MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5a4f75c16948eb90210b50a2af901dad431a231d5a4406ce55dad0cd943d5cd0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 12


Intelligence 12 IOCs YARA 14 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5a4f75c16948eb90210b50a2af901dad431a231d5a4406ce55dad0cd943d5cd0
SHA3-384 hash: 7a745da9228265db036e31f3682d63808658517baaa34e8621fd5b569e573c330157278a555c4e476917aefa61c123ee
SHA1 hash: 38775ccd39a07b43c44bc594cbc8a82568344c42
MD5 hash: 7449e5bb4addcc1dd60911531bcf089f
humanhash: xray-grey-pluto-quiet
File name:7449e5bb4addcc1dd60911531bcf089f.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:987'136 bytes
First seen:2021-06-04 07:21:28 UTC
Last seen:2021-06-04 07:58:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6930eddef69ab61e6824340dff912310 (2 x AZORult, 2 x BitRAT, 1 x Amadey)
ssdeep 24576:Scni3Tkxhkd3wia5AJWMqJMC8aVchC4khshH22zNh4M:Scn22hkd/XJ1q18am4ghH22EM
Threatray 2'872 similar samples on MalwareBazaar
TLSH 5625E11F7BBA4572F0024AB81A865AD043FDB877775B590FE745A6283EF2F814890363
Reporter abuse_ch
Tags:AZORult exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
404
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
7449e5bb4addcc1dd60911531bcf089f.exe
Verdict:
Malicious activity
Analysis date:
2021-06-04 07:29:05 UTC
Tags:
trojan stealer vidar rat azorult loader raccoon remcos
Link:
https://app.any.run/tasks/1f64df90-8d5a-40c2-b22d-0fb4d193886d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Raccoon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/164558/
Detection(s):
SecuriteInfo.com.Mal.Generic-S.1176.16654.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% directory
Creating a process from a recently created file
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Azorult Raccoon
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/797160
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to steal Internet Explorer form passwords
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Sigma detected: Executable Used by PlugX in Uncommon Location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Azorult
Yara detected Azorult Info Stealer
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 429557 Sample: FIBsWFTVMw.exe Startdate: 04/06/2021 Architecture: WINDOWS Score: 100 107 brudfascaqezd.ac.ug 2->107 109 nothinglike.ac.ug 2->109 111 cdn.discordapp.com 2->111 133 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->133 135 Found malware configuration 2->135 137 Malicious sample detected (through community Yara rule) 2->137 139 11 other signatures 2->139 12 FIBsWFTVMw.exe 16 2->12         started        16 sqlcmd.exe 2->16         started        signatures3 process4 file5 87 C:\Users\user\AppData\...\FDfsdgdvca.exe, PE32 12->87 dropped 89 C:\Users\user\AppData\...\FDdgrhfgdfx.exe, PE32 12->89 dropped 147 Contains functionality to steal Internet Explorer form passwords 12->147 149 Maps a DLL or memory area into another process 12->149 18 FDfsdgdvca.exe 4 12->18         started        21 FIBsWFTVMw.exe 88 12->21         started        25 FDdgrhfgdfx.exe 4 12->25         started        signatures6 process7 dnsIp8 129 Maps a DLL or memory area into another process 18->129 27 FDfsdgdvca.exe 72 18->27         started        113 tttttt.me 95.216.186.40, 443, 49736 HETZNER-ASDE Germany 21->113 115 34.88.140.135, 49737, 80 GOOGLEUS United States 21->115 77 C:\Users\user\AppData\...\cGshBgPift.exe, PE32 21->77 dropped 79 C:\Users\user\AppData\...\WGIqBKpmgK.exe, PE32 21->79 dropped 81 C:\Users\user\AppData\...\VVZ0VwdmJP.exe, PE32 21->81 dropped 83 61 other files (none is malicious) 21->83 dropped 131 Tries to steal Mail credentials (via file access) 21->131 32 BvxF5NTWW3.exe 21->32         started        34 VVZ0VwdmJP.exe 21->34         started        36 WGIqBKpmgK.exe 21->36         started        40 3 other processes 21->40 38 FDdgrhfgdfx.exe 188 25->38         started        file9 signatures10 process11 dnsIp12 121 veronika.ac.ug 27->121 123 192.168.2.1 unknown unknown 27->123 91 C:\Users\user\AppData\Local\Temp\rc.exe, PE32 27->91 dropped 93 C:\Users\user\AppData\Local\Temp\cc.exe, PE32 27->93 dropped 95 C:\Users\user\AppData\Local\Temp\ds2.exe, PE32 27->95 dropped 103 50 other files (none is malicious) 27->103 dropped 151 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 27->151 153 Tries to steal Instant Messenger accounts or passwords 27->153 155 Tries to steal Mail credentials (via file access) 27->155 159 3 other signatures 27->159 42 cc.exe 27->42         started        46 rc.exe 27->46         started        48 cmd.exe 27->48         started        52 3 other processes 27->52 125 cdn.discordapp.com 32->125 127 veronikaa.ac.ug 185.215.113.77, 49735, 49739, 49750 WHOLESALECONNECTIONSNL Portugal 38->127 97 C:\ProgramData\vcruntime140.dll, PE32 38->97 dropped 99 C:\ProgramData\sqlite3.dll, PE32 38->99 dropped 101 C:\ProgramData\softokn3.dll, PE32 38->101 dropped 105 4 other files (none is malicious) 38->105 dropped 157 Tries to steal Crypto Currency Wallets 38->157 50 cmd.exe 38->50         started        file13 signatures14 process15 dnsIp16 117 cdn.discordapp.com 162.159.130.233, 443, 49755, 49756 CLOUDFLARENETUS United States 42->117 141 Detected unpacking (overwrites its own PE header) 42->141 143 Uses schtasks.exe or at.exe to add and modify task schedules 42->143 145 Injects a PE file into a foreign processes 42->145 54 cc.exe 42->54         started        57 cmd.exe 42->57         started        119 162.159.133.233 CLOUDFLARENETUS United States 46->119 59 conhost.exe 48->59         started        61 timeout.exe 48->61         started        63 conhost.exe 50->63         started        65 taskkill.exe 50->65         started        signatures17 process18 file19 85 C:\Users\user\AppData\Roaming\...\sqlcmd.exe, PE32 54->85 dropped 67 schtasks.exe 54->67         started        69 cmd.exe 57->69         started        71 conhost.exe 57->71         started        process20 process21 73 conhost.exe 67->73         started        75 conhost.exe 69->75         started       
Detection:
azorult
Create hunting rule
Link:
https://mwdb.cert.pl/sample/5a4f75c16948eb90210b50a2af901dad431a231d5a4406ce55dad0cd943d5cd0/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-06-04 07:22:11 UTC
AV detection:
19 of 46 (41.30%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ljhxlqljjdvzaiilkcrk7ea5vvbruiy5ljcantsv3lim3fb5ltia._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
azorult
Create hunting rule
Similar samples:
0b02739c5fd7a7fa53410bc2287c42cf66a3a6d51ecc9570e76e4f0f8129f2d7
AZORult
3ec3b418b0e06128ef80ff02866d30c8071ba54066411760b6f71cab0f4c24f9
AZORult
6ef31a13d71d059d6e007fb2305c8e2d7615c3d468c9f2f4e023b45490b50787
AZORult
7f588ecbff9405b87fa5b809b52d0b667f19a09e47bafc2cf1f5f9d5f19f16c1
AZORult
8b1c960881fc789460b5b274abd43baddb1c92e1a942d3a1080a4adb1f545e50
AZORult
a8fb61732f9696d24e02dda47d2f12abe0d8968e130f05d2381bb7b5a93f3ec0
AZORult
a9b0a14beac57ba149a978c8f0996a4f4e70e003b80c67e631947c9dc3590154
AZORult
ac8a0b325adca9cc88fc6ee32c912024adfe5228024712e1c757183c51260d16
AZORult
c9c5b4b76ac69632d5f5931198adb5d21d214c72d8524ffc60d7d6bbcd44cf03
AZORult
d98fd8189273e4f4fcbb8b1d5b32459b5d7adcd6eaff9efef0c32ace0fdfab0e
AZORult
