MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9831694a7c5a2cc35a701744e35e7b268ac85074eb42f720e2cd32c3750c4c28. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 8


Intelligence 8 IOCs 2 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9831694a7c5a2cc35a701744e35e7b268ac85074eb42f720e2cd32c3750c4c28
SHA3-384 hash: 4d8a05cf5cb860e83e27472ca728dd5bebade342d2608b1f583335b37e457cd4d2f7d5d1ad6325fbcab865ac33cfc267
SHA1 hash: 4dc571ca05abf85ef3a625641fb5deac57b70537
MD5 hash: 5f2319a18190cc7ef5a2de3e3201d2a5
humanhash: fifteen-network-blue-seventeen
File name:5f2319a18190cc7ef5a2de3e3201d2a5.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:18'944 bytes
First seen:2022-03-25 15:42:07 UTC
Last seen:2024-07-24 19:23:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'737 x AgentTesla, 19'595 x Formbook, 12'238 x SnakeKeylogger)
ssdeep 192:+Q6BKuUVEhP4HEzmn4kC8s1Mm5XFcswxxHo/+DxaPxZnBbOpfupnSfDMzKSDJR9w:+Q68urhwHKQHgX9wxtQJPxdBSZQOMzE
Threatray 79 similar samples on MalwareBazaar
TLSH T156827E03EA958A73E0450E76E45343C21B7D9B13EC53E76FCF90411DAAA57581A63EF0
File icon (PE):PE icon
dhash icon 69964b642415b3d0 (2 x AZORult)
Reporter abuse_ch
Tags:AZORult exe


Avatar
abuse_ch
AZORult C2:
62.204.41.166:27688

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
62.204.41.166:27688 https://threatfox.abuse.ch/ioc/451290/
http://charisma.ac.ug/index.php https://threatfox.abuse.ch/ioc/451291/

Intelligence

File Origin
# of uploads :
3
# of downloads :
885
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/257745/
Detection(s):
SecuriteInfo.com.W32.MSIL_Kryptik.GRB.genEldorado.29435.8779.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Sending an HTTP GET request
Sending a custom TCP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Searching for synchronization primitives
DNS request
Reading critical registry keys
Changing a file
Creating a file in the %AppData% subdirectories
Launching a process
Creating a window
Creating a file in the %AppData% directory
Running batch commands
Creating a process with a hidden window
Unauthorized injection to a recently created process
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
fingerprint obfuscated packed stealer
Link:
https://www.filescan.io/uploads/623de2d99253b276b76de549/reports/b3009fc7-6f5d-4cfa-93b0-d5e94d2efa18/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Oski Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1b5415ce-d10c-47a8-b383-9ac80d2ce086
Result
Threat name:
Azorult RedLine Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/964696
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Connects to many ports of the same IP (likely port scanning)
Contains functionality to detect sleep reduction / modifications
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after checking computer name)
Found evasive API chain (may stop execution after checking locale)
Found evasive API chain (may stop execution after checking mutex)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Azorult
Yara detected Azorult Info Stealer
Yara detected Costura Assembly Loader
Yara detected MSILDownloaderGeneric
Yara detected RedLine Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 597182 Sample: KA49Yw7Fqr.exe Startdate: 25/03/2022 Architecture: WINDOWS Score: 100 58 4.179.10.0.in-addr.arpa 2->58 68 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->68 70 Multi AV Scanner detection for domain / URL 2->70 72 Malicious sample detected (through community Yara rule) 2->72 74 16 other signatures 2->74 9 KA49Yw7Fqr.exe 15 5 2->9         started        signatures3 process4 dnsIp5 62 charisma.ac.ug 62.204.41.69, 49770, 49776, 49781 TNNET-ASTNNetOyMainnetworkFI United Kingdom 9->62 38 C:\...\Dwsxkqmscfcjpjmgmbqmrtfredlinenet.exe, PE32 9->38 dropped 40 C:\Users\user\AppData\...\KA49Yw7Fqr.exe.log, ASCII 9->40 dropped 88 Detected unpacking (creates a PE file in dynamic memory) 9->88 90 Found evasive API chain (may stop execution after checking mutex) 9->90 92 Self deletion via cmd delete 9->92 94 5 other signatures 9->94 14 KA49Yw7Fqr.exe 79 9->14         started        18 Dwsxkqmscfcjpjmgmbqmrtfredlinenet.exe 14 3 9->18         started        file6 signatures7 process8 dnsIp9 42 C:\Users\user\AppData\Roaming\pm.exe, PE32 14->42 dropped 44 C:\Users\user\AppData\Roaming\azne.exe, PE32 14->44 dropped 46 C:\Users\user\AppData\Local\...\pm[1].exe, PE32 14->46 dropped 48 C:\Users\user\AppData\Local\...\azne[1].exe, PE32 14->48 dropped 96 Self deletion via cmd delete 14->96 98 Tries to harvest and steal browser information (history, passwords, etc) 14->98 100 Tries to steal Crypto Currency Wallets 14->100 21 azne.exe 14 3 14->21         started        24 pm.exe 14->24         started        26 cmd.exe 14->26         started        60 cdn.discordapp.com 162.159.135.233, 443, 49775 CLOUDFLARENETUS United States 18->60 102 Machine Learning detection for dropped file 18->102 28 MSBuild.exe 18->28         started        file10 signatures11 process12 signatures13 76 Writes to foreign memory regions 21->76 78 Allocates memory in foreign processes 21->78 80 Injects a PE file into a foreign processes 21->80 30 MSBuild.exe 21->30         started        82 Antivirus detection for dropped file 24->82 84 Detected unpacking (overwrites its own PE header) 24->84 86 Machine Learning detection for dropped file 24->86 34 conhost.exe 26->34         started        36 timeout.exe 26->36         started        process14 dnsIp15 64 192.168.2.1 unknown unknown 30->64 66 charisma.ac.ug 30->66 50 C:\...\api-ms-win-core-interlocked-l1-1-0.dll, PE32 30->50 dropped 52 C:\Users\...\api-ms-win-core-heap-l1-1-0.dll, PE32 30->52 dropped 54 C:\...\api-ms-win-core-handle-l1-1-0.dll, PE32 30->54 dropped 56 7 other files (none is malicious) 30->56 dropped file16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9831694a7c5a2cc35a701744e35e7b268ac85074eb42f720e2cd32c3750c4c28/
Threat name:
ByteCode-MSIL.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2022-03-25 15:42:16 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=taywsst4liwmgwtqc5cogxt3e2fmqudu5nbpoihczuzmg5imjqua._file
Verdict:
unknown
Similar samples:
0fe497b1acbeb3a024b44a626b7b12648789aa7a5c41e828d5d1d7817a7f6eab
AZORult
52ec1da96af76aed2f40385279d9e6ee093ab36d40a3cfc06814458f78059ae0
AZORult
65cea4d42f831236528dda4327e6ad7fb3b5baa7b53aeb181024f903829a7398
AZORult
754a54274a1b8866d5d4f9346522e0b2d59e5b77ab25ef7a73e37ddd6326fb7f
AZORult
805aad97c81dea343c603fa472f65b9061c97731e3870bf5de9d8427e604e001
AZORult
d7ccb616fe7cb8a33d18db6b40c9221db0d7eab713d189306fd7e7565c5d2da8
AZORult
f1be4e6d3dc2c6d4ad04a512152177aea74eafcf6c17824db54ef95185915139
AZORult
f3de094d3b47ff5064f8163c62df41b615e851a49d1dfbd4904dc188d5234611
AZORult
+ 69 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:arkei family:azorult family:remcos botnet:03242022 botnet:default infostealer persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/220325-s5fpnahfd5/
Behaviour
Checks processor information in registry
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
Arkei
Azorult
Remcos
Malware Config
C2 Extraction:
http://62.204.41.69/p8jG9WvgbE.php
http://
http://195.245.112.115/index.php
nikahuve.ac.ug:6968
kalskala.ac.ug:6968
tuekisaa.ac.ug:6968
parthaha.ac.ug:6968
Unpacked files
SH256 hash:
9831694a7c5a2cc35a701744e35e7b268ac85074eb42f720e2cd32c3750c4c28
MD5 hash:
5f2319a18190cc7ef5a2de3e3201d2a5
SHA1 hash:
4dc571ca05abf85ef3a625641fb5deac57b70537
Link:
https://www.unpac.me/results/abd800c8-3e3f-4571-9b0c-eb01a80979cd/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/9831694a7c5a2cc35a701744e35e7b268ac85074eb42f720e2cd32c3750c4c28

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AZORult

Executable exe 9831694a7c5a2cc35a701744e35e7b268ac85074eb42f720e2cd32c3750c4c28

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1746812/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/422736/
  
URLhaus
https://urlhaus.abuse.ch/url/399076/
  
URLhaus
https://urlhaus.abuse.ch/url/1746810/
  
URLhaus
https://urlhaus.abuse.ch/url/1322752/
  
URLhaus
https://urlhaus.abuse.ch/url/906880/
Cape
Cape
https://www.capesandbox.com/analysis/257745/

Comments