MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 603ecc649a2beb1e7c9ae57e9ff5d67e97b827c2afccb7b6253ee0a2e0c81dd2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 12


Intelligence 12 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 603ecc649a2beb1e7c9ae57e9ff5d67e97b827c2afccb7b6253ee0a2e0c81dd2
SHA3-384 hash: 6f1643d9f8b8bcfa604998c1fa1a2016eae71508dafc7a5c72a92830cd5a8f312255bb1c5dbd9b0fcf25b1b8e0ec7b18
SHA1 hash: a930c5c8dbb9c45e95ec3c7ab0bbb523d2d4f867
MD5 hash: 8b6df301a0606f2b891af5d626956803
humanhash: potato-salami-oscar-sad
File name:PO 1210.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:452'096 bytes
First seen:2021-09-10 11:20:42 UTC
Last seen:2021-09-10 12:20:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:KHtx8988xk4DbF53e0IUFLY02b+MMBDjoJluVg3IOl36S:lk+p2ut
Threatray 3'279 similar samples on MalwareBazaar
TLSH T1FDA49C243DEA5119F173EFB94EE4B4869B6FB7633A87E45D1041038A4623B40FE9163B
dhash icon 022c5b52a6a456a9 (8 x Formbook, 7 x AgentTesla, 3 x Loki)
Reporter GovCERT_CH
Tags:AZORult exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
803
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO 1210.exe
Verdict:
Malicious activity
Analysis date:
2021-09-10 11:22:45 UTC
Tags:
trojan rat azorult stealer
Link:
https://app.any.run/tasks/79d582ba-384e-486e-9a3a-0149eab04b2b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Azorult
Create hunting rule
Link:
https://www.capesandbox.com/analysis/186862/
Detection(s):
SecuriteInfo.com.BackDoor.SpyBotNET.25.2559.27559.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Deleting a recently created file
Unauthorized injection to a recently created process
Launching a process
Creating a process with a hidden window
Creating a file
DNS request
Connection attempt
Sending an HTTP POST request
Reading critical registry keys
Running batch commands
Stealing user critical data
Malware family:
AZORult
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/02e997ab-0509-4cef-b83c-798d3ce6e0f6
Result
Threat name:
AZORult
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/848741
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected AZORult Info Stealer
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Azorult
Yara detected Azorult Info Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 481172 Sample: PO 1210.exe Startdate: 10/09/2021 Architecture: WINDOWS Score: 100 42 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->42 44 Multi AV Scanner detection for domain / URL 2->44 46 Found malware configuration 2->46 48 15 other signatures 2->48 8 PO 1210.exe 7 2->8         started        process3 file4 26 C:\Users\user\AppData\Local\...\tmp3D9F.tmp, XML 8->26 dropped 28 C:\Users\user\AppData\...\PO 1210.exe.log, ASCII 8->28 dropped 30 C:\Users\user\AppData\Roaming\sqvgjgOI.exe, PE32 8->30 dropped 11 PO 1210.exe 67 8->11         started        16 schtasks.exe 1 8->16         started        process5 dnsIp6 40 smdglo.xyz 31.210.20.16, 49737, 49738, 80 PLUSSERVER-ASN1DE Netherlands 11->40 32 C:\Users\user\AppData\...\vcruntime140.dll, PE32 11->32 dropped 34 C:\Users\user\AppData\Local\...\ucrtbase.dll, PE32 11->34 dropped 36 C:\Users\user\AppData\Local\...\softokn3.dll, PE32 11->36 dropped 38 45 other files (none is malicious) 11->38 dropped 50 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->50 52 Tries to steal Instant Messenger accounts or passwords 11->52 54 Tries to steal Mail credentials (via file access) 11->54 56 5 other signatures 11->56 18 cmd.exe 1 11->18         started        20 conhost.exe 16->20         started        file7 signatures8 process9 process10 22 conhost.exe 18->22         started        24 timeout.exe 1 18->24         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/603ecc649a2beb1e7c9ae57e9ff5d67e97b827c2afccb7b6253ee0a2e0c81dd2/
