MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ae628fd84f2ba783d82aa6e8804e7c41341671758e04ebc236f76ef7c7bee129. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ae628fd84f2ba783d82aa6e8804e7c41341671758e04ebc236f76ef7c7bee129
SHA3-384 hash: 57869bdb4f4ca95eccf8e96788e5a9c4a3b11f999ed129fefb8a2c688cdb9b370fcf0112d1142ae1a97cb31a9e910bb5
SHA1 hash: f1f852ef01e1c66f19dd09229930feba8cfc9111
MD5 hash: b1c7dd257bbb1ce28510aad0176ef77a
humanhash: tennessee-freddie-maryland-utah
File name:Damage.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:4'522'035 bytes
First seen:2020-12-08 16:08:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3d349bb1fedb23758a6e397e5d691576 (8 x Bancteian, 7 x AZORult, 1 x AgentTesla)
ssdeep 49152:+UJ6ZNXox4SgJhBsfHJq/nCFT4Mv0Pt97OAiiV59WAOjdOwVT0Hm7L0O8BD48rW7:+tR4xGnCtvwaXCqZLB03y
Threatray 18 similar samples on MalwareBazaar
TLSH 99268D26B284183FD07B1B3D4877A654993FBF622622DC1E16F038CC4F7A5813D6A65B
Reporter cocaman
Tags:AZORult exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
252
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Damage.exe
Verdict:
Malicious activity
Analysis date:
2020-12-09 00:30:40 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/328c9c88-893b-4684-8c25-e04df3bc6341

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/107290/
Detection(s):
Win.Trojan.Bancteian-0-6418983-0
Create hunting rule

Win.Malware.Delf-6821969-0
Create hunting rule

Win.Malware.Delf-6821971-0
Create hunting rule

Win.Trojan.Delf-33906
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %temp% directory
Creating a file
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the Windows directory
Changing a file
Moving a file to the Windows directory
Moving a recently created file
Creating a file in the %AppData% directory
Moving a file to the %AppData% directory
Setting a keyboard event handler
Blocking the User Account Control
Unauthorized injection to a recently created process
Enabling autorun
Enabling a "Do not show hidden files" option
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw.evad
Score:
75 / 100
Link:
https://www.joesandbox.com/analysis/558157
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates an undocumented autostart registry key
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 328175 Sample: Damage.exe Startdate: 08/12/2020 Architecture: WINDOWS Score: 75 52 Antivirus detection for dropped file 2->52 54 Antivirus / Scanner detection for submitted sample 2->54 56 Multi AV Scanner detection for dropped file 2->56 58 4 other signatures 2->58 7 Damage.exe 3 2->7         started        process3 file4 24 C:\Users\user\Desktop\Damage.exe, PE32 7->24 dropped 26 C:\Users\user\AppData\Local\...\icsys.ico.exe, PE32 7->26 dropped 10 icsys.ico.exe 13 7->10         started        14 Damage.exe 2 7->14         started        process5 file6 28 C:\Windows\wininit.exe, PE32 10->28 dropped 30 C:\Windows\RCX998C.tmp, PE32 10->30 dropped 32 C:\Users\user\AppData\Roaming\spoolsv.exe, PE32 10->32 dropped 34 4 other malicious files 10->34 dropped 60 Antivirus detection for dropped file 10->60 62 Machine Learning detection for dropped file 10->62 64 Drops executables to the windows directory (C:\Windows) and starts them 10->64 66 Drops PE files with benign system names 10->66 16 wininit.exe 13 10->16         started        20 svchost.exe 15 10->20         started        22 WerFault.exe 6 9 14->22         started        signatures7 process8 dnsIp9 36 edge-block-www-env.dropbox-dns.com 162.125.66.15, 443, 49761, 49764 DROPBOXUS United States 16->36 38 192.168.2.1 unknown unknown 16->38 40 2 other IPs or domains 16->40 42 Antivirus detection for dropped file 16->42 44 Creates an undocumented autostart registry key 16->44 46 Machine Learning detection for dropped file 16->46 48 Installs a global keyboard hook 16->48 50 Tries to harvest and steal browser information (history, passwords, etc) 20->50 signatures10
Detection:
azorult
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ae628fd84f2ba783d82aa6e8804e7c41341671758e04ebc236f76ef7c7bee129/
Threat name:
Win32.Trojan.Bancteian
Create hunting rule
Status:
Malicious
First seen:
2020-12-08 16:09:15 UTC
File Type:
PE (Exe)
Extracted files:
88
AV detection:
46 of 48 (95.83%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vzri7wcpfotyhwbku3uiatt4ie2bm4lvrycoxqrw65xppr564euq._file
Verdict:
unknown
Similar samples:
1e23baead02d0a359125e72cddf8a5114f8167e3a1f11b6a79f0d1713531fabd
AZORult
36aa5f316ccbdec9f0945c33c142563d4bee16b3cab1bd8f17cea4d30594cf0d
AZORult
4f3d500dc26e8a87fe7361064a50b7715731c378ec019e4643986f1e5c524cee
AZORult
7c2f0c42ed478e241d2fdb2580915342c5dbd50acc3fafa26908ae73a581eb3f
AZORult
baded1a52a51006d751c63ebecdb3ed8f07590a7773f6a40bb4a62b8f8a09210
AZORult
c62efee952c1bb4ff8e9fd28f3e477180010f8be162e6ddf8b8bfb42c78dfe2a
AZORult
d68a5a2bf92f0f08b8eb6f39351462f81d65d54085c1c7ae3aa81b2d3018434e
AZORult
d7105dfaf2690af5ecb82d31c891c8b6e36af889ddf4c10af513f4d0efd2d073
AZORult
d8b589a43f9499ffec0bc949540579b25a1c333d6e0531c7f40336e720e04a6b
AZORult
f6c28a76b12ddb94037c6cac0426ba87fb3201634731b901f66aecc15d5a98be
AZORult
+ 8 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence spyware trojan
Link:
https://tria.ge/reports/201208-h9f81e7atn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Program crash
Drops file in Windows directory
Adds Run key to start application
Checks whether UAC is enabled
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
ServiceHost packer
Modifies WinLogon for persistence
Modifies visiblity of hidden/system files in Explorer
UAC bypass
Unpacked files
SH256 hash:
ae628fd84f2ba783d82aa6e8804e7c41341671758e04ebc236f76ef7c7bee129
MD5 hash:
b1c7dd257bbb1ce28510aad0176ef77a
SHA1 hash:
f1f852ef01e1c66f19dd09229930feba8cfc9111
Link:
https://www.unpac.me/results/63a4a1a0-295c-456f-b016-d1b8c1d22b80/
SH256 hash:
c6a342076309bd41b3d799a88a645d1aaad5c6b6b6341fcf2859cb0921b33469
MD5 hash:
20dc8173a0151b1ce0b456a3bebf77c0
SHA1 hash:
4f1e56162b664b5c90a09bc1bb67cf9f699c72bd
Link:
https://www.unpac.me/results/63a4a1a0-295c-456f-b016-d1b8c1d22b80/
SH256 hash:
9584f6d01e6452371cc9b4828030a13045d99c243c497b63628828e66aabe26f
MD5 hash:
7476e403eef14ac403c63c7279831780
SHA1 hash:
8387f558e30dc115987ac2b5c174a41302471abf
Link:
https://www.unpac.me/results/63a4a1a0-295c-456f-b016-d1b8c1d22b80/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Tufik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ae628fd84f2ba783d82aa6e8804e7c41341671758e04ebc236f76ef7c7bee129

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AZORult

rar bb20b8d9dcfa42460e7942f1808f03e27ccc6f51cd86aa3b70239283afa48b55

AZORult

Executable exe ae628fd84f2ba783d82aa6e8804e7c41341671758e04ebc236f76ef7c7bee129

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 bb20b8d9dcfa42460e7942f1808f03e27ccc6f51cd86aa3b70239283afa48b55
Cape
Cape
https://www.capesandbox.com/analysis/107290/

Comments