MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5141cf1cc509f7a278f285513f053cd4ac8fb41a3f05d4da541ba23c778fb99f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AZORult

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	5141cf1cc509f7a278f285513f053cd4ac8fb41a3f05d4da541ba23c778fb99f
SHA3-384 hash:	412b46cf50adb94593c7d77559a3fc27f539a00de0ce7992054b76f7a22d3ca9976423e0be019b5765834bedd6f8deef
SHA1 hash:	a5042ca6ec915cd067a3e064086bed21e15f4f0f
MD5 hash:	b755b4b81b94a32ae90ab15d4b4346cd
humanhash:	harry-mirror-river-avocado
File name:	gunzipped
Download:	download sample
Signature	AZORult Create hunting rule
File size:	440'320 bytes
First seen:	2020-10-09 06:27:07 UTC
Last seen:	2020-10-09 08:02:59 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	6144:uSi5Za+LXdkcmt21Ru6dT5WRYFGNB4WZxwRdNBKyYV:uSivlLmcmILdT5WC0D4WXw0ya
Threatray	467 similar samples on MalwareBazaar
TLSH	29948EB3BD46887EDD9A47B18C7649B0A46352CE3E63490F318F631C4A62713235B66F
Reporter	abuse_ch
Tags:	AZORult geo SARS ZAF

abuse_ch

Malspam distributing unidentified malware:

HELO: host.noanfair.com
Sending IP: 69.64.34.145
From: noreply@sars.gov.za
Subject: Notification from SARS: (You have been Listed as a DEFAULTER)
Attachment: Notification from SARS You have been Listed as a DEFAULTER.gz (contains "gunzipped")

Intelligence

File Origin

# of uploads :

# of downloads :

193

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Azorult

Link:

https://www.capesandbox.com/analysis/69435/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a file in the %temp% subdirectories

Creating a window

Unauthorized injection to a recently created process

Creating a file

Launching the default Windows debugger (dwwin.exe)

Result

Threat name:

Azorult

Detection:

malicious

Classification:

spyw.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/486336

Signature

.NET source code contains very large array initializations

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect virtualization through RDTSC time measurements

Yara detected Azorult

Yara detected Azorult Info Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

azorult

Link:

https://mwdb.cert.pl/sample/5141cf1cc509f7a278f285513f053cd4ac8fb41a3f05d4da541ba23c778fb99f/

Threat name:

ByteCode-MSIL.Infostealer.Maslog

Status:

Malicious

First seen:

2020-10-08 17:07:31 UTC

AV detection:

23 of 29 (79.31%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=kfa46hgfbh32e6hsqvit6bj42swi7na2h4c5jwsudordy54pxgpq._file

Verdict:

malicious

Label(s):

azorult

Result

Malware family:

azorult

Score:

10/10

Tags:

trojan infostealer family:azorult

Link:

https://tria.ge/reports/201009-m6yc1yypce/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Loads dropped DLL

Azorult

Malware Config

C2 Extraction:

http://185.239.242.174/oew/index.php

Unpacked files

SH256 hash:

c0c377b1a36fda32f21d50bc4ac61f674b580b2eb9004b949a45251fa68604e7

MD5 hash:

8f79fa04023e87ba413f991d360aa5b2

SHA1 hash:

011144b8bf031d42bd7516ab27bbb926692af481

Detections:

win_azorult_g1

win_azorult_auto

Link:

https://www.unpac.me/results/b9bca8c8-1182-4e60-901c-0e04d7b78e92/

SH256 hash:

19d9922060be89a70b76e5c0056e751f1baa5d41819235c92cf4f5d7668e1267

MD5 hash:

811864a0b06c529af894a7fec6ddbf47

SHA1 hash:

d35b82933eb06a6ec60e8cbbdb65eb6cdcaeb6d2

Link:

https://www.unpac.me/results/b9bca8c8-1182-4e60-901c-0e04d7b78e92/

Parent samples :

afa2f55e149097f9b250142bbfd94d9d56d10649c96adb079fdb0dfdac7c6660
69e2ae11e1b5cbe120bf02301191a1cf05e87fc09b09d63bd782abbf3615d05d
0b778873c94f6bc89a40294c0e85a38ab82509260cd2a2e8b73d00c5c90e8757
7ddfa6f44a60f4b894321f6977f8121cfb371c3c61ac872c58ba61fd5ee13deb

SH256 hash:

f8bee4108a324df32ad5a2ebafa6b7f411402a21e2598cf9db66486970f80fdd

MD5 hash:

a92da98ff6f5ae608503d074617bcc2a

SHA1 hash:

d3eafcccca011bb3a7a5ae52dd9704ceafcde472

Link:

https://www.unpac.me/results/b9bca8c8-1182-4e60-901c-0e04d7b78e92/

SH256 hash:

e3f3f21f1da73f127615d0ce7f20b1159facd9b5015ef223de73dddbcdf1f59a

MD5 hash:

7a4f8f06291d4cff66c36c4963e2d0e6

SHA1 hash:

dfe8b19e175fb63bd891664e11e9f7fa646f4bf1

Link:

https://www.unpac.me/results/b9bca8c8-1182-4e60-901c-0e04d7b78e92/

SH256 hash:

5141cf1cc509f7a278f285513f053cd4ac8fb41a3f05d4da541ba23c778fb99f

MD5 hash:

b755b4b81b94a32ae90ab15d4b4346cd

SHA1 hash:

a5042ca6ec915cd067a3e064086bed21e15f4f0f

Link:

https://www.unpac.me/results/b9bca8c8-1182-4e60-901c-0e04d7b78e92/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5141cf1cc509f7a278f285513f053cd4ac8fb41a3f05d4da541ba23c778fb99f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AZORult

gz 3f5788531cd8948998d9a6f7021158f07862d0fea84810e81d4a38b016fb4d9a

AZORult

exe 5141cf1cc509f7a278f285513f053cd4ac8fb41a3f05d4da541ba23c778fb99f

(this sample)

Dropped by

MD5 b7dece466bd2be275f0304b7eba785ef

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/69435/

Dropped by

SHA256 3f5788531cd8948998d9a6f7021158f07862d0fea84810e81d4a38b016fb4d9a

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample