MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 868183d6e80d3a977ea679492ad7c869469d39504d2f4bc29b4a599577093fcd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 868183d6e80d3a977ea679492ad7c869469d39504d2f4bc29b4a599577093fcd
SHA3-384 hash: b164709014240b5e4ef3034e5f6844c1447e22d90e51948df36e6b2ffc56b1653055ac7a8ea994d109be95e9b1ddf896
SHA1 hash: 40ac56982e7f10ef74388eda20b45386f7695eb7
MD5 hash: 1b5463ed198252ba4f9f43de889c710c
humanhash: bravo-purple-happy-monkey
File name:1b5463ed198252ba4f9f43de889c710c.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:4'551'168 bytes
First seen:2020-12-02 08:32:25 UTC
Last seen:2020-12-02 10:51:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash cbbbd1f80ff1aaae8199044831514a9d (1 x AZORult)
ssdeep 49152:f53hmztUKasNiCk38FiIUcTPe6i1AbSm0dtq/MUkcQZfHaS58aC+Jn:f5lKE2MdtqkUkco8aJ
Threatray 1 similar samples on MalwareBazaar
TLSH 42268D00B7C7C435E2A3293306BAF325A6257E655BF386EB21543A3ED9713D36839325
Reporter abuse_ch
Tags:AZORult exe


Avatar
abuse_ch
AZORult C2:
http://31.184.194.180/index.php

Intelligence

File Origin
# of uploads :
2
# of downloads :
257
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/106343/
Detection(s):
SecuriteInfo.com.Variant.Zusy.350640.25316.2640.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a window
Searching for the window
Sending a UDP request
Sending an HTTP GET request
Creating a file
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Changing a file
Using the Windows Management Instrumentation requests
DNS request
Sending a custom TCP request
Sending an HTTP POST request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bb8f47e5-57b9-496f-a320-ef9363f471d6
Result
Threat name:
Azorult Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/553330
Signature
Antivirus detection for dropped file
Connects to many ports of the same IP (likely port scanning)
Contains functionality to automate explorer (e.g. start an application)
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Drops PE files with benign system names
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Sample is not signed and drops a device driver
Sigma detected: System File Execution Location Anomaly
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Azorult
Yara detected Azorult Info Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 325762 Sample: 9cmxMWArc9.exe Startdate: 02/12/2020 Architecture: WINDOWS Score: 100 80 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->80 82 Found malware configuration 2->82 84 Malicious sample detected (through community Yara rule) 2->84 86 9 other signatures 2->86 8 9cmxMWArc9.exe 12 2->8         started        process3 file4 34 C:\Users\user\AppData\Local\...\~Ma734D.exe, PE32 8->34 dropped 36 C:\Users\user\AppData\...\MacroExpertIo.sys, PE32+ 8->36 dropped 38 C:\Users\user\...\gslib_ui_defresu.dll, PE32 8->38 dropped 40 3 other files (none is malicious) 8->40 dropped 88 Sample is not signed and drops a device driver 8->88 12 ~Ma734D.exe 3 27 8->12         started        signatures5 process6 dnsIp7 62 31.184.194.180, 49725, 8080 PINDC-ASRU Russian Federation 12->62 46 C:\ProgramData\min\Wrap.exe, PE32+ 12->46 dropped 48 C:\ProgramData\min\IntelConfigService.exe, PE32 12->48 dropped 50 C:\ProgramData\...\ApplicationsFrameHost.exe, PE32+ 12->50 dropped 52 2 other malicious files 12->52 dropped 90 Contains functionality to automate explorer (e.g. start an application) 12->90 92 Drops PE files with benign system names 12->92 94 Contains functionality to detect sleep reduction / modifications 12->94 17 wininit.exe 12 12->17         started        20 IntelConfigService.exe 12->20         started        22 wininit.exe 11 12->22         started        file8 signatures9 process10 signatures11 64 Detected unpacking (changes PE section rights) 17->64 66 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 17->66 68 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 17->68 78 3 other signatures 17->78 24 wininit.exe 2 5 17->24         started        28 wininit.exe 1 6 17->28         started        70 Antivirus detection for dropped file 20->70 72 Multi AV Scanner detection for dropped file 20->72 74 Machine Learning detection for dropped file 20->74 76 Hides that the sample has been downloaded from the Internet (zone.identifier) 22->76 30 wininit.exe 1 1 22->30         started        32 wininit.exe 6 22->32         started        process12 dnsIp13 54 api.playanext.com 24->54 56 boot-01.net.anydesk.com 178.162.151.212 LEASEWEB-NL-AMS-01NetherlandsNL Netherlands 24->56 60 2 other IPs or domains 24->60 42 C:\Users\user\AppData\Local\Temp\gcapi.dll, PE32 24->42 dropped 58 api.playanext.com 30->58 44 C:\ProgramData\AnyDesk\gcapi.dll, PE32 30->44 dropped file14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/868183d6e80d3a977ea679492ad7c869469d39504d2f4bc29b4a599577093fcd/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-12-02 08:33:06 UTC
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=q2ayhvxibu5jo7vgpfesvv6infdj2okqjuxuxqu3jjmzk5yjh7gq._file
Verdict:
malicious
Similar samples:
4e14841c96a09f5850d1cf5fcb3526714c22d7174e3f75c8a309d8db36ecef93
AZORult
Result
Malware family:
azorult
Create hunting rule
Score:
  10/10
Tags:
family:azorult infostealer trojan
Link:
https://tria.ge/reports/201202-g6ny4y7e1j/
Behaviour
Checks processor information in registry
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Azorult
Malware Config
C2 Extraction:
http://195.245.112.115/index.php
Unpacked files
SH256 hash:
868183d6e80d3a977ea679492ad7c869469d39504d2f4bc29b4a599577093fcd
MD5 hash:
1b5463ed198252ba4f9f43de889c710c
SHA1 hash:
40ac56982e7f10ef74388eda20b45386f7695eb7
Link:
https://www.unpac.me/results/9dbb3f70-c501-4077-a23e-3774833d3a8d/
SH256 hash:
1f6a678dc85de6599a08efb3df64f1eca3477bfee5cd334e03a36a0aae61eb24
MD5 hash:
fd626cc9caf4762a88c42294d696f241
SHA1 hash:
71be338b9dc349439967eb5f749d31070b784dbc
Link:
https://www.unpac.me/results/9dbb3f70-c501-4077-a23e-3774833d3a8d/
SH256 hash:
f10cfa1016ac8c77871b8cd933b1405c95d7c9e854b1ca761c6fe545a7939609
MD5 hash:
3a712ad4b075ee080270f4cc7669f671
SHA1 hash:
721490f7f9d0f7bf72e372a40e602bd747f839e8
Link:
https://www.unpac.me/results/9dbb3f70-c501-4077-a23e-3774833d3a8d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/868183d6e80d3a977ea679492ad7c869469d39504d2f4bc29b4a599577093fcd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Datper
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Datper in memory
Reference:https://blogs.jpcert.or.jp/en/2017/08/detecting-datper-malware-from-proxy-logs.html
Rule name:IceID_Bank_trojan
Create hunting rule
Author:unixfreaxjp
Description:Detects IcedID..adjusted several times
Rule name:IPPort_combo_mem
Create hunting rule
Author:James_inthe_box
Description:IP and port combo

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/106343/

Comments