MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 672fea64c92edc4d937d3132577b65813738bfddeab6a6b3ef35e6fa4b987009. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AZORult

Vendor detections: 10

SHA256 hash: 672fea64c92edc4d937d3132577b65813738bfddeab6a6b3ef35e6fa4b987009
SHA3-384 hash: 30bc260dd8acc299f36b77a349324f2835e21ca3f5c0beeaa8b94a015bf6825eaa86d5afc94308237f3edb1f4c5074f7
SHA1 hash: 223cfb523ff8b64b339a34db3808dc6a386752a4
MD5 hash: c3f533c47a2f995cd4b5d16653698609
humanhash: pizza-charlie-ceiling-juliet
File name: c3f533c47a2f995cd4b5d16653698609.exe
Signature: AZORult
File size: 1'187'840 bytes
First seen: 2022-05-28 14:20:56 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 6715d450ebf6ee95bf798a46601f6874 (2 x RecordBreaker, 1 x AZORult, 1 x Formbook)
ssdeep: 24576:n9Gs50M+jSxjTv9/CPPpTv94s50MsjSxjTv9/CaV/1SoOpOQlS1P8Op1QlS1P7:ws59vkPPss53vkW0f81Pfi81P7
Threatray: 15'591 similar samples on MalwareBazaar
TLSH: T13045228429AB9933F25AD2714BD9E5D807FD3D37B102981FB74D3D1807BAA011AA13B7
TrID: 63.5% (.EXE) Win32 Executable MS Visual C++ 5.0 (60687/85)
      11.0% (.EXE) Win64 Executable (generic) (10523/12/4)
      6.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      5.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
      4.7% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter: abuse_ch
Tags: AZORult exe


abuse_ch
AZORult C2:
http://underdohg.ac.ug/index.php

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://underdohg.ac.ug/index.php
ThreatFox reference: https://threatfox.abuse.ch/ioc/643051/

Intelligence


File Origin
# of uploads: 1
# of downloads: 1'177
Origin country: n/a

Vendor Threat Intelligence
Malware family:
ID: 1
File name: c3f533c47a2f995cd4b5d16653698609.exe
Verdict: Malicious activity
Analysis date: 2022-05-28 14:23:06 UTC
Tags: loader arkei stealer trojan vidar rat azorult

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Clean
Maliciousness:
Behaviour
Creating synchronization primitives
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: anti-debug anti-vm control.exe greyware hacktool obfuscated packed
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to detect sleep reduction / modifications
Detected unpacking (creates a PE file in dynamic memory)
Found C&C like URL pattern
Found evasive API chain (may stop execution after checking computer name)
Found evasive API chain (may stop execution after checking locale)
Found evasive API chain (may stop execution after checking mutex)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Vidar stealer
Behaviour
Behavior Graph: ID 635667, sample pH7vO7Dkr2.exe, start date 29/05/2022, architecture WINDOWS, score 100 (interactive process graph not reproduced here)
Threat name: Win32.Trojan.CrypterX
Status: Malicious
First seen: 2022-05-28 14:21:10 UTC
File Type: PE (Exe)
Extracted files: 1
AV detection: 20 of 26 (76.92%)
Threat level: 5/5
Result
Malware family: azorult
Score: 10/10
Tags: family:arkei family:azorult botnet:default discovery infostealer spyware stealer suricata trojan
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Arkei
Azorult
suricata: ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA or USERPROFILE Environment Variable M4
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M15
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M5
suricata: ET MALWARE Win32/Vidar Variant/Mars Stealer CnC Exfil
Malware Config
C2 Extraction: http://195.245.112.115/index.php
Unpacked files

SHA256 hash: 4f017f2d29c79dabdc5c6c922e1358cc4abe1217da5dda883bbf4c730342dcc6
MD5 hash: 60d2571aeff44d909326aba878883d9d
SHA1 hash: a3926b97ec07bd9b4650de3886f644220112ab2a

SHA256 hash: f96820c949bba74d4d28c2f933abdb1d96412c4571719acb8b7357af6637f025
MD5 hash: 6bda79a8d37c0bf0f6f02242923302b2
SHA1 hash: 9958c8233b36ff1c8601fecfa8d23472b308a91d

SHA256 hash: cf53ff0d37aebe460b5e77775661bb8d06fb53cdf8f7fbdbcf07a70d001cbf7f
MD5 hash: d4f747512304bc1c3d295c831e29ff95
SHA1 hash: fc0e14877893ab7b27c72773a0b1a60eeb09ec3a

SHA256 hash: 672fea64c92edc4d937d3132577b65813738bfddeab6a6b3ef35e6fa4b987009
MD5 hash: c3f533c47a2f995cd4b5d16653698609
SHA1 hash: 223cfb523ff8b64b339a34db3808dc6a386752a4

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MAL_Lokibot_Stealer
Description: Detects Lokibot Stealer Variants
Rule name: Redline_Stealer_Monitor
Description: Detects RedLine Stealer Variants

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: AZORult
File: Executable exe 672fea64c92edc4d937d3132577b65813738bfddeab6a6b3ef35e6fa4b987009 (this sample)

Comments