MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6ff7947479912de1b93ea3dc430d871993d1deec9e68c7ba52f1bfe2fac95562. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6ff7947479912de1b93ea3dc430d871993d1deec9e68c7ba52f1bfe2fac95562
SHA3-384 hash: e3fb6a9aa278374b40906514017ef133010a06d6a278e707b56ffc82dd8d8e4d1350050be7bce49c4243c095c86ca538
SHA1 hash: 238d2ab0b15d58064f3cdc6ca5a57d103d4fad58
MD5 hash: b4a664cd81c1fccf3c416ae49d6f5b4d
humanhash: helium-cola-xray-wyoming
File name:Order Confirmation.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:754'688 bytes
First seen:2020-10-12 19:30:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'660 x AgentTesla, 19'470 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:44ZOOxeala5FY1bihfCrhB3J9QAuzqyb41SuB9O91v1hV0blXNKT7kMBlhguipMa:7xr0atihfCrD5yiyVecbVs9KTQcle+9Y
Threatray 342 similar samples on MalwareBazaar
TLSH BCF4E0F9B2E84D8BC9AD3DF690124A8047F61A52347DE3C86DC651EE0DD5F4B4A102BB
Reporter abuse_ch
Tags:AZORult exe


Avatar
abuse_ch
Malspam distributing AZORult:

HELO: singnet.com.sg
Sending IP: 64.137.176.41
From: Mattias Hallberg <percenna@singnet.com.sg>
Subject: Re: Order Confirmation
Attachment: Order Confirmation.z (contains "Order Confirmation.exe")

