MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5e500591cc85d6182a86762c1961cc2fc54c5c9fa6fa05b212a4e85c574d86cd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5e500591cc85d6182a86762c1961cc2fc54c5c9fa6fa05b212a4e85c574d86cd
SHA3-384 hash: 4d81a4f6257e1af813a116f1bd9439df135b7aeb69a1680017b12f9df1b19eaf18a22c5a1945572b5f69c3a67d9e16c6
SHA1 hash: 8213b8485c40ae76e896da600cbe26a827f4d46d
MD5 hash: a82f88615f13b54d9c6bacf14ea5d716
humanhash: butter-july-october-georgia
File name:TRS-11-0221-020.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:190'680 bytes
First seen:2021-04-08 08:50:22 UTC
Last seen:2021-04-08 10:21:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 18bc6fa81e19f21156316b1ae696ed6b (51 x Formbook, 24 x Loki, 9 x SnakeKeylogger)
ssdeep 3072:xyewmN4skJSKgBrK0xx6hhzHp8DnuUGYTv+moWGIELH/wSgm7/RsXyIXtv:xdLrl6TlenuNJLfcUsxd
Threatray 974 similar samples on MalwareBazaar
TLSH 6114E163195CC8ABC6826D7B08D6E376D3F7BA8850F253021F91FB6FAB37442412E549
Reporter abuse_ch
Tags:AZORult exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: hp0.308.orxo.cf
Sending IP: 165.232.175.69
From: Rhaul Sign <accounts@yamunamachine.com>
Subject: TT Payment USD $6200
Attachment: TRS-11-0221-020.r00 (contains "TRS-11-0221-020.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
260
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
TRS-11-0221-020.exe
Verdict:
Malicious activity
Analysis date:
2021-04-08 09:17:39 UTC
Tags:
installer trojan rat azorult
Link:
https://app.any.run/tasks/2370fb6f-0da2-4748-b88d-52c6a17eb297

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Azorult
Create hunting rule
Link:
https://www.capesandbox.com/analysis/133134/
Detection(s):
SecuriteInfo.com.Troj.Agent-BGTI.15734.10148.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Sending a UDP request
Launching a process
DNS request
Sending an HTTP POST request
Deleting a recently created file
Reading critical registry keys
Stealing user critical data
Unauthorized injection to a system process
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AZORult
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2811ce1d-3e6c-42c1-8ab6-9115fcef34bb
Result
Threat name:
Azorult
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/669869
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to prevent local Windows debugging
DLL side loading technique detected
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected Azorult
Yara detected Azorult Info Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5e500591cc85d6182a86762c1961cc2fc54c5c9fa6fa05b212a4e85c574d86cd/
Threat name:
Win32.Infostealer.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-04-08 08:51:07 UTC
AV detection:
8 of 48 (16.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lzialeomqxlbqkugoywbsyomf7cuyxe7u35almqsutufyv2nq3gq._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
Similar samples:
1d3d10e3a4a2060bcd6bdfb4249260d9ed72258ad93551ef64f0cba827b87147
AZORult
2d25d136b12c900209489988b87ec94520c0734f4f31d4497fa47dfefc551bb4
AZORult
3631857b05872e653e961bf5f6313b091860b76448c555cefa67741de18eaedc
AZORult
38806d8372f8465c4775009362b83b94024fc6a280e3c83c476dec3852bcd2e6
AZORult
5af2bcd6e1359e4f5ff0b1f0d91397edb7dfeb3b6e5fef9cb73fd0bbf907b161
AZORult
62bcad1a08b9645f0b2bd969e31e3beda41ce828387eb60ce07b0749deee4c59
AZORult
65d873e82fc6d0e63a224589cdee5551f2d98c313e19adbc9799ef17ae493a8f
AZORult
6cda1f1821f10cb19986a831c9bca0ea1cb432f44cc7201c732b0d7bdc056ab9
AZORult
dfc46489f05e64f62434a7af40d10b919c46fd133eb0f42e33ece6c327770470
AZORult
eb7c92906b19491e5e670801cbcf189cf105f8e46a0e20c2bc8c7ab14cc1b9c7
AZORult
+ 964 additional samples on MalwareBazaar
Result
Malware family:
azorult
Create hunting rule
Score:
  10/10
Tags:
family:azorult infostealer spyware stealer trojan
Link:
https://tria.ge/reports/210408-4kdbge4sxs/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Loads dropped DLL
Reads local data of messenger clients
Azorult
Malware Config
C2 Extraction:
http://bengalcement.com.bd/AxPu/index.php
Unpacked files
SH256 hash:
79a604374735aff54b3eeec8d7dd198d0379669f83b337a016c7c51ecf717c2b
MD5 hash:
ddaa2ca8c4dc181a904484e945f2b447
SHA1 hash:
7dcabe9a583f1f8a07e6df9f36aa138d0694c9b6
Link:
https://www.unpac.me/results/c6cf4ced-f638-4ca3-af68-678f6d28a06e/
SH256 hash:
5e500591cc85d6182a86762c1961cc2fc54c5c9fa6fa05b212a4e85c574d86cd
MD5 hash:
a82f88615f13b54d9c6bacf14ea5d716
SHA1 hash:
8213b8485c40ae76e896da600cbe26a827f4d46d
Link:
https://www.unpac.me/results/c6cf4ced-f638-4ca3-af68-678f6d28a06e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.57
Link:
https://yomi.yoroi.company/submissions/5e500591cc85d6182a86762c1961cc2fc54c5c9fa6fa05b212a4e85c574d86cd

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AZORult

r00 8fad2f41bd7c7be388391109487ddf568d04e000314443e19810459073043018

AZORult

Executable exe 5e500591cc85d6182a86762c1961cc2fc54c5c9fa6fa05b212a4e85c574d86cd

(this sample)

  
Dropped by
MD5 4d57af38e2ca411280eafd8b3dcf79f6
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/133134/
  
Dropped by
SHA256 8fad2f41bd7c7be388391109487ddf568d04e000314443e19810459073043018

Comments