MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 618c78fbf67d014137470a93c49571272e7777ce49ab31ccbf47ec11739ef822. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 14


Intelligence 14 IOCs 1 YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 618c78fbf67d014137470a93c49571272e7777ce49ab31ccbf47ec11739ef822
SHA3-384 hash: d2d9d785f08f0e3bb0f0ebd5b8da00f2f3f7ab99ab69fc9d87f6cfb42329779738d6d837b58a086c002cff20ee748834
SHA1 hash: 0e3928f6de38d4b2d0badb245d1516721712b330
MD5 hash: b6841e1bdebcb206e38123af2ba3254c
humanhash: orange-video-zulu-delta
File name:b6841e1bdebcb206e38123af2ba3254c.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:3'046'912 bytes
First seen:2021-10-08 11:25:49 UTC
Last seen:2021-10-08 12:12:48 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 49152:gMZ5UDugtnTvPGUGz364fbSsH795n+UANwbIw5AcGDcGxoG5lVecve8v1t0o3V09:9Q4bf+Q7fswdGDcoBh3vbP0o3+
Threatray 4'951 similar samples on MalwareBazaar
TLSH T1A0E533B02A8ACCE4E679D07AD531D57507E11C099C4BDEF5CAD0B86A443A3ABCB78173
File icon (PE):PE icon
dhash icon e09a676060678ee0 (14 x AsyncRAT, 5 x ValleyRAT, 4 x Formbook)
Reporter abuse_ch
Tags:AZORult exe


Avatar
abuse_ch
AZORult C2:
http://scarsa.ac.ug/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://scarsa.ac.ug/ https://threatfox.abuse.ch/ioc/231805/

Intelligence

File Origin
# of uploads :
2
# of downloads :
440
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b6841e1bdebcb206e38123af2ba3254c.exe
Verdict:
Malicious activity
Analysis date:
2021-10-08 11:27:12 UTC
Tags:
trojan stealer raccoon loader rat azorult vidar
Link:
https://app.any.run/tasks/83a00ecc-f0b7-436a-aebf-28247195d945

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Raccoon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/196113/
Detection(s):
SecuriteInfo.com.ArtemisB6841E1BDEBC.2503.1570.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a window
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
fingerprint obfuscated packed stealer
Link:
https://www.filescan.io/uploads/61602ad0b95458900cdf35af/reports/ae239590-3ab4-41a7-9aaf-5cb0b18f1f65/overview
Result
Threat name:
Azorult DBatLoader IPack Miner Raccoon
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/867017
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Contains functionality to steal Internet Explorer form passwords
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Self deletion via cmd delete
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected Azorult
Yara detected Azorult Info Stealer
Yara detected Costura Assembly Loader
Yara detected DBatLoader
Yara detected IPack Miner
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 499445 Sample: mUlwg5WgCk.exe Startdate: 08/10/2021 Architecture: WINDOWS Score: 100 77 scarsa.ac.ug 2->77 79 cdn.discordapp.com 2->79 101 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->101 103 Malicious sample detected (through community Yara rule) 2->103 105 Antivirus detection for URL or domain 2->105 107 10 other signatures 2->107 10 mUlwg5WgCk.exe 3 6 2->10         started        signatures3 process4 file5 65 C:\Users\user\AppData\...\mUlwg5WgCk.exe, PE32 10->65 dropped 67 Hclmqamnjemzssxdod...mdaconsoleapp14.exe, PE32 10->67 dropped 69 C:\Users\...\mUlwg5WgCk.exe:Zone.Identifier, ASCII 10->69 dropped 71 2 other malicious files 10->71 dropped 119 Writes to foreign memory regions 10->119 121 Allocates memory in foreign processes 10->121 123 Injects a PE file into a foreign processes 10->123 14 wscript.exe 1 10->14         started        16 mUlwg5WgCk.exe 85 10->16         started        signatures6 process7 dnsIp8 21 Hclmqamnjemzssxdodpuesmdaconsoleapp14.exe 4 14->21         started        73 91.219.236.103, 49714, 80 SERVERASTRA-ASHU Hungary 16->73 75 teletop.top 104.21.17.146, 49713, 80 CLOUDFLARENETUS United States 16->75 51 C:\Users\user\AppData\...\0BvBFynSTb.exe, PE32+ 16->51 dropped 53 C:\Users\user\AppData\...\lnD7N1KiwF.exe, PE32 16->53 dropped 55 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 16->55 dropped 57 58 other files (none is malicious) 16->57 dropped 95 Tries to steal Mail credentials (via file access) 16->95 97 Self deletion via cmd delete 16->97 99 Contains functionality to steal Internet Explorer form passwords 16->99 25 0BvBFynSTb.exe 16->25         started        27 cmd.exe 16->27         started        29 lnD7N1KiwF.exe 16->29         started        file9 signatures10 process11 file12 59 C:\Users\user\...\Xzegdxbuoconsoleapp3.exe, PE32 21->59 dropped 109 Injects a PE file into a foreign processes 21->109 31 Hclmqamnjemzssxdodpuesmdaconsoleapp14.exe 21->31         started        36 wscript.exe 1 21->36         started        61 C:\Users\user\AppData\...\aspnet_compiler.exe, PE32+ 25->61 dropped 63 C:\Users\user\AppData\Roaming\winda.exe, PE32+ 25->63 dropped 111 Writes to foreign memory regions 25->111 113 Allocates memory in foreign processes 25->113 115 Modifies the context of a thread in another process (thread injection) 25->115 38 conhost.exe 27->38         started        signatures13 process14 dnsIp15 81 scarsa.ac.ug 185.215.113.77, 49716, 49721, 49765 WHOLESALECONNECTIONSNL Portugal 31->81 83 192.168.2.1 unknown unknown 31->83 85 milsom.ac.ug 31->85 43 C:\Users\user\AppData\Local\Temp\pm.exe, PE32+ 31->43 dropped 45 C:\Users\user\AppData\Local\Temp\cc.exe, PE32 31->45 dropped 47 C:\Users\user\AppData\...\vcruntime140.dll, PE32 31->47 dropped 49 47 other files (none is malicious) 31->49 dropped 87 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 31->87 89 Tries to steal Instant Messenger accounts or passwords 31->89 91 Tries to steal Mail credentials (via file access) 31->91 93 4 other signatures 31->93 40 Xzegdxbuoconsoleapp3.exe 36->40         started        file16 signatures17 process18 signatures19 117 Injects a PE file into a foreign processes 40->117
Detection:
raccoon
Create hunting rule
Link:
https://mwdb.cert.pl/sample/618c78fbf67d014137470a93c49571272e7777ce49ab31ccbf47ec11739ef822/
Threat name:
ByteCode-MSIL.Trojan.Chapak
Create hunting rule
Status:
Malicious
First seen:
2021-10-08 11:26:09 UTC
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mgghr67wpuaucn2hbkj4jflre4xho56ojgvtdtf7i7wbc4467ara._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
raccoon
Create hunting rule
trickbot
Create hunting rule
Similar samples:
14a0d25b4d33216e9110c9588fa3168105efdad28827e772c4798337544eb708
AZORult
286c2eb8755215619d8cb48cc884091251729d5925b74444fe3b62c2c1a5acb5
AZORult
308c96557c6be5d4519ba4bac38c23e611c7b61683cfc1063a6009e216c24f5e
AZORult
4d265a1ee6dd0bdccd7e31fce027ccd42f1e19c09a92e911fba7db7696698b4d
AZORult
69fe5bb4b975f9437b6c3bcf3f07dc807a8f2e848f1e0c5802012295b06a742c
AZORult
906c931107ffb66c345dae2afa253b71ff21ae420348cc44f36de0bbe3921386
AZORult
c9c5b4b76ac69632d5f5931198adb5d21d214c72d8524ffc60d7d6bbcd44cf03
AZORult
db127ccf5ea69c0bc3888efe5ae2a532c5f5590a2f589f049139fcf63f5e8062
AZORult
f09dc0b3275b4c1e3a616911805011c2871af1407599493dc980b6987cb313eb
AZORult
f353dc700a77a88665e2d6cb4f73396ba3b4437cc3ee9a6a7e095de5f77277c5
AZORult
+ 4'941 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:azorult family:oski family:raccoon botnet:728e62b0300799f2a8741c39a71a1543c6759e8d collection discovery infostealer persistence spyware stealer suricata trojan
Link:
https://tria.ge/reports/211008-njvjgaeahk/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies registry class
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Loads dropped DLL
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Azorult
Oski
Raccoon
Suspicious use of NtCreateProcessExOtherParentProcess
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M18
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M3
Malware Config
C2 Extraction:
http://195.245.112.115/index.php
scarsa.ac.ug
Unpacked files
SH256 hash:
6b496ab097a31e2adb5e33e8fb86908aad060249e760e24deb3594976ff1ac36
MD5 hash:
135b817fe351fd15bfc89e0b46d4a4eb
SHA1 hash:
83dd80152fa28d67c8714fd7fc98a3ee0d1c5d1f
Detections:
win_azorult_g1
Create hunting rule
win_azorult_auto
Create hunting rule
Link:
https://www.unpac.me/results/c12c4b6b-5d95-4b3a-a3f1-0c9e6ec6d96c/
Parent samples :
618c78fbf67d014137470a93c49571272e7777ce49ab31ccbf47ec11739ef822
d88640b60a99a39f22a11731d0fc886fd2c9fdfb094f42886e6ba419025e69ec
SH256 hash:
bbc945e2e6dc6a9dac62077a82ce31e3dc882643bb3a4236a1a50b6106f404ab
MD5 hash:
4feabb9ddecae0a7ac955cd1f8487aaf
SHA1 hash:
5d27ccefc79e7d9a1c16e07fe0d0ef36df30c30a
Link:
https://www.unpac.me/results/c12c4b6b-5d95-4b3a-a3f1-0c9e6ec6d96c/
SH256 hash:
fcedb0a8ee23374891cd8dfd35b5ac9921c31f982dc1b90857409f12e39dbe73
MD5 hash:
67d19c0ad692de998981fcc01c0ed92e
SHA1 hash:
355c135973208152bb1ca5f7472c70e82866b69b
Link:
https://www.unpac.me/results/c12c4b6b-5d95-4b3a-a3f1-0c9e6ec6d96c/
SH256 hash:
30228231d8f875703d32fc45cfe0ca8831f665431adea4d7f2ef7ce925adfa6b
MD5 hash:
de40fa09f17a705a748309fef7b3cd86
SHA1 hash:
91906919d18de95aacc1e6b9c80243cf8f70bcfb
Link:
https://www.unpac.me/results/c12c4b6b-5d95-4b3a-a3f1-0c9e6ec6d96c/
SH256 hash:
7ebbd92f07d9c8fe82dc72c0a875085dca39ff438533736b769c3eedbe1637bf
MD5 hash:
b037454773691bf226efd218ab16d4c3
SHA1 hash:
6ed5a3d4187696d97e317565d94cd0f445f43cb3
Link:
https://www.unpac.me/results/c12c4b6b-5d95-4b3a-a3f1-0c9e6ec6d96c/
SH256 hash:
39fd91c7936b8fb49fd858c444b6fa5d51300bc67f061393ea3e936fe184d4e4
MD5 hash:
7bc22f39513bed23a48540507e35b0b6
SHA1 hash:
25d4e9f1dc36d0a6389163ed3790f62bcc80579d
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/c12c4b6b-5d95-4b3a-a3f1-0c9e6ec6d96c/
Parent samples :
618c78fbf67d014137470a93c49571272e7777ce49ab31ccbf47ec11739ef822
1748b08304d248899ba482858932847ed7b07258edc30ade300a021a622b10be
SH256 hash:
85629d2c53dbd0cf8e72b36d90699cb49558a0adae1be144a02ca58c9bcebac0
MD5 hash:
1e21ed9b80f167f3505dfa1caf4c0f69
SHA1 hash:
090914654876cd72290ff49d1084a18164103782
Link:
https://www.unpac.me/results/c12c4b6b-5d95-4b3a-a3f1-0c9e6ec6d96c/
SH256 hash:
269a2f4225a2a0556c2131d1705cad523edb3e76fa17de473eeb52a3803d7713
MD5 hash:
e043489021390303770a0ca8b6f59940
SHA1 hash:
7bce11f995503da6ab3adf75cdcf6f6bb22fc91e
Link:
https://www.unpac.me/results/c12c4b6b-5d95-4b3a-a3f1-0c9e6ec6d96c/
SH256 hash:
618c78fbf67d014137470a93c49571272e7777ce49ab31ccbf47ec11739ef822
MD5 hash:
b6841e1bdebcb206e38123af2ba3254c
SHA1 hash:
0e3928f6de38d4b2d0badb245d1516721712b330
Link:
https://www.unpac.me/results/c12c4b6b-5d95-4b3a-a3f1-0c9e6ec6d96c/
Malware family:
AZORult v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/618c78fbf67d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.89
Link:
https://yomi.yoroi.company/submissions/618c78fbf67d014137470a93c49571272e7777ce49ab31ccbf47ec11739ef822

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_Raccoon
Create hunting rule
Author:ditekSHen
Description:Raccoon stealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AZORult

Executable exe 618c78fbf67d014137470a93c49571272e7777ce49ab31ccbf47ec11739ef822

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/422736/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1322752/
  
URLhaus
https://urlhaus.abuse.ch/url/906880/
  
URLhaus
https://urlhaus.abuse.ch/url/399076/
Cape
Cape
https://www.capesandbox.com/analysis/196113/

Comments