MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b0e129540ee58ba0b23d465d0722e396a0500270a02b95b9bf632257c8d7f540. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b0e129540ee58ba0b23d465d0722e396a0500270a02b95b9bf632257c8d7f540
SHA3-384 hash: 63d7e21a3a8ffae959ea0b2a2978738a7bde90302a2eb1e790944f9da56a821a0edcc1aa18ad5e3c888af1ee2a91aebf
SHA1 hash: 898b43f4800d6978ca6393256cfdb04042e220f4
MD5 hash: 5eb8425a4e810d201c30e3fbe734eab0
humanhash: vermont-shade-charlie-alaska
File name:SecuriteInfo.com.Trojan.PWS.Siggen2.53838.21070.10599
Download: download sample
Signature AZORult
Create hunting rule
File size:576'000 bytes
First seen:2020-08-24 19:31:10 UTC
Last seen:2020-08-25 06:56:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:iKNLdi99qhqrC9VLhjbu7qP7E8nSsqBpDG:iKNLdi9oMrWjbu7qPtalG
Threatray 268 similar samples on MalwareBazaar
TLSH 48C4193772C25035D63942754828E5E1B2387A5C3FA54A3FB1DB4B0CAE5648B7F292CE
Reporter SecuriteInfoCom
Tags:AZORult

Intelligence

File Origin
# of uploads :
2
# of downloads :
272
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Azorult
Create hunting rule
Link:
https://www.capesandbox.com/analysis/50315/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.53838.21070.10599.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %temp% directory
Creating a process from a recently created file
DNS request
Sending an HTTP POST request
Creating a file
Deleting a recently created file
Reading critical registry keys
Replacing files
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Result
Threat name:
AZORult
Create hunting rule
Detection:
malicious
Classification:
phis.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/447926
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Binary contains a suspicious time stamp
Detected AZORult Info Stealer
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected Azorult
Yara detected Azorult Info Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 276296 Sample: SecuriteInfo.com.Trojan.PWS... Startdate: 24/08/2020 Architecture: WINDOWS Score: 100 36 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->36 38 Malicious sample detected (through community Yara rule) 2->38 40 Antivirus / Scanner detection for submitted sample 2->40 42 6 other signatures 2->42 7 SecuriteInfo.com.Trojan.PWS.Siggen2.53838.21070.exe 4 2->7         started        process3 file4 20 C:\Users\user\AppData\...\AddInProcess32.exe, PE32 7->20 dropped 22 SecuriteInfo.com.T...53838.21070.exe.log, ASCII 7->22 dropped 44 Writes to foreign memory regions 7->44 46 Allocates memory in foreign processes 7->46 48 Injects a PE file into a foreign processes 7->48 11 AddInProcess32.exe 61 7->11         started        16 AddInProcess32.exe 7->16         started        signatures5 process6 dnsIp7 32 flitegetit.top 178.128.38.76, 49749, 49751, 80 DIGITALOCEAN-ASNUS Netherlands 11->32 34 192.168.2.1 unknown unknown 11->34 24 C:\Users\user\AppData\...\vcruntime140.dll, PE32 11->24 dropped 26 C:\Users\user\AppData\Local\...\ucrtbase.dll, PE32 11->26 dropped 28 C:\Users\user\AppData\Local\...\softokn3.dll, PE32 11->28 dropped 30 45 other files (none is malicious) 11->30 dropped 50 Detected AZORult Info Stealer 11->50 52 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->52 54 Tries to steal Instant Messenger accounts or passwords 11->54 56 4 other signatures 11->56 18 WerFault.exe 23 9 16->18         started        file8 signatures9 process10
Detection:
azorult
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b0e129540ee58ba0b23d465d0722e396a0500270a02b95b9bf632257c8d7f540/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-08-21 07:48:23 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wdqssvao4wf2bmr5izoqoixds2qfaatquavzlon7mmrfpsgx6vaa._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
Similar samples:
4639769fea49849bb1a85d41d7dc9f4975e0945b3e5b0622503a71b8a97faccf
AZORult
556078f7b9c9cc0472e000c38af7b5285ebc9e9e70282c5fa9e8b9063bcd16ac
AZORult
655455e4c04c7fd6e624b752797305264093264c08b0ab45ebfceee5f7abbc66
AZORult
7580b583ccf57526e5a5ca40651ec5a95abe64b77a7c223f037443e480fbe185
AZORult
90006ca498f8b95df09f017dc722da49302813fd5c483f9aec3a1f444fbad87f
AZORult
e53cd448b2fad21583ddd160f9b6cdfacbec7a8c9c7ae9712c4c39972daa4c18
AZORult
eb30ea1ed2ee540189bb11ebdf0cbe4a5f84ce64adcea3658af5842b6bf3d14d
AZORult
eb96ab93249a86be52aa53a58fb8667b4c54f6b6dbc899fd23ea56b12b52a001
AZORult
eece64fe2e9e21564eb410e0d750e9cc605f0b4c437c5b90d9d2ae0ed10ceed9
AZORult
f158be721fb34c71dedeb65d051c18da565e0aa8e1e2bf1f86e585e93c22a739
AZORult
+ 258 additional samples on MalwareBazaar
Result
Malware family:
azorult
Create hunting rule
Score:
  10/10
Tags:
agilenet spyware discovery trojan infostealer family:azorult
Link:
https://tria.ge/reports/200824-6w6h9mnmb6/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks installed software on the system
JavaScript code in executable
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
Azorult
Malware Config
C2 Extraction:
http://flitegetit.top/Gomovo/db/index.php
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b0e129540ee58ba0b23d465d0722e396a0500270a02b95b9bf632257c8d7f540

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Trojan_W32_Gh0stMiancha_1_0_0
Create hunting rule
Rule name:win_azorult_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AZORult

Executable exe b0e129540ee58ba0b23d465d0722e396a0500270a02b95b9bf632257c8d7f540

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/439832/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/50315/
  
URLhaus
https://urlhaus.abuse.ch/url/440521/

Comments