MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aa097a67b670bfc6928e485a311eb8b8ff4b1af391ec8309758020faec4f8471. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 13


Intelligence 13 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: aa097a67b670bfc6928e485a311eb8b8ff4b1af391ec8309758020faec4f8471
SHA3-384 hash: 3d5a8d51fe724b8fbbafc0cdec9288eaa28b0b64f2ff8d08e8a7569523605eb838d4cfbd0a69fae220a7c7319372c80e
SHA1 hash: b63118a7c75ecd8dea61c7bb5ba9030872b0b430
MD5 hash: 5e46c48e41f962a3b3a43db10a80526a
humanhash: alabama-carolina-oxygen-lima
File name:HalkbankEkstre1307218483274478949429723.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:141'013 bytes
First seen:2021-07-13 11:26:32 UTC
Last seen:2021-07-13 11:37:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ced282d9b261d1462772017fe2f6972b (127 x Formbook, 113 x GuLoader, 70 x RemcosRAT)
ssdeep 3072:iBkfJpRXATwMdFCcGbFAg6PcxaWXsH0GnHxUgrRwcw0WLIKb7TjtbUFW8O:iqjIKFAg+pWqHpKL5TjtF
Threatray 1'726 similar samples on MalwareBazaar
TLSH T1A6D3017931D0C4F3CBF60AB09E739B26DFE6852229962B4B73506B557E37581920E2C3
Reporter abuse_ch
Tags:AZORult exe


Avatar
abuse_ch
AZORult C2:
http://37.0.11.128/index.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://37.0.11.128/index.php https://threatfox.abuse.ch/ioc/159991/

Intelligence

File Origin
# of uploads :
2
# of downloads :
213
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
HalkbankEkstre1307218483274478949429723.exe
Verdict:
Malicious activity
Analysis date:
2021-07-13 11:28:56 UTC
Tags:
trojan rat azorult stealer
Link:
https://app.any.run/tasks/2c1dc9bc-921b-4aa7-b077-0565101adf09

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Azorult
Create hunting rule
Link:
https://www.capesandbox.com/analysis/171358/
Detection(s):
SecuriteInfo.com.Zum.Androm.1.22147.26791.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AZORult
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4313985f-5cd1-4221-9e07-15ba3b234d1a
Result
Threat name:
Azorult
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/815492
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Yara detected Azorult
Yara detected Azorult Info Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
azorult
Create hunting rule
Link:
https://mwdb.cert.pl/sample/aa097a67b670bfc6928e485a311eb8b8ff4b1af391ec8309758020faec4f8471/
Threat name:
Win32.Trojan.Phonzy
Create hunting rule
Status:
Malicious
First seen:
2021-07-13 11:27:06 UTC
AV detection:
16 of 29 (55.17%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=viexuz5woc74neuojbndchvyxd7uwgxtshwigclvqaqpv3cpqryq._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
Similar samples:
06b81a3d40c9f00bbe9f0f64a962bea487772d6275f66162375c0b53b71b8d44
AZORult
1224ec1bfaa54c419bc8d701cd22c6d43f5c204a2d287a16e4eaebcc863c7572
AZORult
8333ba5146dd7f8dde824afe13e0bf988566027dbfcf239f06fd709115db68d7
AZORult
b7adfa62dab78ee0a3b1f52cee4f2edaf8f4b5f2ed866153884d4dc8519a8485
AZORult
c8dda41b34e9b16da333bfa30653a6f46be67c657158ecfd2c0463903b01e54d
AZORult
d697907fc8f52925819becd089578023988c5dd7c7a92512b83c2467b9693477
AZORult
de0c932fa9dcf368ae6d6247059b933546e941df97d03af66aeeafba3ba393ad
AZORult
f6b7e42150aea95c6af1e8c570ca45fac6e7e7dc2b27a88cae25fbc92faa07ff
AZORult
f8da3ee80f71b994d8921f9d902456cbd5187e1bdcd352a81f1d76e0f50ca0b8
AZORult
fa43d99f5f15a0f76079e1d2c35d5556fd8ff52718247829644c34112220d0f5
AZORult
+ 1'716 additional samples on MalwareBazaar
Result
Malware family:
azorult
Create hunting rule
Score:
  10/10
Tags:
family:azorult discovery infostealer spyware stealer trojan
Link:
https://tria.ge/reports/210713-frz8wmthzx/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Azorult
Malware Config
C2 Extraction:
http://37.0.11.128/index.php
Unpacked files
SH256 hash:
c3c8bd87537c175c85173d1873f8f9d682f2d69b5161bf49cb22dd2715f0d59e
MD5 hash:
ddd287a64ca2b47ce7033a8ab1776086
SHA1 hash:
81e0a3b6a6011bb5e60ce30fd6abccd8302d7fc8
Detections:
win_azorult_g1
Create hunting rule
win_azorult_auto
Create hunting rule
Link:
https://www.unpac.me/results/3614c0b7-6716-431c-a21f-893691159c1a/
Parent samples :
73bd6f2b1b0b6ea24d811257a4e34d491ea87575e236e3ca71e03dff561b09ae
aa097a67b670bfc6928e485a311eb8b8ff4b1af391ec8309758020faec4f8471
94a5c8ef65383e64d7652a6481406eef35df90942a2c40fce9eeee5845a48bbe
SH256 hash:
5c91054f21236baf25fb88ab65885e97c30fb0f7ad0559d632eb4c18d327a127
MD5 hash:
c168357f5e76a0e0ccfdcdab90b8e6d7
SHA1 hash:
60096b9ca768488b715823ca42246a290632031f
Link:
https://www.unpac.me/results/3614c0b7-6716-431c-a21f-893691159c1a/
SH256 hash:
6c612a4e7195fd1f05acd18b5fc502fe5293cc71dcc170e8e74b123f080ced2b
MD5 hash:
eb9e80fd17ce08e6463eaf20d41d27f2
SHA1 hash:
c13916c057fa64547f4aebd74b45dcfccb9e603e
Link:
https://www.unpac.me/results/3614c0b7-6716-431c-a21f-893691159c1a/
SH256 hash:
aa097a67b670bfc6928e485a311eb8b8ff4b1af391ec8309758020faec4f8471
MD5 hash:
5e46c48e41f962a3b3a43db10a80526a
SHA1 hash:
b63118a7c75ecd8dea61c7bb5ba9030872b0b430
Link:
https://www.unpac.me/results/3614c0b7-6716-431c-a21f-893691159c1a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/aa097a67b670bfc6928e485a311eb8b8ff4b1af391ec8309758020faec4f8471

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/171358/

Comments