MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 99a0a4ce4a345e3729c6177c979011f01d2272541d94e284b4da18c6cd59fd9c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 10


Intelligence 10 IOCs 1 YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 99a0a4ce4a345e3729c6177c979011f01d2272541d94e284b4da18c6cd59fd9c
SHA3-384 hash: 9589ee62658efe0d22a36b9d6de03b5a92efdc27bbc76fd35951a65fba5fe2d2eabb2835fbe9c356d4a83cce57f81571
SHA1 hash: 3cfc44783d590f0c0b19bffb205b43ed8579a0ca
MD5 hash: 63abd3223757a3c4b40d52f01d274837
humanhash: fillet-illinois-winner-finch
File name:Proforma Invoice14042187605521.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:224'478 bytes
First seen:2021-04-13 23:35:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 18bc6fa81e19f21156316b1ae696ed6b (51 x Formbook, 24 x Loki, 9 x SnakeKeylogger)
ssdeep 3072:wyewmN4skJxY/F84o82KAYSvV9BVj+AQY0bj4ILVtj47XqAAatO:wdKY//gKATyAQYmvVN47XlAatO
Threatray 998 similar samples on MalwareBazaar
TLSH 3E24F162BED0DC77DA466B384CA6E33583769E00282351533FE03F6F7E76562C11929A
Reporter abuse_ch
Tags:AZORult exe


Avatar
abuse_ch
AZORult C2:
http://cupazo.co.in/TyBmo/index.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://cupazo.co.in/TyBmo/index.php https://threatfox.abuse.ch/ioc/7929/

Intelligence

File Origin
# of uploads :
1
# of downloads :
290
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Proforma Invoice14042187605521.exe
Verdict:
Malicious activity
Analysis date:
2021-04-14 00:22:46 UTC
Tags:
installer trojan rat azorult
Link:
https://app.any.run/tasks/7b776987-b23b-4f7a-9d2f-53a0d4e43403

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/134010/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a file
Sending a UDP request
Launching a process
DNS request
Sending an HTTP POST request
Deleting a recently created file
Reading critical registry keys
Stealing user critical data
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Azorult
Create hunting rule
Detection:
malicious
Classification:
phis.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/674842
Signature
Contains functionality to prevent local Windows debugging
DLL side loading technique detected
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected Azorult
Yara detected Azorult Info Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 386361 Sample: Proforma Invoice14042187605... Startdate: 14/04/2021 Architecture: WINDOWS Score: 100 35 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->35 37 Malicious sample detected (through community Yara rule) 2->37 39 Yara detected Azorult 2->39 41 5 other signatures 2->41 7 Proforma Invoice14042187605521.exe 18 2->7         started        process3 file4 29 C:\Users\user\AppData\Local\...\rn5m6.dll, PE32 7->29 dropped 10 Proforma Invoice14042187605521.exe 16 7->10         started        14 MSBuild.exe 7->14         started        process5 file6 31 C:\Users\user\AppData\Local\...\rn5m6.dll, PE32 10->31 dropped 51 Writes to foreign memory regions 10->51 53 Maps a DLL or memory area into another process 10->53 16 MSBuild.exe 66 10->16         started        signatures7 process8 dnsIp9 33 cupazo.co.in 104.243.44.52, 49734, 80 RELIABLESITEUS United States 16->33 21 C:\Users\user\AppData\Local\Temp\...\nss3.dll, PE32 16->21 dropped 23 C:\Users\user\AppData\Local\...\mozglue.dll, PE32 16->23 dropped 25 C:\Users\user\AppData\...\vcruntime140.dll, PE32 16->25 dropped 27 45 other files (none is malicious) 16->27 dropped 43 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 16->43 45 Tries to steal Instant Messenger accounts or passwords 16->45 47 Tries to steal Mail credentials (via file access) 16->47 49 3 other signatures 16->49 file10 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/99a0a4ce4a345e3729c6177c979011f01d2272541d94e284b4da18c6cd59fd9c/
Threat name:
Win32.Trojan.Predator
Create hunting rule
Status:
Malicious
First seen:
2021-04-13 23:36:05 UTC
AV detection:
12 of 29 (41.38%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=tgqkjtskgrpdokogc56jpear6aose4sudwkofbfu3immntkz7woa._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
Similar samples:
1d3d10e3a4a2060bcd6bdfb4249260d9ed72258ad93551ef64f0cba827b87147
AZORult
2d25d136b12c900209489988b87ec94520c0734f4f31d4497fa47dfefc551bb4
AZORult
38806d8372f8465c4775009362b83b94024fc6a280e3c83c476dec3852bcd2e6
AZORult
5af2bcd6e1359e4f5ff0b1f0d91397edb7dfeb3b6e5fef9cb73fd0bbf907b161
AZORult
5e500591cc85d6182a86762c1961cc2fc54c5c9fa6fa05b212a4e85c574d86cd
AZORult
62bcad1a08b9645f0b2bd969e31e3beda41ce828387eb60ce07b0749deee4c59
AZORult
65d873e82fc6d0e63a224589cdee5551f2d98c313e19adbc9799ef17ae493a8f
AZORult
6cda1f1821f10cb19986a831c9bca0ea1cb432f44cc7201c732b0d7bdc056ab9
AZORult
dfc46489f05e64f62434a7af40d10b919c46fd133eb0f42e33ece6c327770470
AZORult
eb7c92906b19491e5e670801cbcf189cf105f8e46a0e20c2bc8c7ab14cc1b9c7
AZORult
+ 988 additional samples on MalwareBazaar
Result
Malware family:
azorult
Create hunting rule
Score:
  10/10
Tags:
family:azorult infostealer spyware stealer trojan
Link:
https://tria.ge/reports/210413-mfrv1efpaa/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Reads local data of messenger clients
Azorult
Malware Config
C2 Extraction:
http://cupazo.co.in/TyBmo/index.php
Unpacked files
SH256 hash:
b6b8f1459cdc09825f47a2ba1f9fbd9a2c140ef08214ca255e34091fefb8a9af
MD5 hash:
1df3f1a816ae6b40e3db82eacc6e2cd2
SHA1 hash:
5719d00ef8fa6355427065e47d6483257636b7c3
Link:
https://www.unpac.me/results/0fc6467f-8b3f-4174-b46a-e2e586d6c117/
SH256 hash:
99a0a4ce4a345e3729c6177c979011f01d2272541d94e284b4da18c6cd59fd9c
MD5 hash:
63abd3223757a3c4b40d52f01d274837
SHA1 hash:
3cfc44783d590f0c0b19bffb205b43ed8579a0ca
Link:
https://www.unpac.me/results/0fc6467f-8b3f-4174-b46a-e2e586d6c117/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.67
Link:
https://yomi.yoroi.company/submissions/99a0a4ce4a345e3729c6177c979011f01d2272541d94e284b4da18c6cd59fd9c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/134010/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-04-14 09:11:43 UTC

================================================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
================================================================================
0) [B0001.032] Anti-Behavioral Analysis::Timing/Delay Check GetTickCount
1) [C0032.001] Data Micro-objective::CRC32::Checksum
2) [C0026.002] Data Micro-objective::XOR::Encode Data
4) [C0045] File System Micro-objective::Copy File
5) [C0046] File System Micro-objective::Create Directory
6) [C0048] File System Micro-objective::Delete Directory
7) [C0047] File System Micro-objective::Delete File
8) [C0049] File System Micro-objective::Get File Attributes
9) [C0051] File System Micro-objective::Read File
10) [C0050] File System Micro-objective::Set File Attributes
11) [C0052] File System Micro-objective::Writes File
12) [E1510] Impact::Clipboard Modification
13) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
14) [C0036.002] Operating System Micro-objective::Delete Registry Key::Registry
15) [C0036.007] Operating System Micro-objective::Delete Registry Value::Registry
16) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
17) [C0036.005] Operating System Micro-objective::Query Registry Key::Registry
18) [C0036.006] Operating System Micro-objective::Query Registry Value::Registry
19) [C0036.001] Operating System Micro-objective::Set Registry Key::Registry
20) [C0017] Process Micro-objective::Create Process
21) [C0038] Process Micro-objective::Create Thread
22) [C0018] Process Micro-objective::Terminate Process