MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 462f4e639cead04d64436b603d4e0a62816fcaa0b03c6390d6f2c6ff366da6c7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AZORult

Vendor detections: 13

Intelligence 13 IOCs YARA File information Comments

SHA256 hash:	462f4e639cead04d64436b603d4e0a62816fcaa0b03c6390d6f2c6ff366da6c7
SHA3-384 hash:	799d1cbb76129217ab811a778743a71e78d9dda61c4f5a02ead9e94ca9931eebb8957bda2137d99cda0942e2fa63fcbd
SHA1 hash:	3c7259b2d9d56ed1cac3e497ecb6d4e376d29e24
MD5 hash:	f4c0f47027ea961b2c3276fe4e2f2ede
humanhash:	pip-earth-xray-coffee
File name:	Halkbank_Ekstre_20210601_074208_513701.exe
Download:	download sample
Signature	AZORult Create hunting rule
File size:	846'155 bytes
First seen:	2021-07-26 13:01:02 UTC
Last seen:	2021-07-26 13:51:11 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	31ca2ab0a9e3ab3d4b0118b3d0bba429 (4 x Loki, 1 x AgentTesla, 1 x AZORult)
ssdeep	24576:VvYmJL6v/dJDaqNgODku1Rs5ZsMa5nKqy:uNgqkcRe6L3y
Threatray	1'969 similar samples on MalwareBazaar
TLSH	T15205BF253A44CC27D3A2267849E0F778563C6FA03D1A8247EBE13EAF7E34BC96C14556
dhash icon	e0f080c4d8723818 (1 x AZORult)
Reporter	James_inthe_box
Tags:	AZORult exe

Intelligence

File Origin

# of uploads :

# of downloads :

214

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Halkbank_Ekstre_20210601_074208_513701.exe

Verdict:

Malicious activity

Analysis date:

2021-07-26 14:34:41 UTC

Tags:

trojan rat azorult

Link:

https://app.any.run/tasks/acccd508-fadd-4281-98d6-61857461f4ce

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Azorult

Link:

https://www.capesandbox.com/analysis/174120/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Siggen3.1391.10164.13586.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Unauthorized injection to a recently created process

DNS request

Connection attempt

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

AZORult

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f2e50f33-a505-40c0-8245-a3c4e456429e

Result

Threat name:

Azorult

Detection:

malicious

Classification:

troj.spyw

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/821771

Signature

C2 URLs / IPs found in malware configuration

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Azorult

Yara detected Azorult Info Stealer

Behaviour

Behavior Graph:

Download SVG

Gathering data

Threat name:

Win32.Trojan.LokiBot

Status:

Malicious

First seen:

2021-07-26 03:40:18 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 28 (71.43%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=iyxu4y445lie2zcdnnqd2tqkmkaw7svawa6ghegw6ldp6ntnu3dq._file

Verdict:

malicious

Label(s):

azorult

AZORult

62bcad1a08b9645f0b2bd969e31e3beda41ce828387eb60ce07b0749deee4c59

AZORult

65d873e82fc6d0e63a224589cdee5551f2d98c313e19adbc9799ef17ae493a8f

AZORult

6e4da46962c65c24ebe731eba3468420a3a0a28cdc923e82396f1b8cedd05da1

AZORult

dec7973b7b46dc29aed45c6eb5919f31abe3b5efe17f73c01f506faf06e80e00

AZORult

e3fe60d8a1026a8919ef0dc81ad619db81d992a7f653a1996689f8e35b320c9a

AZORult

eb7c92906b19491e5e670801cbcf189cf105f8e46a0e20c2bc8c7ab14cc1b9c7

AZORult

ec61c46fdd4c22a18e41331c3b4553e385c6229b2d37c5ae4050b10e0cc27572

AZORult

f1ab8e352e53ee2d4aa8625e789682ca1a5ef4adaba22b1ba7ce3d68664bcb2e

AZORult

+ 1'959 additional samples on MalwareBazaar

Result

Malware family:

azorult

Score:

10/10

Tags:

family:azorult discovery infostealer spyware stealer suricata trojan

Link:

https://tria.ge/reports/210726-t7ghteksla/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Loads dropped DLL

Reads data files stored by FTP clients

Reads local data of messenger clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Azorult

suricata: ET MALWARE AZORult v3.3 Server Response M2

suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M18

suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M3

Malware Config

C2 Extraction:

http://37.0.8.80/index.php

Unpacked files

SH256 hash:

f099e59f2de4d990dc2bb3a09c639aa346b57bbb309b81589cb330e9e55bf1dd

MD5 hash:

aa7e87ea0a9e452ed924ed889fbb76d1

SHA1 hash:

41591ae4cafb2d761e1706ab46d7739673c209bc

Detections:

win_azorult_g1

win_azorult_auto

Link:

https://www.unpac.me/results/22286f53-18f9-4155-b32f-c4565151d949/

Parent samples :

462f4e639cead04d64436b603d4e0a62816fcaa0b03c6390d6f2c6ff366da6c7
aae9e232abe6255663d52d2db42079a395e3e50f712b8a39f269116ed419f8c6
120fcd098c502894515feb3814bd6edc34ceb13648dcfae2a22c4f4e2166ace2

SH256 hash:

462f4e639cead04d64436b603d4e0a62816fcaa0b03c6390d6f2c6ff366da6c7

MD5 hash:

f4c0f47027ea961b2c3276fe4e2f2ede

SHA1 hash:

3c7259b2d9d56ed1cac3e497ecb6d4e376d29e24

Link:

https://www.unpac.me/results/22286f53-18f9-4155-b32f-c4565151d949/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/462f4e639cead04d64436b603d4e0a62816fcaa0b03c6390d6f2c6ff366da6c7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/174120/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample