MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9a36fc89381b4c1f3f368fc7ce1beb6ef3c7f1a31bc486e37a43fb5d4f62f5d9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9a36fc89381b4c1f3f368fc7ce1beb6ef3c7f1a31bc486e37a43fb5d4f62f5d9
SHA3-384 hash: badef34c39393bfc3683341ca6321609db593f29c70ab83bc903ad8fd51312b30ff9893a545bc7e047edac9ed76fb094
SHA1 hash: 75bc5184bc158208efc0e432d1ac7fe26aa224ea
MD5 hash: c28ae758c50f4898effb332a7ce08bc1
humanhash: oven-bakerloo-tennis-north
File name:hussan.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:45'056 bytes
First seen:2020-09-21 15:01:41 UTC
Last seen:2020-09-21 15:42:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash df5b62a3567f2fb9079d505df45c52ce (4 x AZORult, 3 x GuLoader)
ssdeep 768:K1OVecVfroydKHXGSyoczcQy0aGgJZUQ9V9:veaoyIHXGVNAQy0aGIRd
Threatray 1'633 similar samples on MalwareBazaar
TLSH 0A13191FA1B49B35F66085BD8E684F68005A7F30D4A1CE07ED1B392D4F31A21DAE4B97
Reporter James_inthe_box
Tags:AZORult exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
207
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Detection(s):
SecuriteInfo.com.Variant.Razy.755503.31283.13783.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
DNS request
Sending a custom TCP request
Creating a file
Deleting a recently created file
Sending an HTTP POST request
Creating a file in the %temp% subdirectories
Reading critical registry keys
Stealing user critical data
Result
Threat name:
Azorult GuLoader
Create hunting rule
Detection:
malicious
Classification:
rans.phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/471388
Signature
Binary contains a suspicious time stamp
Contains functionality to hide a thread from the debugger
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Multi AV Scanner detection for submitted file
Potential malicious icon found
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Yara detected Azorult
Yara detected GuLoader
Yara detected VB6 Downloader Generic
Behaviour
Behavior Graph:
Download SVG
Detection:
guloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/9a36fc89381b4c1f3f368fc7ce1beb6ef3c7f1a31bc486e37a43fb5d4f62f5d9/
Threat name:
Win32.Infostealer.Azorult
Create hunting rule
Status:
Malicious
First seen:
2020-09-21 02:06:06 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ti3pzcjydngb6pzwr7d44g7ln3z4p4nddpciny32ip5v2t3c6xmq._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
azorult
Create hunting rule
Similar samples:
0aa6ad540cef4f7c3583accdb2d103681f2ebf066928df8760f2b5668fbd58f2
AZORult
2c80924676beb57ffb753a576380eed1ec48e265a7843a52b08664463d890b61
AZORult
4320e2bf2bc6115ae79a52777bdd9aef62db691a756640f9c7fa6e8372e46193
AZORult
684c43f7e479e302f4c19387be2d3b059a93ee2680379fa242b7c064913f43cf
AZORult
6964c8791bbf63ce0cf1dac7e62486fd3398d16c72774904fd3a7ca4f3957fff
AZORult
abfd516f0c6cbc380eaefd3da726160b16755fb00c38cafcaa02db61b7208ba7
AZORult
acd781dfe44f61dafb6b3fc6f648c4833b96872caca16e7d746c914987979dd5
AZORult
bd91fca56344fa142bbc4d498cc74cdccec0539c53a7a64c81a3e6c419baba0a
AZORult
d3b837c6df7e17d6f6ff9c20066fa5b0064408935d62bacdd4c9b5791002b941
AZORult
e184f318d66c8ea996fd994937e70a67591a5f77a86058244746089ed51819ad
AZORult
+ 1'623 additional samples on MalwareBazaar
Result
Malware family:
azorult
Create hunting rule
Score:
  10/10
Tags:
trojan infostealer family:azorult spyware discovery
Link:
https://tria.ge/reports/200921-brdhk62mb6/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks installed software on the system
JavaScript code in executable
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Azorult
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Farheyt
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/9a36fc89381b4c1f3f368fc7ce1beb6ef3c7f1a31bc486e37a43fb5d4f62f5d9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/134/

Comments