AZORult C2:
http://64.137.176.70/index.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
203
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/70208/
Detection(s):
SecuriteInfo.com.Trojan.Packed2.42621.9241.4853.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a file
Sending an HTTP POST request
Creating a file in the %temp% directory
Deleting a recently created file
Running batch commands
Creating a process with a hidden window
Unauthorized injection to a system process
Result
Threat name:
Azorult
Create hunting rule
Detection:
malicious
Classification:
phis.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/488904
Signature
.NET source code contains potential unpacker
Binary contains a suspicious time stamp
DLL side loading technique detected
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected Azorult
Yara detected Azorult Info Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 296906 Sample: Order Confirmation.exe Startdate: 12/10/2020 Architecture: WINDOWS Score: 100 37 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->37 39 Multi AV Scanner detection for submitted file 2->39 41 Yara detected Azorult 2->41 43 7 other signatures 2->43 8 Order Confirmation.exe 3 2->8         started        process3 file4 25 C:\Users\user\...\Order Confirmation.exe.log, ASCII 8->25 dropped 45 Writes to foreign memory regions 8->45 47 Injects a PE file into a foreign processes 8->47 12 RegSvcs.exe 67 8->12         started        17 backgroundTaskHost.exe 1 14 8->17         started        signatures5 process6 dnsIp7 35 64.137.176.70, 49717, 49722, 80 DATACITYCA Canada 12->35 27 C:\Users\user\AppData\Local\Temp\...\nss3.dll, PE32 12->27 dropped 29 C:\Users\user\AppData\Local\...\mozglue.dll, PE32 12->29 dropped 31 C:\Users\user\AppData\...\vcruntime140.dll, PE32 12->31 dropped 33 45 other files (none is malicious) 12->33 dropped 49 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 12->49 51 Tries to steal Instant Messenger accounts or passwords 12->51 53 Tries to steal Mail credentials (via file access) 12->53 55 5 other signatures 12->55 19 cmd.exe 1 12->19         started        file8 signatures9 process10 process11 21 conhost.exe 19->21         started        23 timeout.exe 1 19->23         started       
Detection:
azorult
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6ff7947479912de1b93ea3dc430d871993d1deec9e68c7ba52f1bfe2fac95562/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2020-10-12 14:57:51 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=n73zi5dzsew6doj6upoegdmhdgj5dxxmtzumposs6g76f6wjkvra._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
Similar samples:
4551d06a33be96c8808d2e180d6cf35c50cbf2dc114a51e90aa49bb4597e2936
AZORult
4639769fea49849bb1a85d41d7dc9f4975e0945b3e5b0622503a71b8a97faccf
AZORult
556078f7b9c9cc0472e000c38af7b5285ebc9e9e70282c5fa9e8b9063bcd16ac
AZORult
64f4cb67826d72ac5256bb0dd92604157d9e4a5e7603e6e68f3b262f8db041c1
AZORult
7580b583ccf57526e5a5ca40651ec5a95abe64b77a7c223f037443e480fbe185
AZORult
c578d33e132ccbbc26a4a31e6054fea7f42591b391e9b8eb30eaf732ed119088
AZORult
d29ac350da06473f2b10f012951942d5b90e2df48693ab8e6691fa4cf657accd
AZORult
eb96ab93249a86be52aa53a58fb8667b4c54f6b6dbc899fd23ea56b12b52a001
AZORult
f158be721fb34c71dedeb65d051c18da565e0aa8e1e2bf1f86e585e93c22a739
AZORult
f7505d1a7254a1a38c4570f0abb3fe3a462d3c34efca6372841ac37876d2af05
AZORult
+ 332 additional samples on MalwareBazaar
Result
Malware family:
azorult
Create hunting rule
Score:
  10/10
Tags:
trojan infostealer family:azorult spyware
Link:
https://tria.ge/reports/201012-3b617lrfla/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
JavaScript code in executable
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Azorult
Malware Config
C2 Extraction:
http://64.137.176.70/index.php
Unpacked files
SH256 hash:
6ff7947479912de1b93ea3dc430d871993d1deec9e68c7ba52f1bfe2fac95562
MD5 hash:
b4a664cd81c1fccf3c416ae49d6f5b4d
SHA1 hash:
238d2ab0b15d58064f3cdc6ca5a57d103d4fad58
Link:
https://www.unpac.me/results/2996910a-2e54-43b0-87e3-34faf8ccfd3e/
SH256 hash:
aa172b78794c614219f214748d4df26d7c409e5dd5fa9af57cb71e423f79d7a3
MD5 hash:
2040f28160e725bad4c27367ae110a5c
SHA1 hash:
6152f07c41294c5d0b5f1982e1b0556b2f8d3b7b
Detections:
win_azorult_g1
Create hunting rule
win_azorult_auto
Create hunting rule
Link:
https://www.unpac.me/results/2996910a-2e54-43b0-87e3-34faf8ccfd3e/
SH256 hash:
607f04646c9f16f7c23fa69d4b8f660fc7c44d40e4f73a0c70a2b315debdaa8b
MD5 hash:
a90baadadf904455325f7bc787185c7b
SHA1 hash:
7d833bb819d638008c98be469b05db2feaf201cd
Link:
https://www.unpac.me/results/2996910a-2e54-43b0-87e3-34faf8ccfd3e/
SH256 hash:
5c9cac9c2df1a6cf8689c48c0ec849f5a6900d4555b2f6323b72eaef3c04c3e1
MD5 hash:
01e30639082ff4d84de06f300e60fa07
SHA1 hash:
a583ad9319bdc27c1227479ef203c81f3e480e95
Link:
https://www.unpac.me/results/2996910a-2e54-43b0-87e3-34faf8ccfd3e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6ff7947479912de1b93ea3dc430d871993d1deec9e68c7ba52f1bfe2fac95562

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AZORult

z 7c1bbddf191b9565f4346b6b20aa39ad25f88a39977ecd07f0001c49d707c015

AZORult

Executable exe 6ff7947479912de1b93ea3dc430d871993d1deec9e68c7ba52f1bfe2fac95562

(this sample)

  
Dropped by
MD5 14abd7ad693d4b7d12f30cc6febe2d8f
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/70208/
  
Dropped by
SHA256 7c1bbddf191b9565f4346b6b20aa39ad25f88a39977ecd07f0001c49d707c015

Comments