MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6f91871f4fb08ca2553a80a053d983d39fabf1efc619b2e4b87972bd0d9c0d80. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 13


Intelligence 13 IOCs 2 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6f91871f4fb08ca2553a80a053d983d39fabf1efc619b2e4b87972bd0d9c0d80
SHA3-384 hash: e30b6b0374d1eef036bddde20acd97b2e977c47c52d1688b2518441af47bdf94251a849e50b94ef56ef0509771509e91
SHA1 hash: 36ad089001c90b717bf0e596c086a1fa2c383159
MD5 hash: 268b65efa4ac17d70eacac229fe8500e
humanhash: quiet-muppet-oklahoma-batman
File name:6F91871F4FB08CA2553A80A053D983D39FABF1EFC619B.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:26'624 bytes
First seen:2022-08-02 18:26:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1d88d597200c0081784c27940d743ec5 (6 x AZORult, 3 x RaccoonStealer, 1 x MBRLocker)
ssdeep 384:cj2fME1xnb4bJC/vX4nX2fWuVzjAp6FtYFBcVlrqaeCaNJawcudoD7UrVOZ2X:cjS8wnXC2uuVzVsiVinbcuyD7UrVO
Threatray 5'122 similar samples on MalwareBazaar
TLSH T119C2C007C84589F5C02F40B71D4E2E0CA265811CB7E9276D7AEC947BDFA4B58DCA139B
TrID 29.3% (.EXE) UPX compressed Win32 Executable (27066/9/6)
28.7% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4)
17.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
7.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
5.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter abuse_ch
Tags:AZORult exe


Avatar
abuse_ch
AZORult C2:
http://193.106.191.146/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://193.106.191.146/ https://threatfox.abuse.ch/ioc/841157/
http://goldrushaw.ug/kanorgate.php https://threatfox.abuse.ch/ioc/841158/

Intelligence

File Origin
# of uploads :
1
# of downloads :
863
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
arkei
Create hunting rule
ID:
1
File name:
6F91871F4FB08CA2553A80A053D983D39FABF1EFC619B.exe
Verdict:
Malicious activity
Analysis date:
2022-08-03 05:55:01 UTC
Tags:
loader stealer arkei trojan vidar rat azorult remcos
Link:
https://app.any.run/tasks/338e6454-3989-43f3-ad31-e02ea0721201

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/296008/
Detection(s):
PUA.Win.Packer.Upx-4
Create hunting rule

