MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 8b9beb53ca6c1cc99f56029c5c66c28c53f57d14079acc0c7cd35ca009e58021. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
AZORult
Vendor detections: 9
| SHA256 hash: | 8b9beb53ca6c1cc99f56029c5c66c28c53f57d14079acc0c7cd35ca009e58021 |
|---|---|
| SHA3-384 hash: | 1267e2779235d9e2caa1bd5288d54e4c1fe6913879d3ec96f14b382f5e4ed143ec83f23b1190beff7a05e2e17c0fd0c9 |
| SHA1 hash: | acd7c5d073e52d5897e45f6dfd51a04bc1a8970b |
| MD5 hash: | f18c574ef4ad6839eab6738cada4eb31 |
| humanhash: | tennessee-cat-montana-california |
| File name: | SecuriteInfo.com.Trojan.Packed2.42698.22812.20106 |
| Download: | download sample |
| Signature | AZORult |
| File size: | 399'360 bytes |
| First seen: | 2020-12-01 20:52:39 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger) |
| ssdeep | 6144:Wgl4EJmVpMh0yJoyIYVi7WB7gdfDO4ngPYkXXJ0XROkSmL2xGJP9wcBWVSSzutbJ:W2QyFJPIpq1krUJ0XogGQVANzutbi |
| TLSH | 7F84F19CB75871EFC823D475CF685C65E76094FB932B8213A05356EEAA4C69BCF100E2 |
| Reporter |  SecuriteInfoCom |
| Tags: | AZORult |
Intelligence
File Origin
# of uploads :
1
# of downloads :
254
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Result
Verdict:
Malware
Maliciousness:
Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Sending an HTTP POST request
Creating a file in the %temp% subdirectories
Deleting a recently created file
Reading critical registry keys
Stealing user critical data
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AZORult
Detection:
malicious
Classification:
phis.spyw.evad
Score:
100 / 100
Signature
Binary contains a suspicious time stamp
Detected AZORult Info Stealer
Detected unpacking (changes PE section rights)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Yara detected AntiVM_3
Yara detected Azorult
Yara detected Azorult Info Stealer
Behaviour
Behavior Graph:
Threat name:
ByteCode-MSIL.Backdoor.NanoBot
Status:
Malicious
First seen:
2020-12-01 02:28:01 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
5/5
Detection(s):
Malicious file
Verdict:
unknown
Result
Malware family:
azorult
Score:
10/10
Tags:
family:azorult discovery infostealer spyware trojan
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks installed software on the system
JavaScript code in executable
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Azorult
Malware Config
C2 Extraction:
http://52.58.209.130/index.php
Unpacked files
SH256 hash:
8b9beb53ca6c1cc99f56029c5c66c28c53f57d14079acc0c7cd35ca009e58021
MD5 hash:
f18c574ef4ad6839eab6738cada4eb31
SHA1 hash:
acd7c5d073e52d5897e45f6dfd51a04bc1a8970b
SH256 hash:
28cf703540807dd8200c6e37ce631ae2df989e6f18b588b7a4b0d6ef8345242c
MD5 hash:
51537a2419be94e5479548bfa88c1ade
SHA1 hash:
817662b8f549cd1dc974197f5065574168c8407d
Detections:
win_azorult_g1
win_azorult_auto
SH256 hash:
cb951f1d2b5460456aad0d89cef1216d9be5e51784d11a92447d43e96177bd5e
MD5 hash:
8cd5d2014866f4ef60802ff1826998a6
SHA1 hash:
8ff75946905d0b117080cc5a07e6e0bbea4e9bbd
SH256 hash:
289cb283b05dc3710ad00ba19ceabdca7e7b51fa805675c71aa578bcd3f36d50
MD5 hash:
843554f14f1ca0d966385ece19437491
SHA1 hash:
cccbde6a9e1033ec727e56fb4bf3f0c2e0c0ddc2
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Web download
Delivery method
Distributed via web download
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.