MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5b1be73c028d92e81dd464150fba38c640f3a25cdb7b80a9041e38921da542a9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 9


Intelligence 9 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5b1be73c028d92e81dd464150fba38c640f3a25cdb7b80a9041e38921da542a9
SHA3-384 hash: 55835b61e587ef5fd8eac45a2ff6ec21a04bd0bedfc25292d31d4e80ec888588b5cc78a2762934a379aa2c3f01cf776f
SHA1 hash: e74c35ed2272f2d9680f38d3976b472e60eea67f
MD5 hash: 0ada1491877f7fd980d8c06b6f05ba56
humanhash: jupiter-whiskey-shade-twenty
File name:e-dekont.pdf.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:930'816 bytes
First seen:2020-10-12 14:51:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:c15i+5/lz7DRokeo8ZfKv1gMoqsyJP3902jjKZrgbKtd7KoyuwCaKiSvKw8b2aW0:A/lN1gRbzXWCdrIVC9++gKL/fo69
Threatray 319 similar samples on MalwareBazaar
TLSH 9C15600D677987E1DAB8F3BA0BA5B61813E2FCFB1791D64E1F0A76A40D730E1690D205
Reporter abuse_ch
Tags:AZORult exe geo TUR ZiraatBank


Avatar
abuse_ch
Malspam distributing AZORult:

HELO: server.gmdsa.us
Sending IP: 31.214.245.90
From: ZİRAAT BANKASI <ziraat@ileti.ziraatbank.com.tr>
Subject: e-dekont
Attachment: e-dekont.pdf.img (contains "e-dekont.pdf.exe")

AZORult C2:
http://pilsans.com/mxnjs/index.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
191
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/70141/
Detection(s):
SecuriteInfo.com.Trojan.Siggen10.36876.342.18931.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Using the Windows Management Instrumentation requests
Creating a file in the Windows subdirectories
Running batch commands
Creating a process with a hidden window
Creating a file
Launching cmd.exe command interpreter
Creating a process from a recently created file
Launching a process
DNS request
Sending an HTTP POST request
Creating a file in the %temp% subdirectories
Deleting a recently created file
Reading critical registry keys
Replacing files
Unauthorized injection to a recently created process
Stealing user critical data
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Threat name:
Azorult
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/488609
Signature
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected Azorult
Yara detected Azorult Info Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5b1be73c028d92e81dd464150fba38c640f3a25cdb7b80a9041e38921da542a9/
Threat name:
ByteCode-MSIL.Infostealer.Stimilina
Create hunting rule
Status:
Malicious
First seen:
2020-10-12 11:20:58 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=lmn6opacrwjoqhoumqkq7oryyzaphis43n5ybkiedy4jehnfikuq._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
Similar samples:
02f2ef392aadd8b486f022e3cd6bad2e6d0a2b6d39d2371b7d528e9ea6607a00
AZORult
1206ddd174f5df61f70259ac6da12226590232dd5f70d3139aa290d381efecbe
AZORult
12826d5302af642e1152b7b65718d7bcd1deca268630fa61444f131575795589
AZORult
41cdff6bc198b4e041d092b52663f0ea0dd06334e70c62b595710e214cb8e3d9
AZORult
a8e109be069f5ee700269958c9a2312f8417e7e6d88e5cfcdc439865f4a896e0
AZORult
ccedefbb232fd22909bc7b342fe7d3c1e0551b149a0b2e392a23030ceef1814e
AZORult
e9a35c488c49d24c11d3d82d548c984f11f0987ba4ae47ac30409f2dc28508f7
AZORult
e9c42b737c586759102817b5922701598ec9c9256b36cf5fc28782fa09016ca4
AZORult
eef743fa3b72b1e9e71d02dd39db239cda0fd6e976ef0f8779501564b116de5d
AZORult
f7505d1a7254a1a38c4570f0abb3fe3a462d3c34efca6372841ac37876d2af05
AZORult
+ 309 additional samples on MalwareBazaar
Result
Malware family:
azorult
Create hunting rule
Score:
  10/10
Tags:
spyware trojan infostealer family:azorult
Link:
https://tria.ge/reports/201012-crj4lf63te/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
JavaScript code in executable
Drops startup file
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
Azorult
Malware Config
C2 Extraction:
http://pilsans.com/mxnjs/index.php

Unpacked files
SH256 hash:
5b1be73c028d92e81dd464150fba38c640f3a25cdb7b80a9041e38921da542a9
MD5 hash:
0ada1491877f7fd980d8c06b6f05ba56
SHA1 hash:
e74c35ed2272f2d9680f38d3976b472e60eea67f
Link:
https://www.unpac.me/results/04e36ee9-f1b9-4051-b135-fb5f182a4549/
SH256 hash:
4f690f3cf792f24a571f09740cf25d0979bde8c11180a26864056643c30479cd
MD5 hash:
304cc4a1948539064cfec5b70bd83e21
SHA1 hash:
32b3754f52323fd71b8349f01c9dd4bc4fecd880
Link:
https://www.unpac.me/results/04e36ee9-f1b9-4051-b135-fb5f182a4549/
SH256 hash:
5886dbc91ebc7a1e9d6b72794eb0bed7403d060a322aec65a9269f52deb4ff46
MD5 hash:
773658b99d7e72b3b75b404c4afc1dec
SHA1 hash:
3938e9d73cdedf65c4a2ee321d6b6a35f62ddb3a
Link:
https://www.unpac.me/results/04e36ee9-f1b9-4051-b135-fb5f182a4549/
SH256 hash:
1c91b0dfca665d00929f7496ef2be63ae24cf9b99494ce9ab77a5dab09abd0b1
MD5 hash:
4764cfc4b2e0b626ee0a6bf139c7e1f5
SHA1 hash:
c834ef2ab559f0d2b0ebbdd7232c48bae0b84592
Detections:
win_azorult_g1
Create hunting rule
win_azorult_auto
Create hunting rule
Link:
https://www.unpac.me/results/04e36ee9-f1b9-4051-b135-fb5f182a4549/
Parent samples :
5b1be73c028d92e81dd464150fba38c640f3a25cdb7b80a9041e38921da542a9
caf1aeb2835afd01b7ddc5218ab7b3bfeae4c21dffc0c37111fe3238228791ea
SH256 hash:
f9c341679423a3ac010b7da292ab6d1ef0ae7e995cd085ada95e1384ba3af38c
MD5 hash:
b1c72a8e99542c64507470535686ddd9
SHA1 hash:
fe3bec4b6e2b7091db68705feb59090c24c8b6ed
Link:
https://www.unpac.me/results/04e36ee9-f1b9-4051-b135-fb5f182a4549/
SH256 hash:
9790a6aa3d28d77d320c8f32938122c1212b7f6291daa7511f854a3fcd0fb037
MD5 hash:
6e53bc3c0364eefd1d448d25e026975d
SHA1 hash:
f11ea87b0638531f442b113feb19dbaae81ad518
Link:
https://www.unpac.me/results/04e36ee9-f1b9-4051-b135-fb5f182a4549/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5b1be73c028d92e81dd464150fba38c640f3a25cdb7b80a9041e38921da542a9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Steam_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Steam in files like avemaria
Rule name:Telegram_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Telegram in files like avemaria
Rule name:Trojan_W32_Gh0stMiancha_1_0_0
Create hunting rule
Rule name:win_azorult_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_azorult_g1
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AZORult

img 79933b3af05b8d2c21bbc93850ab5f7df7e399d8c11c7619e694a94eec2f5848

AZORult

Executable exe 5b1be73c028d92e81dd464150fba38c640f3a25cdb7b80a9041e38921da542a9

(this sample)

  
Dropped by
MD5 72a762be85ef42f68e221fd83b3be1c2
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/70141/
  
Dropped by
SHA256 79933b3af05b8d2c21bbc93850ab5f7df7e399d8c11c7619e694a94eec2f5848

Comments