MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 999d1fd5603673893862f2d908ca57d2b29716a335fad168eec8fd00e3ac9220. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AZORult

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	999d1fd5603673893862f2d908ca57d2b29716a335fad168eec8fd00e3ac9220
SHA3-384 hash:	c7ba7e8cd964eadfb75a4d9f66b201f3158eaa2fc4dd8a8ad70038b32ec765828e1cdf64c5813d30e841e789f5cb12df
SHA1 hash:	f897c8d9ff472cc4a6367a6758b6338f7ad2aacc
MD5 hash:	3e77906a70fa859395970b0b521c26df
humanhash:	illinois-early-undress-chicken
File name:	974208_982_pdf.vbs
Download:	download sample
Signature	AZORult Create hunting rule
File size:	2'581 bytes
First seen:	2022-03-22 18:36:33 UTC
Last seen:	Never
File type:	vbs
MIME type:	text/plain
ssdeep	48:kPowJJkZohXLzQSiJI1rSI0jujqpIwGrFoZ0Bdj:kNJ8GLzCJI1rSI7jmG+y
Threatray	4'465 similar samples on MalwareBazaar
TLSH	T1E2510F0E394F796851366E73CC1F448EE63257C7B07921E13A0DAAC6CD3612C9A8991D
Reporter	abuse_ch
Tags:	AZORult vbs

abuse_ch

Payload URL:
http://84.38.132.43/dublin1/AttDub1.jpg
http://84.38.132.43/dublin1/dub1.jpg

Intelligence

File Origin

# of uploads :

# of downloads :

405

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/255045/

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Link:

https://www.filescan.io/uploads/623a175cb94fb38cb4d0d973/reports/674bb00d-b50a-4e08-b6f3-90a70f907bb5/overview

Result

Verdict:

UNKNOWN

Result

Threat name:

AZORult

Detection:

malicious

Classification:

phis.troj.adwa.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/962115

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/999d1fd5603673893862f2d908ca57d2b29716a335fad168eec8fd00e3ac9220/

Threat name:

Script-WScript.Trojan.Heuristic

Status:

Malicious

First seen:

2022-03-22 18:37:09 UTC

File Type:

Text (VBS)

AV detection:

6 of 42 (14.29%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=tgor7vlagzzysodc6lmqrssx2kzjofvdgx5nc2hozd6qby5msiqa._file

Verdict:

malicious

Label(s):

azorult

agenttesla

AZORult

3b1fd9ce0c20b167a2367191a5129c5f635869f6a87f473cfe083e67d7f7465b

AZORult

56dedd515106bc5df8a08625e59d5b0613c01909574c57c0cf7ed391640030c6

AZORult

e325188649a8eef76951cc308fd75f0d0101887f482dc45a4a6f2a920c71d3c6

AZORult

e93cc14c93709b38dc8d95fb58d70d1a8930576c7d16c64c3efbc4cc08d951ff

AZORult

+ 4'455 additional samples on MalwareBazaar

Result

Malware family:

azorult

Score:

10/10

Tags:

family:azorult collection infostealer spyware stealer suricata trojan

Link:

https://tria.ge/reports/220322-w9gpasdagj/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks computer location settings

Loads dropped DLL

Reads local data of messenger clients

Blocklisted process makes network request

Azorult

suricata: ET MALWARE AZORult v3.2 Server Response M3

suricata: ET MALWARE Win32/AZORult V3.2 Client Checkin M14

suricata: ET MALWARE Win32/AZORult V3.2 Client Checkin M4

Malware Config

C2 Extraction:

http://84.38.129.126/Panel/index.php

Malware family:

AZORult

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/999d1fd56036/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/999d1fd5603673893862f2d908ca57d2b29716a335fad168eec8fd00e3ac9220

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AZORult

vbs 999d1fd5603673893862f2d908ca57d2b29716a335fad168eec8fd00e3ac9220

(this sample)

URLhaus

https://urlhaus.abuse.ch/host/84.38.132.43/

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/255045/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample