MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 42d6ad70b55d487b04cb7681d6e1b6b7020a9ec18bd79fc02ee6844fb522f0d9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 14


Intelligence 14 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 42d6ad70b55d487b04cb7681d6e1b6b7020a9ec18bd79fc02ee6844fb522f0d9
SHA3-384 hash: aff1e0a258bc37f3d9e12c758c33bf7e6461c902ab9ce8ea91a9e3b6a1a667f717444c00a95b9d0a16b01f6ddcbcdec7
SHA1 hash: b148cc1aca9d48bff55daf27d4da3af27dae9187
MD5 hash: e92dfdc1e9f165803c56270f27328f5b
humanhash: montana-autumn-glucose-rugby
File name:Dekont.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:564'224 bytes
First seen:2022-05-05 09:31:24 UTC
Last seen:2022-05-05 13:50:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:f/oIpAAYywCu86cU+ICr9IzWlMp452HMQ58gYOMBOB5p/haak2L2I:XoImYIXcU+fr6zWlMp48sQ58gYvI5Bhh
Threatray 1'814 similar samples on MalwareBazaar
TLSH T11CC4222402E25337F6B437BAA5D046903BFA6E1DF6A1F6E93DA031ED0D5270E0925B47
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13101/52/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:AZORult exe


Avatar
abuse_ch
AZORult C2:
http://5gw4d.xyz/PL341/index.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://5gw4d.xyz/PL341/index.php https://threatfox.abuse.ch/ioc/548227/

Intelligence

File Origin
# of uploads :
3
# of downloads :
1'452
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
azorult
Create hunting rule
ID:
1
File name:
Dekont.exe
Verdict:
Malicious activity
Analysis date:
2022-05-05 09:36:09 UTC
Tags:
trojan rat azorult
Link:
https://app.any.run/tasks/d2d420a3-8743-425b-a81d-d650259784c9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Azorult
Create hunting rule
Link:
https://www.capesandbox.com/analysis/268836/
Detection(s):
SecuriteInfo.com.W32.AIDetectNet.01.906.6460.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Launching the default Windows debugger (dwwin.exe)
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/627399a537afaeff09c43f8c/reports/be2c2cf3-cbcc-498c-9fbf-f6171af970ca/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AZORult
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5de06130-40b4-405d-b4ac-701ec5df4419
Result
Threat name:
Azorult
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/988385
Signature
.NET source code contains method to dynamically call methods (often used by packers)
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected Azorult
Yara detected Azorult Info Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/42d6ad70b55d487b04cb7681d6e1b6b7020a9ec18bd79fc02ee6844fb522f0d9/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-05-05 09:19:27 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=illk24fvlvehwbglo2a5nynww4bavhwbrplz7qbo42ce7njc6dmq._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
Similar samples:
17416d9c817712d2875bbadf958efd7e2935632cc949c40fd51b789c33e44929
AZORult
6b448fb67632a98df81c0dd29d39e9229f27f5a49c6020ec82e5ffe06b4d04b8
AZORult
b58097316a327e80f688626136db4ea53f45e0806a18614c466c75f122364de9
AZORult
c36ec3f847b81b6e59ee1e6d17544ee886a3a85105d1aa06646df073f8590838
AZORult
fbeb539a297e7d600d5dfdfd1df1a68dd530d4e525197fc6fdae840b5713d970
AZORult
fd91dbad2d19d5d622b97cb01a25d79748358664a5d26c7a81fd9031ece7777a
AZORult
+ 1'804 additional samples on MalwareBazaar
Result
Malware family:
azorult
Create hunting rule
Score:
  10/10
Tags:
family:azorult collection discovery infostealer spyware stealer suricata trojan
Link:
https://tria.ge/reports/220505-lhlh3afff9/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Azorult
suricata: ET MALWARE AZORult v3.3 Server Response M2
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M15
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M5
Malware Config
C2 Extraction:
http://5gw4d.xyz/PL341/index.php
Unpacked files
SH256 hash:
feb961c6493e852562678e821eafc34dd6f26dc34265da90865b9bdcc5753ae6
MD5 hash:
b40a6ddb20543d5ba55b06190f743374
SHA1 hash:
f25e8ae8af0cf237725e5d4271b16fbcf3fa4a12
Link:
https://www.unpac.me/results/ae5f5c71-64fd-4ca4-bc54-a641446055b1/
SH256 hash:
ea08506711edf1e6171811d020e77bb3ced20a2c950eb1fea06aeb6e1e9ee339
MD5 hash:
7c5076d6e28d938a05cd1fab98e07f1e
SHA1 hash:
d37cc67fc5056a78ed0f3aea0026c395c7d58885
Detections:
win_azorult_g1
Create hunting rule
win_azorult_auto
Create hunting rule
Link:
https://www.unpac.me/results/ae5f5c71-64fd-4ca4-bc54-a641446055b1/
Parent samples :
42d6ad70b55d487b04cb7681d6e1b6b7020a9ec18bd79fc02ee6844fb522f0d9
6b448fb67632a98df81c0dd29d39e9229f27f5a49c6020ec82e5ffe06b4d04b8
722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088
daf8cd6f6c9c7973e5a877510d38b7f71ed45fd41b408ee341e42281cf7419b1
9cbcdec6b8050a81720597c76e29fb7c89fc12dce7eb26a68ab8542235824aca
383f832947919f6fd9a512ffd689a03c8f7cef4a328398038fe8df6a6d2bc6b1
SH256 hash:
a0cf083ad83eb3b47521f9f4d0b644acdf9c824f3ba0ce413f90472f445d8648
MD5 hash:
c9bef7670386faa3efb84c2338e9a71e
SHA1 hash:
9786c36f8815b89596e9af56739d5dbdfa804e36
Link:
https://www.unpac.me/results/ae5f5c71-64fd-4ca4-bc54-a641446055b1/
SH256 hash:
044e6e22943ac21887eaef4daf70bc43b8d7b54b7160ecc2e0b6ff77a6832a99
MD5 hash:
0512fe61b5e75a5aa25f0c17882292cd
SHA1 hash:
3b05ecfbb15a15fd46a9d9b588620454b6361745
Link:
https://www.unpac.me/results/ae5f5c71-64fd-4ca4-bc54-a641446055b1/
SH256 hash:
42d6ad70b55d487b04cb7681d6e1b6b7020a9ec18bd79fc02ee6844fb522f0d9
MD5 hash:
e92dfdc1e9f165803c56270f27328f5b
SHA1 hash:
b148cc1aca9d48bff55daf27d4da3af27dae9187
Link:
https://www.unpac.me/results/ae5f5c71-64fd-4ca4-bc54-a641446055b1/
Malware family:
AZORult v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/42d6ad70b55d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/42d6ad70b55d487b04cb7681d6e1b6b7020a9ec18bd79fc02ee6844fb522f0d9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/268836/

Comments