MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 99ba4d5d99ff78d07193851a25935dbf32a98a86ab053c2a5d6c9a4ca8ca5075. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AZORult

Vendor detections: 8



SHA256 hash: 99ba4d5d99ff78d07193851a25935dbf32a98a86ab053c2a5d6c9a4ca8ca5075
SHA3-384 hash: 5d0b418ffa300dc7d76034667865ad935e1ad7ef5b1f37109feaf64cc37077b419ee3e334f9020ac995fdde298a233af
SHA1 hash: 48bf5f2e4f1ccc32b7d66969aff1257f1d8c83cc
MD5 hash: dd1b8358d9e94c5d887cfe7b71fe001d
humanhash: yellow-cold-dakota-nuts
File name: 99ba4d5d99ff78d07193851a25935dbf32a98a86ab053c2a5d6c9a4ca8ca5075
Signature: AZORult
File size: 3'669'530 bytes
First seen: 2020-11-10 11:03:03 UTC
Last seen: 2024-07-24 19:28:00 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: a1a66d588dcf1394354ebf6ec400c223 (49 x RedLineStealer, 7 x CryptBot, 4 x AZORult)
ssdeep: 98304:PqH/fh+/qD6NJIQmEvIAdwja7bOtOKeGk0DORXLD:Pqfg/nLmtaHOtObGk8EXLD
TLSH: 1A0633837A5780F7CB712570359AE68715B6F722136C88DBB9C0CE095E86BC0AB7C943
Reporter: seifreed
Tags: AZORult

Intelligence

File Origin
# of uploads: 2
# of downloads: 153
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Launching a process
Creating a process with a hidden window
Creating a process from a recently created file
Deleting a recently created file
Creating a file
Creating a file in the %AppData% directory
Running batch commands
DNS request
Sending an HTTP POST request
Delayed writing of the file
Launching the process to interact with network services
Launching the process to change the firewall settings
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun by creating a file
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2020-11-10 11:04:05 UTC
AV detection: 21 of 48 (43.75%)
Threat level: 5/5
Verdict: malicious
Label(s): azorult

Result
Malware family: azorult
Score: 10/10
Tags: family:azorult evasion infostealer persistence spyware trojan
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Modifies system certificate store
Runs net.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Launches sc.exe
Drops file in System32 directory
Modifies service
Suspicious use of SetThreadContext
Modifies WinLogon
Loads dropped DLL
Reads user/profile data of web browsers
Blacklisted process makes network request
Executes dropped EXE
Modifies RDP port number used by Windows
Modifies Windows Firewall
Sets DLL path for service in the registry
Grants admin privileges
Azorult
Malware Config
C2 Extraction: http://430lodsposlok.monster/index.php
Unpacked files
SHA256 hash: 99ba4d5d99ff78d07193851a25935dbf32a98a86ab053c2a5d6c9a4ca8ca5075
MD5 hash: dd1b8358d9e94c5d887cfe7b71fe001d
SHA1 hash: 48bf5f2e4f1ccc32b7d66969aff1257f1d8c83cc

SHA256 hash: 96696221259e39bdb0d57e66ac1528cd1e25338913ed3ce612852448839b4764
MD5 hash: 744cb1b21bb7a324e3623998e83482fa
SHA1 hash: 415cf35b39fe0582122f6bcd6c72e4f1038d10e2

SHA256 hash: e566f04f1340f627e7ed1022948708dcdf20fa5687b7ec108cac2a9420abca4b
MD5 hash: 347e238c00fa2b13fbef667095a32868
SHA1 hash: 8cfe01775385c3de8c6e21a0b24a40913ee7a7d1
Detections: win_azorult_g1 win_azorult_auto

SHA256 hash: c9ec065b0b4603b9aba14f88ae4e5fa0bbebe7b215432b17a9603b91ed6a1889
MD5 hash: 574084758f649821c95159e5375d7164
SHA1 hash: a67337ed6ab11ccadf38ba09ac26883990677add
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Other
