MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9b26b242e62b7ed9f8bf214f0b752866e83f13981e11b9e7c70d5aeb0cbb0f5d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AZORult

Vendor detections: 12

Intelligence 12 IOCs YARA 5 File information Comments

SHA256 hash:	9b26b242e62b7ed9f8bf214f0b752866e83f13981e11b9e7c70d5aeb0cbb0f5d
SHA3-384 hash:	e7addedc6a869465ad902c5ba3b5c75862d70515896d1d1c4509fd15705ae9ab2bed5b0a301f550811a91fae9307e23e
SHA1 hash:	fc1af516e8ea2c4f3eb1add0a65c9421cace1c4b
MD5 hash:	6146e00b16d35f03d1be912592e27576
humanhash:	coffee-bluebird-august-north
File name:	6146e00b16d35f03d1be912592e27576.exe
Download:	download sample
Signature	AZORult Create hunting rule
File size:	715'776 bytes
First seen:	2022-07-29 14:45:27 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep	12288:MEn6R+3pMnsOZBpfmf/HK52oXBmOnyLQx8txgV2iNi9ckRJ/tGG:9Z0/pfW/KsROnykxWxgV1c1GG
TLSH	T1C5E4F0CA254C6147E2385B7410A1EA35AB7ABE36BCB7F2CA6CD5708B56B33D20931153
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	b3b3333969693b3b (69 x Formbook, 63 x AgentTesla, 26 x Loki)
Reporter	abuse_ch
Tags:	AZORult exe

Intelligence

File Origin

# of uploads :

# of downloads :

797

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Azorult

Link:

https://www.capesandbox.com/analysis/295120/

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/62e3f2d7b7eec6562779a461/reports/7801a947-f994-4f77-90ac-e0dce5d8129b/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

AZORult

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/5960b544-83e8-4b62-8179-5cb613368e3d

Result

Threat name:

Azorult

Detection:

malicious

Classification:

phis.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1043209

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Crypto Currency Wallets

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file / registry access)

Yara detected AntiVM3

Yara detected Azorult

Yara detected Azorult Info Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9b26b242e62b7ed9f8bf214f0b752866e83f13981e11b9e7c70d5aeb0cbb0f5d/

Threat name:

Win32.Trojan.Stimilina

Status:

Malicious

First seen:

2022-07-29 14:46:14 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 26 (80.77%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=tmtleqxgfn7nt6f7efhqw5jim3ud6e4ydyi3tz6hbvnowdf3b5oq._file

Result

Malware family:

azorult

Score:

10/10

Tags:

family:azorult collection discovery infostealer spyware stealer trojan

Link:

https://tria.ge/reports/220729-r5amzabcgq/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Loads dropped DLL

Reads data files stored by FTP clients

Reads local data of messenger clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Azorult

Malware Config

C2 Extraction:

http://208.67.105.161/kendrick/index.php

Unpacked files

SH256 hash:

39c2d879c57f07305ce60412dc8a88f02e51f1a14a06cc605768d1d7f5313807

MD5 hash:

db51fe170a9e5d6ec5429a2fbd9d0353

SHA1 hash:

e30a58125fc41322db6cf2ccb6a6d414ed379016

Link:

https://www.unpac.me/results/4ee64524-5263-49db-a24c-c6d44b6b7021/

SH256 hash:

0d9f8bb2a0661ca966582fad2f86c21d8b7242199de918ae29a324027d24b301

MD5 hash:

d50a5b5a0b3805ab8183164f4b23b4e1

SHA1 hash:

9b11a59873ff246985a33ae575aed1cdbc934a3e

Link:

https://www.unpac.me/results/4ee64524-5263-49db-a24c-c6d44b6b7021/

SH256 hash:

7dc4305886a665e1df0fde8c592151ef6a079775db1f9fc815b2eee371ddb82d

MD5 hash:

974e4f50166de11b32370c10660d3e33

SHA1 hash:

874559578be1ee7a8eed37183c2aacb1fb76faf8

Link:

https://www.unpac.me/results/4ee64524-5263-49db-a24c-c6d44b6b7021/

SH256 hash:

13ca2f7a55b98e1890983122e67935c97e6d9df4429279d49a1324c6d56f0451

MD5 hash:

8b3a92a3409ae046bf3dc0753fcf8685

SHA1 hash:

4455c3efa2bf569f6d180063bb1e104a22581d61

Link:

https://www.unpac.me/results/4ee64524-5263-49db-a24c-c6d44b6b7021/

SH256 hash:

e44cd49ff7afa6f66cad4220efde83538494008c68158657925413cd03f11fdf

MD5 hash:

ec030c8f65a9d6bfe9507a4028232944

SHA1 hash:

2c36d3e00f0711966929e8f2c2195283b27cdcb2

Detections:

win_azorult_g1

win_azorult_auto

Link:

https://www.unpac.me/results/4ee64524-5263-49db-a24c-c6d44b6b7021/

Parent samples :

8ebca92cff949147d2dc62e0848458e51dba3063d18e370fe6ec5f6e985b7565
345b8e5f00f4098adb7da24313f6ec5a5b62ef848a8174c179097a7129850f64
5beefafe5567bd6707eed0bd46ed653a71816ffe4491e4c205dd899bbf002849
222ea7dd246109361c6a6b95f412e89376a4511f648709edbfeab959626c82be
ac05aaf10b6b112f0279ef5b5671079ab2343637fa903d587bb04dc76c829fa0
018b6eeb6fe09ffa600b34fe28c54144db3660728df29ca36c1ecfe51efa5041
489a08f890366aa554ec45fdea5f51ef79728ef030c5e83b119ad65655c79749
9b26b242e62b7ed9f8bf214f0b752866e83f13981e11b9e7c70d5aeb0cbb0f5d
93ad84ccbfa42d17d6690e0e7f6babe73ab64a672f2a1b1ab68004830efc6c6d
c5f1d36f5b7f70ffab8b430c730ff5b4a20d21cef6218e751ebd4feadb896b87

SH256 hash:

9b26b242e62b7ed9f8bf214f0b752866e83f13981e11b9e7c70d5aeb0cbb0f5d

MD5 hash:

6146e00b16d35f03d1be912592e27576

SHA1 hash:

fc1af516e8ea2c4f3eb1add0a65c9421cace1c4b

Link:

https://www.unpac.me/results/4ee64524-5263-49db-a24c-c6d44b6b7021/

Malware family:

AZORult v3

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/9b26b242e62b/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9b26b242e62b7ed9f8bf214f0b752866e83f13981e11b9e7c70d5aeb0cbb0f5d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Azorult Create hunting rule
Author:	kevoreilly
Description:	Azorult Payload

Rule name:	malware_Azorult Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Azorult in memory
Reference:	internal research

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	win_azorult_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.azorult.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AZORult

exe 9b26b242e62b7ed9f8bf214f0b752866e83f13981e11b9e7c70d5aeb0cbb0f5d

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2259767/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/295120/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample