MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a60bebe1f77523c999022885b6d6ba4c2e96e930d21b26f2254f113e179c48cc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 12


Intelligence 12 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a60bebe1f77523c999022885b6d6ba4c2e96e930d21b26f2254f113e179c48cc
SHA3-384 hash: 46c1f50a4ef16eb7b5b43c391694921196faade9795e79e99b7dd44dc5699108d6bb48a9c11b80494cd90f8429cc1e2e
SHA1 hash: a85c6a43b18fbadea52f571cecba05d6a0130539
MD5 hash: a84c839796276cfaac74df29d5b2e496
humanhash: south-nuts-london-florida
File name:a84c839796276cfaac74df29d5b2e496.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:139'392 bytes
First seen:2021-09-18 12:50:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f105b079e26a72f1e39b46e0f5f8ab23 (2 x AZORult, 1 x RaccoonStealer)
ssdeep 3072:slKmvMHwdF68nJi4Xz3R5mBROogsH6n9U5zr6HvkHw:0K+MnkJz7mAD9Udr8
Threatray 8'817 similar samples on MalwareBazaar
TLSH T10ED3AF1365B40AA2F4560AB51AE198B85737FD718544CE07328ABF0D1DB3BC36DE1B2B
Reporter abuse_ch
Tags:AZORult exe


Avatar
abuse_ch
AZORult C2:
http://maurizio.ug/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://maurizio.ug/ https://threatfox.abuse.ch/ioc/223007/

Intelligence

File Origin
# of uploads :
1
# of downloads :
659
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a84c839796276cfaac74df29d5b2e496.exe
Verdict:
Malicious activity
Analysis date:
2021-09-18 12:51:42 UTC
Tags:
trojan stealer vidar rat azorult loader raccoon
Link:
https://app.any.run/tasks/3ce96b2c-73aa-4183-bcec-921980e05576

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Meteorite
Create hunting rule
Link:
https://www.capesandbox.com/analysis/188929/
Detection(s):
PUA.Win.Packer.Ep-7
Create hunting rule

