MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a8e109be069f5ee700269958c9a2312f8417e7e6d88e5cfcdc439865f4a896e0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AZORult

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	a8e109be069f5ee700269958c9a2312f8417e7e6d88e5cfcdc439865f4a896e0
SHA3-384 hash:	58a37b7dfbc450f6747812ac4cfdd66a6897ab5bc46dc31c3337c0bf853d3162efd23b9952f6984d8f09dc66b4faec6b
SHA1 hash:	a3be9e5ebbf896408dd5e41ed53eca5699ea0562
MD5 hash:	2ab7f3ea6fc43a1d7ad31ada16ed5102
humanhash:	thirteen-montana-indigo-fix
File name:	Company profile.exe
Download:	download sample
Signature	AZORult Create hunting rule
File size:	832'000 bytes
First seen:	2020-10-02 09:17:16 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	39842799018ad6ecbf6d3672bc15efdb (3 x AgentTesla, 1 x Loki, 1 x AZORult)
ssdeep	12288:7b6mCM9sXHh9BoRPqsxOVKuS5r70xwgeqh043L97/hOYEOJ3e0ZQsMG:KeSHhYRRxOVGcxJBdb1NzkcQsF
Threatray	370 similar samples on MalwareBazaar
TLSH	17058E22E2B15837C5236A7CDC1B577D982ABE512D287A462BE5DC4C8F397C039253A3
Reporter	abuse_ch
Tags:	AZORult exe

abuse_ch

AZORult C2:
http://207.154.240.23/index.php

Intelligence

File Origin

# of uploads :

# of downloads :

178

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Azorult

Link:

https://www.capesandbox.com/analysis/67698/

Detection(s):

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Unauthorized injection to a recently created process

Creating a file in the %temp% subdirectories

Creating a file

Deleting a recently created file

Reading critical registry keys

Stealing user critical data

Sending an HTTP POST request to an infection source

Result

Threat name:

AZORult

Detection:

malicious

Classification:

phis.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/480091

Signature

Binary contains a suspicious time stamp

Contains functionality to detect sleep reduction / modifications

Detected AZORult Info Stealer

Detected unpacking (changes PE section rights)

Found many strings related to Crypto-Wallets (likely being stolen)

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file access)

Yara detected Azorult

Yara detected Azorult Info Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a8e109be069f5ee700269958c9a2312f8417e7e6d88e5cfcdc439865f4a896e0/

Threat name:

Win32.Trojan.LokibotCrypt

Status:

Malicious

First seen:

2020-10-02 07:15:39 UTC

AV detection:

26 of 29 (89.66%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=vdqqtpqgt5pooabgtfmmtirrf6cbpz7g3chfz7g4iomgl5fis3qa._file

Verdict:

malicious

Label(s):

azorult

Result

Malware family:

azorult

Score:

10/10

Tags:

discovery trojan infostealer family:azorult spyware

Link:

https://tria.ge/reports/201002-trjndds7le/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Checks installed software on the system

JavaScript code in executable

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Azorult

Malware Config

C2 Extraction:

http://207.154.240.23/index.php

Unpacked files

SH256 hash:

a8e109be069f5ee700269958c9a2312f8417e7e6d88e5cfcdc439865f4a896e0

MD5 hash:

2ab7f3ea6fc43a1d7ad31ada16ed5102

SHA1 hash:

a3be9e5ebbf896408dd5e41ed53eca5699ea0562

Link:

https://www.unpac.me/results/fd510d61-6172-4d78-b0b0-3ae1d37577d4/

SH256 hash:

4a51221d0cfdb22ae1667889b2ca61cdde827b54065048347bae7fec90af7ee3

MD5 hash:

9b1f6700ebab67eaf6b4a4ab768c948a

SHA1 hash:

dfb1fff5addcacaf2780c86fd488c8917878e615

Detections:

win_azorult_g1

win_azorult_auto

Link:

https://www.unpac.me/results/fd510d61-6172-4d78-b0b0-3ae1d37577d4/

Parent samples :

1206ddd174f5df61f70259ac6da12226590232dd5f70d3139aa290d381efecbe
a8e109be069f5ee700269958c9a2312f8417e7e6d88e5cfcdc439865f4a896e0
9373672ac208fbcbd30989225c834fb94742f87bbf6d47ce78484076a74e8489

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a8e109be069f5ee700269958c9a2312f8417e7e6d88e5cfcdc439865f4a896e0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AZORult

exe a8e109be069f5ee700269958c9a2312f8417e7e6d88e5cfcdc439865f4a896e0

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/67698/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample