MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8c777c0ffb0097d517ed08dee3c306d7fddc7687bcb0349d5eed0a6b5c82f93a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8c777c0ffb0097d517ed08dee3c306d7fddc7687bcb0349d5eed0a6b5c82f93a
SHA3-384 hash: bc24fe9a2221d399d5bb898d08f12649197c97bd55143e76d82990035b99f6e89c38fe303072d47c86a8314246c7194e
SHA1 hash: 5f9b595f5776bd675b88cad0f797cf01950055e3
MD5 hash: 922af74d1c297ab5078bef3cf8c7cbc6
humanhash: delaware-texas-lake-south
File name:eInvoicing_pdf.bat
Download: download sample
Signature AZORult
Create hunting rule
File size:940'040 bytes
First seen:2020-09-15 08:43:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 8f9ecf1924a5c41830100b931ca2dc54 (1 x AZORult)
ssdeep 24576:ZK5hBlSW8pFD6iDIe62p5c2bSO9vWVa1o:ZK58W8f62Px8x
Threatray 55 similar samples on MalwareBazaar
TLSH EB15BF23F2B08C76D0632A795E0B6F559D28BF403A24A4867BE41E0E5FF8741F419E97
Reporter cocaman
Tags:bat

Code Signing Certificate

Organisation:Symantec Time Stamping Services CA - G2
Issuer:Thawte Timestamping CA
Algorithm:sha1WithRSAEncryption
Valid from:Dec 21 00:00:00 2012 GMT
Valid to:Dec 30 23:59:59 2020 GMT
Serial number: 7E93EBFB7CC64E59EA4B9A77D406FC3B
Intelligence: 85 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 0625FEE1A80D7B897A9712249C2F55FF391D6661DBD8B87F9BE6F252D88CED95
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
100
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/60239/
Detection(s):
PUA.Win.Trojan.Generic-6629273-0
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Launching the default Windows debugger (dwwin.exe)
Result
Threat name:
Azorult
Create hunting rule
Detection:
malicious
Classification:
phis.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/466293
Signature
Allocates memory in foreign processes
Binary contains a suspicious time stamp
Found many strings related to Crypto-Wallets (likely being stolen)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected Azorult
Yara detected Azorult Info Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8c777c0ffb0097d517ed08dee3c306d7fddc7687bcb0349d5eed0a6b5c82f93a/
Threat name:
Win32.Trojan.Delf
Create hunting rule
Status:
Malicious
First seen:
2020-09-15 08:30:58 UTC
File Type:
PE (Exe)
Extracted files:
45
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rr3xyd73acl5kf7nbdpohqyg2765y5uhxsydjhk65ufgwxec7e5a._file
Verdict:
suspicious
Similar samples:
0561429ee93b0bc545689257b6cda0d43025317f9c890acb219c51d0f6e721e8
AZORult
21cef6da04f726523131dbde12855b6d1d6d65cc9b0075d05b90b7636b56c8da
AZORult
433624fb71d727ee48760f7dbcf08e4d043913cf3ebaefc813adff118d2eda4b
AZORult
45a1bb88d5e48989369b90d346c9d706a24c8b1205c4358b6a3bda278aeee6cf
AZORult
57f4246d683336ab606ba5831ce88a0ff47a42de652f72795fe76169195821e1
AZORult
83eb442b175e4fe5a2fde6e8d72618eee280398f89a81da1f9c118d2c46032d4
AZORult
86d0178097eebb5010e24650ce79f80f19567ad2872f0f0b7325761a01cf67f5
AZORult
a07250cca55cec7ac1519d47af79edb65d306aa077fb2fa5b41eab48c33fb091
AZORult
b58c0db88d6026043bc0db1b5072cd2be7b0ceabf750a9d7275794d69fc04fe1
AZORult
eb1230ab4a5408a3d264bb51f1ff311fcf52aa97d52b801738cd5add365e77d2
AZORult
+ 45 additional samples on MalwareBazaar
Result
Malware family:
azorult
Create hunting rule
Score:
  10/10
Tags:
trojan family:modiloader infostealer family:azorult spyware
Link:
https://tria.ge/reports/200915-5qtwaq9kc2/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
JavaScript code in executable
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
ModiLoader First Stage
ModiLoader Second Stage
Azorult
ModiLoader, DBatLoader
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Farheyt
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/8c777c0ffb0097d517ed08dee3c306d7fddc7687bcb0349d5eed0a6b5c82f93a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AZORult

xz fead81a27ebd2a53f2b7b986afd89279125859406c892c71b2527c793d80b615

AZORult

Executable exe 8c777c0ffb0097d517ed08dee3c306d7fddc7687bcb0349d5eed0a6b5c82f93a

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 fead81a27ebd2a53f2b7b986afd89279125859406c892c71b2527c793d80b615
Cape
Cape
https://www.capesandbox.com/analysis/60239/

Comments