MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6e3d344af8c112b08250ac66287871145be753315dae86e7b879747aa3e91fe9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AZORult

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	6e3d344af8c112b08250ac66287871145be753315dae86e7b879747aa3e91fe9
SHA3-384 hash:	c8f1683c591fdf3b73e0427e00b980a32e906c6bb111bff9edf2a41068d950f871b91323c0b7b4dd9e3af091f2a019c9
SHA1 hash:	b594dfcdd7a687f096f3c716d7422a90cf38187a
MD5 hash:	e2364bf02a16273fd751186b596557de
humanhash:	queen-crazy-four-kitten
File name:	e2364bf02a16273fd751186b596557de.exe
Download:	download sample
Signature	AZORult Create hunting rule
File size:	713'216 bytes
First seen:	2020-10-05 14:32:44 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	41cd3d95714b0df8060323fdc67b3eba (10 x AgentTesla, 6 x Loki, 1 x MassLogger)
ssdeep	12288:HcAt9L2fndhBK2w3p3z+iqiBZdMuWD9gP+8N4am2kBeJRBqOaoa:tHqhBFgBg6+2UIKHoa
Threatray	374 similar samples on MalwareBazaar
TLSH	60E49D22B2F14833D16716399FDB6774DC29BE503D28AB4A2FE4DC4C9F396817819293
Reporter	abuse_ch
Tags:	AZORult exe

abuse_ch

AZORult C2:
http://ciuj.ir/nwama/index.php

Intelligence

File Origin

# of uploads :

# of downloads :

201

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Azorult

Link:

https://www.capesandbox.com/analysis/68266/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Unauthorized injection to a recently created process

DNS request

Sending an HTTP POST request

Creating a file in the %temp% subdirectories

Creating a file

Deleting a recently created file

Reading critical registry keys

Stealing user critical data

Result

Threat name:

Azorult

Detection:

malicious

Classification:

phis.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/481664

Signature

Binary contains a suspicious time stamp

Contains functionality to detect sleep reduction / modifications

Detected unpacking (changes PE section rights)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Crypto Currency Wallets

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file access)

Yara detected Azorult

Yara detected Azorult Info Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6e3d344af8c112b08250ac66287871145be753315dae86e7b879747aa3e91fe9/

Threat name:

Win32.Trojan.LokiBot

Status:

Malicious

First seen:

2020-10-05 12:44:03 UTC

AV detection:

27 of 29 (93.10%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ny6tisxyyejlbasqvrtcq6drcrn6ouzrlwxinz5ypf2hvi7jd7uq._file

Verdict:

malicious

Label(s):

azorult

Result

Malware family:

azorult

Score:

10/10

Tags:

trojan infostealer family:azorult spyware discovery

Link:

https://tria.ge/reports/201005-ywx1ceegka/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Checks installed software on the system

JavaScript code in executable

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Azorult

Unpacked files

SH256 hash:

ead4819f43d7ef521945b3be7ab585629b837ef4ce53a60fa7fc45bba00129b9

MD5 hash:

e51331f4c05e2951f93459d43c7a702e

SHA1 hash:

d4ed3ce3d49d7da0e8865783fa74ebdab8d8cf8d

Detections:

win_azorult_g1

win_azorult_auto

Link:

https://www.unpac.me/results/5f82aeb4-cbe8-4e82-b17f-a8ac90c91129/

SH256 hash:

6e3d344af8c112b08250ac66287871145be753315dae86e7b879747aa3e91fe9

MD5 hash:

e2364bf02a16273fd751186b596557de

SHA1 hash:

b594dfcdd7a687f096f3c716d7422a90cf38187a

Link:

https://www.unpac.me/results/5f82aeb4-cbe8-4e82-b17f-a8ac90c91129/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6e3d344af8c112b08250ac66287871145be753315dae86e7b879747aa3e91fe9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AZORult

exe 6e3d344af8c112b08250ac66287871145be753315dae86e7b879747aa3e91fe9

(this sample)

Cape

https://www.capesandbox.com/analysis/68266/

URLhaus

https://urlhaus.abuse.ch/url/596088/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample