MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 574160cf91a41cea081212190b89a928a136c0861891f8e65ed9dcadfc8dc7f7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AZORult

Vendor detections: 12

Intelligence 12 IOCs YARA File information Comments

SHA256 hash:	574160cf91a41cea081212190b89a928a136c0861891f8e65ed9dcadfc8dc7f7
SHA3-384 hash:	b1a7854474ea70db7830211d3ebd296ed99e2088b69447eaabefd4a583df51f57c0275ecc910c30bb4114d088d7c4217
SHA1 hash:	9dbe346f3a587a0cf9f00cc9d29bf1b672e7cbc4
MD5 hash:	1abb6d59e8b9a150b96c522ad2b846ab
humanhash:	lion-batman-fish-quiet
File name:	1abb6d59e8b9a150b96c522ad2b846ab.exe
Download:	download sample
Signature	AZORult Create hunting rule
File size:	283'136 bytes
First seen:	2021-02-24 07:41:17 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep	6144:wd1ZByWI+69XQ3YsgHhQFrWTQ6g0I+O51+/98vu:irEr9XQ3Y9RkP0Hl
Threatray	667 similar samples on MalwareBazaar
TLSH	1854F10522E52716D9BE73F6B669B15827B574220536F72C4FD6A0F62363380C922F3B
Reporter	abuse_ch
Tags:	AZORult exe

abuse_ch

AZORult C2:
http://66.175.232.221/index.php

Intelligence

File Origin

# of uploads :

# of downloads :

279

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

1abb6d59e8b9a150b96c522ad2b846ab.exe

Verdict:

Malicious activity

Analysis date:

2021-02-24 07:55:18 UTC

Tags:

trojan rat azorult stealer

Link:

https://app.any.run/tasks/bf6f98d2-0cec-43b5-a17c-da35a08807f6

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Azorult

Link:

https://www.capesandbox.com/analysis/118897/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

Sending an HTTP POST request

Creating a file in the %temp% subdirectories

Deleting a recently created file

Reading critical registry keys

Stealing user critical data

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

AZORult

Detection:

malicious

Classification:

spyw.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/616330

Signature

Detected AZORult Info Stealer

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Azorult

Yara detected Azorult Info Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

azorult

Link:

https://mwdb.cert.pl/sample/574160cf91a41cea081212190b89a928a136c0861891f8e65ed9dcadfc8dc7f7/

Threat name:

ByteCode-MSIL.Trojan.Wacatac

Status:

Malicious

First seen:

2021-02-24 07:42:07 UTC

AV detection:

22 of 47 (46.81%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=k5awbt4ruqooucascimqxcnjfcqtnqegdci7rzs63hok37eny73q._file

Verdict:

malicious

Label(s):

azorult

Result

Malware family:

azorult

Score:

10/10

Tags:

family:azorult discovery infostealer spyware trojan

Link:

https://tria.ge/reports/210224-a6vq37awx2/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Azorult

Malware Config

C2 Extraction:

http://66.175.232.221/index.php

Unpacked files

SH256 hash:

dc62bfcdd20ab3011bf28d151648718a405f2a5982509283024452b8c1b7475a

MD5 hash:

d01f92392769d144125902359db98ef4

SHA1 hash:

94dbd9d0442289e505f9e0a8e9467945a0bd42f1

Detections:

win_azorult_g1

win_azorult_auto

Link:

https://www.unpac.me/results/7cb84fcd-8e5d-4a98-972c-5ed1e92429e6/

Parent samples :

7a35b049c51fa00fae2d23989b2f7d750192b7273bca788b6f717d645dbf8061
574160cf91a41cea081212190b89a928a136c0861891f8e65ed9dcadfc8dc7f7

SH256 hash:

a9f05c9630cb0b78bdae90db045f4ee287ca630a4898e3bf475199454e0c9612

MD5 hash:

49a0a51f065a38c98fe8323039872949

SHA1 hash:

5691431ba92b446989a54a9641717191e894e6a7

Link:

https://www.unpac.me/results/7cb84fcd-8e5d-4a98-972c-5ed1e92429e6/

SH256 hash:

1bd8fb9df983cc585de8ac62f5dcc0022189025a503ed20396dd37daad60016b

MD5 hash:

b5065300b1a853668ff24e3228f07ef3

SHA1 hash:

38a27b43d9781e05521321df62180cdea37c6463

Link:

https://www.unpac.me/results/7cb84fcd-8e5d-4a98-972c-5ed1e92429e6/

SH256 hash:

574160cf91a41cea081212190b89a928a136c0861891f8e65ed9dcadfc8dc7f7

MD5 hash:

1abb6d59e8b9a150b96c522ad2b846ab

SHA1 hash:

9dbe346f3a587a0cf9f00cc9d29bf1b672e7cbc4

Link:

https://www.unpac.me/results/7cb84fcd-8e5d-4a98-972c-5ed1e92429e6/

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AZORult

exe 574160cf91a41cea081212190b89a928a136c0861891f8e65ed9dcadfc8dc7f7

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1023467/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/118897/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample