MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9a16003498f3aadaf2404af1054cb0bdd9583bb0413847adecefc8e64fde60cc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9a16003498f3aadaf2404af1054cb0bdd9583bb0413847adecefc8e64fde60cc
SHA3-384 hash: d6b4b01da7867b096dce5c7ef3ff7efeda687161b1d1da6457b44fa84d5fc05829bdcc7f027bbcb4975b23bc06864867
SHA1 hash: 1df4ccb013d61278f8ce93b28e820113a0133e15
MD5 hash: 8838150097445aea2194ed4c3a5b0caf
humanhash: oklahoma-fourteen-network-bacon
File name:8838150097445aea2194ed4c3a5b0caf.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:721'920 bytes
First seen:2022-02-21 07:11:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:hGi7pBv82tb0ir4yJw3qttCpJzXuJesT3DAwDxWzXGbAsNAV:L7jkgdcqcsTUAxca5NAV
Threatray 1'248 similar samples on MalwareBazaar
TLSH T161E4DF213AEE905DF3B3ABB14FC8F4BF4A6AF573151AA1BA358213464B61F808D01775
File icon (PE):PE icon
dhash icon ce9c9496e4949c9c (73 x AgentTesla, 51 x SnakeKeylogger, 30 x Formbook)
Reporter abuse_ch
Tags:AZORult exe


Avatar
abuse_ch
AZORult C2:
http://nnpcoil.buzz/kendrick/panel/index.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://nnpcoil.buzz/kendrick/panel/index.php https://threatfox.abuse.ch/ioc/389747/

Intelligence

File Origin
# of uploads :
1
# of downloads :
781
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Azorult
Create hunting rule
Link:
https://www.capesandbox.com/analysis/242863/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
DNS request
Sending an HTTP POST request
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe fareit obfuscated obfuscated packed replace.exe update.exe
Link:
https://www.filescan.io/uploads/62133b09875593a3ccf98c51/reports/a4e62ef1-2003-4fbb-9cde-3951f74fce9b/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AZORult
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/76e8fa47-a9c3-4334-8055-f41f2938b435
Result
Threat name:
Azorult
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/943028
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Yara detected Azorult
Yara detected Azorult Info Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9a16003498f3aadaf2404af1054cb0bdd9583bb0413847adecefc8e64fde60cc/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-02-21 07:11:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
23 of 27 (85.19%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=tilaaney6ovnv4sajlyqktfqxxmvqo5qie4eplpm57eomt66mdga._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
Similar samples:
10fed6bb7e0d98d4c39fecce52838efecad2e6d836ceabaf40b438e6790e8abf
AZORult
172f87bb27c59a83f26061358df1a3407cc46d8ebd5a65dc2a8e24c4f3765f71
AZORult
510fc8ddf4ef05deb48ee47645b7df2c5f577179a80f84fbe091ba1ad5589f52
AZORult
5c52d01a13034d617c28365f534c392ec264c3d755dc36ff188082081af05688
AZORult
8a1e242d7dd4840b60db37d09828f24fe047f0b7d7a74af48bd3bfc68f7c0d97
AZORult
8a4e21250c7411e253d17ef56bd2ede874fd945fbeed7948b39f4e3b147232ef
AZORult
afa9c8dfed5854fb55279a38fe6dcf64c0c3f8617107dbc672960d94ccca409c
AZORult
+ 1'238 additional samples on MalwareBazaar
Result
Malware family:
azorult
Create hunting rule
Score:
  10/10
Tags:
family:azorult infostealer suricata trojan
Link:
https://tria.ge/reports/220221-hzy9psggfp/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Drops file in Windows directory
Suspicious use of SetThreadContext
Azorult
Suspicious use of NtCreateProcessExOtherParentProcess
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M13
Malware Config
C2 Extraction:
http://nnpcoil.buzz/kendrick/panel/index.php
Unpacked files
SH256 hash:
abe09e5f9aaef888b38cefb475872754a702fe3cd2a7e34d8cba6d1075ae7020
MD5 hash:
ed7aa8ec452b281d1dbc490e81f4927e
SHA1 hash:
c905c621acfad9cd7cc41c6655049f9eddc34cf4
Link:
https://www.unpac.me/results/dc55a012-936f-4e40-8a84-98b8fe6acc2f/
SH256 hash:
e33254e2ad4d279914a29450f98d1750a9f513fc8ddb853e0dd8346b805faa43
MD5 hash:
b597cce7bfc65e56fa69ebb7f413a33f
SHA1 hash:
7ee40df5ac783432e7c9f7be4f7ed1f286345d58
Link:
https://www.unpac.me/results/dc55a012-936f-4e40-8a84-98b8fe6acc2f/
SH256 hash:
19c6068bbf5e44d00eaa2a5aec113b25c025d9e55c263984b28bb3a746b0e490
MD5 hash:
083b496da567423cf16ace134ea8b30b
SHA1 hash:
2d09e332f5daa209d6e5247c085f4e4928d670ae
Detections:
win_azorult_g1
Create hunting rule
win_azorult_auto
Create hunting rule
Link:
https://www.unpac.me/results/dc55a012-936f-4e40-8a84-98b8fe6acc2f/
SH256 hash:
99e3f9de161304bd7901d7cf04b267039a66d63344662e0622ba94f0c2a70035
MD5 hash:
3e95e48146bcd51ad0b2a87bab3a8215
SHA1 hash:
02c8b0313717394fd7227515edd55e2ba7596c34
Link:
https://www.unpac.me/results/dc55a012-936f-4e40-8a84-98b8fe6acc2f/
SH256 hash:
9a16003498f3aadaf2404af1054cb0bdd9583bb0413847adecefc8e64fde60cc
MD5 hash:
8838150097445aea2194ed4c3a5b0caf
SHA1 hash:
1df4ccb013d61278f8ce93b28e820113a0133e15
Link:
https://www.unpac.me/results/dc55a012-936f-4e40-8a84-98b8fe6acc2f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9a16003498f3aadaf2404af1054cb0bdd9583bb0413847adecefc8e64fde60cc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Azorult
Create hunting rule
Author:kevoreilly
Description:Azorult Payload
Rule name:malware_Azorult
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Azorult in memory
Reference:internal research
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_azorult_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.azorult.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AZORult

Executable exe 9a16003498f3aadaf2404af1054cb0bdd9583bb0413847adecefc8e64fde60cc

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2038758/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/242863/

Comments