MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7de2c1bf58bce09eecc70476747d88a26163c3d6bb1d85235c24a558d1f16754. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7de2c1bf58bce09eecc70476747d88a26163c3d6bb1d85235c24a558d1f16754
SHA3-384 hash: 139b8890e573e4c759e4904902b3ece1b4b8c1fd7a49fc8ccd482226581c88e4d1ce074f0ab274238a87b273d8dc74e4
SHA1 hash: 77543bde72105ae1a28cc71815d9ea89ea162052
MD5 hash: c40aead7a31d14e05b2ee4a11849eced
humanhash: lithium-lion-blossom-music
File name:New Order POA12990120 From Akweni Group.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:903'680 bytes
First seen:2020-10-19 09:54:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:XxaJCK7NVuJfemYEV54zO26bb9A1GKZHNYPzodGCrJ:JJ4+4zkA1GUKzodGCr
Threatray 354 similar samples on MalwareBazaar
TLSH AA15491232F50F49F8BE97F9562810918777BA9E513ED24C7D8D30DE4BA2B010A67B27
Reporter abuse_ch
Tags:AZORult exe


Avatar
abuse_ch
Malspam distributing AZORult:

HELO: host.noanfair.com
Sending IP: 69.64.34.145
From: akwenigroup@mweb.co.za
Subject: New Order PO/A129901/20 From Akweni Group
Attachment: New Order POA12990120 From Akweni Group.gz (contains "New Order POA12990120 From Akweni Group.exe")

AZORult C2:
http://185.239.242.174/owa/index.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
289
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Azorult
Create hunting rule
Link:
https://www.capesandbox.com/analysis/72842/
Detection(s):
SecuriteInfo.com.Trojan.InjectNET.14.27839.30.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Creating a file
Sending an HTTP POST request
Creating a file in the %temp% subdirectories
Deleting a recently created file
Reading critical registry keys
Running batch commands
Creating a process with a hidden window
Launching a process
Stealing user critical data
Result
Threat name:
AZORult
Create hunting rule
Detection:
malicious
Classification:
phis.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/495162
Signature
.NET source code contains potential unpacker
Binary contains a suspicious time stamp
Detected AZORult Info Stealer
Found many strings related to Crypto-Wallets (likely being stolen)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Yara detected AntiVM_3
Yara detected Azorult
Yara detected Azorult Info Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 300035 Sample: New Order POA12990120 From ... Startdate: 19/10/2020 Architecture: WINDOWS Score: 100 35 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->35 37 Malicious sample detected (through community Yara rule) 2->37 39 Detected AZORult Info Stealer 2->39 41 9 other signatures 2->41 8 New Order POA12990120 From Akweni Group.exe 3 2->8         started        process3 file4 23 New Order POA12990...kweni Group.exe.log, ASCII 8->23 dropped 43 Injects a PE file into a foreign processes 8->43 12 New Order POA12990120 From Akweni Group.exe 67 8->12         started        signatures5 process6 dnsIp7 33 185.239.242.174, 49718, 49731, 80 CLOUDIE-AS-APCloudieLimitedHK Moldova Republic of 12->33 25 C:\Users\user\AppData\...\vcruntime140.dll, PE32 12->25 dropped 27 C:\Users\user\AppData\Local\...\ucrtbase.dll, PE32 12->27 dropped 29 C:\Users\user\AppData\Local\...\softokn3.dll, PE32 12->29 dropped 31 45 other files (none is malicious) 12->31 dropped 45 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 12->45 47 Tries to steal Instant Messenger accounts or passwords 12->47 49 Tries to steal Mail credentials (via file access) 12->49 51 4 other signatures 12->51 17 cmd.exe 1 12->17         started        file8 signatures9 process10 process11 19 conhost.exe 17->19         started        21 timeout.exe 1 17->21         started       
Detection:
azorult
Create hunting rule
Link:
https://mwdb.cert.pl/sample/7de2c1bf58bce09eecc70476747d88a26163c3d6bb1d85235c24a558d1f16754/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-19 05:14:13 UTC
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=pxrmdp2yxtqj53ghar3hi7miujqwhq6wxmoyki24essvruprm5ka._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
Similar samples:
4551d06a33be96c8808d2e180d6cf35c50cbf2dc114a51e90aa49bb4597e2936
AZORult
4639769fea49849bb1a85d41d7dc9f4975e0945b3e5b0622503a71b8a97faccf
AZORult
556078f7b9c9cc0472e000c38af7b5285ebc9e9e70282c5fa9e8b9063bcd16ac
AZORult
64f4cb67826d72ac5256bb0dd92604157d9e4a5e7603e6e68f3b262f8db041c1
AZORult
6dbc3fe357de91609d5f9364bb1e4498872d18582146558fb16dc9d4b3ba9f83
AZORult
7580b583ccf57526e5a5ca40651ec5a95abe64b77a7c223f037443e480fbe185
AZORult
c578d33e132ccbbc26a4a31e6054fea7f42591b391e9b8eb30eaf732ed119088
AZORult
d29ac350da06473f2b10f012951942d5b90e2df48693ab8e6691fa4cf657accd
AZORult
eb96ab93249a86be52aa53a58fb8667b4c54f6b6dbc899fd23ea56b12b52a001
AZORult
f158be721fb34c71dedeb65d051c18da565e0aa8e1e2bf1f86e585e93c22a739
AZORult
+ 344 additional samples on MalwareBazaar
Result
Malware family:
azorult
Create hunting rule
Score:
  10/10
Tags:
trojan infostealer family:azorult spyware discovery
Link:
https://tria.ge/reports/201019-v5h9hvxwee/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
JavaScript code in executable
Deletes itself
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Azorult
Malware Config
C2 Extraction:
http://185.239.242.174/owa/index.php
Unpacked files
SH256 hash:
7de2c1bf58bce09eecc70476747d88a26163c3d6bb1d85235c24a558d1f16754
MD5 hash:
c40aead7a31d14e05b2ee4a11849eced
SHA1 hash:
77543bde72105ae1a28cc71815d9ea89ea162052
Link:
https://www.unpac.me/results/c6cad7cc-f354-4c93-b8e7-3e13e435bb32/
SH256 hash:
341f09c6fbcc5b749dee47af2e72dcee3ae399049fb8f8059a4c5311e19a6a93
MD5 hash:
3f888eb363dcaf2f014850d40a71e081
SHA1 hash:
2173796dbad1db14e6738d806ce8be7cbbf7c962
Detections:
win_azorult_g1
Create hunting rule
win_azorult_auto
Create hunting rule
Link:
https://www.unpac.me/results/c6cad7cc-f354-4c93-b8e7-3e13e435bb32/
Parent samples :
72cdab689d7d8015c3c033cb824a95148664662ad100735ca09bdd0da5cf139d
39a2033a8ecbbf30857ce622d6366e363dcd9679814899b46dcabf99cf5c5fde
6dbc3fe357de91609d5f9364bb1e4498872d18582146558fb16dc9d4b3ba9f83
7de2c1bf58bce09eecc70476747d88a26163c3d6bb1d85235c24a558d1f16754
SH256 hash:
4f869eb5d9a49deb5192fa9346ead3a5311fa84cc901cd3ef83fcdc4bc7d9ac3
MD5 hash:
3b764d2758bde3ef9a7e3436b35428b7
SHA1 hash:
46d99dd17f600f8590fcadace8af87a06c984adf
Link:
https://www.unpac.me/results/c6cad7cc-f354-4c93-b8e7-3e13e435bb32/
SH256 hash:
a422b3f60537547ed3e01edb44f3ba7fbed612e16b51bb8658416b35dd34b9c0
MD5 hash:
03455acc48f46d7e7d06efabd6e99caf
SHA1 hash:
a993ff219de00504a775457e3813a579450f194f
Link:
https://www.unpac.me/results/c6cad7cc-f354-4c93-b8e7-3e13e435bb32/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7de2c1bf58bce09eecc70476747d88a26163c3d6bb1d85235c24a558d1f16754

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AZORult

gz 920f5880797ad30726cd5c3707fbba03f2e3e54de39a306a8903ce08b5301bdc

AZORult

Executable exe 7de2c1bf58bce09eecc70476747d88a26163c3d6bb1d85235c24a558d1f16754

(this sample)

  
Dropped by
MD5 6e11af9a2132859a07b369d52ce5ca69
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/72842/
  
Dropped by
SHA256 920f5880797ad30726cd5c3707fbba03f2e3e54de39a306a8903ce08b5301bdc

Comments