MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 94d39d6f9db604c0b356bb0115d361c9243bc67cb9a657e5310debed783cb6d3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AZORult

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	94d39d6f9db604c0b356bb0115d361c9243bc67cb9a657e5310debed783cb6d3
SHA3-384 hash:	7e72c0a13d4a591d8ba860f6b8d14ee888d6087b8abcabe248c2335122d9a4cafdf118dd0a09cb98c216cf305f80f679
SHA1 hash:	01118b049ea747d80ed65742f95c88f16fe92cdb
MD5 hash:	4d921621521f649ea4741d7687f4fa34
humanhash:	harry-delaware-arizona-bulldog
File name:	TNT SHIPPING DOCUMENT.exe
Download:	download sample
Signature	AZORult Create hunting rule
File size:	273'408 bytes
First seen:	2020-05-11 08:29:10 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep	6144:9g38wkqfCAk3cwaX0ilhgtExlFE5aS/XIRfCUgdxxFQtCdPZL1mBe7:zqfCAk3cwaX0ilhg6czSCr1
Threatray	532 similar samples on MalwareBazaar
TLSH	D0446C01326D6B7AF4B66BF52AA49451E7B1306A3862E7AD4CD215CB52F4F40C8B0F37
Reporter	abuse_ch
Tags:	AZORult exe TNT

abuse_ch

Malspam distributing AZORult:

HELO: tntexpress.com
Sending IP: 199.230.124.202
From: TNT Express® <No-reply@tntexpress.com>
Subject: TNT SHIPMENT NOTIFICATION
Attachment: TNT SHIPPING DOCUMENT.zip (contains "TNT SHIPPING DOCUMENT.exe")

AZORult C2:
http://waterchem.com.tr/css/Panel/index.php

Intelligence

File Origin

# of uploads :

# of downloads :

108

Origin country :

n/a

Vendor Threat Intelligence

Gathering data

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-05-11 08:39:49 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

25 of 31 (80.65%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=stjz2345wycmbm2wxmarlu3bzesdxrt4xgtfpzjrbxv626b4w3jq._file

Verdict:

malicious

Label(s):

azorult

Result

Malware family:

azorult

Score:

10/10

Tags:

family:azorult evasion infostealer trojan

Link:

https://tria.ge/reports/201109-r245nzyfhj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Maps connected drives based on registry

Checks BIOS information in registry

Uses the VBS compiler for execution

Looks for VMWare Tools registry key

Looks for VirtualBox Guest Additions in registry

ServiceHost packer

Azorult

Malware Config

C2 Extraction:

http://waterchem.com.tr/css/Panel/index.php

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AZORult

zip 017ad7cd19f4a8fbbcb3dc700f642f48839e6abd65461df5135598a494e7069c

AZORult

exe 94d39d6f9db604c0b356bb0115d361c9243bc67cb9a657e5310debed783cb6d3

(this sample)

Dropped by

MD5 19b4ce489f9124592e24c1a45c2ac407

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 017ad7cd19f4a8fbbcb3dc700f642f48839e6abd65461df5135598a494e7069c

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample