MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 57f0ed548834dae8947ee1e4ef77b1780cf929af0aa406dcf2b4e06298607809. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 9


Intelligence 9 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 57f0ed548834dae8947ee1e4ef77b1780cf929af0aa406dcf2b4e06298607809
SHA3-384 hash: 1831ad6e6eb9e58d2a3626e27204f126c64c617804c68ad8dc0510c061e16cba88f6b3b52898ec4d82ec966856d7d738
SHA1 hash: 58a0f69a9c743639e2a901b76e97edda4a154226
MD5 hash: 30252d98648e426c70287bb4f0f4b8fb
humanhash: mockingbird-sad-april-fourteen
File name:RECEIPT_pdf.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:8'192 bytes
First seen:2021-08-05 05:45:45 UTC
Last seen:2021-08-05 07:21:53 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 96:Rn227jpP06Dm53Xr9Zsr5+XzYeoTbWqTxx7ic53pAfdtDG1zNt:R5jBy537bsr5uYLTbWqTZ5yfd5c
Threatray 2'116 similar samples on MalwareBazaar
TLSH T1A4F10912B7DCC332D9790E365C6652400775EB4ACC6B9B6E988C212BAF6730146E3BB1
Reporter cocaman
Tags:AZORult DHL exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
521
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RECEIPT_pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-08-05 05:49:21 UTC
Tags:
trojan rat azorult stealer
Link:
https://app.any.run/tasks/d565a1b4-b009-4fb3-b5df-8cc84151ed0b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Azorult
Create hunting rule
Link:
https://www.capesandbox.com/analysis/176513/
Detection(s):
SecuriteInfo.com.generic.ml.1386.3158.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/720e5589-ffd5-41ed-aa48-fab4785b0679
Result
Threat name:
Azorult
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/827882
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
DLL side loading technique detected
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected Azorult
Yara detected Azorult Info Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 460311 Sample: RECEIPT_pdf.exe Startdate: 06/08/2021 Architecture: WINDOWS Score: 100 43 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->43 45 Found malware configuration 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 9 other signatures 2->49 7 RECEIPT_pdf.exe 15 4 2->7         started        process3 dnsIp4 29 us-east-1.route-1.000webhost.awex.io 145.14.144.71, 443, 49715 AWEXUS Netherlands 7->29 31 gjgjfxfghghkfffgdh.000webhostapp.com 7->31 19 C:\Users\user\AppData\Local\Temp\tfdf.exe, PE32 7->19 dropped 11 tfdf.exe 1 7->11         started        file5 process6 signatures7 51 Writes to foreign memory regions 11->51 53 Allocates memory in foreign processes 11->53 55 Injects a PE file into a foreign processes 11->55 14 aspnet_compiler.exe 66 11->14         started        process8 dnsIp9 33 37.0.10.99, 49716, 49717, 80 WKD-ASIE Netherlands 14->33 21 C:\Users\user\AppData\Local\Temp\...\nss3.dll, PE32 14->21 dropped 23 C:\Users\user\AppData\Local\...\mozglue.dll, PE32 14->23 dropped 25 C:\Users\user\AppData\...\vcruntime140.dll, PE32 14->25 dropped 27 45 other files (none is malicious) 14->27 dropped 35 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->35 37 Tries to steal Instant Messenger accounts or passwords 14->37 39 Tries to steal Mail credentials (via file access) 14->39 41 5 other signatures 14->41 file10 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/57f0ed548834dae8947ee1e4ef77b1780cf929af0aa406dcf2b4e06298607809/
Threat name:
ByteCode-MSIL.Infostealer.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-08-05 05:33:49 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
11 of 47 (23.40%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=k7yo2veigtnorfd64hso655rpagpsknpbksanxhswtqgfgdapaeq._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
Similar samples:
0aa073f803751232d5a4157156ff58c220898cdf2c729a55fd611ba95bffdb00
AZORult
83fb67804fa25e791c7871712005a006909d679d6846dffade6f02470c8a849d
AZORult
96ef205b273f3f89847c788c9b63797a5fcf899c4b25106f7a21ab57311e4c2a
AZORult
b0831c1f23202cd936470a346b97d37f39a27a364db9a15f3d2d5d33bb53de13
AZORult
b09035766d93ad0b6e6c4565c7ef9eafc3d8506c29f6a0c3b9103aa2e8527463
AZORult
b6f4d4c251aae9d522dc8f82d6f640eefc0d909e0213f0feb4a9d1f062367748
AZORult
c48be028ebc8c3168adaa7df28c47543872fda1f4ab507c9197ea295bf848e6b
AZORult
cff2f4cae0440ebd4c4e57589210b0198dc604006e0fb70c127add914c5be655
AZORult
+ 2'106 additional samples on MalwareBazaar
Result
Malware family:
azorult
Create hunting rule
Score:
  10/10
Tags:
family:azorult infostealer spyware stealer suricata trojan
Link:
https://tria.ge/reports/210805-vsgmgh6wje/
Behaviour
Checks processor information in registry
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Loads dropped DLL
Reads local data of messenger clients
Downloads MZ/PE file
Executes dropped EXE
Azorult
suricata: ET MALWARE AZORult v3.3 Server Response M2
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M18
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M3
Malware Config
C2 Extraction:
http://37.0.10.99/PL341/index.php
Unpacked files
SH256 hash:
57f0ed548834dae8947ee1e4ef77b1780cf929af0aa406dcf2b4e06298607809
MD5 hash:
30252d98648e426c70287bb4f0f4b8fb
SHA1 hash:
58a0f69a9c743639e2a901b76e97edda4a154226
Link:
https://www.unpac.me/results/0e582925-b8d2-47b4-8852-693ea7277339/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/57f0ed548834dae8947ee1e4ef77b1780cf929af0aa406dcf2b4e06298607809

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AZORult

rar c881770186468637dd024971988c9147593f437833e767e6ca252be27b7ca82b

AZORult

Executable exe 57f0ed548834dae8947ee1e4ef77b1780cf929af0aa406dcf2b4e06298607809

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 c881770186468637dd024971988c9147593f437833e767e6ca252be27b7ca82b
Cape
Cape
https://www.capesandbox.com/analysis/176513/

Comments