MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 57ba6e0a9c0804c9a3d239dc6fb2a6742f3a91b762741772dd3571e1cbec45f8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 57ba6e0a9c0804c9a3d239dc6fb2a6742f3a91b762741772dd3571e1cbec45f8
SHA3-384 hash: dac1a3ca3c32169632719bba2a675ef9aaec5b969d346903798f68dc813e6098c81eb2e4cc5a9ebbc63159155310a5ec
SHA1 hash: 72c210f8b80c755a6f5198ca6dea509872dee98a
MD5 hash: 50d9ad764597d6970f0480b58c4cf88e
humanhash: spaghetti-nine-equal-twelve
File name:bin-cr.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:2'196'992 bytes
First seen:2023-04-13 06:37:23 UTC
Last seen:2023-04-13 09:32:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:opwU6X5VuMFwg1SkQpRzFabsmVnR/ChijkYHGo5ExFNIprhIw0cNN4CJP6SSTzny:owVuMF5rbNWijJmA0cP42Jr
Threatray 435 similar samples on MalwareBazaar
TLSH T123A5D0B202D9BDC8E3FA1DF9E49315000ED86C77623CD3697CCA349A25B9654ED52EB0
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon f8d8888898a898b8 (3 x AZORult, 2 x AgentTesla, 1 x DarkCloud)
Reporter JAMESWT_WT
Tags:AZORult exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
334
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
doc220689990507.xlsm
Verdict:
Malicious activity
Analysis date:
2023-04-13 06:16:51 UTC
Tags:
macros macros-on-open loader trojan
Link:
https://app.any.run/tasks/b1ee636a-9ee5-4d25-b4a9-ce22ceea5b5b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Azorult
Create hunting rule
Link:
https://www.capesandbox.com/analysis/381953/
Detection(s):
PUA.Win.Packer.Medvedev-6482674-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Creating a file
Searching for synchronization primitives
Creating a file in the %temp% directory
Creating a process from a recently created file
DNS request
Sending an HTTP POST request
Reading critical registry keys
Using the Windows Management Instrumentation requests
Running batch commands
Sending an HTTP GET request
Setting a keyboard event handler
Creating a window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Stealing user critical data
Query of malicious DNS domain
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
unsafe
Link:
https://www.filescan.io/uploads/6437a34b0c9f1744b585e867/reports/584acd71-833e-45bc-8391-4dab1c2eb393/overview
Verdict:
Malicious
Labled as:
MSILHeracles.Generic
Link:
https://www.hybrid-analysis.com/sample/57ba6e0a9c0804c9a3d239dc6fb2a6742f3a91b762741772dd3571e1cbec45f8
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8db61e9c-40da-401b-8a08-a413682fdc3e
Result
Threat name:
Azorult, Quasar
Create hunting rule
Detection:
malicious
Classification:
rans.phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1213049
Signature
.NET source code references suspicious native API functions
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Found potential ransomware demand text
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Uses dynamic DNS services
Yara detected Azorult
Yara detected Azorult Info Stealer
Yara detected Generic Downloader
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 845965 Sample: bin-cr.exe Startdate: 13/04/2023 Architecture: WINDOWS Score: 100 97 Snort IDS alert for network traffic 2->97 99 Multi AV Scanner detection for domain / URL 2->99 101 Malicious sample detected (through community Yara rule) 2->101 103 12 other signatures 2->103 9 bin-cr.exe 1 5 2->9         started        13 Gykujii.exe 2 2->13         started        15 Gykujii.exe 2->15         started        process3 file4 81 C:\Users\user\AppData\Roaming\...behaviorgraphykujii.exe, PE32 9->81 dropped 83 C:\Users\user\...behaviorgraphykujii.exe:Zone.Identifier, ASCII 9->83 dropped 85 C:\Users\user\AppData\...\bin-cr.exe.log, ASCII 9->85 dropped 119 Encrypted powershell cmdline option found 9->119 121 Injects a PE file into a foreign processes 9->121 17 bin-cr.exe 1 5 9->17         started        20 powershell.exe 16 9->20         started        123 Multi AV Scanner detection for dropped file 13->123 22 Gykujii.exe 13->22         started        24 powershell.exe 13->24         started        26 Gykujii.exe 13->26         started        28 Gykujii.exe 15->28         started        30 powershell.exe 15->30         started        32 Gykujii.exe 15->32         started        signatures5 process6 file7 61 C:\Users\user\AppData\...\FB_2ED7.tmp.exe, PE32 17->61 dropped 63 C:\Users\user\AppData\...\FB_2AEE.tmp.exe, PE32 17->63 dropped 34 FB_2AEE.tmp.exe 63 17->34         started        39 FB_2ED7.tmp.exe 15 4 17->39         started        41 conhost.exe 20->41         started        65 C:\Users\user\AppData\...\FB_F3DD.tmp.exe, PE32 22->65 dropped 67 C:\Users\user\AppData\...\FB_EEFA.tmp.exe, PE32 22->67 dropped 43 FB_EEFA.tmp.exe 22->43         started        45 FB_F3DD.tmp.exe 22->45         started        47 conhost.exe 24->47         started        69 C:\Users\user\AppData\...\FB_1698.tmp.exe, PE32 28->69 dropped 71 C:\Users\user\AppData\...\FB_11B5.tmp.exe, PE32 28->71 dropped 49 FB_11B5.tmp.exe 28->49         started        51 FB_1698.tmp.exe 28->51         started        53 conhost.exe 30->53         started        process8 dnsIp9 87 dblg023.shop 188.114.96.7, 49684, 49687, 49689 CLOUDFLARENETUS European Union 34->87 73 C:\Users\user\AppData\...\vcruntime140.dll, PE32 34->73 dropped 75 C:\Users\user\AppData\Local\...\ucrtbase.dll, PE32 34->75 dropped 77 C:\Users\user\AppData\Local\...\softokn3.dll, PE32 34->77 dropped 79 45 other files (none is malicious) 34->79 dropped 105 Multi AV Scanner detection for dropped file 34->105 107 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 34->107 109 Tries to steal Instant Messenger accounts or passwords 34->109 117 5 other signatures 34->117 55 cmd.exe 34->55         started        89 19ap22.duckdns.org 185.246.220.65, 100 LVLT-10753US Germany 39->89 91 ip-api.com 208.95.112.1, 49685, 80 TUT-ASUS United States 39->91 111 May check the online IP address of the machine 39->111 113 Hides that the sample has been downloaded from the Internet (zone.identifier) 39->113 115 Installs a global keyboard hook 39->115 93 192.168.2.1 unknown unknown 43->93 95 188.114.97.7, 49690, 80 CLOUDFLARENETUS European Union 49->95 file10 signatures11 process12 process13 57 conhost.exe 55->57         started        59 timeout.exe 55->59         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/57ba6e0a9c0804c9a3d239dc6fb2a6742f3a91b762741772dd3571e1cbec45f8/
Threat name:
ByteCode-MSIL.Trojan.Zilla
Create hunting rule
Status:
Malicious
First seen:
2023-04-13 00:07:28 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=k65g4cu4bacmti6shhog7mvgoqxtvenxmj2bo4w5gvy6ds7mix4a._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
Similar samples:
4fafe7319dc4a4277a09863f72cbd14328e1607cdee608bc9f65945ec8055848
AZORult
5c395df95b067f10c115f92e193d7f61bc6ce05eefb20bfc86aac86f278e0600
AZORult
672d98cad4d5aab1bea0ab262b4f154bb877844a61e742416ac73ed723f1cb99
AZORult
7431f9ba6aec04eac9673c804378df129f167a06927649ec7aca9872fb15f14b
AZORult
7734febb4536d9beba17dd873a7c244a70bb37fd6bf6e3e66ebe703f5edba3de
AZORult
a98fb020ed1b1b79495423933331d152b65d0db7947e403bdebe41f999540e6d
AZORult
f2833315c599f86d9a2f1d020ae68f39329c8b43401b8e03eecca32c5bf014ea
AZORult
+ 425 additional samples on MalwareBazaar
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:azorult family:quasar botnet:apr collection discovery infostealer persistence spyware stealer trojan
Link:
https://tria.ge/reports/230413-hd2spshh29/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Azorult
Quasar RAT
Quasar payload
Malware Config
C2 Extraction:
http://dblg023.shop/bill1/index.php
19ap22.duckdns.org:100
Unpacked files
SH256 hash:
57ba6e0a9c0804c9a3d239dc6fb2a6742f3a91b762741772dd3571e1cbec45f8
MD5 hash:
50d9ad764597d6970f0480b58c4cf88e
SHA1 hash:
72c210f8b80c755a6f5198ca6dea509872dee98a
Link:
https://www.unpac.me/results/488e77aa-a81f-43ae-89df-3d51df2adac2/
Malware family:
xRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/57ba6e0a9c08/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Azorult
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/57ba6e0a9c0804c9a3d239dc6fb2a6742f3a91b762741772dd3571e1cbec45f8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AZORult

Executable exe 57ba6e0a9c0804c9a3d239dc6fb2a6742f3a91b762741772dd3571e1cbec45f8

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2608085/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/381953/

Comments