MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 66969ac84d6e89fc43c6204653ee0b6bf727fa115f802549e9469027a3dd847e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 13


Intelligence 13 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 66969ac84d6e89fc43c6204653ee0b6bf727fa115f802549e9469027a3dd847e
SHA3-384 hash: 947deeec31d6ce5614aabf4713ae553af3f436a1db89f32bbcc28c8fb76f95944e818e239f679537b5dcf0d5322f1599
SHA1 hash: c9a6b936c28089bd779d3153056b1d7cbc9d0854
MD5 hash: cc280cbaa1cdde9b203348512a594a5d
humanhash: white-emma-mexico-nineteen
File name:TTCOPYpdf.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:143'224 bytes
First seen:2022-04-11 11:41:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 56a78d55f3f7af51443e58e0ce2fb5f6 (720 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep 3072:p1NjcVVnLpPuCv8bz2FQw2AYdJMaLrOpgsWjErahVDN63QIBLa:TNeZ2qK7NdW/gsWjErYzIta
Threatray 10'654 similar samples on MalwareBazaar
TLSH T14FE3F1186AA4C0B3E8B24A715D77AB775ABFB9161429972F03105B8A7E31780CF0F716
File icon (PE):PE icon
dhash icon 36c29292b2e88c82 (54 x AgentTesla, 33 x RedLineStealer, 11 x Formbook)
Reporter abuse_ch
Tags:AZORult exe signed

Code Signing Certificate

Organisation:Acharnement8
Issuer:Acharnement8
Algorithm:sha256WithRSAEncryption
Valid from:2022-04-10T15:15:47Z
Valid to:2023-04-10T15:15:47Z
Serial number: 00
Intelligence: 325 malware samples on MalwareBazaar are signed with this code signing certificate
Cert Central Blocklist:This certificate is on the Cert Central blocklist
Thumbprint Algorithm:SHA256
Thumbprint: 71b7ffbf6ef3315a9b9a284bbb0fcf0950416c0a34d72ac6712c9b369ef59635
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
abuse_ch
AZORult C2:
http://46.183.223.116/dublin/Panel/index.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://46.183.223.116/dublin/Panel/index.php https://threatfox.abuse.ch/ioc/518527/

Intelligence

File Origin
# of uploads :
1
# of downloads :
895
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
TTCOPYpdf.exe
Verdict:
Malicious activity
Analysis date:
2022-04-12 04:12:43 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/bc55db79-e839-4d3a-be07-9166f96a67dd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/262669/
Detection(s):
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.6896.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% directory
Creating a file
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/13460/overview
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6254142204b81dabe28006c7/reports/db578917-766e-489b-ab5e-387df424676a/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bf0d15a3-6c22-49cc-ab2b-e8282fb0062a
Result
Threat name:
Azorult GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad.phis.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/974539
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Yara detected Azorult
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 607023 Sample: TTCOPYpdf.exe Startdate: 11/04/2022 Architecture: WINDOWS Score: 100 37 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->37 39 Found malware configuration 2->39 41 Malicious sample detected (through community Yara rule) 2->41 43 7 other signatures 2->43 8 TTCOPYpdf.exe 19 2->8         started        process3 file4 23 C:\Users\user\AppData\Local\...\System.dll, PE32 8->23 dropped 45 Self deletion via cmd delete 8->45 47 Tries to detect Any.run 8->47 49 Hides threads from debuggers 8->49 12 TTCOPYpdf.exe 70 8->12         started        signatures5 process6 dnsIp7 33 46.183.223.116, 49751, 49752, 80 DATACLUBLV Latvia 12->33 35 84.38.132.43, 49750, 80 DATACLUBLV Latvia 12->35 25 C:\Users\user\AppData\...\vcruntime140.dll, PE32 12->25 dropped 27 C:\Users\user\AppData\Local\...\ucrtbase.dll, PE32 12->27 dropped 29 C:\Users\user\AppData\Local\...\softokn3.dll, PE32 12->29 dropped 31 45 other files (none is malicious) 12->31 dropped 51 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 12->51 53 Tries to steal Instant Messenger accounts or passwords 12->53 55 Tries to steal Mail credentials (via file / registry access) 12->55 57 7 other signatures 12->57 17 cmd.exe 1 12->17         started        file8 signatures9 process10 process11 19 conhost.exe 17->19         started        21 timeout.exe 1 17->21         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/66969ac84d6e89fc43c6204653ee0b6bf727fa115f802549e9469027a3dd847e/
Threat name:
Win32.Downloader.GuLoader
Create hunting rule
Status:
Malicious
First seen:
2022-04-11 11:42:07 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
17 of 26 (65.38%)
Threat level:
  3/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=m2ljvscnn2e7yq6gebdfh3qlnp3sp6qrl6ackspji2icpi65qr7a._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
cloudeye
Create hunting rule
Similar samples:
28106556ae6c11dd40bcdbc70a846eeb898637559c1b5e41447d1d80c266eece
AZORult
892ef7a1974f417377e4b50358b42c68248a4f4c1f393328421ad48e73861640
AZORult
99ec7c3d98449f130584d01f3dea7e8084df01abae8077ae18900695e2d941cb
AZORult
99f100122f5280ac44bc01f3bb7df9d3bd69681335e5f50d4ddfeca6e8ac3cb1
AZORult
ae971526492d43606efd2d0f37ac9b262618a28274887388a7c7f9f095942a81
AZORult
b57d7de33914f91073e29ac243cc026716b4b4a2ffd3ad9235e407c73fdb4be8
AZORult
+ 10'644 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:azorult family:guloader collection discovery downloader infostealer spyware stealer trojan
Link:
https://tria.ge/reports/220411-nt1hgahef2/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks QEMU agent file
Checks computer location settings
Deletes itself
Loads dropped DLL
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Azorult
Guloader,Cloudeye
Unpacked files
SH256 hash:
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8
MD5 hash:
cff85c549d536f651d4fb8387f1976f2
SHA1 hash:
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e
Link:
https://www.unpac.me/results/b56fe611-7c05-42da-8279-b3fe442b6d7f/
SH256 hash:
66969ac84d6e89fc43c6204653ee0b6bf727fa115f802549e9469027a3dd847e
MD5 hash:
cc280cbaa1cdde9b203348512a594a5d
SHA1 hash:
c9a6b936c28089bd779d3153056b1d7cbc9d0854
Link:
https://www.unpac.me/results/b56fe611-7c05-42da-8279-b3fe442b6d7f/
Malware family:
AZORult
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/66969ac84d6e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/66969ac84d6e89fc43c6204653ee0b6bf727fa115f802549e9469027a3dd847e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/262669/

Comments