MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 77139402d8d38cfedb303222793713f82654f83e9b813f45630af29fed601076. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 12


Intelligence 12 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 77139402d8d38cfedb303222793713f82654f83e9b813f45630af29fed601076
SHA3-384 hash: 80ec2af2b3f9947cc4a7d8b77d5fd152bbe9dfc5af57072645e5ddcd397d48cd860611a1adfcbde3c9c14bd81f203d79
SHA1 hash: ed4adcd7db3c9ca837abb379b9a29a6734320bb9
MD5 hash: 6f0964c3c582ac027aa42f0be2f978d6
humanhash: minnesota-hot-steak-violet
File name:swift.pdf.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:432'873 bytes
First seen:2023-09-05 08:30:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6e7f9a29f2c85394521a08b9f31f6275 (293 x GuLoader, 51 x VIPKeylogger, 48 x RemcosRAT)
ssdeep 6144:uT4DtHOOUPy5MI1RhksWkohzakN+jjoPo3hcxrOx/SGI4HY0JCKtQzWXRqI8yEk4:uTeeZjN+HoA3h2r4SKQYhqI8dkg5
Threatray 1'014 similar samples on MalwareBazaar
TLSH T15494E0812B90DA3FE79E1B3484F5EB7842B8ACE07862860377953E9F7E15F8DD905250
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 61d4d4d4f8ec71b2 (4 x AZORult, 1 x GuLoader)
Reporter abuse_ch
Tags:AZORult exe


Avatar
abuse_ch
AZORult C2:
http://lqr1.shop/LQ341/index.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
312
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
guloader
Create hunting rule
ID:
1
File name:
swift.pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-09-05 08:33:24 UTC
Tags:
guloader
Link:
https://app.any.run/tasks/6033c2d1-b417-4262-9734-64e5352b6523

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/446269/
Detection(s):
SecuriteInfo.com.FileRepMalware.26218.19209.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Creating a file
Delayed reading of the file
Creating a file in the %temp% subdirectories
Sending a custom TCP request
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm control lolbin masquerade overlay packed shell32
Link:
https://www.filescan.io/uploads/64f6e749c95366b9efff5174/reports/3c61f2ca-5d6d-4cf7-af86-f46b57c94c31/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/77139402d8d38cfedb303222793713f82654f83e9b813f45630af29fed601076
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/bc23f804-1324-4fdf-a43d-05e67af7e66b
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad.phis.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1303373
Signature
Antivirus / Scanner detection for submitted sample
Initial sample is a PE file and has a suspicious name
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Self deletion via cmd or bat file
Snort IDS alert for network traffic
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1303373 Sample: swift.pdf.exe Startdate: 05/09/2023 Architecture: WINDOWS Score: 100 34 lqr1.shop 2->34 36 cedyourspace.wpengine.com 2->36 42 Snort IDS alert for network traffic 2->42 44 Antivirus / Scanner detection for submitted sample 2->44 46 Multi AV Scanner detection for submitted file 2->46 48 3 other signatures 2->48 9 swift.pdf.exe 5 32 2->9         started        signatures3 process4 file5 24 C:\Users\user\AppData\Local\...\System.dll, PE32 9->24 dropped 50 Self deletion via cmd or bat file 9->50 52 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 9->52 54 Tries to detect Any.run 9->54 56 Maps a DLL or memory area into another process 9->56 13 swift.pdf.exe 63 9->13         started        signatures6 process7 dnsIp8 38 lqr1.shop 104.21.52.95, 49729, 49730, 80 CLOUDFLARENETUS United States 13->38 40 cedyourspace.wpengine.com 104.154.100.242, 443, 49728 GOOGLEUS United States 13->40 26 C:\Users\user\AppData\...\vcruntime140.dll, PE32 13->26 dropped 28 C:\Users\user\AppData\Local\...\ucrtbase.dll, PE32 13->28 dropped 30 C:\Users\user\AppData\Local\...\softokn3.dll, PE32 13->30 dropped 32 45 other files (none is malicious) 13->32 dropped 58 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 13->58 60 Tries to steal Instant Messenger accounts or passwords 13->60 62 Tries to steal Mail credentials (via file / registry access) 13->62 64 6 other signatures 13->64 18 cmd.exe 1 13->18         started        file9 signatures10 process11 process12 20 conhost.exe 18->20         started        22 timeout.exe 1 18->22         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/77139402d8d38cfedb303222793713f82654f83e9b813f45630af29fed601076/
Threat name:
Win32.Trojan.GuLoader
Create hunting rule
Status:
Malicious
First seen:
2023-09-05 08:31:06 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=o4jziawy2ogp5wzqgirhsnyt7atfj6b6toat6rldblzj73lacb3a._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
cloudeye
Create hunting rule
Similar samples:
052268101b875a7f7d0cdac6f63127b5a4cb39d98b3aab856874b0ffed500ab1
AZORult
31c5ddd1fbe36e68985803eda63bfeaaccce58774389be0c0fc339d214ea1353
AZORult
3a6341209457442497117e5f32a2c7401328c5fbfe07a18d16411c724663de67
AZORult
62173847065d1aa1b93254e623844a1f223a4df4a06499f21b64fe82389fb327
AZORult
a800f3aefe262ccf51d647a154e8db7195ff6e4a360ec3f84586f763abff19fd
AZORult
b4cdcd853c6ff95dfa20e1667b4b7901dc74e13a7fa0ee1300da949e527ce288
AZORult
cb34bcf1043d10a15d4a823fe188296e161b88b630f090c8dc644de84b6105ae
AZORult
f5d0792248cb4a496cb1d59f94aa291e734b250760018e533290c9aa573276c0
AZORult
+ 1'004 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:azorult family:guloader collection discovery downloader infostealer spyware stealer trojan
Link:
https://tria.ge/reports/230905-kepwmseb9y/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks QEMU agent file
Checks computer location settings
Loads dropped DLL
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Azorult
Guloader,Cloudeye
Unpacked files
SH256 hash:
acf90ab6f4edc687e94aaf604d05e16e6cfb5e35873783b50c66f307a35c6506
MD5 hash:
6e55a6e7c3fdbd244042eb15cb1ec739
SHA1 hash:
070ea80e2192abc42f358d47b276990b5fa285a9
Link:
https://www.unpac.me/results/ad97f7d9-5e80-4ccd-a8bf-5547afbea240/
SH256 hash:
77139402d8d38cfedb303222793713f82654f83e9b813f45630af29fed601076
MD5 hash:
6f0964c3c582ac027aa42f0be2f978d6
SHA1 hash:
ed4adcd7db3c9ca837abb379b9a29a6734320bb9
Link:
https://www.unpac.me/results/ad97f7d9-5e80-4ccd-a8bf-5547afbea240/
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/77139402d8d3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.23
Link:
https://yomi.yoroi.company/submissions/77139402d8d38cfedb303222793713f82654f83e9b813f45630af29fed601076

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Azorult
Create hunting rule
Author:kevoreilly
Description:Azorult Payload
Rule name:BobSoftMiniDelphiBoBBobSoft
Create hunting rule
Author:malware-lu
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:malware_Azorult
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Azorult in memory
Reference:internal research
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Telegram_Links
Create hunting rule
Rule name:Trojan_W32_Gh0stMiancha_1_0_0
Create hunting rule
Rule name:Windows_Trojan_Azorult_38fce9ea
Create hunting rule
Author:Elastic Security
Rule name:win_azorult_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.azorult.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/446269/

Comments