Win.Malware.Valyria-9821662-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a window
Sending a custom TCP request
Launching a file downloaded from the Internet
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/62e96c529ca9b9bfcbe58e19/reports/18879523-9185-4404-beb0-4cc94cec0628/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/385ee780-2deb-4c56-ad1a-d7e8b62b4d38
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1045115
Signature
Creates HTA files
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suspicious powershell command line found
VBScript found in memory of PE file
Yara detected BatToExe compiled binary
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 677609 Sample: 6F91871F4FB08CA2553A80A053D... Startdate: 02/08/2022 Architecture: WINDOWS Score: 84 57 wiwirdo.ac.ug 2->57 59 tuekisaa.ac.ug 2->59 61 9 other IPs or domains 2->61 65 Multi AV Scanner detection for domain / URL 2->65 67 Malicious sample detected (through community Yara rule) 2->67 69 Multi AV Scanner detection for submitted file 2->69 71 3 other signatures 2->71 10 6F91871F4FB08CA2553A80A053D983D39FABF1EFC619B.exe 10 2->10         started        signatures3 process4 file5 49 C:\Users\user\AppData\Local\Temp\...\m1a.hta, HTML 10->49 dropped 51 C:\Users\user\AppData\Local\Temp\...\m1.hta, HTML 10->51 dropped 53 C:\Users\user\AppData\Local\Temp\...\b2a.hta, HTML 10->53 dropped 55 3 other malicious files 10->55 dropped 73 Creates HTA files 10->73 14 cmd.exe 3 2 10->14         started        signatures6 process7 process8 16 mshta.exe 1 14->16         started        19 mshta.exe 1 14->19         started        21 mshta.exe 1 14->21         started        23 6 other processes 14->23 signatures9 63 Suspicious powershell command line found 16->63 25 powershell.exe 5 16->25         started        27 powershell.exe 19->27         started        29 powershell.exe 9 21->29         started        31 powershell.exe 23->31         started        33 powershell.exe 23->33         started        35 powershell.exe 23->35         started        process10 process11 37 conhost.exe 25->37         started        39 conhost.exe 27->39         started        41 conhost.exe 29->41         started        43 conhost.exe 31->43         started        45 conhost.exe 33->45         started        47 conhost.exe 35->47         started       
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6f91871f4fb08ca2553a80a053d983d39fabf1efc619b2e4b87972bd0d9c0d80/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2019-09-21 01:52:00 UTC
File Type:
PE (Exe)
Extracted files:
9
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=n6iyoh2pwcgkevj2qcqfhwmd2op2x4ppyym3fzfypfzl2dm4bwaa._file
Verdict:
malicious
Similar samples:
03626471a65baf211f2110cd91e52b9e44524780e042a473cd09d864d9af20a0
AZORult
1d128ffc3927d02e3393da5e27d2557766f82df921b09d42603b08d5724e9e9a
AZORult
28455b1a0b29240e95877cff96528b3a196f0cf3a63d9980dc70349cdc0e1e74
AZORult
2ced9b36b931b73b1d325bececd01f0e4fa6bd0fff98f8b76f2f45b473311cd0
AZORult
57c9630ff4575c0881314c5f31f4177249c84218642cef6c3896fbc6337c380a
AZORult
6887d3d4d5baa135418c2305915c56b448960d03c427f6c63c430465ddaa6547
AZORult
79352910f5e31ab1c843a5a7230d1f278dda20f721ad03243dd44f8d7806c2ed
AZORult
b0b3cf6d05e09c3e051e0a0b653f194c3cafdde345bfd85e6364b3e26a7b6f00
AZORult
e8e4a4c7c5c593136058722cabe2d42631feffde95d923f5fd7020b0c7286f22
AZORult
+ 5'112 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:arkei family:azorult family:raccoon family:remcos botnet:06192022 botnet:8a4fd4b44997ba634230ba5c422ca9f2 botnet:default discovery infostealer persistence rat spyware stealer trojan upx
Link:
https://tria.ge/reports/220802-w26y8abbbn/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
Arkei
Azorult
Raccoon
Raccoon Stealer payload
Remcos
Malware Config
C2 Extraction:
http://193.106.191.146/
http://185.215.113.89/
http://195.245.112.115/index.php
nikahuve.ac.ug:6968
kalskala.ac.ug:6968
tuekisaa.ac.ug:6968
parthaha.ac.ug:6968
Dropper Extraction:
http://nicoslag.ru/asdfg.exe
Unpacked files
SH256 hash:
f3339cd0c072aa38e5cc07b2b4bb18b138e191ecfe377b12a28f801497580a8d
MD5 hash:
63a87c99219fb98d7877b81379597ffc
SHA1 hash:
317a7733f0316b9c33fbf4f01482505d0b0a2062
Link:
https://www.unpac.me/results/46eaac69-6a2d-4483-a639-f1e0fcb69a83/
SH256 hash:
6f91871f4fb08ca2553a80a053d983d39fabf1efc619b2e4b87972bd0d9c0d80
MD5 hash:
268b65efa4ac17d70eacac229fe8500e
SHA1 hash:
36ad089001c90b717bf0e596c086a1fa2c383159
Link:
https://www.unpac.me/results/46eaac69-6a2d-4483-a639-f1e0fcb69a83/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6f91871f4fb08ca2553a80a053d983d39fabf1efc619b2e4b87972bd0d9c0d80

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/296008/

Comments