MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4166d0e0b5adc0558a58722e20f0e77bdecfe25097239dcb21c4757631d0f5b9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AZORult

Vendor detections: 11

SHA256 hash: 4166d0e0b5adc0558a58722e20f0e77bdecfe25097239dcb21c4757631d0f5b9
SHA3-384 hash: b2c832c0d6209da5239045afbcb653d820b1ee4cffb44c3d47b754edf1ff559d849b8b3d2aae1ac5296c993de0768920
SHA1 hash: b48140c4534aee2ceeb3fa7bda06bf024e1dee37
MD5 hash: 30a13b555af375657675ecb0cb645725
humanhash: nevada-seven-failed-football
File name: 30a13b555af375657675ecb0cb645725
Signature: AZORult
File size: 401'920 bytes
First seen: 2022-01-11 10:12:55 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 6144:NiELI8sKkq8BeQFtzRV4Lxkj8u2pj98wASP9YHNz9X9+e0zaxpNAcrDUrFb:/I8s0Utj8uI8wzPWx9X9+e0u/NAcP
TLSH: T1D184028B3BD28423C6398E795DB64025DA34E65638C0FBDF1C469AAE10B570DC681F7B
dhash icon: 5839b16fed4d2335 (1 x AZORult)
Reporter: zbetcheckin
Tags: 32 AZORult exe

Intelligence

File Origin
# of uploads: 1
# of downloads: 297
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: AWB DEC2022 Waybill No. 6672955726.xlsx
Verdict: Malicious activity
Analysis date: 2022-01-11 08:59:01 UTC
Tags: encrypted opendir exploit CVE-2017-11882 loader trojan rat azorult stealer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour:
Creating a window
DNS request
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Creating synchronization primitives
Sending an HTTP POST request
Creating a file in the %temp% directory
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: cmd.exe control.exe obfuscated packed replace.exe wacatac

Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Azorult
Detection: malicious
Classification: phis.troj.spyw.evad
Score: 100 / 100
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected Azorult
Yara detected Azorult Info Stealer
Result
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2022-01-11 10:13:10 UTC
File Type: PE (.Net Exe)
Extracted files: 12
AV detection: 22 of 28 (78.57%)
Threat level: 5/5

Result
Malware family: azorult
Score: 10/10
Tags: family:azorult collection discovery infostealer spyware stealer suricata trojan
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Azorult
suricata: ET MALWARE AZORult v3.3 Server Response M3
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M16
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M5
Malware Config
C2 Extraction: http://rodavivanoticias.com.br/Bvt0/index.php
Unpacked files

SHA256 hash: 6574103b5eb1664d12d27c2448b83d0fbeb0a4ce396d7089b8bf028a78602267
MD5 hash: a60dd35de82317ecc37cc26611e89c61
SHA1 hash: e6b94deb8048b4a2ebb26931c968df5550e8237b

SHA256 hash: 9ecb3c903f8cc1bcf8674587372a63c5d96128758bf86efe78b22a524c96983b
MD5 hash: cea81e9c274a995b80616bac7251cf2f
SHA1 hash: ad0583db70ae5f6cadac2eed59d641b814f1ecbc

SHA256 hash: 18c4d5acb07cdba85b966727204b2a47c076c4741c8bb84cbe7bd0f37a110447
MD5 hash: 71c2c5ad05e193a4e2a2c34275c0f8d4
SHA1 hash: 9f46d1255cde6713675cbce42f60b05b047e4720
Detections: win_azorult_g1 win_azorult_auto

SHA256 hash: 4166d0e0b5adc0558a58722e20f0e77bdecfe25097239dcb21c4757631d0f5b9
MD5 hash: 30a13b555af375657675ecb0cb645725
SHA1 hash: b48140c4534aee2ceeb3fa7bda06bf024e1dee37
Malware family: AZORult v3
Verdict: Malicious

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Malware family: AZORult
File: Executable exe 4166d0e0b5adc0558a58722e20f0e77bdecfe25097239dcb21c4757631d0f5b9 (this sample)

Comments

zbet commented on 2022-01-11 10:12:57 UTC

url: hxxp://198.46.199.153/50098/VBA.exe