MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9373672ac208fbcbd30989225c834fb94742f87bbf6d47ce78484076a74e8489. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9373672ac208fbcbd30989225c834fb94742f87bbf6d47ce78484076a74e8489
SHA3-384 hash: 170a2ab9b0017168244fc0913107507fef7eb0114d63ccb789050ab9a3f4176ec566b06458648833f34113df3802598d
SHA1 hash: 72f009a4469593844b08f36669a3357d0725e0b1
MD5 hash: 4db75039c2a36dabfd4fb70a3940b43f
humanhash: grey-hamper-texas-twelve
File name:Catalog.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:778'752 bytes
First seen:2020-10-09 09:08:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash af4375c8d93dcc880470b77718311250 (3 x MassLogger, 3 x Loki, 2 x AveMariaRAT)
ssdeep 12288:J0vjWj3aKV1KBGJ7AEQi+95fd32koDTmWOuW3vvJA3PhKHN4eza7:GqjKIUe7QLkbDTMrvS/U4em7
Threatray 296 similar samples on MalwareBazaar
TLSH B7F4A023E2E04837C17316789C1B5BB4EE26BE103928B9866BF5DD4C9F396507825F87
Reporter abuse_ch
Tags:AZORult exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
192
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Azorult
Create hunting rule
Link:
https://www.capesandbox.com/analysis/69494/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Creating a file in the %temp% subdirectories
Creating a file
Deleting a recently created file
Reading critical registry keys
Stealing user critical data
Sending an HTTP POST request to an infection source
Result
Threat name:
AZORult
Create hunting rule
Detection:
malicious
Classification:
phis.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/486538
Signature
Binary contains a suspicious time stamp
Contains functionality to detect sleep reduction / modifications
Detected AZORult Info Stealer
Detected unpacking (changes PE section rights)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Yara detected Azorult
Yara detected Azorult Info Stealer
Yara detected Keylogger Generic
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9373672ac208fbcbd30989225c834fb94742f87bbf6d47ce78484076a74e8489/
Threat name:
Win32.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2020-10-09 07:50:05 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=snzwokwcbd54xuyjrerfza2pxfduf6d3x5wupttyjbahnj2oqseq._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
Similar samples:
0030717c09c6bcbe9db0f9837ac85415e0bc3762ec9a8f131f7f6920193582a3
AZORult
06de75b87333ad16ff8f3a9d1729784ef6f5ac11076d0a5effa2c023e683bd98
AZORult
28558516b6b4912e36105c566322d9e4a47a0fca0847c55227683c51834e98e9
AZORult
59e39b6123ed1218d7ae3b4406b3e06c1fc84ecb8fafad05e762b9867c77248b
AZORult
7f6bc984038905de70fa3580480df8297dbaf3eabb971fa949550a99641e56cb
AZORult
7fb195bc96bd220998dd778dd9e6fcb70320102bbb8656d4c765800ad8d9bb83
AZORult
8480058fc20ebfef47d1ebccbb54b88f656715b99c2d4e80ad46b05906ff4dbe
AZORult
bc26d6c58c878cead6d2a9597a81ad968b7f1112dcf2b1cb79b1f5d26e695e25
AZORult
c82a750c5a0dcc2a923f97b3bfbba13fd302144fdcdab020f7c7c94e24892807
AZORult
e9c42b737c586759102817b5922701598ec9c9256b36cf5fc28782fa09016ca4
AZORult
+ 286 additional samples on MalwareBazaar
Result
Malware family:
azorult
Create hunting rule
Score:
  10/10
Tags:
trojan infostealer family:azorult
Link:
https://tria.ge/reports/201009-6mp82xhess/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Azorult
Malware Config
C2 Extraction:
http://207.154.240.23/index.php
Unpacked files
SH256 hash:
9373672ac208fbcbd30989225c834fb94742f87bbf6d47ce78484076a74e8489
MD5 hash:
4db75039c2a36dabfd4fb70a3940b43f
SHA1 hash:
72f009a4469593844b08f36669a3357d0725e0b1
Link:
https://www.unpac.me/results/dfe4f637-d1c9-4f1b-ae4d-96b99240814d/
SH256 hash:
4a51221d0cfdb22ae1667889b2ca61cdde827b54065048347bae7fec90af7ee3
MD5 hash:
9b1f6700ebab67eaf6b4a4ab768c948a
SHA1 hash:
dfb1fff5addcacaf2780c86fd488c8917878e615
Detections:
win_azorult_g1
Create hunting rule
win_azorult_auto
Create hunting rule
Link:
https://www.unpac.me/results/dfe4f637-d1c9-4f1b-ae4d-96b99240814d/
Parent samples :
1206ddd174f5df61f70259ac6da12226590232dd5f70d3139aa290d381efecbe
a8e109be069f5ee700269958c9a2312f8417e7e6d88e5cfcdc439865f4a896e0
9373672ac208fbcbd30989225c834fb94742f87bbf6d47ce78484076a74e8489
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9373672ac208fbcbd30989225c834fb94742f87bbf6d47ce78484076a74e8489

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AZORult

Executable exe 9373672ac208fbcbd30989225c834fb94742f87bbf6d47ce78484076a74e8489

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/69494/

Comments