MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a6203ca5a80eb73bf0f245a482f68ce1ed689d9d57bfd943b3a82cdbc686391a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AZORult

Vendor detections: 10

Intelligence 10 IOCs YARA 1 File information Comments

SHA256 hash:	a6203ca5a80eb73bf0f245a482f68ce1ed689d9d57bfd943b3a82cdbc686391a
SHA3-384 hash:	61522c19dad50987f8409293428267dad057be6c725602afa7553ffb170f8698aa8801ba9e4752408aa9a476c620dae8
SHA1 hash:	34420017b8a8d5c3ed6f039c11a756c193765de7
MD5 hash:	927af771cdf72afe226edace22bf6c04
humanhash:	double-wyoming-winter-mobile
File name:	RFQ 11054.exe
Download:	download sample
Signature	AZORult Create hunting rule
File size:	944'128 bytes
First seen:	2021-04-30 08:39:44 UTC
Last seen:	2021-05-07 09:47:34 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'470 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:1PEIoLLoS60/K7yh017FOTHN3iAgijJQwXt3Wff0JShfFuXmvUBZXUgBwdRiW9K4:1zoLA170t3JgiyG3s/ET
Threatray	1'754 similar samples on MalwareBazaar
TLSH	D4157CEC361475EDC2078C3397CF0C1192202575AA2BA60B972323BD9A6FD576F389D9
Reporter	TeamDreier
Tags:	AZORult

Intelligence

File Origin

# of uploads :

# of downloads :

250

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/147304/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.696.431.13645.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

Sending an HTTP POST request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

AZORult

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/704350

Signature

C2 URLs / IPs found in malware configuration

Detected AZORult Info Stealer

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected AntiVM3

Yara detected Azorult

Yara detected Azorult Info Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a6203ca5a80eb73bf0f245a482f68ce1ed689d9d57bfd943b3a82cdbc686391a/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-04-29 15:41:06 UTC

AV detection:

19 of 29 (65.52%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=uyqdzjnib23tx4hsiwsif5um4hwwrhm5k675sq5tvawnxrughena._file

Verdict:

malicious

Result

Malware family:

azorult

Score:

10/10

Tags:

family:azorult infostealer trojan

Link:

https://tria.ge/reports/210430-phafacspca/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Azorult

Malware Config

C2 Extraction:

http://13.233.97.208/index.php

Unpacked files

SH256 hash:

74b2935b9dfe4ba397fd0507ae3c36abb77193041f2e7c43c55dc4e7b33de61c

MD5 hash:

b5c218f30fecc9cb8513ff6a46737b01

SHA1 hash:

f0416867c2b114789620b318051f1fa390b07eae

Link:

https://www.unpac.me/results/726d063c-8309-43c0-8793-2b3ff145e86a/

SH256 hash:

73a37b277cbce80a8f2bcd700afe71b9be7174f582fc64ea4aa70e6c463f0f43

MD5 hash:

2403a3db1204e8ffb39528956980e399

SHA1 hash:

d53e42f34734fa05925bf6e2b35bccf538d9b1c5

Detections:

win_azorult_g1

win_azorult_auto

Link:

https://www.unpac.me/results/726d063c-8309-43c0-8793-2b3ff145e86a/

Parent samples :

d286ce0a72c3053c61909e492d314b3008ca872a80ea60e29b9d0ec728e6dc62
2cc66e6b9543edef6030e5fbdc28331070efe1d6a193a2da39b026e31479452c
a6203ca5a80eb73bf0f245a482f68ce1ed689d9d57bfd943b3a82cdbc686391a

SH256 hash:

918b2568c57bc7a11c332ae50c1e6c7fe80238c51fe313d8fdf96b93e07813a5

MD5 hash:

003fc6c29f568c8d036eb7ac15e558bc

SHA1 hash:

b103f06e2bcd0988f2f2f8b13167c2d3f3509d53

Link:

https://www.unpac.me/results/726d063c-8309-43c0-8793-2b3ff145e86a/

SH256 hash:

a6203ca5a80eb73bf0f245a482f68ce1ed689d9d57bfd943b3a82cdbc686391a

MD5 hash:

927af771cdf72afe226edace22bf6c04

SHA1 hash:

34420017b8a8d5c3ed6f039c11a756c193765de7

Link:

https://www.unpac.me/results/726d063c-8309-43c0-8793-2b3ff145e86a/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

AgentTesla

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a6203ca5a80eb73bf0f245a482f68ce1ed689d9d57bfd943b3a82cdbc686391a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/147304/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample