MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7aa6630f2551f50849fc18f793c16fce8095c0d415816735442342c2e69634f9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AZORult

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	7aa6630f2551f50849fc18f793c16fce8095c0d415816735442342c2e69634f9
SHA3-384 hash:	78e6e605727bd26c4f58e9c2ca15f99da4c3a5c3791fc0879a68c3b6ae9fbd7b6427ffa682a39f2e6337180ecff37547
SHA1 hash:	5fe6b5c8ebee164bf50d2218e6feb6b62e9ba1a7
MD5 hash:	dfa027e1489af0c314f2138899ea4795
humanhash:	echo-oven-sink-harry
File name:	MTIR20283256_2101013335_2020050000219.PDF.exe
Download:	download sample
Signature	AZORult Create hunting rule
File size:	245'248 bytes
First seen:	2020-05-11 08:50:16 UTC
Last seen:	2020-05-11 09:58:43 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	3072:EK2cZDQu3IjpSXdTilqVqjT1XGuZRYkO2VBjwfZmnyKsknQ2VKnpB9E2IXNT1TGf:EKzr3kKG1d2B7JR+K2Gk1TTtZJWaT62
Threatray	54 similar samples on MalwareBazaar
TLSH	9A34012BBF9CFF63CD38457B94A6422C9BA043A96716D3A39C4918D60DE2384470767F
Reporter	abuse_ch
Tags:	AZORult exe KBank

abuse_ch

Malspam distributing AZORult:

HELO: server.avrasyarulman.com
Sending IP: 185.239.237.91
From: tradefinance@kasikornbank.com <tradefinance@kasikornbank.com>
Subject: Credit Advice from KBank
Attachment: MTIR20283256_2101013335_2020050000219.PDF.IMG (contains "MTIR20283256_2101013335_2020050000219.PDF.exe")

AZORult C2:
http://say-mak.com/ad/index.php

Intelligence

File Origin

# of uploads :

# of downloads :

107

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Trojan.Inject3.39816.27781.19052.UNOFFICIAL

Gathering data

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-05-11 09:27:11 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

24 of 31 (77.42%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=pktggdzfkh2qqsp4dd3zhqlpz2ajlqgucwawonkeenbmfzuwgt4q._file

Verdict:

malicious

Result

Malware family:

azorult

Score:

10/10

Tags:

family:azorult infostealer persistence trojan

Link:

https://tria.ge/reports/201109-cp8mkfg4nx/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Adds Run key to start application

Azorult

Malware Config

C2 Extraction:

http://say-mak.com/ad/index.php

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AZORult

img e8a779636958187247f4ccd48a3aa1daa2b114ffcd7a449fe04cb53a91d59dce

AZORult

exe 7aa6630f2551f50849fc18f793c16fce8095c0d415816735442342c2e69634f9

(this sample)

Dropped by

MD5 f0dfa54b13f7d258775b741bf5cef6fa

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 e8a779636958187247f4ccd48a3aa1daa2b114ffcd7a449fe04cb53a91d59dce

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample