MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 51ffc376dde04db8dbfb25037a897f9b8bf571810b7f4b0f5ce0077326f04664. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 11


Intelligence 11 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 51ffc376dde04db8dbfb25037a897f9b8bf571810b7f4b0f5ce0077326f04664
SHA3-384 hash: e5b44210b5cdb6d252aebff565c01a91a0515cbf678c8fb2fa6736483c0ec2a58b0b8d9163cacdc4c653f407245d62a1
SHA1 hash: 29b927fa14e59c86cc3524fba290aafc411d7068
MD5 hash: b8cee04bfc5f94eb52a2da1eb7176372
humanhash: stairway-bakerloo-sad-eighteen
File name:Kredi karti bildirisi.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:416'739 bytes
First seen:2021-07-05 06:50:45 UTC
Last seen:2021-07-05 07:54:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ced282d9b261d1462772017fe2f6972b (127 x Formbook, 113 x GuLoader, 70 x RemcosRAT)
ssdeep 12288:QFBZWt/iZ18EyNy9lpWyGZGGgkWV64yYD:KUiZ18/Ny9lp99IWVAYD
Threatray 1'765 similar samples on MalwareBazaar
TLSH 8194F146FB56CD17C2112AB009B5CA3DA67ADE842825C30B6BD6BFBF7E357D26C05042
Reporter abuse_ch
Tags:AZORult exe


Avatar
abuse_ch
AZORult C2:
http://2.56.59.45/index.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://2.56.59.45/index.php https://threatfox.abuse.ch/ioc/157584/

Intelligence

File Origin
# of uploads :
2
# of downloads :
254
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Kredi karti bildirisi.exe
Verdict:
Malicious activity
Analysis date:
2021-07-05 06:51:59 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5b0d1355-066c-4731-96a1-b6a87c4d286f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/169692/
Detection(s):
SecuriteInfo.com.Zum.Androm.1.2548.2426.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AZORult
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e2ab85fc-ec75-45f3-967c-c76537d1b759
Result
Threat name:
Azorult
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/811729
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Yara detected Azorult
Yara detected Azorult Info Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/51ffc376dde04db8dbfb25037a897f9b8bf571810b7f4b0f5ce0077326f04664/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-07-05 02:44:42 UTC
AV detection:
13 of 46 (28.26%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=kh74g5w54bg3rw73eubxvcl7tof7k4mbbn7uwd244adxgjxqizsa._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
Similar samples:
00abb153d9c1ca15ef57d38ae6934fc36a94ec98f26e233fcf71fb32def57d44
AZORult
25bff5f2080e1071fa169deb5b4d12c40c56567d479dc81f86d79d4f3e5f9a90
AZORult
35430ac0f0f05a4072adaee7a3f5d5ff2ca6ee5eaeb04eca6cc969be7098d908
AZORult
58b8457797f88443a07f9c033039776fa7c5834eeee4d4b5af353ab159bd85e8
AZORult
5af2bcd6e1359e4f5ff0b1f0d91397edb7dfeb3b6e5fef9cb73fd0bbf907b161
AZORult
624e5509cedfb8121623c45d583c18e8fc351bf881aafb5c2de521fccba60240
AZORult
65d873e82fc6d0e63a224589cdee5551f2d98c313e19adbc9799ef17ae493a8f
AZORult
6e4da46962c65c24ebe731eba3468420a3a0a28cdc923e82396f1b8cedd05da1
AZORult
dec7973b7b46dc29aed45c6eb5919f31abe3b5efe17f73c01f506faf06e80e00
AZORult
e3fe60d8a1026a8919ef0dc81ad619db81d992a7f653a1996689f8e35b320c9a
AZORult
+ 1'755 additional samples on MalwareBazaar
Result
Malware family:
azorult
Create hunting rule
Score:
  10/10
Tags:
family:azorult discovery infostealer spyware stealer trojan
Link:
https://tria.ge/reports/210705-l2tkn32xzs/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Azorult
Unpacked files
SH256 hash:
a6ab0d8a33141674c691a47b6c2d56f2acb63face074a35de1e26b2bdb808579
MD5 hash:
181c0a0369908d2fb3f6272eb8c77bf3
SHA1 hash:
4badf1db2943057f2ef7c76b8200e4d9e3b06c1a
Link:
https://www.unpac.me/results/e8a64256-e99c-4c40-9acc-f38c97d99a2b/
SH256 hash:
a89fff5ddc788eb1758b6f403cc6c69ced460bbdb21e971bde9e20d450b9e8a1
MD5 hash:
62a25fcb4c47bd131328a97662ff9d5b
SHA1 hash:
1967ac24784ca61fcca836bee74528d946c616f7
Detections:
win_azorult_g1
Create hunting rule
win_azorult_auto
Create hunting rule
Link:
https://www.unpac.me/results/e8a64256-e99c-4c40-9acc-f38c97d99a2b/
Parent samples :
00abb153d9c1ca15ef57d38ae6934fc36a94ec98f26e233fcf71fb32def57d44
51ffc376dde04db8dbfb25037a897f9b8bf571810b7f4b0f5ce0077326f04664
a800f3aefe262ccf51d647a154e8db7195ff6e4a360ec3f84586f763abff19fd
3237df10a8553e3e68910681cd522310e4f8155775531adc6f5804e50e7192de
SH256 hash:
51ffc376dde04db8dbfb25037a897f9b8bf571810b7f4b0f5ce0077326f04664
MD5 hash:
b8cee04bfc5f94eb52a2da1eb7176372
SHA1 hash:
29b927fa14e59c86cc3524fba290aafc411d7068
Link:
https://www.unpac.me/results/e8a64256-e99c-4c40-9acc-f38c97d99a2b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.67
Link:
https://yomi.yoroi.company/submissions/51ffc376dde04db8dbfb25037a897f9b8bf571810b7f4b0f5ce0077326f04664

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/169692/

Comments