MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b4cdcd853c6ff95dfa20e1667b4b7901dc74e13a7fa0ee1300da949e527ce288. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b4cdcd853c6ff95dfa20e1667b4b7901dc74e13a7fa0ee1300da949e527ce288
SHA3-384 hash: 780cfad14cc98a69b3aef359d8da9634eb3a3541618ec35c5e4310411237a76a8e14fe629937c6ab25f58cbcdf5e104b
SHA1 hash: 20024678e5e5f08873fa051be05bddfd16d576c8
MD5 hash: cab82b71499add29affd3b1d08737549
humanhash: single-beryllium-fruit-mountain
File name:LPO355 - Order2313518.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:420'615 bytes
First seen:2023-09-04 16:10:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6e7f9a29f2c85394521a08b9f31f6275 (293 x GuLoader, 51 x VIPKeylogger, 48 x RemcosRAT)
ssdeep 6144:uT4DtHOOUPy5MI1RhksWkoTK4zZzMl4r1cpzsBYg/L0n9S5QKsCSgMQjVT+suXIp:uTeeZ2wzW4r1cGj/eWQRh7Q5Txu4Wu
Threatray 981 similar samples on MalwareBazaar
TLSH T15E94E050AB50D87FE7AE1A3449F9E77952B8ECE02822970377813E9F7D25F8DE840251
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 61d4d4d4f8ec71b2 (4 x AZORult, 1 x GuLoader)
Reporter abuse_ch
Tags:AZORult exe


Avatar
abuse_ch
AZORult C2:
http://mixz.shop/MI341/index.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
307
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
LPO355 - Order2313518.exe
Verdict:
Suspicious activity
Analysis date:
2023-09-04 16:11:36 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8d191f06-4d0d-406e-a6d3-e0021a5714cf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/446125/
Detection(s):
SecuriteInfo.com.Trojan.Garf.Gen.16.4166.31945.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file
Delayed reading of the file
Creating a file in the %temp% subdirectories
Sending a custom TCP request
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control lolbin masquerade overlay packed shell32
Link:
https://www.filescan.io/uploads/64f601975c5d7698b7f630d7/reports/af4a4414-d5ca-4493-a4b7-abc003f4fe52/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/b4cdcd853c6ff95dfa20e1667b4b7901dc74e13a7fa0ee1300da949e527ce288
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/b008384e-1b37-4bca-be6b-513dc9b24b3c
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
evad.phis.troj.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1303057
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Initial sample is a PE file and has a suspicious name
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Self deletion via cmd or bat file
Snort IDS alert for network traffic
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1303057 Sample: LPO355_-_Order2313518.exe Startdate: 04/09/2023 Architecture: WINDOWS Score: 100 34 mixz.shop 2->34 36 futotarsakse.hu 2->36 42 Snort IDS alert for network traffic 2->42 44 Antivirus detection for URL or domain 2->44 46 Antivirus / Scanner detection for submitted sample 2->46 48 3 other signatures 2->48 9 LPO355_-_Order2313518.exe 5 31 2->9         started        signatures3 process4 file5 24 C:\Users\user\AppData\Local\...\System.dll, PE32 9->24 dropped 50 Self deletion via cmd or bat file 9->50 52 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 9->52 54 Tries to detect Any.run 9->54 56 Maps a DLL or memory area into another process 9->56 13 LPO355_-_Order2313518.exe 64 9->13         started        signatures6 process7 dnsIp8 38 futotarsakse.hu 185.80.49.249, 49945, 80 RACKFOREST-ASHU Hungary 13->38 40 mixz.shop 172.67.199.143, 49946, 49947, 80 CLOUDFLARENETUS United States 13->40 26 C:\Users\user\AppData\...\vcruntime140.dll, PE32 13->26 dropped 28 C:\Users\user\AppData\Local\...\ucrtbase.dll, PE32 13->28 dropped 30 C:\Users\user\AppData\Local\...\softokn3.dll, PE32 13->30 dropped 32 45 other files (none is malicious) 13->32 dropped 58 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 13->58 60 Tries to steal Instant Messenger accounts or passwords 13->60 62 Tries to steal Mail credentials (via file / registry access) 13->62 64 6 other signatures 13->64 18 cmd.exe 1 13->18         started        file9 signatures10 process11 process12 20 conhost.exe 18->20         started        22 timeout.exe 1 18->22         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b4cdcd853c6ff95dfa20e1667b4b7901dc74e13a7fa0ee1300da949e527ce288/
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Malicious
First seen:
2023-09-04 16:11:05 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wtg43bj4n74v36ra4fthws3zahohjyj2p6qo4eya3kkj4ut44kea._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
cloudeye
Create hunting rule
Similar samples:
052268101b875a7f7d0cdac6f63127b5a4cb39d98b3aab856874b0ffed500ab1
AZORult
31c5ddd1fbe36e68985803eda63bfeaaccce58774389be0c0fc339d214ea1353
AZORult
3a6341209457442497117e5f32a2c7401328c5fbfe07a18d16411c724663de67
AZORult
62173847065d1aa1b93254e623844a1f223a4df4a06499f21b64fe82389fb327
AZORult
a800f3aefe262ccf51d647a154e8db7195ff6e4a360ec3f84586f763abff19fd
AZORult
cb34bcf1043d10a15d4a823fe188296e161b88b630f090c8dc644de84b6105ae
AZORult
f5d0792248cb4a496cb1d59f94aa291e734b250760018e533290c9aa573276c0
AZORult
+ 971 additional samples on MalwareBazaar
Result
Malware family:
azorult
Create hunting rule
Score:
  10/10
Tags:
family:azorult collection discovery infostealer spyware stealer trojan
Link:
https://tria.ge/reports/230904-tmxqwshf44/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks QEMU agent file
Checks computer location settings
Loads dropped DLL
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Azorult
Unpacked files
SH256 hash:
acf90ab6f4edc687e94aaf604d05e16e6cfb5e35873783b50c66f307a35c6506
MD5 hash:
6e55a6e7c3fdbd244042eb15cb1ec739
SHA1 hash:
070ea80e2192abc42f358d47b276990b5fa285a9
Link:
https://www.unpac.me/results/3191d4db-bc9e-4d84-bb11-06f814b1b0b2/
SH256 hash:
b4cdcd853c6ff95dfa20e1667b4b7901dc74e13a7fa0ee1300da949e527ce288
MD5 hash:
cab82b71499add29affd3b1d08737549
SHA1 hash:
20024678e5e5f08873fa051be05bddfd16d576c8
Link:
https://www.unpac.me/results/3191d4db-bc9e-4d84-bb11-06f814b1b0b2/
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b4cdcd853c6f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b4cdcd853c6ff95dfa20e1667b4b7901dc74e13a7fa0ee1300da949e527ce288

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:QbotStuff
Create hunting rule
Author:anonymous

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/446125/

Comments