MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b11a974fee906fcfbfadce6a615552bb396a0ab0fa891f87f78476f5e63da275. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b11a974fee906fcfbfadce6a615552bb396a0ab0fa891f87f78476f5e63da275
SHA3-384 hash: 06f681c781a7058fdfb3659a967ace02dea261bbaba2d0d5c7fec1230cdc32f38b045b0604f317ba7e099fc903a45dfa
SHA1 hash: aea155ebb9d87bbc9dcecf2d4fc3e9e84aeb8d30
MD5 hash: c452b3b6eb8f0bb0ca0be29370811c42
humanhash: pasta-johnny-alanine-yankee
File name:Quotation Request.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:2'847'744 bytes
First seen:2021-05-10 12:18:35 UTC
Last seen:2021-05-10 13:06:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 49152:Yj2HaOy9fvBviRLSCYb7SLScrhetKwctPVGWI0Dul/YAb53DjXx:Y6ap3BaRW1GScrTwcyWIKm/Ya
Threatray 132 similar samples on MalwareBazaar
TLSH 6AD512717AE4AA18E5BF4B378DB08480D3BBFE17C722C16DAAC6318E1C72B555621713
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
120
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/154007/
Detection(s):
SecuriteInfo.com.Scr.Malcodegdn30.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/779328
Signature
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
azorult
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b11a974fee906fcfbfadce6a615552bb396a0ab0fa891f87f78476f5e63da275/
Threat name:
ByteCode-MSIL.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2021-05-10 04:20:40 UTC
AV detection:
13 of 29 (44.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wenjot7osbx47p5nzzvgcvksxm4wucvq7ker7b7xqr3plzr5uj2q._file
Verdict:
suspicious
Similar samples:
1e23baead02d0a359125e72cddf8a5114f8167e3a1f11b6a79f0d1713531fabd
AZORult
280cc07780558d0d3368a4e8b5b4caa401e2049c7c256e24cd02cd989713142f
AZORult
4f3d500dc26e8a87fe7361064a50b7715731c378ec019e4643986f1e5c524cee
AZORult
c62efee952c1bb4ff8e9fd28f3e477180010f8be162e6ddf8b8bfb42c78dfe2a
AZORult
d68a5a2bf92f0f08b8eb6f39351462f81d65d54085c1c7ae3aa81b2d3018434e
AZORult
d6b229f25b3f185395e58f98c048cad58d929c7a25e6b95319d27da5f5292588
AZORult
d7105dfaf2690af5ecb82d31c891c8b6e36af889ddf4c10af513f4d0efd2d073
AZORult
d8b589a43f9499ffec0bc949540579b25a1c333d6e0531c7f40336e720e04a6b
AZORult
e582696b2f3c980a6d81be401fc5da4c24a4b0c490ff6764516a0aa3e3aae23b
AZORult
f540c5efdad496c600faa92500d473c40f22a49897f12ace8c0f7ab09cdee1b0
AZORult
+ 122 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion trojan
Link:
https://tria.ge/reports/210510-x5hempnfrx/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks whether UAC is enabled
UAC bypass
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b11a974fee906fcfbfadce6a615552bb396a0ab0fa891f87f78476f5e63da275

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AZORult

Executable exe b11a974fee906fcfbfadce6a615552bb396a0ab0fa891f87f78476f5e63da275

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/154007/

Comments