Threat name:
ByteCode-MSIL.Trojan.Sabsik
Create hunting rule
Status:
Malicious
First seen:
2021-09-10 05:59:53 UTC
AV detection:
14 of 28 (50.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ma7myze2fpvr47e24v7j75owp2l3qj6cv7glpnrfh3qkfygidxja._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
trickbot
Create hunting rule
Similar samples:
0978c6e9a1e62df2bf68b5cebd60dd4b8ac1ead3077c561bf420bfaf8d7be2ee
AZORult
25668bb8b209e29ad8ee4f1083283224271223d5de207449192b19ec07022418
AZORult
61adff4631db24263951338bc5d2fce316abad6def0f37bd27319875c7ce25f2
AZORult
68d578b9e811bf90bb6c88c092e033470e6ee439bfa9de02f9a36afad08895ff
AZORult
700c14171b4bc7eb9af680f74b9bf681da5988e07fa2f7ead4f3f71289d0a4c5
AZORult
737ff2b259449c91d68130a8508b51544310a6e6b50891fdc5682e7d242a79b4
AZORult
902915735433450152149d1be3053f4a30ad6374199cd3499c2272e58e4f0ce8
AZORult
d286ce0a72c3053c61909e492d314b3008ca872a80ea60e29b9d0ec728e6dc62
AZORult
f73579603fda08d484fd111ba5c0f00ea57d25c79365608995dedb0cd037c66b
AZORult
faa87f7a8cb33ce4d523a4927dcdba6c13044af4aa2609bea22df58f1afbdcb6
AZORult
+ 3'269 additional samples on MalwareBazaar
Result
Malware family:
azorult
Create hunting rule
Score:
  10/10
Tags:
family:azorult discovery infostealer spyware stealer suricata trojan
Link:
https://tria.ge/reports/210910-nfzzsadahn/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Azorult
suricata: ET MALWARE AZORult Variant.4 Checkin M2
suricata: ET MALWARE AZORult v3.2 Server Response M3
suricata: ET MALWARE Win32/AZORult V3.2 Client Checkin M17
suricata: ET MALWARE Win32/AZORult V3.2 Client Checkin M3
Malware Config
C2 Extraction:
http://smdglo.xyz/panel1/index.php
Unpacked files
SH256 hash:
ad4a7895d529d5164302bb88596964ab42ff125bf0f5544418c80b6d438cb587
MD5 hash:
43ababb6b0a02907aad43084f12b10d9
SHA1 hash:
b60ba705891d5a666d64300181b475a46714ffa8
Link:
https://www.unpac.me/results/6d6c87f8-4448-4509-bd20-154a0e280a1e/
SH256 hash:
85f05954f1a2d9ec58c33c29a1b592c8f6cbb13877e66767f94d105865bd0343
MD5 hash:
aec4ce532311ce7c7f00e4c708a2fffc
SHA1 hash:
7ee49e652611c1f48bfe087d1847c979d79d2f42
Link:
https://www.unpac.me/results/6d6c87f8-4448-4509-bd20-154a0e280a1e/
SH256 hash:
0e866009320de38f6646dd4849a4430b04648b4e8b3e37389ce3a1b9006c5978
MD5 hash:
725dcd14a2009274329c4a24ceeaa62e
SHA1 hash:
13e090efcbc578d62cc020dd9695ea08edb5b3d2
Detections:
win_azorult_g1
Create hunting rule
win_azorult_auto
Create hunting rule
Link:
https://www.unpac.me/results/6d6c87f8-4448-4509-bd20-154a0e280a1e/
Parent samples :
faa87f7a8cb33ce4d523a4927dcdba6c13044af4aa2609bea22df58f1afbdcb6
603ecc649a2beb1e7c9ae57e9ff5d67e97b827c2afccb7b6253ee0a2e0c81dd2
baad4799f2c076b17cbfdbf41f430af17daaa4236d75115d6f54d72f21453e61
07c88db437007f63707266efdc16363c6ddc6def76cdef5e35674f3e9283e3df
SH256 hash:
603ecc649a2beb1e7c9ae57e9ff5d67e97b827c2afccb7b6253ee0a2e0c81dd2
MD5 hash:
8b6df301a0606f2b891af5d626956803
SHA1 hash:
a930c5c8dbb9c45e95ec3c7ab0bbb523d2d4f867
Link:
https://www.unpac.me/results/6d6c87f8-4448-4509-bd20-154a0e280a1e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/603ecc649a2beb1e7c9ae57e9ff5d67e97b827c2afccb7b6253ee0a2e0c81dd2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Azorult
Create hunting rule
Author:kevoreilly
Description:Azorult Payload
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_azorult_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.azorult.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AZORult

Executable exe 603ecc649a2beb1e7c9ae57e9ff5d67e97b827c2afccb7b6253ee0a2e0c81dd2

(this sample)

  
Dropped by
azorult
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/186862/

Comments