MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 432c99b8f1108ed0d94b7b1e620b230f8f55c47ca62c0fcdd1a3afac8548f239. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 15


Intelligence 15 IOCs 1 YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 432c99b8f1108ed0d94b7b1e620b230f8f55c47ca62c0fcdd1a3afac8548f239
SHA3-384 hash: cacc58d923ad4f333a435bb1e4ae6e1560c385fd054604876c3eba05eb005aef758e3d06d26850db3f249998ac7f431f
SHA1 hash: 37608c2cf7feb3c74a193807ac445b6f4981b6c6
MD5 hash: 184c2d17475024dd60bd1eafab0c131c
humanhash: washington-potato-colorado-lemon
File name:Fw Ordine di acquisto n.129097.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:546'719 bytes
First seen:2022-09-28 10:58:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 12e12319f1029ec4f8fcbed7e82df162 (390 x DCRat, 52 x RedLineStealer, 51 x Formbook)
ssdeep 12288:DToPWBv/cpGrU3yppoSw7omMO+aJlyv7wkk7:DTbBv5rUOpMom5JUv7wP
TLSH T1EFC4D002F6C188F2D46216729D36AF11653F7D301FB48E9F67993529DB332C29232A5B
TrID 89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.5% (.EXE) Win64 Executable (generic) (10523/12/4)
2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 3319196121000008 (2 x AZORult, 1 x Formbook)
Reporter lowmal3
Tags:AZORult exe

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://cihno.shop/PL341/index.php https://threatfox.abuse.ch/ioc/856331/

Intelligence

File Origin
# of uploads :
1
# of downloads :
432
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/314319/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.38920448.13962.7593.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% directory
Creating a process from a recently created file
DNS request
Sending an HTTP POST request
Launching the default Windows debugger (dwwin.exe)
Creating a file
Reading critical registry keys
Running batch commands
Creating a process with a hidden window
Sending a custom TCP request
Launching a process
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/39714/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm greyware overlay packed setupapi.dll shdocvw.dll shell32.dll
Link:
https://www.filescan.io/uploads/633428f9d089a0c15dd28e63/reports/05a74a66-aaf6-4971-9054-795deec78980/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/d608097a-503d-4cc6-93bc-f76873976cb0
Result
Threat name:
Azorult
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1079152
Signature
C2 URLs / IPs found in malware configuration
Found hidden mapped module (file has been removed from disk)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Yara detected Azorult
Yara detected Azorult Info Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 711709 Sample: Fw Ordine di acquisto n.129... Startdate: 28/09/2022 Architecture: WINDOWS Score: 100 55 Snort IDS alert for network traffic 2->55 57 Malicious sample detected (through community Yara rule) 2->57 59 Multi AV Scanner detection for submitted file 2->59 61 5 other signatures 2->61 9 Fw Ordine di acquisto n.129097.exe 10 2->9         started        process3 file4 41 C:\Users\user\AppData\...\hxaodobray.exe, PE32 9->41 dropped 12 hxaodobray.exe 4 9->12         started        process5 file6 43 C:\Users\user\AppData\Local\Temp\F8B3.tmp, PE32 12->43 dropped 45 C:\Users\user\AppData\Local\Temp\F268.tmp, PE32 12->45 dropped 47 C:\Users\user\AppData\Local\Temp\884.tmp, PE32 12->47 dropped 49 C:\Users\user\AppData\Local\Temp\1AD.tmp, PE32 12->49 dropped 71 Found hidden mapped module (file has been removed from disk) 12->71 73 Maps a DLL or memory area into another process 12->73 16 hxaodobray.exe 63 12->16         started        21 WerFault.exe 23 9 12->21         started        23 hxaodobray.exe 12->23         started        25 2 other processes 12->25 signatures7 process8 dnsIp9 51 cihno.shop 85.31.46.145, 49697, 49701, 80 CLOUDCOMPUTINGDE Germany 16->51 53 192.168.2.1 unknown unknown 16->53 33 C:\Users\user\AppData\...\vcruntime140.dll, PE32 16->33 dropped 35 C:\Users\user\AppData\Local\...\ucrtbase.dll, PE32 16->35 dropped 37 C:\Users\user\AppData\Local\...\softokn3.dll, PE32 16->37 dropped 39 45 other files (none is malicious) 16->39 dropped 63 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 16->63 65 Tries to steal Instant Messenger accounts or passwords 16->65 67 Tries to steal Mail credentials (via file / registry access) 16->67 69 4 other signatures 16->69 27 cmd.exe 1 16->27         started        file10 signatures11 process12 process13 29 conhost.exe 27->29         started        31 timeout.exe 1 27->31         started       
Detection:
azorult
Create hunting rule
Link:
https://mwdb.cert.pl/sample/432c99b8f1108ed0d94b7b1e620b230f8f55c47ca62c0fcdd1a3afac8548f239/
Threat name:
Win32.Infostealer.Azorult
Create hunting rule
Status:
Malicious
First seen:
2022-09-28 09:11:55 UTC
File Type:
PE (Exe)
Extracted files:
19
AV detection:
24 of 26 (92.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=imwjtohrcchnbwklpmpgeczdb6hvlrd4uywa7toruox2zbki6i4q._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
Result
Malware family:
azorult
Create hunting rule
Score:
  10/10
Tags:
family:azorult collection discovery infostealer spyware stealer trojan
Link:
https://tria.ge/reports/220928-m3d56aggem/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Loads dropped DLL
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
Azorult
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/de840060-da52-4c21-ae41-de9e93187f2f
Unpacked files
SH256 hash:
9a25103a22adcdde6ceb9f6e1fe70af8da67aac4560607a5cb43886f1f304d40
MD5 hash:
fe9d6aea058349057d402cf32d763869
SHA1 hash:
4ad54afe6e0a15fcda9ebdd47e0eef2a8178ea91
Detections:
win_azorult_auto
Create hunting rule
win_azorult_g1
Create hunting rule
Link:
https://www.unpac.me/results/04437406-33de-45de-b983-1c9cb2408df8/
SH256 hash:
05285a8444809aa33efbfc90e94c7c0248f72f28f235e919b0983de74f5993b4
MD5 hash:
f0f17abdc8433ab58a078bc5d79376d4
SHA1 hash:
1c96f84d236e3862aceaa7ea13a88801e6817b67
Link:
https://www.unpac.me/results/04437406-33de-45de-b983-1c9cb2408df8/
SH256 hash:
432c99b8f1108ed0d94b7b1e620b230f8f55c47ca62c0fcdd1a3afac8548f239
MD5 hash:
184c2d17475024dd60bd1eafab0c131c
SHA1 hash:
37608c2cf7feb3c74a193807ac445b6f4981b6c6
Link:
https://www.unpac.me/results/04437406-33de-45de-b983-1c9cb2408df8/
Malware family:
AZORult v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/432c99b8f110/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/432c99b8f1108ed0d94b7b1e620b230f8f55c47ca62c0fcdd1a3afac8548f239

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Azorult
Create hunting rule
Author:kevoreilly
Description:Azorult Payload
Rule name:malware_Azorult
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Azorult in memory
Reference:internal research
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:sfx_pdb
Create hunting rule
Author:@razvialex
Description:Detect interesting files containing sfx with pdb paths.
Rule name:win_azorult_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.azorult.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AZORult

Executable exe 432c99b8f1108ed0d94b7b1e620b230f8f55c47ca62c0fcdd1a3afac8548f239

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/314319/

Comments