MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9f75d7b0a9006f15297ee21ed5aa35c3a27835b18c83854479e900118fab75ca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9f75d7b0a9006f15297ee21ed5aa35c3a27835b18c83854479e900118fab75ca
SHA3-384 hash: 6cae963bfccdbc94b5fb6d69848ddf7594a919846fb4bd766ea987ebc24961a41c35a4af63a476d8da7b2f05bb853024
SHA1 hash: a11db9dc93e67933a7212ca6b2db943ac60af381
MD5 hash: 2cda6936ba8920094b1dcf16702f1290
humanhash: hot-carpet-mockingbird-bravo
File name:Order _ Confirmation_ No-1191244.pdf.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:2'931'200 bytes
First seen:2021-05-10 12:53:52 UTC
Last seen:2021-05-10 13:02:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'743 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 49152:JgEXq7CA/AhrAEsE82q7fpKDd8BB4Pzray5ZkkqPSGMheWP89B4:JZ95suqDpKLa/j8EWw
Threatray 72 similar samples on MalwareBazaar
TLSH DAD5121923845A1FE57B777244686B0013B17ABEAA63C73DBD58B04BF9217C68233637
Reporter abuse_ch
Tags:AZORult exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
271
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/154065/
Detection(s):
SecuriteInfo.com.Scr.Malcodegdn30.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
MicroClip
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/779278
Signature
Found many strings related to Crypto-Wallets (likely being stolen)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Double Extension
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected MicroClip
Behaviour
Behavior Graph:
Download SVG
Detection:
azorult
Create hunting rule
Link:
https://mwdb.cert.pl/sample/9f75d7b0a9006f15297ee21ed5aa35c3a27835b18c83854479e900118fab75ca/
Threat name:
ByteCode-MSIL.Infostealer.Coins
Create hunting rule
Status:
Malicious
First seen:
2021-05-10 12:54:15 UTC
AV detection:
15 of 29 (51.72%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=t525pmfjabxrkkl64ipnlkrvyorhqnnrrsbykrdz5eabdd5loxfa._file
Verdict:
unknown
Similar samples:
280cc07780558d0d3368a4e8b5b4caa401e2049c7c256e24cd02cd989713142f
AZORult
36aa5f316ccbdec9f0945c33c142563d4bee16b3cab1bd8f17cea4d30594cf0d
AZORult
371f46d6159d5fcba2d1531a470938fcd195840aeaf1147ec894407a7387431d
AZORult
7c2f0c42ed478e241d2fdb2580915342c5dbd50acc3fafa26908ae73a581eb3f
AZORult
932f441f48b8141855595770e135e4835569547461b337fea67a695f33e1e65a
AZORult
b11a974fee906fcfbfadce6a615552bb396a0ab0fa891f87f78476f5e63da275
AZORult
c62efee952c1bb4ff8e9fd28f3e477180010f8be162e6ddf8b8bfb42c78dfe2a
AZORult
d7105dfaf2690af5ecb82d31c891c8b6e36af889ddf4c10af513f4d0efd2d073
AZORult
f540c5efdad496c600faa92500d473c40f22a49897f12ace8c0f7ab09cdee1b0
AZORult
f6c28a76b12ddb94037c6cac0426ba87fb3201634731b901f66aecc15d5a98be
AZORult
+ 62 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion trojan
Link:
https://tria.ge/reports/210510-awnntkd5z2/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks whether UAC is enabled
UAC bypass
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.81
Link:
https://yomi.yoroi.company/submissions/9f75d7b0a9006f15297ee21ed5aa35c3a27835b18c83854479e900118fab75ca

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/154065/

Comments