script found (suspicious strings)
Sigma detected: Suspicious Certutil Command
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Uses certutil -decode
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Azorult
Yara detected Azorult Info Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 316746 Sample: YOeg64zDX4 Startdate: 15/11/2020 Architecture: WINDOWS Score: 100 77 teambrainworm.club 2->77 79 raw.githubusercontent.com 2->79 81 github.map.fastly.net 2->81 91 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->91 93 Multi AV Scanner detection for domain / URL 2->93 95 Found malware configuration 2->95 97 12 other signatures 2->97 10 YOeg64zDX4.exe 10 2->10         started        14 wscript.exe 2->14         started        17 wscript.exe 2->17         started        signatures3 process4 dnsIp5 73 C:\Users\user\AppData\Local\Temp\...\scin.com, PE32 10->73 dropped 107 Uses certutil -decode 10->107 109 Drops PE files with a suspicious file extension 10->109 111 Contains functionality to register a low level keyboard hook 10->111 19 scin.com 10->19         started        22 scin.com 10->22         started        24 scin.com 10->24         started        28 3 other processes 10->28 85 github.map.fastly.net 151.101.0.133, 443, 49708, 49713 FASTLYUS United States 14->85 87 teambrainworm.club 104.31.69.7, 443, 49711 CLOUDFLARENETUS United States 14->87 89 5 other IPs or domains 14->89 75 C:\Program Files\RDP Wrapper\plink.exe, PE32 14->75 dropped 113 System process connects to network (likely due to code injection or exploit) 14->113 115 Benign windows process drops PE files 17->115 26 cmd.exe 17->26         started        file6 signatures7 process8 signatures9 99 Detected AZORult Info Stealer 19->99 101 Potential malicious VBS script found (suspicious strings) 19->101 103 Potential malicious VBS script found (has network functionality) 19->103 30 scin.com 19->30         started        105 Injects a PE file into a foreign processes 22->105 33 scin.com 1 13 22->33         started        35 scin.com 12 24->35         started        38 conhost.exe 28->38         started        40 conhost.exe 28->40         started        42 conhost.exe 28->42         started        process10 dnsIp11 117 Tries to harvest and steal browser information (history, passwords, etc) 30->117 44 cmd.exe 33->44         started        46 cmd.exe 1 33->46         started        48 cmd.exe 1 33->48         started        50 2 other processes 33->50 83 430lodsposlok.monster 198.54.117.197, 49706, 80 NAMECHEAP-NETUS United States 35->83 signatures12 process13 process14 52 cscript.exe 44->52         started        55 conhost.exe 44->55         started        57 conhost.exe 46->57         started        59 schtasks.exe 46->59         started        69 2 other processes 46->69 61 cscript.exe 2 48->61         started        63 conhost.exe 48->63         started        65 conhost.exe 50->65         started        67 schtasks.exe 50->67         started        file15 71 C:\Users\user\AppData\Roaming\Uoa.dll, XML 52->71 dropped
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3eb24bbe1ee3e304a99486d0857ff1c1160554513c893fd8e4534a869fcf73ce/
Threat name:
Win32.Trojan.Ymacco
Create hunting rule
Status:
Malicious
First seen:
2020-11-14 18:26:03 UTC
AV detection:
19 of 29 (65.52%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=h2zexpq64prqjkmuq3iik77ryelakvcrhset7wheknfinh6popha._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
Similar samples:
99ba4d5d99ff78d07193851a25935dbf32a98a86ab053c2a5d6c9a4ca8ca5075
AZORult
Result
Malware family:
azorult
Create hunting rule
Score:
  10/10
Tags:
family:azorult evasion infostealer persistence spyware trojan
Link:
https://tria.ge/reports/201114-2wt52jempe/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Modifies system certificate store
Runs net.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Launches sc.exe
Drops file in System32 directory
Modifies service
Suspicious use of SetThreadContext
Modifies WinLogon
JavaScript code in executable
Loads dropped DLL
Reads user/profile data of web browsers
Blacklisted process makes network request
Executes dropped EXE
Modifies RDP port number used by Windows
Modifies Windows Firewall
Sets DLL path for service in the registry
Grants admin privileges
Azorult
Malware Config
C2 Extraction:
http://430lodsposlok.monster/index.php
Unpacked files
SH256 hash:
3eb24bbe1ee3e304a99486d0857ff1c1160554513c893fd8e4534a869fcf73ce
MD5 hash:
53119f69f357a070af352693323e9f33
SHA1 hash:
4f3c0c1218e937db2d1c02b36e17aecfff08cbce
Link:
https://www.unpac.me/results/61ac59a2-8a31-44b2-919c-2ca0e0062bf6/
SH256 hash:
5725270ca86c31ed36c987d34d53671bb41230ad5030653deeb25ee366bbbb90
MD5 hash:
debcff47180328b8773546e773ec139e
SHA1 hash:
2bdc570298d0890dc08757b9cd4cc7101d085f7d
Link:
https://www.unpac.me/results/61ac59a2-8a31-44b2-919c-2ca0e0062bf6/
SH256 hash:
42c47dc87a68078f44e6f8393f73ca60ad624bad50b72a8e74d61b1daaf42e98
MD5 hash:
47e07454a8ea145cb13d2061dc1bd732
SHA1 hash:
569d4a0c3bd7296b0e8db66f095736219c770454
Detections:
win_azorult_g1
Create hunting rule
win_azorult_auto
Create hunting rule
Link:
https://www.unpac.me/results/61ac59a2-8a31-44b2-919c-2ca0e0062bf6/
SH256 hash:
c9ec065b0b4603b9aba14f88ae4e5fa0bbebe7b215432b17a9603b91ed6a1889
MD5 hash:
574084758f649821c95159e5375d7164
SHA1 hash:
a67337ed6ab11ccadf38ba09ac26883990677add
Link:
https://www.unpac.me/results/61ac59a2-8a31-44b2-919c-2ca0e0062bf6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Password Stealer
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/3eb24bbe1ee3e304a99486d0857ff1c1160554513c893fd8e4534a869fcf73ce

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments