MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a2fa84e5ecfde2e65cb13ae7b13be29c2bdca0b01e746cc6e015c92ed36c087a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 8


Intelligence 8 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a2fa84e5ecfde2e65cb13ae7b13be29c2bdca0b01e746cc6e015c92ed36c087a
SHA3-384 hash: 6f18a2e7f6aba047da135d3571d6d08c714bf13dae9c1fb06cb20d8e54bcdd01aac5ae8910504352d1e8b4509b4b703e
SHA1 hash: d033676a11cba16ee1c7e687d4f9075aaa8e57d3
MD5 hash: ab0cc6143bdee10292eca9fb74a153ea
humanhash: connecticut-shade-coffee-three
File name:RECEIPT_PDF.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:391'893 bytes
First seen:2021-07-08 08:39:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (865 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 6144:WjT5Zh17eWxoG/+ov/2OIQ4wW3OBsCeAW35HFbjvuLZ:WRZ+IoG/n9IQxW3OBseW5HFbjvuLZ
Threatray 657 similar samples on MalwareBazaar
TLSH T156846B03B98D97BDD7614A713935A7305539BF231B248A9BB3C4EE2D997009CA7307E2
Reporter cocaman
Tags:AZORult DHL exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
211
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RECEIPT_PDF.exe
Verdict:
Malicious activity
Analysis date:
2021-07-08 08:41:49 UTC
Tags:
loader covid19 trojan rat azorult stealer
Link:
https://app.any.run/tasks/c445bb58-dc81-4bca-881f-84809300c039

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/170374/
Detection(s):
Win.Malware.Qshell-9875653-0
Create hunting rule

SecuriteInfo.com.Trojan.Rasftuby.Gen.14.10239.27368.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/aa03abee-8031-4f7c-9658-6f74f0f4b2c9
Result
Threat name:
Azorult
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/813332
Signature
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Sigma detected: WScript or CScript Dropper
Tries to download files via bitsadmin
Yara detected Azorult
Yara detected Azorult Info Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 445743 Sample: RECEIPT_PDF.exe Startdate: 08/07/2021 Architecture: WINDOWS Score: 100 50 cdn.discordapp.com 2->50 56 Found malware configuration 2->56 58 Malicious sample detected (through community Yara rule) 2->58 60 Antivirus detection for dropped file 2->60 62 8 other signatures 2->62 11 RECEIPT_PDF.exe 5 9 2->11         started        signatures3 process4 file5 48 C:\Users\user\AppData\Roaming\covid.vbs, ASCII 11->48 dropped 14 wscript.exe 1 11->14         started        16 AcroRd32.exe 39 11->16         started        process6 process7 18 cmd.exe 1 14->18         started        21 RdrCEF.exe 68 16->21         started        24 AcroRd32.exe 8 6 16->24         started        dnsIp8 54 Tries to download files via bitsadmin 18->54 26 RECEIPT_pdf.exe 18->26         started        30 bitsadmin.exe 1 18->30         started        32 conhost.exe 18->32         started        52 192.168.2.1 unknown unknown 21->52 34 RdrCEF.exe 21->34         started        36 RdrCEF.exe 21->36         started        38 RdrCEF.exe 21->38         started        40 2 other processes 21->40 signatures9 process10 file11 46 C:\Users\user\AppData\...\mjofvzkqrp.dll, PE32 26->46 dropped 64 Maps a DLL or memory area into another process 26->64 42 RECEIPT_pdf.exe 26->42         started        signatures12 process13 process14 44 WerFault.exe 42->44         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a2fa84e5ecfde2e65cb13ae7b13be29c2bdca0b01e746cc6e015c92ed36c087a/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-07-08 08:40:09 UTC
File Type:
PE (Exe)
Extracted files:
20
AV detection:
16 of 46 (34.78%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ul5ijzpm7xromxfrhlt3co7ctqv5zifqdz2gzrxacxes5u3mbb5a._file
Verdict:
malicious
Similar samples:
048066b8f8dcf8a74e78e458a727edf50094a5849dbaae9cc80df053deae7c47
AZORult
09de50c42d342a45215b027b4b041d96fafa5348aeb71c15db3d46725c3aeaa2
AZORult
40e593b8ec5b014b56d4b1c2572b11385ee2151ddb73dc7ee8a2ef4a7fb1bae8
AZORult
6d915396aa09593693247c54c4a91feea691dc6e5f4ff234791a6193d2b5ac1b
AZORult
7416875c44dab7adebe7e6809228adabe17c38abae4bf9c6d49c72fd967621e4
AZORult
8060ecf4c1dc957aefdbfc835361541af83a9e5d6433f5abb073477c59f16e4c
AZORult
85f68c16519e6f833c593ed0e6b735366c061bb808c6228d730b48e3f025a9a5
AZORult
91b886840c7f674d17b48e5d2264228a55fe0f28e32e102c84dad5cca49ed807
AZORult
a408e65fa77a4eded318a05af68fe27f522ec61b0c3e30aa34a5703b06fe2cf8
AZORult
bc7cbed34a28008fed6c5c7d7fea8658d4abeb1eff5b06e06a917680d5091fcf
AZORult
+ 647 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/210708-2axyjq8lg6/
Behaviour
Checks processor information in registry
Download via BitsAdmin
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Loads dropped DLL
Downloads MZ/PE file
Unpacked files
SH256 hash:
a2fa84e5ecfde2e65cb13ae7b13be29c2bdca0b01e746cc6e015c92ed36c087a
MD5 hash:
ab0cc6143bdee10292eca9fb74a153ea
SHA1 hash:
d033676a11cba16ee1c7e687d4f9075aaa8e57d3
Link:
https://www.unpac.me/results/5421ea56-76b4-48b5-934d-1687d65fc870/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a2fa84e5ecfde2e65cb13ae7b13be29c2bdca0b01e746cc6e015c92ed36c087a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:adonunix2
Create hunting rule
Author:Tim Brown @timb_machine
Description:AD on UNIX
Rule name:Cryptocoin_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Steam in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:win_karius_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT
Rule name:without_attachments
Create hunting rule
Author:Antonio Sanchez <asanchez@hispasec.com>
Description:Rule to detect the no presence of any attachment
Reference:http://laboratorio.blogs.hispasec.com/
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com
Rule name:with_urls
Create hunting rule
Author:Antonio Sanchez <asanchez@hispasec.com>
Description:Rule to detect the presence of an or several urls
Reference:http://laboratorio.blogs.hispasec.com/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AZORult

rar 103d49b3d4a0bdb4227674f8962821a88ac09d6ba6db2b779d07b598efbf5eeb

AZORult

Executable exe a2fa84e5ecfde2e65cb13ae7b13be29c2bdca0b01e746cc6e015c92ed36c087a

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 103d49b3d4a0bdb4227674f8962821a88ac09d6ba6db2b779d07b598efbf5eeb
Cape
Cape
https://www.capesandbox.com/analysis/170374/

Comments