MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6296905cf4a331aa9a278c3df71c8e6cb3c1e60b48402696264aac0f4d0df659. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AZORult

Vendor detections: 13

Intelligence 13 IOCs YARA File information Comments

SHA256 hash:	6296905cf4a331aa9a278c3df71c8e6cb3c1e60b48402696264aac0f4d0df659
SHA3-384 hash:	59d1b8aeb7f99c299d4a375ef8019da886fe1ce2b959419efba09db56aee6f0fe4761514263f8bdbcdd3c7174abe217c
SHA1 hash:	711f35a83681fd73b23fd2f2193fa08ad953a546
MD5 hash:	2e947f5ead2f5d58124c9923e1e2849c
humanhash:	white-angel-coffee-cardinal
File name:	OPEN01929291000_2021-03-15_07-28.exe
Download:	download sample
Signature	AZORult Create hunting rule
File size:	331'776 bytes
First seen:	2021-03-16 11:24:45 UTC
Last seen:	2021-03-16 13:59:33 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	6540c12e2e2c0b7741803a1b0f2f06ab (1 x AZORult, 1 x Smoke Loader)
ssdeep	6144:9mO9ueehDC7PkPOhbJT06esz6q0s5hxe1JDH5GbhjyVRcUQ6+Og0b:9d9+hDkPkPOJT0DsVMPDH54kR9+Ov
Threatray	732 similar samples on MalwareBazaar
TLSH	A8647C21A7A1C034F5F305B546B282B8A5397E71573C80EB63D02BDA9A386E5ED31F53
Reporter	TeamDreier
Tags:	AZORult

Intelligence

File Origin

# of uploads :

# of downloads :

242

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

OPEN01929291000_2021-03-15_07-28.exe

Verdict:

Malicious activity

Analysis date:

2021-03-16 11:34:17 UTC

Tags:

trojan rat azorult stealer

Link:

https://app.any.run/tasks/7ce6c933-75c5-4b5a-add6-2fe0ca717caf

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Trojan.PWS.Steam.19038.31311.872.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending an HTTP POST request

Creating a file in the %temp% subdirectories

Creating a file

Deleting a recently created file

Reading critical registry keys

Sending a UDP request

Creating a window

Running batch commands

Creating a process with a hidden window

Launching a process

Stealing user critical data

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

AZORult

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/990c9e15-a1fb-423e-afb2-0e046c951978

Result

Threat name:

AZORult

Detection:

malicious

Classification:

phis.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/640644

Signature

Binary contains a suspicious time stamp

Detected AZORult Info Stealer

Detected unpacking (changes PE section rights)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Crypto Currency Wallets

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file access)

Yara detected Azorult

Yara detected Azorult Info Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

azorult

Link:

https://mwdb.cert.pl/sample/6296905cf4a331aa9a278c3df71c8e6cb3c1e60b48402696264aac0f4d0df659/

Threat name:

Win32.Trojan.ArkeiStealer

Status:

Malicious

First seen:

2021-03-15 05:14:38 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 28 (71.43%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=mkljaxhuumy2vgrhrq67oheonsz4dzqljbacnfrgjkwa6tin6zmq._file

Verdict:

malicious

Label(s):

azorult

Result

Malware family:

azorult

Score:

10/10

Tags:

family:azorult discovery infostealer spyware stealer trojan

Link:

https://tria.ge/reports/210316-rm5zexknvx/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Deletes itself

Loads dropped DLL

Reads data files stored by FTP clients

Reads local data of messenger clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Azorult

Malware Config

C2 Extraction:

http://45.85.90.188/az1/wuvc/index.php

Unpacked files

SH256 hash:

ff0d34be0f4510bb9857bbc43e6f8bb6f65f998653077d34f0cd94acba63007d

MD5 hash:

11b46a3ae79dd7864598cf4114e129b6

SHA1 hash:

fa7db64edf0bd436edbcfc41b687707942fa049c

Detections:

win_azorult_g1

win_azorult_auto

Link:

https://www.unpac.me/results/62a18422-0b6e-4308-89db-dfe16a6bc8ee/

SH256 hash:

6296905cf4a331aa9a278c3df71c8e6cb3c1e60b48402696264aac0f4d0df659

MD5 hash:

2e947f5ead2f5d58124c9923e1e2849c

SHA1 hash:

711f35a83681fd73b23fd2f2193fa08ad953a546

Link:

https://www.unpac.me/results/62a18422-0b6e-4308-89db-dfe16a6bc8ee/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6296905cf4a331aa9a278c3df71c8e6cb3c1e60b48402696264aac0f4d0df659

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample