MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a3106e981a3c90e2512b5f67afdb8e8430fa3bc75cc11eab5541a7200ecd0fba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AZORult

Vendor detections: 11

Intelligence 11 IOCs YARA 5 File information Comments

SHA256 hash:	a3106e981a3c90e2512b5f67afdb8e8430fa3bc75cc11eab5541a7200ecd0fba
SHA3-384 hash:	e421e06a8c1be31949fb2b609fa785890a9730cbca51f070cb7558665c34d1d6ca2978e4a06da02471a4c787b3bd1c89
SHA1 hash:	81aeca85212c7a72b7ada8e491ce6d59b57e0da4
MD5 hash:	d0e647af8626999e69f866e7974f6419
humanhash:	bakerloo-eighteen-california-uncle
File name:	d0e647af8626999e69f866e7974f6419.exe
Download:	download sample
Signature	AZORult Create hunting rule
File size:	700'416 bytes
First seen:	2021-01-20 14:50:48 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep	6144:mfIqe7rYHzjLIy50jRVCdT3/ceLDcLuZTvpaN2Pn7BiWgwRB/Wr4KY+kkl0:mfIqSYb50jwcEc6tpi2Pn7Bjg1rQh
Threatray	233 similar samples on MalwareBazaar
TLSH	FBE4CF29B78ECDA3D06D3B3F01FE68144392F1C7AA52E36B1A285FB317151C52B4E895
Reporter	abuse_ch
Tags:	AZORult exe

Intelligence

File Origin

# of uploads :

# of downloads :

343

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

d0e647af8626999e69f866e7974f6419.exe

Verdict:

Malicious activity

Analysis date:

2021-01-20 15:34:45 UTC

Tags:

trojan rat azorult

Link:

https://app.any.run/tasks/bf9b7525-3345-4bcd-8dcd-d876dbd7e859

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Azorult

Link:

https://www.capesandbox.com/analysis/113147/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Creating a process from a recently created file

Sending a UDP request

Creating a file

DNS request

Sending an HTTP POST request

Deleting a recently created file

Reading critical registry keys

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Stealing user critical data

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Azorult

Detection:

malicious

Classification:

spyw.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/586254

Signature

.NET source code contains very large array initializations

Allocates memory in foreign processes

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Writes to foreign memory regions

Yara detected Azorult

Yara detected Azorult Info Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a3106e981a3c90e2512b5f67afdb8e8430fa3bc75cc11eab5541a7200ecd0fba/

Threat name:

ByteCode-MSIL.Trojan.Wacatac

Status:

Malicious

First seen:

2021-01-20 14:51:07 UTC

AV detection:

13 of 29 (44.83%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=umig5ga2hsioeujll5t27w4oqqypuo6hltar5k2vigtsadwnb65a._file

Verdict:

unknown

Result

Malware family:

azorult

Score:

10/10

Tags:

family:azorult discovery infostealer spyware trojan

Link:

https://tria.ge/reports/210120-wsqktj7bzn/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

JavaScript code in executable

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Executes dropped EXE

Azorult

Malware Config

C2 Extraction:

http://195.245.112.115/index.php

Unpacked files

SH256 hash:

a3c90d4bc4b6c3b8389a0007f4e3e00022ea4518df291ee08b57a145ebb1ed19

MD5 hash:

d86326c573eda1c5e8081458705028bf

SHA1 hash:

75512a2d7cef1383f02e7777c5a75cbd2db80ec9

Detections:

win_azorult_g1

win_azorult_auto

Link:

https://www.unpac.me/results/48b3a18c-6e82-456a-b20c-0c5bde390e05/

Parent samples :

dd8f6125085752edcbf972de78d0b635e8c0558d0071890bcfcc2472cc035484
83ee84084d628a921bd29b547f6767e17d8cd89a6132f9d717d5ccab7da72fbd
b22aed0458247b059e32aa4ffd4fcaf3ba7c097432fcbcbea9db7482899addbf
fbc1e4ec22cd7339eb5fbc8d64320bb825f411e3c6ade350705586bfab4e1808
a3106e981a3c90e2512b5f67afdb8e8430fa3bc75cc11eab5541a7200ecd0fba
2282058691f8597344411ed34d7c33a8d23ca40362d8ee9567f3e71ed22bedef

SH256 hash:

e2b5646e959fcf2f6ed994780262e65c16cecbc9d3421ada3239f26130ebe8d1

MD5 hash:

7a13d5b7628956f87cb4f24b3e66ff5d

SHA1 hash:

5a2a3e4a70a7ef67180b6dea2273c9c3ae162f9c

Link:

https://www.unpac.me/results/48b3a18c-6e82-456a-b20c-0c5bde390e05/

SH256 hash:

4f81e273da20c5b9835ce6ca57cc061d77764f9e3927bdb1505cb791bf50b046

MD5 hash:

29e19b5dce96140a8b90152b16bd44af

SHA1 hash:

4f3dc6eb876bb58f53966980a9c451a04ec17d8a

Link:

https://www.unpac.me/results/48b3a18c-6e82-456a-b20c-0c5bde390e05/

SH256 hash:

c06d4e3d0205d9bdd4a4b40b8da710d698b3a5d73a1626c9ca058c10b2c6d00c

MD5 hash:

7f67414b3fd29299f2d29ad7c2afb995

SHA1 hash:

2ec40d57c08c47433a6d044d271d74005dddae8d

Link:

https://www.unpac.me/results/48b3a18c-6e82-456a-b20c-0c5bde390e05/

SH256 hash:

49dc26861fffee2f6440e56a10b7086ea305d2f16bb9e27ba3e08b9893557f86

MD5 hash:

e732cd6decfed3503b4020899d5a56f9

SHA1 hash:

024c1bf147c698e92aae340bbee323601d02a787

Link:

https://www.unpac.me/results/48b3a18c-6e82-456a-b20c-0c5bde390e05/

SH256 hash:

a3106e981a3c90e2512b5f67afdb8e8430fa3bc75cc11eab5541a7200ecd0fba

MD5 hash:

d0e647af8626999e69f866e7974f6419

SHA1 hash:

81aeca85212c7a72b7ada8e491ce6d59b57e0da4

Link:

https://www.unpac.me/results/48b3a18c-6e82-456a-b20c-0c5bde390e05/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a3106e981a3c90e2512b5f67afdb8e8430fa3bc75cc11eab5541a7200ecd0fba

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Azorult Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Azorult in memory
Reference:	internal research

Rule name:	Steam_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Steam in files like avemaria

Rule name:	Telegram_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Telegram in files like avemaria

Rule name:	Trojan_W32_Gh0stMiancha_1_0_0 Create hunting rule

Rule name:	win_azorult_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator