MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 46db525106701a4871ab4c890b7822426dfa9232002388f74fc504ac70626210. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 9


Intelligence 9 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 46db525106701a4871ab4c890b7822426dfa9232002388f74fc504ac70626210
SHA3-384 hash: 4781913ad6c974633d36e5c51c45ec0915fba5e451844ae19ce9e9620e4920b4b1cb4cb2aa541c449bfa449f546849e1
SHA1 hash: 66702513fad88919812dfbabcffe20b668560b7a
MD5 hash: 69e0ef36c7e729dd57b7f7d6fc149e55
humanhash: robert-aspen-johnny-fanta
File name:http___wetransferdownloads.duckdns.org_ftp.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:385'024 bytes
First seen:2020-10-15 20:15:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:nr0Dx9dBuk7Rxpq8BSvMPIeQFIna2x9tEpzddSuhcqcLg4:ngD/3Jrpq+AKa2Pe5d9IM
Threatray 272 similar samples on MalwareBazaar
TLSH 3484D0B67D93587ECA6A077650A992C1FA3B3AC63F508B0D754E130C5E20A1BDB1770B
Reporter Racco42
Tags:AZORult exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
181
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Azorult
Create hunting rule
Link:
https://www.capesandbox.com/analysis/71609/
Detection(s):
SecuriteInfo.com.Artemis69E0EF36C7E7.4373.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Sending a UDP request
Creating a window
Creating a file
Creating a process from a recently created file
DNS request
Connection attempt
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Threat name:
Azorult
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/492998
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Tries to detect virtualization through RDTSC time measurements
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected Azorult
Yara detected Azorult Info Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
azorult
Create hunting rule
Link:
https://mwdb.cert.pl/sample/46db525106701a4871ab4c890b7822426dfa9232002388f74fc504ac70626210/
Threat name:
ByteCode-MSIL.Infostealer.Azorult
Create hunting rule
Status:
Malicious
First seen:
2020-10-15 20:17:05 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
05d567307393895ec32ac3ba2baade59a8a4bc95795fb15045c5c1b3569f95df
AZORult
205522a02f43a8477a1ed81ea1dff4f5b914afbc01f68ac082e5bf76d73fe8b2
AZORult
400c038450745568175dcd762403a0896ca44e3c0e4113ed08ea9fe9a992be0d
AZORult
5e18a7e53e246b740a583555514158a7ec3dfa0b36944b6d8b76fcbc9668ec91
AZORult
6534a7953482135c6b462c90fb9d33dcf7ed9094fd42704266debab1cc775524
AZORult
914712c702b94abb26e0d1edbd54712d62a2fdb6cfbc9bd41ac8bcb84296358f
AZORult
95c2f374fd9468f5a11b3df947216dfef2e5cc93215ed1b84231f99f7a844b56
AZORult
b24e43f00bbbd88fea2b129c08915d84b5a7643326ff630a0cf013cb2105749c
AZORult
d747f645084c779381f77d3ce8de9274a1b21947ab117b88b0b00d0f39af6e93
AZORult
e305b3819b013356d630aeae5f76be5ed4632bd99b237bf820905d16272c161e
AZORult
+ 262 additional samples on MalwareBazaar
Result
Malware family:
azorult
Create hunting rule
Score:
  10/10
Tags:
trojan infostealer family:azorult
Link:
https://tria.ge/reports/201015-rdn47vhzw2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Azorult
Unpacked files
SH256 hash:
46db525106701a4871ab4c890b7822426dfa9232002388f74fc504ac70626210
MD5 hash:
69e0ef36c7e729dd57b7f7d6fc149e55
SHA1 hash:
66702513fad88919812dfbabcffe20b668560b7a
Link:
https://www.unpac.me/results/2f5b2271-a927-46ba-a9c4-d4ba44888a7b/
SH256 hash:
0a72b8943f9bdabaa9947eb1942a557165bd6947009ba4c68ad6147670063a32
MD5 hash:
e750f83260df94c65a7255141618165e
SHA1 hash:
0652e2802c6d02b42c29b4f4ca8ac17835896c25
Detections:
win_azorult_g1
Create hunting rule
win_azorult_auto
Create hunting rule
Link:
https://www.unpac.me/results/2f5b2271-a927-46ba-a9c4-d4ba44888a7b/
Parent samples :
46db525106701a4871ab4c890b7822426dfa9232002388f74fc504ac70626210
02f843c7f39f2272ca48f70f9dac4f617a70ea246c81951287943b3ad890f9da
SH256 hash:
a7ad9ba47e33118345d3c15508471774f5cac287f07466b7c25abaf6a528c52a
MD5 hash:
06a3b35d9e74e855a30cefa9fab9ae47
SHA1 hash:
8630450b642d42d5bdbaa6d93b1f18b382eed2e0
Link:
https://www.unpac.me/results/2f5b2271-a927-46ba-a9c4-d4ba44888a7b/
SH256 hash:
a668884a4981ff553a25a1a17ddbe39dd64bbacab0e2621637df58901508d659
MD5 hash:
be48456cad2303514143a2626f62210e
SHA1 hash:
a444eefc3a5eb63dc51aae925d5f9f802d67edbc
Link:
https://www.unpac.me/results/2f5b2271-a927-46ba-a9c4-d4ba44888a7b/
SH256 hash:
19d9922060be89a70b76e5c0056e751f1baa5d41819235c92cf4f5d7668e1267
MD5 hash:
811864a0b06c529af894a7fec6ddbf47
SHA1 hash:
d35b82933eb06a6ec60e8cbbdb65eb6cdcaeb6d2
Link:
https://www.unpac.me/results/2f5b2271-a927-46ba-a9c4-d4ba44888a7b/
Parent samples :
afa2f55e149097f9b250142bbfd94d9d56d10649c96adb079fdb0dfdac7c6660
69e2ae11e1b5cbe120bf02301191a1cf05e87fc09b09d63bd782abbf3615d05d
0b778873c94f6bc89a40294c0e85a38ab82509260cd2a2e8b73d00c5c90e8757
7ddfa6f44a60f4b894321f6977f8121cfb371c3c61ac872c58ba61fd5ee13deb
SH256 hash:
f8bee4108a324df32ad5a2ebafa6b7f411402a21e2598cf9db66486970f80fdd
MD5 hash:
a92da98ff6f5ae608503d074617bcc2a
SHA1 hash:
d3eafcccca011bb3a7a5ae52dd9704ceafcde472
Link:
https://www.unpac.me/results/2f5b2271-a927-46ba-a9c4-d4ba44888a7b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/46db525106701a4871ab4c890b7822426dfa9232002388f74fc504ac70626210

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Azorult
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Azorult in memory
Reference:internal research
Rule name:Steam_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Steam in files like avemaria
Rule name:Telegram_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Telegram in files like avemaria
Rule name:Trojan_W32_Gh0stMiancha_1_0_0
Create hunting rule
Rule name:win_azorult_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_azorult_g1
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/71609/
  
URLhaus
https://urlhaus.abuse.ch/url/699333/

Comments