MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7a26599b107a7879da6585b091f04b458bef99d7f005daea37c8721ad8e7982b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AZORult

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	7a26599b107a7879da6585b091f04b458bef99d7f005daea37c8721ad8e7982b
SHA3-384 hash:	230629639d4546ed865f374537f91e8938ca780f9ea455d8cb7ab1f12aceaa1f2ec35d10be3f6b922191ea92d78a1a62
SHA1 hash:	ace54d33a85d55c3eac66898f84fc954c70ed8f9
MD5 hash:	7cc4697f636a065995a8ca4f944f307f
humanhash:	william-uncle-violet-bulldog
File name:	SecuriteInfo.com.Trojan.PackedNET.405.30786.16443
Download:	download sample
Signature	AZORult Create hunting rule
File size:	712'192 bytes
First seen:	2020-12-01 20:52:43 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:IzXz/bnv0g+ZXy9HRh8nCQrWGJBLgKUaXYvu0W73yYtnFO6dm+E5gE:IzXzjv0g+Z4a7rpLUaItM3yr6D
Threatray	463 similar samples on MalwareBazaar
TLSH	93E402738111BEA4FABE0F38A45035885C946A278735F24EFD88069B75EB118DED9DF0
Reporter	SecuriteInfoCom
Tags:	AZORult

Intelligence

File Origin

# of uploads :

# of downloads :

261

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/106293/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.405.30786.16443.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Unauthorized injection to a recently created process

Creating a file

Sending an HTTP POST request

Creating a file in the %temp% subdirectories

Deleting a recently created file

Reading critical registry keys

Stealing user critical data

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Azorult

Detection:

malicious

Classification:

spyw.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/552981

Signature

.NET source code contains potential unpacker

Binary contains a suspicious time stamp

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected AntiVM_3

Yara detected Azorult

Yara detected Azorult Info Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7a26599b107a7879da6585b091f04b458bef99d7f005daea37c8721ad8e7982b/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-12-01 18:02:39 UTC

AV detection:

24 of 28 (85.71%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=pitftgyqpj4htwtfqwyjd4cliwf67gox6ac5v2rxzbzbvwhhtavq._file

Verdict:

malicious

Label(s):

azorult

Result

Malware family:

azorult

Score:

10/10

Tags:

family:azorult discovery infostealer spyware trojan

Link:

https://tria.ge/reports/201201-z5p1l5x95n/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Checks installed software on the system

JavaScript code in executable

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Azorult

Malware Config

C2 Extraction:

http://45.56.106.128/index.php

Unpacked files

SH256 hash:

7a26599b107a7879da6585b091f04b458bef99d7f005daea37c8721ad8e7982b

MD5 hash:

7cc4697f636a065995a8ca4f944f307f

SHA1 hash:

ace54d33a85d55c3eac66898f84fc954c70ed8f9

Link:

https://www.unpac.me/results/f2167d7c-28bc-4b24-a4ae-bf08048b5cb1/

SH256 hash:

c88a66cbf00b12c88e2b970b8bc220e970e8465e56098ced24e97d42be901b94

MD5 hash:

a60401dc02ff4f3250a749965097e13f

SHA1 hash:

3f22d28fd765f831084cb972a8bd071e421c26a1

Link:

https://www.unpac.me/results/f2167d7c-28bc-4b24-a4ae-bf08048b5cb1/

SH256 hash:

be42a528806f4329472c384c64d8c7913a7c974535736392072949e62d5962c6

MD5 hash:

3fb863b6f60c4a24bf73420716d63750

SHA1 hash:

b3f4a91c2f1f7524acec9cce21071c7631ecae7b

Link:

https://www.unpac.me/results/f2167d7c-28bc-4b24-a4ae-bf08048b5cb1/

SH256 hash:

b06fea849dc504bf85d38ae76dc8ea0586bbfc10b6d742c09dfbeddfa63663eb

MD5 hash:

0d52c93044341b7a43969a26b6883cdc

SHA1 hash:

c380d67243572fcadbfed82ded4007ade938b85e

Detections:

win_azorult_g1

win_azorult_auto

Link:

https://www.unpac.me/results/f2167d7c-28bc-4b24-a4ae-bf08048b5cb1/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7a26599b107a7879da6585b091f04b458bef99d7f005daea37c8721ad8e7982b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AZORult

exe 7a26599b107a7879da6585b091f04b458bef99d7f005daea37c8721ad8e7982b

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/880133/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/106293/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample