MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 a9c9824497908a525a168c43d743fea3d1f5dc4c3004e8fe51b77a28ac018829. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
AZORult
Vendor detections: 13
| SHA256 hash: | a9c9824497908a525a168c43d743fea3d1f5dc4c3004e8fe51b77a28ac018829 |
|---|---|
| SHA3-384 hash: | 9a34b11e636fe07fdcf1cb568cf8b29043614306892c9873bd984cfe69a9bd49763bbd4caf199ff74f27500a504f5ac9 |
| SHA1 hash: | a1d450a61681d4f2e882f84b5d505b5d47839e5d |
| MD5 hash: | db11017a353658fcc955f9135686b16e |
| humanhash: | lima-florida-music-red |
| File name: | A9C9824497908A525A168C43D743FEA3D1F5DC4C3004E.exe |
| Download: | download sample |
| Signature | AZORult |
| File size: | 1'273'736 bytes |
| First seen: | 2021-04-23 12:30:53 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT) |
| ssdeep | 24576:SAHnh+eWsN3skA4RV1Hom2KXMmHaFdQmC62pUaV5wz5y:Vh+ZkldoPK8YabQmCey |
| Threatray | 1'589 similar samples on MalwareBazaar |
| TLSH | C045BF42B395C0B6FF9B92B35F69B24257BD69354133802F23982D78BD711B2123E663 |
| Reporter |  abuse_ch |
| Tags: | AZORult exe |
Indicators Of Compromise (IOCs)
Below is a list of indicators of compromise (IOCs) associated with this malware samples.
| IOC | ThreatFox Reference |
|---|---|
| http://cryptofaze.com/index.php | https://threatfox.abuse.ch/ioc/9725/ |
Intelligence
File Origin
# of uploads :
1
# of downloads :
278
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
A9C9824497908A525A168C43D743FEA3D1F5DC4C3004E.exe
Verdict:
Malicious activity
Analysis date:
2021-04-23 12:38:06 UTC
Tags:
trojan rat azorult
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Azorult
Result
Verdict:
Malware
Maliciousness:
Behaviour
Creating a window
Using the Windows Management Instrumentation requests
Launching a process
Launching cmd.exe command interpreter
Creating a process with a hidden window
DNS request
Sending a UDP request
Unauthorized injection to a system process
Sending an HTTP POST request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Azorult
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Uses ping.exe to check the status of other devices and networks
Writes to foreign memory regions
Yara detected Azorult
Yara detected Azorult Info Stealer
Behaviour
Behavior Graph:
Detection:
azorult
Threat name:
Win32.Infostealer.Azorult
Status:
Malicious
First seen:
2019-01-31 08:07:21 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
5/5
Detection(s):
Malicious file
Verdict:
malicious
Similar samples:
+ 1'579 additional samples on MalwareBazaar
Result
Malware family:
azorult
Score:
10/10
Tags:
family:azorult infostealer trojan
Behaviour
NTFS ADS
Runs ping.exe
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Deletes itself
Azorult
Malware Config
C2 Extraction:
http://cryptofaze.com/index.php
Unpacked files
SH256 hash:
84435cb1b1151a1b307cf95acb0c0783c192fdfe0999629b8aa7e4dc01c9c4b9
MD5 hash:
7265a53a4799129f33d9767f630cfaea
SHA1 hash:
05bad985e761eaf1f0603175c61f1aab2a800487
Detections:
win_azorult_g1
win_azorult_auto
SH256 hash:
a9c9824497908a525a168c43d743fea3d1f5dc4c3004e8fe51b77a28ac018829
MD5 hash:
db11017a353658fcc955f9135686b16e
SHA1 hash:
a1d450a61681d4f2e882f84b5d505b5d47839e5d
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | AutoIT_Compiled |
|---|---|
| Author: | @bartblaze |
| Description: | Identifies compiled AutoIT script (as EXE). |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0001.033] Anti-Behavioral Analysis::Timing/Delay Check QueryPerformanceCounter
1) [B0009.012] Anti-Behavioral Analysis::Human User Check
2) [F0002.002] Collection::Polling
4) [B0030.002] Command and Control::Receive Data
5) [B0030.001] Command and Control::Send Data
6) [C0002.009] Communication Micro-objective::Connect to Server::HTTP Communication
7) [C0002.012] Communication Micro-objective::Create Request::HTTP Communication
8) [C0002.017] Communication Micro-objective::Get Response::HTTP Communication
9) [C0002.004] Communication Micro-objective::Open URL::HTTP Communication
10) [C0002.014] Communication Micro-objective::Read Header::HTTP Communication
11) [C0002.003] Communication Micro-objective::Send Request::HTTP Communication
12) [C0014.002] Communication Micro-objective::Echo Request::ICMP Communication
13) [C0003.001] Communication Micro-objective::Create Pipe::Interprocess Communication
14) [C0027.009] Cryptography Micro-objective::RC4::Encrypt Data
15) [C0021.005] Cryptography Micro-objective::Mersenne Twister::Generate Pseudo-random Sequence
16) [C0021.004] Cryptography Micro-objective::RC4 PRGA::Generate Pseudo-random Sequence
17) [C0026.001] Data Micro-objective::Base64::Encode Data
18) [C0026.002] Data Micro-objective::XOR::Encode Data
21) [B0043] Discovery::Taskbar Discovery
22) [C0045] File System Micro-objective::Copy File
23) [C0046] File System Micro-objective::Create Directory
24) [C0048] File System Micro-objective::Delete Directory
25) [C0047] File System Micro-objective::Delete File
26) [C0049] File System Micro-objective::Get File Attributes
27) [C0051] File System Micro-objective::Read File
28) [C0050] File System Micro-objective::Set File Attributes
29) [C0052] File System Micro-objective::Writes File
30) [E1510] Impact::Clipboard Modification
31) [C0007] Memory Micro-objective::Allocate Memory
32) [C0034.001] Operating System Micro-objective::Set Variable::Environment Variable
33) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
34) [C0036.002] Operating System Micro-objective::Delete Registry Key::Registry
35) [C0036.007] Operating System Micro-objective::Delete Registry Value::Registry
36) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
37) [C0036.005] Operating System Micro-objective::Query Registry Key::Registry
38) [C0036.006] Operating System Micro-objective::Query Registry Value::Registry
39) [C0036.001] Operating System Micro-objective::Set Registry Key::Registry
40) [C0040] Process Micro-objective::Allocate Thread Local Storage
41) [C0017] Process Micro-objective::Create Process
42) [C0038] Process Micro-objective::Create Thread
43) [C0054] Process Micro-objective::Resume Thread
44) [C0041] Process Micro-objective::Set Thread Local Storage Value
45) [C0018] Process Micro-objective::Terminate Process
46) [C0039] Process Micro-objective::Terminate Thread