MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 44c9345759f82e06403ff2312e21c4c487c7445707bc28e62046268d141afd16. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AZORult

Vendor detections: 9

SHA256 hash: 44c9345759f82e06403ff2312e21c4c487c7445707bc28e62046268d141afd16
SHA3-384 hash: 5a9ae48092f05943d4ccbad7008639d432a806a85c1efc0df5bde0b8844e1c272c72af08d6ab3f537471c214959f6fcb
SHA1 hash: 548482c7a53e20c4cec1f734a4659c69d844e0a2
MD5 hash: a7f7739e1c97639361a5d88d5300d05a
humanhash: island-princess-chicken-cola
File name: a7f7739e1c97639361a5d88d5300d05a.exe
Signature: AZORult
File size: 611'328 bytes
First seen: 2020-07-19 11:21:29 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 335a7ffe81574e54c66fb8c5bf7dee3a (2 x AgentTesla, 1 x RemcosRAT, 1 x MassLogger)
ssdeep: 12288:4JAmXIijOdiBbgCORh0WsmNg3PGGKsAX23cVmB:FmI/Kngb0PGV/2sVm
Threatray: 417 similar samples on MalwareBazaar
TLSH: 4ED49D26E6E34837D172DA3C9C1B57BC5836BE00292D59872BE45F4C5F39683386B293
Reporter: abuse_ch
Tags: AZORult exe


abuse_ch
AZORult C2:
http://165.22.238.167/index.php

Intelligence


File Origin
# of uploads: 1
# of downloads: 182
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Sending an HTTP GET request
Creating a file in the %temp% subdirectories
Reading critical registry keys
Creating a file
Deleting a recently created file
Reading Telegram data
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a TCP request to an infection source
Stealing user critical data
Result
Threat name: AZORult
Detection: malicious
Classification: phis.spyw.evad
Score: 100 / 100
Behaviour
Threat name: Win32.Infostealer.Fareit
Status: Malicious
First seen: 2020-07-19 11:23:05 UTC
AV detection: 28 of 31 (90.32%)
Threat level: 5/5
Result
Malware family: azorult
Score: 10/10
Tags: trojan infostealer family:azorult
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Azorult
Malware Config
C2 Extraction: http://165.22.238.167/index.php
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Distributed via web download
Signature: AZORult
File type: Executable exe
SHA256 hash: 44c9345759f82e06403ff2312e21c4c487c7445707bc28e62046268d141afd16 (this sample)

Comments