PUA.Win.Packer.Embedpe-3
Create hunting rule

PUA.Win.Packer.AcprotectUltraprotect-1
Create hunting rule

Win.Trojan.Barys-9890423-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Connection attempt to an infection source
Sending an HTTP GET request to an infection source
Creating a file in the %temp% directory
Creating a process from a recently created file
Sending an HTTP POST request to an infection source
Launching the default Windows debugger (dwwin.exe)
DNS request
Connecting to a non-recommended domain
Connection attempt
Sending an HTTP GET request
Launching a service
Launching a process
Delayed writing of the file
Unauthorized injection to a recently created process
Query of malicious DNS domain
Unauthorized injection to a recently created process by context flags manipulation
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/14d01bfc-5bc0-4442-bf90-13afdf4e101f
Result
Threat name:
Azorult
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/853189
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to resolve many domain names, but no domain seems valid
Yara detected Azorult
Yara detected Azorult Info Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 485620 Sample: hrebBwxQXQ.exe Startdate: 18/09/2021 Architecture: WINDOWS Score: 100 39 pshmn.com 2->39 41 maurizio.ug 2->41 43 3 other IPs or domains 2->43 58 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->58 60 Multi AV Scanner detection for domain / URL 2->60 62 Found malware configuration 2->62 66 11 other signatures 2->66 9 hrebBwxQXQ.exe 13 2->9         started        signatures3 64 Tries to resolve many domain names, but no domain seems valid 39->64 process4 signatures5 74 Performs DNS queries to domains with low reputation 9->74 76 Maps a DLL or memory area into another process 9->76 12 hrebBwxQXQ.exe 23 9->12         started        process6 dnsIp7 45 wishamag.ac.ug 12->45 48 tuekisa.ac.ug 12->48 50 22 other IPs or domains 12->50 31 C:\Users\user\AppData\Local\...\Dropkxa.exe, PE32 12->31 dropped 33 C:\Users\user\AppData\Local\...\Dropakxa.exe, PE32 12->33 dropped 35 C:\Users\user\AppData\Local\...\ghjk[1].exe, PE32 12->35 dropped 37 C:\Users\user\AppData\Local\...\ghjkl[1].exe, PE32 12->37 dropped 16 Dropakxa.exe 11 12->16         started        20 Dropkxa.exe 2 12->20         started        file8 78 Tries to resolve many domain names, but no domain seems valid 48->78 signatures9 process10 file11 27 C:\Users\user\AppData\Local\...\dscadeq.exe, PE32 16->27 dropped 29 C:\Users\user\AppData\Local\Temp\dnadeq.exe, PE32 16->29 dropped 52 Antivirus detection for dropped file 16->52 54 Multi AV Scanner detection for dropped file 16->54 56 Machine Learning detection for dropped file 16->56 22 dnadeq.exe 4 16->22         started        25 dscadeq.exe 4 16->25         started        signatures12 process13 signatures14 68 Antivirus detection for dropped file 22->68 70 Multi AV Scanner detection for dropped file 22->70 72 Machine Learning detection for dropped file 22->72
Detection:
raccoon
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a60bebe1f77523c999022885b6d6ba4c2e96e930d21b26f2254f113e179c48cc/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2021-09-16 11:36:35 UTC
AV detection:
25 of 28 (89.29%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uyf6xypxour4tgicfcc3nvv2jqxjn2jq2insn4rfj4it4f44jdga._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
raccoon
Create hunting rule
Similar samples:
1b9339d0a70cdef37f4827a81100f9e8158a5633dc8b7a2c3b616f070ce49b5d
AZORult
29cf2aec62c3504b1914484feff17ae470b51229b1df06f1a30334a08b6db12a
AZORult
42caa5a2e19134770914b3b33dffaceaae03a44fc52babd8abc250d7d7696945
AZORult
7982b6446285ca06d96a1bc1e0ac8a2618123664173bff105d02e22bf617c757
AZORult
959e3ca2579b6be8a11c06763c5a34ec118abc96d869e25bef06319c92da465e
AZORult
b594ae37dfb90a402bda0803680b455ababcc67e1add26f3c3f8f192d97dbe2a
AZORult
b7f7c6607354a0b83caccf57efef2d2447d212b7e0ee0f476abf069274cfd90c
AZORult
fa40dc2c8055f953099d7d354ba97fbf3a5f3aa501ce95cb8cefa810b80ea5d4
AZORult
+ 8'807 additional samples on MalwareBazaar
Result
Malware family:
oski
Create hunting rule
Score:
  10/10
Tags:
family:azorult family:oski discovery infostealer persistence spyware stealer trojan
Link:
https://tria.ge/reports/210918-p2zrkshda6/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies registry class
Modifies registry key
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Azorult
Oski
Malware Config
C2 Extraction:
http://195.245.112.115/index.php
maurizio.ug
Unpacked files
SH256 hash:
95b94a7a06b6cd5734013ef7ebb9f9cea6d04f7f467fffa203a09a8e6d5ff0d3
MD5 hash:
5acd21381d600765601be0e4e7b6597a
SHA1 hash:
879cec8513536dfb7a2b562e05893bbf0ef6f5ee
Link:
https://www.unpac.me/results/4d6df83a-f6ba-4ced-bb69-9bd8469c987f/
SH256 hash:
2cfef8bd8151c3c77514da41268cf6bb7adba60f509246b180813641abacc78d
MD5 hash:
f5819f0afafa08b2b0a4ef787896384b
SHA1 hash:
3b8e662597ec8c6518c9d229c2dc88b3a60ac7df
Link:
https://www.unpac.me/results/4d6df83a-f6ba-4ced-bb69-9bd8469c987f/
SH256 hash:
a60bebe1f77523c999022885b6d6ba4c2e96e930d21b26f2254f113e179c48cc
MD5 hash:
a84c839796276cfaac74df29d5b2e496
SHA1 hash:
a85c6a43b18fbadea52f571cecba05d6a0130539
Link:
https://www.unpac.me/results/4d6df83a-f6ba-4ced-bb69-9bd8469c987f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a60bebe1f77523c999022885b6d6ba4c2e96e930d21b26f2254f113e179c48cc

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/188929/

Comments