MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 523bf45e4e7511b39fc1b016741a8f34f7356e7786ea6078c7b96024dd1ba4e4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Threat unknown
Vendor detections: 3
| SHA256 hash: | 523bf45e4e7511b39fc1b016741a8f34f7356e7786ea6078c7b96024dd1ba4e4 |
|---|---|
| SHA3-384 hash: | 72167945fac6d51e068263ac3874da1061b4746c8ed52e333cde4a431e8454a639df2e39995917046dac8e91d7445b05 |
| SHA1 hash: | 9f45948032792f3c2e6c1078cd33f076835ec690 |
| MD5 hash: | d4328584a7563adcb63e6ae0e3ca99c2 |
| humanhash: | harry-crazy-pip-romeo |
| File name: | FlashToolDriver.exe |
| Download: | download sample |
| File size: | 133'352 bytes |
| First seen: | 2020-04-06 23:41:44 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | 0d7ce0d9a7e91e434ba43ea385abcc11 |
| ssdeep | 1536:nC81JMR4/xV0Obnc5jPHbHLCR8XDclxOMBNEL634Y0CiZKtnNTx+2MRe13aQUfK:C81JZV/+MwwrBNELLY0TctZxVaG |
| Threatray | 285 similar samples on MalwareBazaar |
| TLSH | 95D39D21B2A188B3D9635B30D0F195355F7BBC0237F0C9DB1798093A5FA1BC059A93BA |
| Reporter |  Jacob_Pimental |
Code Signing Certificate
| Organisation: | Martin Prikryl |
|---|---|
| Issuer: | DigiCert SHA2 Assured ID Code Signing CA |
| Algorithm: | sha256WithRSAEncryption |
| Valid from: | Nov 13 00:00:00 2019 GMT |
| Valid to: | Feb 10 12:00:00 2023 GMT |
| Serial number: | 01A2A8E4D5EE07A73160B522C6F95177 |
| Thumbprint Algorithm: | SHA256 |
| Thumbprint: | 41A15A31CBDA4FABC9F1EFBB6358551E5A96C2A47CF80CD08B14F5CEDEDCCF0F |
| Source: | This information was brought to you by ReversingLabs A1000 Malware Analysis Platform |
Jacob_Pimental
Hosted on coronavirus-esri[.]com map. Loaded by malicious javascript aveflash.js, which pops up a fake flash update window.Intelligence
File Origin
# of uploads :
1
# of downloads :
81
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Gathering data
Threat name:
Win32.Trojan.Azorult
Status:
Malicious
First seen:
2020-04-07 00:35:37 UTC
File Type:
PE (Exe)
Extracted files:
17
AV detection:
24 of 31 (77.42%)
Threat level:
5/5
Verdict:
malicious
Similar samples:
+ 275 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Delivery method
Distributed via drive-by
BLint
The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.
Findings
| ID | Title | Severity |
|---|---|---|
| CHECK_AUTHENTICODE | Missing Authenticode | high |
| CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high |
| CHECK_PIE | Missing Position-Independent Executable (PIE) Protection | high |
Reviews
| ID | Capabilities | Evidence |
|---|---|---|
| WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::OpenProcess |
| WIN_BASE_API | Uses Win Base API | KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryW KERNEL32.dll::GetStartupInfoW KERNEL32.dll::GetCommandLineA |
| WIN_BASE_EXEC_API | Can Execute other programs | KERNEL32.dll::FlushConsoleInputBuffer KERNEL32.dll::SetConsoleCtrlHandler KERNEL32.dll::GetConsoleAliasesLengthW |
| WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::GetWindowsDirectoryW |
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.