MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9ba131f17050f1a0c0acb436f1912aa5086f78a5b378fb473ad81f5a8f7995b0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9ba131f17050f1a0c0acb436f1912aa5086f78a5b378fb473ad81f5a8f7995b0
SHA3-384 hash: 4c08bd732dbf18da380e41e9cd8e517ba7ffc98678a7b2a19620f5da082f576bfb60f54f09a457cc49c0ea9541c8e6a8
SHA1 hash: 6fbe01bcc41bf17a3a8816773f88bbdffecc1269
MD5 hash: 5bc25c551e74416f26766f72d6c210dd
humanhash: minnesota-alabama-sodium-lactose
File name:9BA131F17050F1A0C0ACB436F1912AA5086F78A5B378F.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:4'229'632 bytes
First seen:2022-06-19 20:41:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 95b21125bddca42ada3ab031d9585fde (1 x AZORult)
ssdeep 98304:LbJmP03k9R6QjpCxPGHPVOLapih7pLJYWWXPtf1h:LbwPwk9AK1tOO69LK1fX
Threatray 1'320 similar samples on MalwareBazaar
TLSH T1F6162323F1E189B7D26716B8BD1B9674883ABE243D35980A3BF45D4C4F396C038592E7
TrID 50.7% (.EXE) Inno Setup installer (109740/4/30)
19.9% (.EXE) InstallShield setup (43053/19/16)
6.5% (.EXE) Win32 Executable Delphi generic (14182/79/4)
6.0% (.SCR) Windows screen saver (13101/52/3)
4.8% (.EXE) Win64 Executable (generic) (10523/12/4)
File icon (PE):PE icon
dhash icon 9c3ee999f0ecf410 (1 x AZORult)
Reporter abuse_ch
Tags:AZORult exe


Avatar
abuse_ch
AZORult C2:
http://hostfiles.net/index.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://hostfiles.net/index.php https://threatfox.abuse.ch/ioc/716409/

Intelligence

File Origin
# of uploads :
1
# of downloads :
925
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Azorult
Create hunting rule
Link:
https://www.capesandbox.com/analysis/281361/
Detection(s):
Win.Dropper.LokiBot-6991288-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Sending a custom TCP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Searching for synchronization primitives
DNS request
Creating a file in the Program Files subdirectories
Moving a file to the Program Files subdirectory
Moving a recently created file
Modifying a system file
Creating a file in the Windows subdirectories
Launching a process
Unauthorized injection to a recently created process
Query of malicious DNS domain
Sending an HTTP POST request to an infection source
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/21987/overview
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
80%
Tags:
fareit greyware hacktool keylogger loki lokibot packed
Link:
https://www.filescan.io/uploads/62af8a5a745ae0fa14f551aa/reports/e58c1e51-2a48-46df-8eb7-6abe00d9e099/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ec8f94b1-83a3-450f-b807-719735a66d6a
Result
Threat name:
Azorult
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1015990
Signature
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Obfuscated command line found
Snort IDS alert for network traffic
Yara detected Azorult
Yara detected Azorult Info Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 648486 Sample: 9BA131F17050F1A0C0ACB436F19... Startdate: 19/06/2022 Architecture: WINDOWS Score: 100 43 Snort IDS alert for network traffic 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 Antivirus / Scanner detection for submitted sample 2->47 49 5 other signatures 2->49 7 9BA131F17050F1A0C0ACB436F1912AA5086F78A5B378F.exe 3 2->7         started        process3 file4 31 C:\Users\user\...\ky5p3xKqpeWAvcbYKOhjtTW.exe, PE32 7->31 dropped 33 Yll8srZTayRQcENC6H4yQHhJd9UbSbUU6jst.exe, PE32 7->33 dropped 51 Maps a DLL or memory area into another process 7->51 11 ky5p3xKqpeWAvcbYKOhjtTW.exe 2 7->11         started        15 Yll8srZTayRQcENC6H4yQHhJd9UbSbUU6jst.exe 15 3 7->15         started        18 9BA131F17050F1A0C0ACB436F1912AA5086F78A5B378F.exe 12 7->18         started        signatures5 process6 dnsIp7 35 C:\Users\user\...\ky5p3xKqpeWAvcbYKOhjtTW.tmp, PE32 11->35 dropped 53 Obfuscated command line found 11->53 20 ky5p3xKqpeWAvcbYKOhjtTW.tmp 38 29 11->20         started        37 iplogger.org 148.251.234.83, 443, 49755, 49756 HETZNER-ASDE Germany 15->37 55 May check the online IP address of the machine 15->55 57 Machine Learning detection for dropped file 15->57 39 hostfiles.net 75.2.115.196, 49757, 80 AMAZON-02US United States 18->39 41 192.168.2.1 unknown unknown 18->41 file8 signatures9 process10 file11 23 C:\...\unins000.exe (copy), PE32 20->23 dropped 25 C:\Program Files (x86)\...\is-4FLO7.tmp, PE32 20->25 dropped 27 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 20->27 dropped 29 7 other files (none is malicious) 20->29 dropped
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9ba131f17050f1a0c0acb436f1912aa5086f78a5b378fb473ad81f5a8f7995b0/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2019-06-11 05:21:07 UTC
File Type:
PE (Exe)
Extracted files:
101
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=toqtd4lqkdy2bqfmwq3pdejkuueg66ffwn4pwrz23apvvd3zswya._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
Similar samples:
034e8e297165eeb14372eea7a7e68756e561df39b84c5be924e542a36dee7418
AZORult
29cf2aec62c3504b1914484feff17ae470b51229b1df06f1a30334a08b6db12a
AZORult
3bdaeb542939de272d46fa125a9fbfc4a2bb551c3a49c5fbb68d17c45a11446d
AZORult
547bf6d6ed5ae181513ed653109514c73e5f50c3ea3a094bcd382fbd3c4b4bb0
AZORult
5e08ef6445c40ba0c1216c04291b0d9ef48f0983a9aebd25f214e6fc988daa53
AZORult
909cf19d116b61a8aba27f7f63d4b078a8f7dde3e28df3bc3d9643d0b93d3506
AZORult
b594ae37dfb90a402bda0803680b455ababcc67e1add26f3c3f8f192d97dbe2a
AZORult
b7f7c6607354a0b83caccf57efef2d2447d212b7e0ee0f476abf069274cfd90c
AZORult
b8868eb87c7cb945704e2d0b8ec2ebdc890cd6df12f9ef0a7295582c7fd0cf1f
AZORult
+ 1'310 additional samples on MalwareBazaar
Result
Malware family:
azorult
Create hunting rule
Score:
  10/10
Tags:
family:azorult infostealer suricata trojan
Link:
https://tria.ge/reports/220619-zgzwysecc9/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Azorult
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M15
Malware Config
C2 Extraction:
http://hostfiles.net/index.php
Unpacked files
SH256 hash:
ffdbc7810c3b48114a9005a8d1b1c00e883e23b92d51c008333bf22c2d189559
MD5 hash:
26220f5ecf8cda574bd0dc2c74572ff5
SHA1 hash:
275fb3d1ee29fe9f8e2c965c8505f473ee530e6d
Detections:
win_azorult_g1
Create hunting rule
win_azorult_auto
Create hunting rule
Link:
https://www.unpac.me/results/477aaf32-faf1-4b0b-a4d8-7f7631a7cafb/
SH256 hash:
fce50bb85a9a788702e59e56471d7021913ba43cb740ef0f76f89cbbb00c2a8b
MD5 hash:
353f9471e28b48d40b472dbb1188514a
SHA1 hash:
c81e500b224cad4f003957d5951c99d2b65dbca7
Link:
https://www.unpac.me/results/477aaf32-faf1-4b0b-a4d8-7f7631a7cafb/
SH256 hash:
3b1da51f9077a81533fd168538f13bcacc94487857f56ee1a9a0fee7debea96b
MD5 hash:
e77339cee3bd0eaebb499f38b5541be8
SHA1 hash:
e1446de5a697dc4401977e2b3c966c147cb68a00
Link:
https://www.unpac.me/results/477aaf32-faf1-4b0b-a4d8-7f7631a7cafb/
SH256 hash:
9ba131f17050f1a0c0acb436f1912aa5086f78a5b378fb473ad81f5a8f7995b0
MD5 hash:
5bc25c551e74416f26766f72d6c210dd
SHA1 hash:
6fbe01bcc41bf17a3a8816773f88bbdffecc1269
Link:
https://www.unpac.me/results/477aaf32-faf1-4b0b-a4d8-7f7631a7cafb/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9ba131f17050f1a0c0acb436f1912aa5086f78a5b378fb473ad81f5a8f7995b0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:exploit_any_poppopret
Create hunting rule
Author:Jeff White [karttoon@gmail.com] @noottrak
Description:Identify POP -> POP -> RET opcodes for quick ROP Gadget creation in target binaries.
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/281361/

Comments