MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 70d8d034297fe9822e7d37b5bf6114feea1ba13fe520e00f49824ff0f6035664. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AZORult

Vendor detections: 15

Intelligence 15 IOCs YARA 1 File information Comments

SHA256 hash:	70d8d034297fe9822e7d37b5bf6114feea1ba13fe520e00f49824ff0f6035664
SHA3-384 hash:	13342bfdfa46bca5bda599fb16c91d34723bd959e2ffb434e6beb4c9534fd6bc7fdd84c9ba64ceaf5aa93c05c9bd8484
SHA1 hash:	8b9bb06e16870888b13421ac12af69457805acbb
MD5 hash:	3b67152de2d900bb3b228479c9e66009
humanhash:	kilo-uncle-finch-princess
File name:	gunzipped.exe
Download:	download sample
Signature	AZORult Create hunting rule
File size:	193'536 bytes
First seen:	2022-11-23 13:10:34 UTC
Last seen:	2022-12-08 12:44:22 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	3b87bff067b5f9fe7695dea0b53d917d (5 x Smoke Loader, 2 x Amadey, 1 x AZORult)
ssdeep	3072:lqlogF7qLrrnfKWauO58EUiXlqeURsoR+0bc5aCkQFzi:UlILrrnfKxiPiVqeUxR+nk2
TLSH	T17314DF3276C0D072C96B0D708920DAA4EFBEB8305578865B7B981BBE9F703D16736356
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	25ac137039939b91 (15 x Smoke Loader, 12 x Amadey, 6 x RedLineStealer)
Reporter	abuse_ch
Tags:	AZORult exe

abuse_ch

AZORult C2:
http://194.55.186.10/fredo/index.php

Intelligence

File Origin

# of uploads :

# of downloads :

430

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

azorult

ID:

File name:

gunzipped.exe

Verdict:

Malicious activity

Analysis date:

2022-11-23 13:12:20 UTC

Tags:

trojan rat azorult stealer

Link:

https://app.any.run/tasks/bbec66d2-6ef9-4681-857e-bd7593641441

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Azorult

Link:

https://www.capesandbox.com/analysis/337611/

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.15455.9411.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Sending an HTTP POST request

Sending a custom TCP request

Creating a file in the %temp% subdirectories

Creating a file

Reading critical registry keys

Creating a window

Running batch commands

Creating a process with a hidden window

Launching a process

Stealing user critical data

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/637e1be700c584752ee1984e/reports/6c957b69-3516-4704-a2eb-ee25f1812793/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

AZORult

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/0a7c20a8-47d0-4cf1-942a-81aa9d2beda4

Result

Threat name:

Azorult

Detection:

malicious

Classification:

phis.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1119713

Signature

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Self deletion via cmd or bat file

Snort IDS alert for network traffic

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Crypto Currency Wallets

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file / registry access)

Yara detected Azorult

Yara detected Azorult Info Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/70d8d034297fe9822e7d37b5bf6114feea1ba13fe520e00f49824ff0f6035664/

Threat name:

Win32.Trojan.SmokeLoader

Status:

Malicious

First seen:

2022-11-23 13:11:07 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 26 (84.62%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=odmnanbjp7uyelt5g6236yiu73vbxij74uqoad2jqjh7b5qdkzsa._file

Verdict:

malicious

Label(s):

azorult

Result

Malware family:

azorult

Score:

10/10

Tags:

family:azorult collection discovery infostealer spyware stealer trojan

Link:

https://tria.ge/reports/221123-qext5sdg79/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Accesses Microsoft Outlook profiles

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Deletes itself

Loads dropped DLL

Reads data files stored by FTP clients

Reads local data of messenger clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Azorult

Malware Config

C2 Extraction:

http://194.55.186.10/fredo/index.php

Unpacked files

SH256 hash:

daaef244bcedbc9996a3daa19b69f2e8e243d9760d570a1b80b279b883fe8863

MD5 hash:

e3fda561245ffa4cc34b4c27e69b07a2

SHA1 hash:

d8093b171fd09ec95d0c6ac325dd8b3914009f83

Detections:

Azorult

win_azorult_auto

win_azorult_g1

Link:

https://www.unpac.me/results/c251868a-b2ed-4585-8d4a-6d4da6c0a2c4/

Parent samples :

70d8d034297fe9822e7d37b5bf6114feea1ba13fe520e00f49824ff0f6035664
1b520e117dae79ccc96a3305ab1a96b0aadc516f0ba1711b32d8ae974312ac39

SH256 hash:

70d8d034297fe9822e7d37b5bf6114feea1ba13fe520e00f49824ff0f6035664

MD5 hash:

3b67152de2d900bb3b228479c9e66009

SHA1 hash:

8b9bb06e16870888b13421ac12af69457805acbb

Link:

https://www.unpac.me/results/c251868a-b2ed-4585-8d4a-6d4da6c0a2c4/

Malware family:

AZORult v3

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/70d8d034297f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/70d8d034297fe9822e7d37b5bf6114feea1ba13fe520e00f49824ff0f6035664

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/337611/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample