MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6fd11b4a09db2c2713edbe0bb7536402e7e7bf0255ed7b80c6dc4d934938e327. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AZORult


Vendor detections: 13



SHA256 hash: 6fd11b4a09db2c2713edbe0bb7536402e7e7bf0255ed7b80c6dc4d934938e327
SHA3-384 hash: 669c7acc9a17d1be6940bdf43a2ecdd65411633b87c0f98c517fbdfd47b3422f3fe4f4c983d4253476276e2ae5e1f7c6
SHA1 hash: c746419307c55d44f9b7341efcaaa4ac1ee6e7dc
MD5 hash: 3b753f760f97b526392a2d7cd2f034b8
humanhash: early-sixteen-zebra-kilo
File name: 3b753f760f97b526392a2d7cd2f034b8.exe
Download: download sample
Signature AZORult
File size: 723'456 bytes
First seen: 2022-03-16 09:06:08 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:9IuwOEFgJGj51HzsH5AM3QJdZeSueVH++7kCL7tki:6uwOQvXxTeSuEHMQh9
Threatray 6'048 similar samples on MalwareBazaar
TLSH T163F4F1EA318C8B53EC25D3BDAABA951607B5BD659126E20A5CC63CC730B6FCD1409F07
dhash icon 68686cdcc6a6d2e1 (13 x AgentTesla, 5 x Formbook, 4 x AZORult)
Reporter abuse_ch
Tags: AZORult exe


abuse_ch
AZORult C2:
http://85.202.169.121/mann/index.php

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://85.202.169.121/mann/index.php
ThreatFox reference: https://threatfox.abuse.ch/ioc/395233/

Intelligence


File Origin
# of uploads: 1
# of downloads: 932
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Creating a file
Creating synchronization primitives
Sending an HTTP POST request
Creating a file in the %temp% subdirectories
Reading critical registry keys
Stealing user critical data
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
obfuscated packed strictor
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Azorult
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected Azorult
Yara detected Azorult Info Stealer
Behaviour
Threat name:
ByteCode-MSIL.Trojan.RealProtect
Status:
Malicious
First seen:
2022-03-15 22:00:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
16
AV detection:
29 of 41 (70.73%)
Threat level:
5/5
Result
Malware family:
n/a
Score:
5/10
Tags:
n/a
Behaviour
Modifies data under HKEY_USERS
Drops file in System32 directory
Unpacked files
Detections:
win_azorult_g1 win_azorult_auto
Malware family:
AZORult v3
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
AZORult
Executable exe 6fd11b4a09db2c2713edbe0bb7536402e7e7bf0255ed7b80c6dc4d934938e327 (this sample)
Delivery method: Distributed via web download

Comments