MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8e9ebe1cdcabac2e6820fa7a6a7702846adecdb18cd1e83700007e2dc745f5ce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8e9ebe1cdcabac2e6820fa7a6a7702846adecdb18cd1e83700007e2dc745f5ce
SHA3-384 hash: 07435d9c35431691ae00fd02049ccc56564903d8b32ace99d3f9778e646dce5049a8eb45f1697e275484be579c5f1fd7
SHA1 hash: d6259490bfde1a39b6d102939d04081cd31c6e78
MD5 hash: b441111cbeb43b967c31e5d4e3ebc59b
humanhash: five-georgia-florida-vegan
File name:Scan Docs_pdf.bat
Download: download sample
Signature AZORult
Create hunting rule
File size:715'264 bytes
First seen:2020-10-20 08:56:05 UTC
Last seen:2020-10-26 12:46:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 3072:10lcpI4krlkVltrCyZ75I8SQ8kyjAFJlrvLfnQl26imIsvdZk:10lc67KltRZ74Q
Threatray 356 similar samples on MalwareBazaar
TLSH 9DE4753DADD5263786BBD6B5CAF655CBF91174833122AC4E54D703820A03BA77EC212E
Reporter abuse_ch
Tags:AZORult bat Maersk


Avatar
abuse_ch
Malspam distributing AZORult:

HELO: dbd0.311.mevvia.ml
Sending IP: 167.99.139.76
From: Maersk Line <worldwide@maerskline.com>
Subject: DHL CONSIGNMENT NOTIFICATION
Attachment: Scan Docs_pdf.r00 (contains "Scan Docs_pdf.bat")

AZORult C2:
http://45.137.22.58/udu/index.php

Intelligence

File Origin
# of uploads :
2
# of downloads :
162
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/73432/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Creating a file
Sending an HTTP POST request
Creating a file in the %temp% subdirectories
Deleting a recently created file
Reading critical registry keys
Stealing user critical data
Result
Threat name:
Azorult
Create hunting rule
Detection:
malicious
Classification:
phis.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/497427
Signature
.NET source code contains very large strings
Binary contains a suspicious time stamp
Found many strings related to Crypto-Wallets (likely being stolen)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Yara detected Azorult
Yara detected Azorult Info Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
azorult
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8e9ebe1cdcabac2e6820fa7a6a7702846adecdb18cd1e83700007e2dc745f5ce/
Threat name:
ByteCode-MSIL.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2020-10-20 08:05:41 UTC
AV detection:
25 of 28 (89.29%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=r2pl4hg4vowc42ba7j5gu5ycqrvn5tnrrti6qnyaab7c3r2f6xha._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
masslogger
Create hunting rule
Similar samples:
151f57078e89aa2f81fcb307bf88fe23e9f2437a4df1e37def5d0b78797e12f8
AZORult
2082c4f394b08d4bb03367395ec711487ee88fc8eed4a7d0eff97f0ad8ea7cee
AZORult
308c96557c6be5d4519ba4bac38c23e611c7b61683cfc1063a6009e216c24f5e
AZORult
4f197c8bdfa89d2a0d041b47dabf307cba6c3deb639134357e0bfee3bf28645f
AZORult
7e9b9bbb673e25ab8ee790dbfd2a3e489c0d3a88ab73aafe671f68982f1b41da
AZORult
81337231c53d0927b5aaff1792d71b5f5270e268e1909267ad3bd79951e72642
AZORult
84f3302eec9aece2ec6d7e290e2f395131a22eb277323e91d4060b1c1637d950
AZORult
9e17a9c1b1d0db2c9cd8fdf42c475712f8faaa68cb08bbff910a2927b910d88f
AZORult
e539fe1b7096b7a1966ebbe10e2361c05fd90adf8ed312406f90efe13744e5af
AZORult
ed9d96725b88ce0a3caee6d98c11369fb84a1d7eca3847db66abe63c49955f73
AZORult
+ 346 additional samples on MalwareBazaar
Result
Malware family:
azorult
Create hunting rule
Score:
  10/10
Tags:
trojan infostealer family:azorult spyware discovery
Link:
https://tria.ge/reports/201020-lavrrg64z2/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks installed software on the system
JavaScript code in executable
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Azorult
Unpacked files
SH256 hash:
0e5ab845de484a911d7bc9685c5c594de1fad0739a950b0eee27d4aedc38894b
MD5 hash:
9a1c8dde66ff2448cd14966312e2bff6
SHA1 hash:
0bbb2a929df98961b3014cc4f8e8efa8d7aee39a
Link:
https://www.unpac.me/results/2f4fa86f-dd02-42dc-9af7-2323465d45d0/
SH256 hash:
1d7983fad80ebcd649278374aa261096f7319433025258f07ce0031db2a28d0d
MD5 hash:
8fb513c6b5fec05577d8d92d54bc3975
SHA1 hash:
9e7c1dd40622a318e8a60fce1eeee58e6a7e0384
Link:
https://www.unpac.me/results/2f4fa86f-dd02-42dc-9af7-2323465d45d0/
SH256 hash:
8e9ebe1cdcabac2e6820fa7a6a7702846adecdb18cd1e83700007e2dc745f5ce
MD5 hash:
b441111cbeb43b967c31e5d4e3ebc59b
SHA1 hash:
d6259490bfde1a39b6d102939d04081cd31c6e78
Link:
https://www.unpac.me/results/2f4fa86f-dd02-42dc-9af7-2323465d45d0/
SH256 hash:
05054e7a82be6c347dab76c5fdc5a2afc0b343797c5554b635f7a21654c6a3b8
MD5 hash:
af225a2034e83e341a382d00ad21e4ff
SHA1 hash:
ad7ca2cfb338ac49b5d23a30055e653e4fc12b18
Detections:
win_azorult_g1
Create hunting rule
win_azorult_auto
Create hunting rule
Link:
https://www.unpac.me/results/2f4fa86f-dd02-42dc-9af7-2323465d45d0/
Parent samples :
8e9ebe1cdcabac2e6820fa7a6a7702846adecdb18cd1e83700007e2dc745f5ce
d7aa1d8f05edf7ad03526c1038de354125fa7dda30ada3393a0c08b8f66e53d4
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8e9ebe1cdcabac2e6820fa7a6a7702846adecdb18cd1e83700007e2dc745f5ce

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AZORult

r00 f54f88aa96e5a78ba79357ff00df973e725276884b152336e56e55cc009c315a

AZORult

Executable exe 8e9ebe1cdcabac2e6820fa7a6a7702846adecdb18cd1e83700007e2dc745f5ce

(this sample)

  
Dropped by
MD5 56b60bc6c463156f692bb1f35aa4ef31
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/73432/
  
Dropped by
SHA256 f54f88aa96e5a78ba79357ff00df973e725276884b152336e56e55cc009c315a

Comments