+ 2'862 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat family:azorult family:oski family:raccoon family:remcos botnet:67a1a4d96e0af06ab629d8d5c048c516a37dbc35 botnet:vvvvvvvvvv discovery evasion infostealer persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/210604-pqgd11asje/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies registry key
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Drops desktop.ini file(s)
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Windows security modification
Downloads MZ/PE file
Executes dropped EXE
Async RAT payload
AsyncRat
Azorult
Contains code to disable Windows Defender
Modifies Windows Defender Real-time Protection settings
Oski
Raccoon
Remcos
Malware Config
C2 Extraction:
http://195.245.112.115/index.php
veronikaa.ac.ug
nothinglike.ac.ug:6969
brudfascaqezd.ac.ug:6969
icando.ug:6970
icacxndo.ac.ug:6970
Unpacked files
SH256 hash:
42d7ff7d320791f272c50898d2daa754126ab5489c1ab65ef7c333fa9261794f
MD5 hash:
7747706ae48a4d3548bf25d19a7cf10f
SHA1 hash:
0358f560b55ae305a0c0e6181d28b7473ffca8e7
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/ceb49015-5dd1-46b9-a447-b98f9cc228e2/
Parent samples :
a9b0a14beac57ba149a978c8f0996a4f4e70e003b80c67e631947c9dc3590154
9528962252a217d88d24e372be0b977639c7d00f6777687adec8054eb8480784
5a4f75c16948eb90210b50a2af901dad431a231d5a4406ce55dad0cd943d5cd0
SH256 hash:
7afcfb19e1a6a6be6feda5f344aebfcf6c23ee8f54783a6f40d13910a331c5f2
MD5 hash:
f79fc28e4c6486587d3d4abfebece367
SHA1 hash:
3b353cf1f0ad0682361ddc58fdb4432bc3b441db
Detections:
win_oski_g0
Create hunting rule
win_oski_auto
Create hunting rule
Link:
https://www.unpac.me/results/ceb49015-5dd1-46b9-a447-b98f9cc228e2/
SH256 hash:
2ad5379a644db2781fcde19cb154003292826c5d986515e93c85b2bd45e90f87
MD5 hash:
7ec211f329ca4ee2f3cff9979ab136d8
SHA1 hash:
0086c0f7b72c67291930551a0b999e9ad850df42
Detections:
win_azorult_g1
Create hunting rule
win_azorult_auto
Create hunting rule
Link:
https://www.unpac.me/results/ceb49015-5dd1-46b9-a447-b98f9cc228e2/
SH256 hash:
5a4f75c16948eb90210b50a2af901dad431a231d5a4406ce55dad0cd943d5cd0
MD5 hash:
7449e5bb4addcc1dd60911531bcf089f
SHA1 hash:
38775ccd39a07b43c44bc594cbc8a82568344c42
Link:
https://www.unpac.me/results/ceb49015-5dd1-46b9-a447-b98f9cc228e2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5a4f75c16948eb90210b50a2af901dad431a231d5a4406ce55dad0cd943d5cd0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Azorult
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Azorult in memory
Reference:internal research
Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:MALWARE_Win_Raccoon
Create hunting rule
Author:ditekSHen
Description:Detects Raccoon/Racealer infostealer
Rule name:MALWARE_Win_Vidar
Create hunting rule
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:Steam_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Steam in files like avemaria
Rule name:Telegram_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Telegram in files like avemaria
Rule name:Trojan_W32_Gh0stMiancha_1_0_0
Create hunting rule
Rule name:Vidar
Create hunting rule
Author:kevoreilly
Description:Vidar Payload
Rule name:win_azorult_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_oski_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_vobfus_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AZORult

Executable exe 5a4f75c16948eb90210b50a2af901dad431a231d5a4406ce55dad0cd943d5cd0

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/836469/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/791302/
  
URLhaus
https://urlhaus.abuse.ch/url/437013/
  
URLhaus
https://urlhaus.abuse.ch/url/399075/
  
URLhaus
https://urlhaus.abuse.ch/url/791257/
  
URLhaus
https://urlhaus.abuse.ch/url/446434/
  
URLhaus
https://urlhaus.abuse.ch/url/584190/
Cape
Cape
https://www.capesandbox.com/analysis/164558/
  
URLhaus
https://urlhaus.abuse.ch/url/265919/

Comments