MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 489a08f890366aa554ec45fdea5f51ef79728ef030c5e83b119ad65655c79749. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AZORult

Vendor detections: 12

Intelligence 12 IOCs YARA 2 File information Comments

SHA256 hash:	489a08f890366aa554ec45fdea5f51ef79728ef030c5e83b119ad65655c79749
SHA3-384 hash:	aa70d8e66d5b1ef4489b53dde4cd93d570f0b864f8787565de088863916024614cee045964e74557cd5df80b224d4101
SHA1 hash:	fb8d4634d3e5db17c594dd210f8459d2f45c15a5
MD5 hash:	9a8ba26ff48ee22159d183e283208b5e
humanhash:	football-asparagus-georgia-five
File name:	9a8ba26ff48ee22159d183e283208b5e.exe
Download:	download sample
Signature	AZORult Create hunting rule
File size:	744'448 bytes
First seen:	2022-07-29 14:45:23 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep	12288:e+14zs/Y50L3A62iNe30ZxgQk9e0+7wLO5qCU+nAywK/y77s2GMb6cuyI3wEk+Lu:e+yAF10EZxgQk9e58CDAp4spLu0V+Lx
TLSH	T155F4E07426689E5EEB6E537DE0905110EBF4AC63B043E35E6ED430692DB3352CE3A187
TrID	61.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.0% (.SCR) Windows screen saver (13101/52/3) 8.8% (.EXE) Win64 Executable (generic) (10523/12/4) 5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):
dhash icon	96e8f296ccf2e884 (8 x Formbook, 7 x AgentTesla, 4 x Loki)
Reporter	abuse_ch
Tags:	AZORult exe

Intelligence

File Origin

# of uploads :

# of downloads :

793

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/295119/

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL

SecuriteInfo.com.Trojan.Olock.1.23605.21109.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Creating a file in the %temp% directory

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

keylogger packed

Link:

https://www.filescan.io/uploads/62e3f2d6bcf76fcb6cce51d2/reports/f89e6681-487d-4499-ab06-3a7fb843afdb/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/2ced2a0a-0102-495a-b2b0-3c8617b4428f

Result

Threat name:

Azorult

Detection:

malicious

Classification:

phis.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1043210

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Crypto Currency Wallets

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file / registry access)

Yara detected AntiVM3

Yara detected Azorult

Yara detected Azorult Info Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/489a08f890366aa554ec45fdea5f51ef79728ef030c5e83b119ad65655c79749/

Threat name:

ByteCode-MSIL.Trojan.FormBook

Status:

Malicious

First seen:

2022-07-29 02:30:05 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

18 of 25 (72.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=jcnar6eqgzvkkvhmix66ux2r554xfdxqgdc6qoyrtllfmvohs5eq._file

Result

Malware family:

azorult

Score:

10/10

Tags:

family:azorult collection discovery infostealer spyware stealer trojan

Link:

https://tria.ge/reports/220729-r5amzabcgp/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Loads dropped DLL

Reads data files stored by FTP clients

Reads local data of messenger clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Azorult

Malware Config

C2 Extraction:

http://208.67.105.161/kendrick/index.php

Unpacked files

SH256 hash:

fd4026fcb299120b1484775a4a10748b75c7907201812adcbaa1ef7102dca610

MD5 hash:

03eb836a997956877416b6d9d0f560e5

SHA1 hash:

f354c4a26d86b4b08e9efbea735847c39a91cf66

Link:

https://www.unpac.me/results/1152c3d5-74ef-4a05-a116-7ebbf04cc6bc/

SH256 hash:

39c2d879c57f07305ce60412dc8a88f02e51f1a14a06cc605768d1d7f5313807

MD5 hash:

db51fe170a9e5d6ec5429a2fbd9d0353

SHA1 hash:

e30a58125fc41322db6cf2ccb6a6d414ed379016

Link:

https://www.unpac.me/results/1152c3d5-74ef-4a05-a116-7ebbf04cc6bc/

SH256 hash:

7733725d577b72dd0b4834a99a4fcf1f0021ce9442a4553e058c68907bf0780a

MD5 hash:

33bbd862745c5804939b30a65f91c2ad

SHA1 hash:

86bc66c590356f7d49354d303a46ac9530126b13

Link:

https://www.unpac.me/results/1152c3d5-74ef-4a05-a116-7ebbf04cc6bc/

SH256 hash:

13ca2f7a55b98e1890983122e67935c97e6d9df4429279d49a1324c6d56f0451

MD5 hash:

8b3a92a3409ae046bf3dc0753fcf8685

SHA1 hash:

4455c3efa2bf569f6d180063bb1e104a22581d61

Link:

https://www.unpac.me/results/1152c3d5-74ef-4a05-a116-7ebbf04cc6bc/

SH256 hash:

e44cd49ff7afa6f66cad4220efde83538494008c68158657925413cd03f11fdf

MD5 hash:

ec030c8f65a9d6bfe9507a4028232944

SHA1 hash:

2c36d3e00f0711966929e8f2c2195283b27cdcb2

Detections:

win_azorult_g1

win_azorult_auto

Link:

https://www.unpac.me/results/1152c3d5-74ef-4a05-a116-7ebbf04cc6bc/

Parent samples :

8ebca92cff949147d2dc62e0848458e51dba3063d18e370fe6ec5f6e985b7565
345b8e5f00f4098adb7da24313f6ec5a5b62ef848a8174c179097a7129850f64
5beefafe5567bd6707eed0bd46ed653a71816ffe4491e4c205dd899bbf002849
222ea7dd246109361c6a6b95f412e89376a4511f648709edbfeab959626c82be
ac05aaf10b6b112f0279ef5b5671079ab2343637fa903d587bb04dc76c829fa0
018b6eeb6fe09ffa600b34fe28c54144db3660728df29ca36c1ecfe51efa5041
489a08f890366aa554ec45fdea5f51ef79728ef030c5e83b119ad65655c79749
9b26b242e62b7ed9f8bf214f0b752866e83f13981e11b9e7c70d5aeb0cbb0f5d
93ad84ccbfa42d17d6690e0e7f6babe73ab64a672f2a1b1ab68004830efc6c6d
c5f1d36f5b7f70ffab8b430c730ff5b4a20d21cef6218e751ebd4feadb896b87

SH256 hash:

489a08f890366aa554ec45fdea5f51ef79728ef030c5e83b119ad65655c79749

MD5 hash:

9a8ba26ff48ee22159d183e283208b5e

SHA1 hash:

fb8d4634d3e5db17c594dd210f8459d2f45c15a5

Link:

https://www.unpac.me/results/1152c3d5-74ef-4a05-a116-7ebbf04cc6bc/

Malware family:

AZORult v3

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/489a08f89036/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/489a08f890366aa554ec45fdea5f51ef79728ef030c5e83b119ad65655c79749

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AZORult

exe 489a08f890366aa554ec45fdea5f51ef79728ef030c5e83b119ad65655c79749

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2259767/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/295119/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample