MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 addcdf9e3bac722442fb269492fea86e91d4e97ee5df4ca5c03515d534fb0c51. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 18


Intelligence 18 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: addcdf9e3bac722442fb269492fea86e91d4e97ee5df4ca5c03515d534fb0c51
SHA3-384 hash: 0ed19efc09fc15dd56cad302b9de992d39ce4ff00b5e92d6b46cb1ca5c84ba5ee5cfb45c3368f53f782097146aacf24f
SHA1 hash: 4f295ccfc7b7a2eeeec53df66d22743dbac301a6
MD5 hash: 1ac70328ce1dea448647022c5b360a67
humanhash: washington-october-alabama-oregon
File name:ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:8'425'933 bytes
First seen:2023-03-25 13:25:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b8494300a1f7342d4c600a7b12e15925 (3 x RedLineStealer, 3 x RemoteManipulator, 1 x njrat)
ssdeep 196608:oKFIqkBPpjIwzMYsK6fg4/Lovsc+eQ5AdlH3sxAPflIKap:vkFAYsrfx8vJ+eQAd5sxAPmfp
Threatray 33 similar samples on MalwareBazaar
TLSH T1788633695E98403ED946193008CBFE35B63FFE1C0A3754873BD99D5CB82B2899C1E25B
TrID 91.7% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
1.9% (.EXE) Win32 Executable Delphi generic (14182/79/4)
1.8% (.SCR) Windows screen saver (13097/50/3)
1.3% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
0.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon b36bf0b161913280 (2 x njrat, 1 x RedLineStealer, 1 x AZORult)
Reporter abuse_ch
Tags:AZORult exe


