MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 902915735433450152149d1be3053f4a30ad6374199cd3499c2272e58e4f0ce8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 902915735433450152149d1be3053f4a30ad6374199cd3499c2272e58e4f0ce8
SHA3-384 hash: db4067488e5c534edc954a8eef1412555966f217b204ecbc34d28683aeb73c2e0c89ee5d982519962cef8ca95455e5ef
SHA1 hash: bdffc6c6bd6aff8bb80b411f73d03bde1cd336ed
MD5 hash: 78403b3c4175178c7984db73cc7945d5
humanhash: yankee-georgia-muppet-aspen
File name:Damages.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:326'656 bytes
First seen:2021-08-31 08:22:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:gxtvJ/xaqBuFUc6ANnxoT9jqjATdz6j+qlYcs4OxM4vbPf4J:gjFxa3t6jT56KRRzv
Threatray 2'952 similar samples on MalwareBazaar
TLSH T1A16402A6367526A2C6680FB0FA31C61007BDFDDA5867F83EAF41788510B77411784FAB
dhash icon 3d494d5d59754d51 (2 x SnakeKeylogger, 1 x AZORult)
Reporter abuse_ch
Tags:AZORult exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
1'063
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Damages.exe
Verdict:
Malicious activity
Analysis date:
2021-08-31 08:24:38 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ca5de7be-8f97-4303-9e92-b37c80752bfb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Azorult
Create hunting rule
Link:
https://www.capesandbox.com/analysis/184064/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader41.48544.13759.4147.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Creating a file
DNS request
Connection attempt
Sending a custom TCP request
Creating a file in the %temp% subdirectories
Deleting a recently created file
Reading critical registry keys
Sending a UDP request
Stealing user critical data
Malware family:
AZORult
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/308df6e7-1302-4a44-8ad7-d42078d327e6
Result
Threat name:
Azorult
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/842454
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Yara detected Azorult
Yara detected Azorult Info Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/902915735433450152149d1be3053f4a30ad6374199cd3499c2272e58e4f0ce8/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-08-31 01:23:45 UTC
AV detection:
16 of 44 (36.36%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=saurk42ugncqcuqutun6gbj7jiyk2y3udgongsm4ejzoldspbtua._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
Similar samples:
0978c6e9a1e62df2bf68b5cebd60dd4b8ac1ead3077c561bf420bfaf8d7be2ee
AZORult
25668bb8b209e29ad8ee4f1083283224271223d5de207449192b19ec07022418
AZORult
61adff4631db24263951338bc5d2fce316abad6def0f37bd27319875c7ce25f2
AZORult
68d578b9e811bf90bb6c88c092e033470e6ee439bfa9de02f9a36afad08895ff
AZORult
700c14171b4bc7eb9af680f74b9bf681da5988e07fa2f7ead4f3f71289d0a4c5
AZORult
737ff2b259449c91d68130a8508b51544310a6e6b50891fdc5682e7d242a79b4
AZORult
8d55fa987ac27e338c576cccaf4cc008e0e569bf69fd77899d68c1ba6f1e2671
AZORult
bfabca4f85e2741a8261d288f37a72ca122cc7d470496a27841f50bea84d3344
AZORult
d286ce0a72c3053c61909e492d314b3008ca872a80ea60e29b9d0ec728e6dc62
AZORult
f73579603fda08d484fd111ba5c0f00ea57d25c79365608995dedb0cd037c66b
AZORult
+ 2'942 additional samples on MalwareBazaar
Result
Malware family:
azorult
Create hunting rule
Score:
  10/10
Tags:
family:azorult discovery infostealer spyware stealer suricata trojan
Link:
https://tria.ge/reports/210831-r72jeaxcyx/
Behaviour
Checks processor information in registry
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Azorult
suricata: ET MALWARE AZORult v3.2 Server Response M3
suricata: ET MALWARE Win32/AZORult V3.2 Client Checkin M1
suricata: ET MALWARE Win32/AZORult V3.2 Client Checkin M16
Malware Config
C2 Extraction:
https://updserv.ga/Panel/index.php
Unpacked files
SH256 hash:
97024f17003dd3d31dab64c4d1b8251e50d428644eb59ed3692ad79ce42019cf
MD5 hash:
8cd28be4bd9a1404c6d3600db32b3ed1
SHA1 hash:
fb90b0ca51118e771390d58b19d0a404ee14cfbc
Link:
https://www.unpac.me/results/a6361ecc-19e6-40b1-99f5-52e5be3d94b5/
SH256 hash:
103f1dd61d7d41c9a2bc4798ffd35cb70ca0264a8fda84af4a0a7c0bf86a7408
MD5 hash:
866e86b868ecfba454ed0f0061721c17
SHA1 hash:
6a2da83ae99c146f98fcca77547df152d07b2cd4
Detections:
win_azorult_g1
Create hunting rule
win_azorult_auto
Create hunting rule
Link:
https://www.unpac.me/results/a6361ecc-19e6-40b1-99f5-52e5be3d94b5/
SH256 hash:
5eac42eb11859ff23410912157e302d44a8e83ceeab8f60492aff4cef81c4ca0
MD5 hash:
7ccfa7351e3a03fcc8d8966989b4c99f
SHA1 hash:
120c546f805e54bb6c6da6ed328251f27bf3fa49
Link:
https://www.unpac.me/results/a6361ecc-19e6-40b1-99f5-52e5be3d94b5/
SH256 hash:
902915735433450152149d1be3053f4a30ad6374199cd3499c2272e58e4f0ce8
MD5 hash:
78403b3c4175178c7984db73cc7945d5
SHA1 hash:
bdffc6c6bd6aff8bb80b411f73d03bde1cd336ed
Link:
https://www.unpac.me/results/a6361ecc-19e6-40b1-99f5-52e5be3d94b5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/902915735433450152149d1be3053f4a30ad6374199cd3499c2272e58e4f0ce8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/184064/

Comments