MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 44a553892af9e23cabd74bef11e9bc8fe08dd0f111a482248f90e8d2f54ae06e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 44a553892af9e23cabd74bef11e9bc8fe08dd0f111a482248f90e8d2f54ae06e
SHA3-384 hash: 0583cda24ac85fd9e284802966c307443de53fa3c4288ec238d82d40248d4569d335da78a41b01ac26dd43266153a8b9
SHA1 hash: 5b89e3c5706647945eeb5d3d10b7bdf4a60bf264
MD5 hash: f07c300806da3a9c9a55bc7037db2bb7
humanhash: early-beer-hotel-berlin
File name:f07c3008_by_Libranalysis
Download: download sample
Signature AZORult
Create hunting rule
File size:952'832 bytes
First seen:2021-04-30 03:03:37 UTC
Last seen:2021-05-07 09:47:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 24576:UFJoLApIFRYpWkSv5L5bepmlTHNMTMTisgKEyOy:qsXM6BleQTHuTagKEyOy
Threatray 1'761 similar samples on MalwareBazaar
TLSH DF157BEC751074EEC3078C2397CF1C1182202975A62BA50B972327BD9A2FD576F399DA
Reporter Libranalysis
Tags:AZORult


Avatar
Libranalysis
Uploaded as part of the sample sharing project

Intelligence

File Origin
# of uploads :
4
# of downloads :
265
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Azorult
Create hunting rule
Link:
https://www.capesandbox.com/analysis/147100/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.696-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Sending an HTTP POST request
Creating a file in the %temp% subdirectories
Deleting a recently created file
Reading critical registry keys
Stealing user critical data
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AZORult
Create hunting rule
Detection:
malicious
Classification:
phis.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/703812
Signature
Detected AZORult Info Stealer
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Yara detected AntiVM3
Yara detected Azorult
Yara detected Azorult Info Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/44a553892af9e23cabd74bef11e9bc8fe08dd0f111a482248f90e8d2f54ae06e/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-04-29 15:41:10 UTC
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=issvhcjk7hrdzk6xjpxrd2n4r7qi3uhrcgsiejepsdunf5kk4bxa._file
Verdict:
malicious
Similar samples:
040343ed3920a4420938a8969fbb3bcebfe337f43aa4ec27477a9aad1ce4c885
AZORult
1fff9bc7af93cedafe6e4ae26e1e8bd1be11a11a193f05d3ec993a3c0332e864
AZORult
2c80f61e5c61bb87be9e2d60e69093bcb5082fc690fcd751be787dbd118d5e57
AZORult
4a3dbd9e76bdf61687afb04313b2cd9682985f1c55c62f54d9f39442c538bae4
AZORult
7248d0601627171f4663a14d2e7ca4d80dc8060cd8e126ff18b53d9139b5e423
AZORult
7294bdc3333d08ac9c2397b3555c0126928c13600b23de09f21841cfee83f55a
AZORult
bd53a8cc4f90dbe541f778176164e50279e6809495ed2fcb8cfc92570e16119e
AZORult
c4bb3e5a6f33dca9143ede298d37b20c1dd8ab6be22f2544987f53d468e0e815
AZORult
fafd08b980a830ba65a48aefe7bb5aebcd2c6ff85e2306aa1db16524e1e12bcb
AZORult
fe740b0963f4003fcffab9a6455b66c78b1844c5b48fe0e61a68804484620f65
AZORult
+ 1'751 additional samples on MalwareBazaar
Result
Malware family:
azorult
Create hunting rule
Score:
  10/10
Tags:
family:azorult infostealer trojan
Link:
https://tria.ge/reports/210430-p9l1k2dtq2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Azorult
Malware Config
C2 Extraction:
http://31.210.20.121/index.php
Unpacked files
SH256 hash:
5827e6f10e43554968888233a6f73b73ddb0c6678f6ed52b453dc65f9b9ad682
MD5 hash:
633217d22c298731cd41c6578a26ced0
SHA1 hash:
f57ab37edb9c5e3bd4cc5a5160f6540c49c31f83
Link:
https://www.unpac.me/results/c2eff42a-43d5-445c-8a1c-23137c704d71/
SH256 hash:
74b2935b9dfe4ba397fd0507ae3c36abb77193041f2e7c43c55dc4e7b33de61c
MD5 hash:
b5c218f30fecc9cb8513ff6a46737b01
SHA1 hash:
f0416867c2b114789620b318051f1fa390b07eae
Link:
https://www.unpac.me/results/c2eff42a-43d5-445c-8a1c-23137c704d71/
SH256 hash:
fbacc1e327da97f5933647cdcdfd9fd27336b1467e9e799c5e33472f55d7b554
MD5 hash:
b9cd5e67fb2bc5c034001339d32f92b6
SHA1 hash:
9ec7ec0b358f5b25ff5807b1c7715b672a468391
Detections:
win_azorult_g1
Create hunting rule
win_azorult_auto
Create hunting rule
Link:
https://www.unpac.me/results/c2eff42a-43d5-445c-8a1c-23137c704d71/
Parent samples :
3278e9c4c457276373847b00e038409b6a14170cf4cedf0879c757df80040247
44a553892af9e23cabd74bef11e9bc8fe08dd0f111a482248f90e8d2f54ae06e
e72e42080f815a61e8e641bb3ebc9d2e0f0161604c55cbf76c5be1e16262b712
bfddf9b66d9ff554b0144c5a7b6ef13c7965ae4f53c6f52a67c5577fff9d9602
ceeda097c923c87e4477bb50a66414773be8bf57e643e0c6bf79e949a8648e1a
SH256 hash:
44a553892af9e23cabd74bef11e9bc8fe08dd0f111a482248f90e8d2f54ae06e
MD5 hash:
f07c300806da3a9c9a55bc7037db2bb7
SHA1 hash:
5b89e3c5706647945eeb5d3d10b7bdf4a60bf264
Link:
https://www.unpac.me/results/c2eff42a-43d5-445c-8a1c-23137c704d71/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/44a553892af9e23cabd74bef11e9bc8fe08dd0f111a482248f90e8d2f54ae06e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/147100/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-04-30 04:06:01 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0009] Anti-Behavioral Analysis::Virtual Machine Detection