MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 71b1f56e4cb3057bd942df693c5e4fc85430867949e1b903341a64782cb7fb96. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 71b1f56e4cb3057bd942df693c5e4fc85430867949e1b903341a64782cb7fb96
SHA3-384 hash: 89832a267f3b60a8c46e7bdf3ef1d710adbb62ba8b77725806ffa48a571fe87858e01f741574b1c508ef49b74a0f01c6
SHA1 hash: 2a43e1498bdedd2275aa1d9c432f974c160067ba
MD5 hash: f425a74a9f8e2f4e27897019fe62b5e8
humanhash: ten-six-michigan-shade
File name:gunzipped.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:785'569 bytes
First seen:2023-06-08 14:16:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1f23f452093b5c1ff091a2f9fb4fa3e9 (285 x GuLoader, 40 x RemcosRAT, 28 x VIPKeylogger)
ssdeep 12288:dgQ44tKEnhKAwhaSGKxtLXHRwiLRCH/ppnJML+Is4mKvGs:d0CKvAwhZttzHtLkCLcdKV
Threatray 361 similar samples on MalwareBazaar
TLSH T18AF4AFA2F400808EEE25183FF576765C2AA56FED958B76E11351B7C71C72A42C38F60B
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon f2a286869e98f070 (4 x GuLoader, 3 x AZORult)
Reporter abuse_ch
Tags:AZORult exe


Avatar
abuse_ch
AZORult C2:
http://bllsl4.shop/DBO3/index.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
304
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
gunzipped.exe
Verdict:
Malicious activity
Analysis date:
2023-06-08 14:18:30 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a8957232-63cb-4610-9abb-00f79b8dd085

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/397002/
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.20620.6672.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a window
Creating a file in the %AppData% subdirectories
Creating a file
Delayed reading of the file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
guloader lolbin overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6481e2e142643c8ff4effcb6/reports/d18f9200-f652-4ce2-96c5-aeddd9089f96/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/71b1f56e4cb3057bd942df693c5e4fc85430867949e1b903341a64782cb7fb96
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/a45b3e8c-cea1-4028-aa8a-a07e4333b642
Result
Threat name:
GuLoader, Azorult
Create hunting rule
Detection:
malicious
Classification:
troj.evad.phis.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1251226
Signature
Found many strings related to Crypto-Wallets (likely being stolen)
Multi AV Scanner detection for submitted file
Self deletion via cmd or bat file
Snort IDS alert for network traffic
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Yara detected Azorult
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 884244 Sample: gunzipped.exe Startdate: 08/06/2023 Architecture: WINDOWS Score: 100 36 bllsl4.shop 2->36 38 wy6jla.ch.files.1drv.com 2->38 40 3 other IPs or domains 2->40 44 Snort IDS alert for network traffic 2->44 46 Multi AV Scanner detection for submitted file 2->46 48 Yara detected GuLoader 2->48 50 3 other signatures 2->50 9 gunzipped.exe 7 49 2->9         started        signatures3 process4 file5 24 C:\Users\...\CLI_Wrapper_ScenarioProfile.dll, PE32+ 9->24 dropped 26 C:\Users\user\AppData\Local\...\System.dll, PE32 9->26 dropped 52 Self deletion via cmd or bat file 9->52 54 Tries to detect Any.run 9->54 13 gunzipped.exe 63 9->13         started        signatures6 process7 dnsIp8 42 bllsl4.shop 172.67.218.132, 49898, 49901, 80 CLOUDFLARENETUS United States 13->42 28 C:\Users\user\AppData\...\vcruntime140.dll, PE32 13->28 dropped 30 C:\Users\user\AppData\Local\...\ucrtbase.dll, PE32 13->30 dropped 32 C:\Users\user\AppData\Local\...\softokn3.dll, PE32 13->32 dropped 34 45 other files (none is malicious) 13->34 dropped 56 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 13->56 58 Tries to steal Instant Messenger accounts or passwords 13->58 60 Tries to steal Mail credentials (via file / registry access) 13->60 62 6 other signatures 13->62 18 cmd.exe 1 13->18         started        file9 signatures10 process11 process12 20 conhost.exe 18->20         started        22 timeout.exe 1 18->22         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/71b1f56e4cb3057bd942df693c5e4fc85430867949e1b903341a64782cb7fb96/
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Malicious
First seen:
2023-06-08 11:14:19 UTC
File Type:
PE (Exe)
Extracted files:
8
AV detection:
16 of 37 (43.24%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ogy7k3smwmcxxwkc35utyxspzbkdbbtzjhq3sazudjshqlfx7ola._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
0dd1d1a74f49a15f9b7dcfc7890060807198b74b835cb17f60886a0f2c9c1376
AZORult
28ca1fe12d85075d947b1bc3292c14cba784ed1e22287e56819d9a1d86b2f7e4
AZORult
2e6a8bb2fcfef5cdc29aa03bfe22b01ebe7b3f71e09ad302dec93d672d1c3141
AZORult
3e924b372c019c41e9995a276ce5c1b1487d14ceb9fbc8d606a09a83df5989b8
AZORult
7fa868c908374d9a48101bf8ed26b2f2c762773594106f176bd4ca279a91932c
AZORult
bf71631457bec8633d10c816bfa914ef51bee4acda9a37c2613697976a21decb
AZORult
c2882a42e9ad87ef5260d3299307dae39af71853c75b44441c0dec497bc5c175
AZORult
c3a3c6015ffc1bc98b5a21f89e78049900e5796e67e098bead011a20a99e7b0d
AZORult
d99fdee30a323b0ed4cfbd9c4661530f45b368f829869604fb9a83debfff7a32
AZORult
ff3949d2a8e0d6b08d2b8b643cdfc6a26f44352da217b4a537e9c16d96ed7198
AZORult
+ 351 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:azorult family:guloader collection discovery downloader infostealer spyware stealer trojan
Link:
https://tria.ge/reports/230608-rlpb1sgf9t/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks QEMU agent file
Checks computer location settings
Loads dropped DLL
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Azorult
Guloader,Cloudeye
Malware Config
C2 Extraction:
http://bllsl4.shop/DBO3/index.php
Unpacked files
SH256 hash:
f004c568d305cd95edbd704166fcd2849d395b595dff814bcc2012693527ac37
MD5 hash:
8b3830b9dbf87f84ddd3b26645fed3a0
SHA1 hash:
223bef1f19e644a610a0877d01eadc9e28299509
Link:
https://www.unpac.me/results/ee436efc-aaef-4c2a-ada2-81449fe3ef99/
SH256 hash:
71b1f56e4cb3057bd942df693c5e4fc85430867949e1b903341a64782cb7fb96
MD5 hash:
f425a74a9f8e2f4e27897019fe62b5e8
SHA1 hash:
2a43e1498bdedd2275aa1d9c432f974c160067ba
Link:
https://www.unpac.me/results/ee436efc-aaef-4c2a-ada2-81449fe3ef99/
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/71b1f56e4cb3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/71b1f56e4cb3057bd942df693c5e4fc85430867949e1b903341a64782cb7fb96

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/397002/

Comments