Avatar
abuse_ch
AZORult C2:
http://f0355889.xsph.ru/Panel/index.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
400
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
azorult
Create hunting rule
ID:
1
File name:
ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe
Verdict:
Malicious activity
Analysis date:
2023-03-25 13:31:52 UTC
Tags:
trojan rat azorult
Link:
https://app.any.run/tasks/78be5d06-eb80-4d2b-b092-93987022192e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Azorult
Create hunting rule
Link:
https://www.capesandbox.com/analysis/377382/
Detection(s):
SecuriteInfo.com.Filecoder.I.dropper.22548.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Delayed reading of the file
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Creating a file in the %AppData% directory
Creating a file in the Program Files subdirectories
Modifying a system file
Creating a process from a recently created file
Creating a process with a hidden window
DNS request
Connecting to a non-recommended domain
Sending an HTTP POST request
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Running batch commands
Unauthorized injection to a recently created process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/74838/overview
Behaviour
MalwareBazaar
CPUID_Instruction
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
CVE-2012-0158 exploit fingerprint greyware overlay packed shell32.dll stealer strictor
Link:
https://www.filescan.io/uploads/641ef66ba6b4db3649e8ccc4/reports/5e95eb8d-eaa7-46f7-9080-2d3d22c508ab/overview
Verdict:
Malicious
Labled as:
Strictor.Generic
Link:
https://www.hybrid-analysis.com/sample/addcdf9e3bac722442fb269492fea86e91d4e97ee5df4ca5c03515d534fb0c51
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AutoKMS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/842432ad-2350-4f00-a9e5-f2937af9dd6e
Result
Threat name:
Azorult
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1201840
Signature
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Detected VMProtect packer
Drops PE files with benign system names
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction (VM detection)
Yara detected Azorult
Yara detected Azorult Info Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 834745 Sample: ADDCDF9E3BAC722442FB269492F... Startdate: 25/03/2023 Architecture: WINDOWS Score: 100 43 Snort IDS alert for network traffic 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 Multi AV Scanner detection for dropped file 2->47 49 8 other signatures 2->49 8 ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe 15 8 2->8         started        process3 file4 35 C:\Users\user\AppData\Roaming\csrss.exe, PE32 8->35 dropped 37 C:\Program Files (x86)\...\KMSAuto Net.exe, PE32 8->37 dropped 39 C:\Users\user\AppData\Local\...\temp_0.tmp, Microsoft 8->39 dropped 51 Drops PE files with benign system names 8->51 12 csrss.exe 12 8->12         started        16 KMSAuto Net.exe 3 8->16         started        signatures5 process6 dnsIp7 41 f0355889.xsph.ru 141.8.192.151, 49695, 80 SPRINTHOSTRU Russian Federation 12->41 53 Antivirus detection for dropped file 12->53 55 Multi AV Scanner detection for dropped file 12->55 57 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 12->57 59 4 other signatures 12->59 18 WerFault.exe 24 9 12->18         started        21 cmd.exe 1 16->21         started        23 cmd.exe 2 16->23         started        25 cmd.exe 2 16->25         started        signatures8 process9 file10 33 C:\ProgramData\Microsoft\...\Report.wer, Unicode 18->33 dropped 27 conhost.exe 21->27         started        29 conhost.exe 23->29         started        31 conhost.exe 25->31         started        process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/addcdf9e3bac722442fb269492fea86e91d4e97ee5df4ca5c03515d534fb0c51/
Threat name:
Win32.Trojan.Strictor
Create hunting rule
Status:
Malicious
First seen:
2023-03-24 02:14:00 UTC
File Type:
PE (Exe)
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vxon7hr3vrzciqx3e2kjf7vin2i5j2l64xpuzjoaguk5knh3briq._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
Similar samples:
1d128ffc3927d02e3393da5e27d2557766f82df921b09d42603b08d5724e9e9a
AZORult
1e40b7a3aca5fa0302e9f6c2e4b10f738f8ad2e357cb0987f175c456f67e8e67
AZORult
81e0959262728a0870a5fd08f80207d1157bdf2e00dde7d8481450fa17f5d718
AZORult
86360aa8ab41f3de1ba20cad54f2567c0d5994a20d5b58d0b71aa42c545bb9f8
AZORult
9542930037fd5f2261b592841e3522f75328e15e153144d732727fedd0a8d8c8
AZORult
9d313aa0090d3425564379e7674795b68f050ec6473b1ced106fff220a8749d4
AZORult
a30ca77ad86272e9b5f83aaa8a0f62baa2234fb29f63da58b580423cd00655c9
AZORult
c6255b3d3add48b7b8dea57dfc2c89345fdcc6d131fd3bfa0a806a0eaef08c2c
AZORult
+ 23 additional samples on MalwareBazaar
Result
Malware family:
azorult
Create hunting rule
Score:
  10/10
Tags:
family:azorult discovery infostealer trojan vmprotect
Link:
https://tria.ge/reports/230325-qphszaeh91/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
VMProtect packed file
Azorult
Malware Config
C2 Extraction:
http://f0355889.xsph.ru/Panel/index.php
Unpacked files
SH256 hash:
dfd11cdb960d89306d306246de8b73679e5545e0d8bed036f9eb23f9d7f11086
MD5 hash:
770f7a79e448c8c56e97ab5f50248ee1
SHA1 hash:
b10947c71226afbae403d5fbc7123069fce5c35e
Detections:
Azorult
Create hunting rule
win_azorult_g1
Create hunting rule
Link:
https://www.unpac.me/results/9c073702-751d-4f01-a9e7-46e7c78aa082/
SH256 hash:
addcdf9e3bac722442fb269492fea86e91d4e97ee5df4ca5c03515d534fb0c51
MD5 hash:
1ac70328ce1dea448647022c5b360a67
SHA1 hash:
4f295ccfc7b7a2eeeec53df66d22743dbac301a6
Link:
https://www.unpac.me/results/9c073702-751d-4f01-a9e7-46e7c78aa082/
Malware family:
AZORult
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/addcdf9e3bac/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/addcdf9e3bac722442fb269492fea86e91d4e97ee5df4ca5c03515d534fb0c51

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/377382/

Comments