MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 429968106fd270646e6c7b13c4c0376604f9346902618e0574c566044f3c1549. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 429968106fd270646e6c7b13c4c0376604f9346902618e0574c566044f3c1549
SHA3-384 hash: 5485e9fc82cdb15e6adf276addc4bc85c66165fcc44c836db19deb2a1e3f694994a04caada6482cefe51806dbb4ccdb9
SHA1 hash: eb05872d8612a3a2007685fe3a18ad1e91340663
MD5 hash: 74dc96185fa606bf5d5389962ace53a7
humanhash: artist-enemy-fix-yankee
File name:Proposal.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:602'112 bytes
First seen:2022-02-15 07:22:23 UTC
Last seen:2022-02-15 08:48:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'476 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:LCWwFyOUasVUnRmM1RekH19e8xqSMdpdMHPg7ybr/:WrdsqnRd1Ve8xnMRMYuH
Threatray 1'408 similar samples on MalwareBazaar
TLSH T16CD48B2642F3C8B1DD5B86FEE921C88C6F60EA2FB042FEFA8445D4BDD46C7904646563
Reporter GovCERT_CH
Tags:AZORult exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
680
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Azorult
Create hunting rule
Link:
https://www.capesandbox.com/analysis/241542/
Detection(s):
SecuriteInfo.com.Trojan.Siggen16.51722.11675.13566.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Unauthorized injection to a recently created process
Creating a file
DNS request
Sending an HTTP POST request
Creating a file in the %temp% subdirectories
Reading critical registry keys
Running batch commands
Creating a process with a hidden window
Launching a process
Stealing user critical data
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated packed replace.exe update.exe
Link:
https://www.filescan.io/uploads/620b54d8a2660f3bb9d80f47/reports/7db6a9ff-9111-45b0-a73b-1cca0b9d6e34/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AZORult
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4274b7ff-d836-4026-b10e-ff4ed0cfaa2f
Result
Threat name:
Azorult
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/939922
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected Azorult
Yara detected Azorult Info Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/429968106fd270646e6c7b13c4c0376604f9346902618e0574c566044f3c1549/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-02-15 07:23:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ikmwqedp2jygi3tmpmj4jqbxmycpsndjajqy4bluyvtaitz4cveq._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
Similar samples:
008e824dccee812bd491f58e3133eae9d557fd58e4feb60d30a766c0a283ae8b
AZORult
0a64c72dadf7b8dc0de59c9a26986e7ef924b6b718b417c0f237d9f3cd3e7afe
AZORult
30fc43816237740b3bc6bdde4229fd95ad82b55f983f8b43258fc73130163ef1
AZORult
6321c189d83bd48713f5a7b760d033082078e3104e148206d31c374532fbe07e
AZORult
675117bdc9843dd5bafb4626a913554f07dbbb9e4879cf63887349baefdd8f70
AZORult
6f30ba1b87c12bb850598aa99da4e34231c3dbd4b051d73ff5be11e1759506a5
AZORult
a4656422400c467bbcfae386ba6d18c8cd37368ce2f08b2a873675ee7ce59c40
AZORult
e752bd103a473a433040a6522226aac9cecf8b5a8e6ab59fe386d63a5566b63c
AZORult
+ 1'398 additional samples on MalwareBazaar
Result
Malware family:
azorult
Create hunting rule
Score:
  10/10
Tags:
family:azorult infostealer suricata trojan
Link:
https://tria.ge/reports/220215-h7tdesdfbk/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Suspicious use of SetThreadContext
Azorult
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M5
Malware Config
C2 Extraction:
http://vietchao-vn.cam/swi01/index.php
Unpacked files
SH256 hash:
42d94aba57908eddd4c576fc65fab237a9ed61b0d4e0a6cb1f3b844f22fe75c0
MD5 hash:
646d9c3134714a839731ad18363d1420
SHA1 hash:
dbc2de2c4f6846c623c1aa4e8d9c67645c8f3df8
Detections:
win_azorult_g1
Create hunting rule
win_azorult_auto
Create hunting rule
Link:
https://www.unpac.me/results/7cb80a1b-6ae0-4d3b-87d8-b60093f60e3b/
Parent samples :
6f30ba1b87c12bb850598aa99da4e34231c3dbd4b051d73ff5be11e1759506a5
ec014f5560baaf0ad69c00962751220400f1984f70b0c17fcc9c132d1b856256
30fc43816237740b3bc6bdde4229fd95ad82b55f983f8b43258fc73130163ef1
45b53c5a2f012a3dadd5d0910121c536766ff07aa3e4256b8e5da1a72c107e6d
429968106fd270646e6c7b13c4c0376604f9346902618e0574c566044f3c1549
cac9e972aef1d5c829d6e5bf875672060ed7a5aa3d52cb237e74b4b397814bcd
SH256 hash:
79823e47436e129def4fba8ee225347a05b7bb27477fb1cc8be6dc9e9ce75696
MD5 hash:
39f524c1ab0eb76dfd79b2852e5e8c39
SHA1 hash:
428018e1701006744e34480b0029982a76d8a57d
Link:
https://www.unpac.me/results/7cb80a1b-6ae0-4d3b-87d8-b60093f60e3b/
SH256 hash:
11e24f8924049c5673e44188407afca359673beb9d072e5d153e2ff556f9e1d7
MD5 hash:
ddf2af9c809b0394062773091d8f025b
SHA1 hash:
0ab894ab740c456cdbea9860d9163a7c674b1620
Link:
https://www.unpac.me/results/7cb80a1b-6ae0-4d3b-87d8-b60093f60e3b/
SH256 hash:
429968106fd270646e6c7b13c4c0376604f9346902618e0574c566044f3c1549
MD5 hash:
74dc96185fa606bf5d5389962ace53a7
SHA1 hash:
eb05872d8612a3a2007685fe3a18ad1e91340663
Link:
https://www.unpac.me/results/7cb80a1b-6ae0-4d3b-87d8-b60093f60e3b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.99
Link:
https://yomi.yoroi.company/submissions/429968106fd270646e6c7b13c4c0376604f9346902618e0574c566044f3c1549

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AZORult

Executable exe 429968106fd270646e6c7b13c4c0376604f9346902618e0574c566044f3c1549

(this sample)

  
Dropped by
azorult
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/241542/

Comments