MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b4eb20d605f8598e0b330d458403886fa2c80dcd22b6ce1177d1cb74a521bf55. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b4eb20d605f8598e0b330d458403886fa2c80dcd22b6ce1177d1cb74a521bf55
SHA3-384 hash: 0ad0c7ebb61a92819adf7b056c7ed74d30142fcb6b50beef34b08203bb209dbc66b84091c0fed9104b6430bb817b3b8b
SHA1 hash: 2eac5c7d7a4b9704aa732ac14c716e030d8e1b77
MD5 hash: 4c6d3ce81464988264cf356090b04c5e
humanhash: march-bacon-triple-lemon
File name:4c6d3ce81464988264cf356090b04c5e.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:820'224 bytes
First seen:2022-03-03 08:42:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'660 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:zQR/IKTyxDH2oTYVYJ3c9jLW9inLLCUi84xvbeepyXt3gMy:zS2H2jYC9jLW9inL27HxvbU9QMy
Threatray 1'792 similar samples on MalwareBazaar
TLSH T1F205CF0438E68034F97A8BB0CAC4E7F0DB6EF225E588A0F654105E157656BBECD45EBC
Reporter abuse_ch
Tags:AZORult exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
688
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Azorult
Create hunting rule
Link:
https://www.capesandbox.com/analysis/246783/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AZORult
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e2c1522e-a3ba-40e1-a5d4-d14f9303bd48
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
78 / 100
Link:
https://www.joesandbox.com/analysis/949774
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Defender Exclusion
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b4eb20d605f8598e0b330d458403886fa2c80dcd22b6ce1177d1cb74a521bf55/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-03-03 08:43:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
22 of 27 (81.48%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
3ea0d5204b7f00592980a76c06e5210758c6ac6cb1bc8e90c03739d0ec8ddf76
AZORult
867e4de82fdd0954cdbc7b15ccd77a476aaddbcc9c8dfdfc67bf8030de8b9c7d
AZORult
974d2391a4d887922f71fcdceed19918b217f6496d3f76157de533fc281baca1
AZORult
9cecbacae003bd0c84b9fc7fa83ea9a398ee337a5090f06b076cbb4aeb687ff8
AZORult
b7954b71caab224fd99f6283922051868f2fa42d9a15206afc11119b98ccb1ed
AZORult
b970a6c6ceb71957fa81dd6bb7c8dd6d9af99706a1db183ffe13039a6df2f637
AZORult
c3e4c2e1e242cf92142f4d4fb1896354cfa07089f40243b31046ff3eae8ac2c8
AZORult
c563c22a6ef57303146195f39aba8eff9dff5e46ddc85e05fb6dab4d14543bfa
AZORult
f009fefd38c1d334b374ba816a9218c3bb213c4556e3c45567dbbf7cf0cda55d
AZORult
f72d78438de45cac03cd9145af801de62abc023cf0a7766b3eb0802c2de26b99
AZORult
+ 1'782 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/220303-kmk8esaaf5/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Unpacked files
SH256 hash:
aa94e5d2edb81419a9845c63a806b0f6f4fb33e04b9313f2606f1cea80f87b56
MD5 hash:
59e1e2f1031a67aeec147f67fa18f140
SHA1 hash:
bc1a46c708e988013d5091bd7ea0da6c4347b514
Link:
https://www.unpac.me/results/9bd83190-773b-45d1-8b39-79ba197c19bc/
SH256 hash:
e3bdaf9e98eb65a070cf4424bc123e57ade151c41e4a0d375e769749155c1715
MD5 hash:
78a25e75b94923e889ecd100349facbe
SHA1 hash:
6b3f8db525d3c98f92ed480e664ab8ee9458340b
Link:
https://www.unpac.me/results/9bd83190-773b-45d1-8b39-79ba197c19bc/
SH256 hash:
66415681d5ff42a8466b8d6a7d8727f5f34b48ba370229151ffc0f40eb55b94b
MD5 hash:
0e3570323ae76ff1ce30ee172991a7f0
SHA1 hash:
299c82dddbeb1e33671661b37ad5e9fef8fe9057
Link:
https://www.unpac.me/results/9bd83190-773b-45d1-8b39-79ba197c19bc/
SH256 hash:
3218b9c485205380a0dad356fd4ba92c115fb8337e45cdb81e347900da8844a2
MD5 hash:
346923721d3ba4b0c89807b2dfcd24f7
SHA1 hash:
0cd44ecbac4e723a018b9ab881303c3f315feb8f
Detections:
win_azorult_g1
Create hunting rule
win_azorult_auto
Create hunting rule
Link:
https://www.unpac.me/results/9bd83190-773b-45d1-8b39-79ba197c19bc/
Parent samples :
3ea0d5204b7f00592980a76c06e5210758c6ac6cb1bc8e90c03739d0ec8ddf76
b4eb20d605f8598e0b330d458403886fa2c80dcd22b6ce1177d1cb74a521bf55
SH256 hash:
b4eb20d605f8598e0b330d458403886fa2c80dcd22b6ce1177d1cb74a521bf55
MD5 hash:
4c6d3ce81464988264cf356090b04c5e
SHA1 hash:
2eac5c7d7a4b9704aa732ac14c716e030d8e1b77
Link:
https://www.unpac.me/results/9bd83190-773b-45d1-8b39-79ba197c19bc/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b4eb20d605f8598e0b330d458403886fa2c80dcd22b6ce1177d1cb74a521bf55

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AZORult

Executable exe b4eb20d605f8598e0b330d458403886fa2c80dcd22b6ce1177d1cb74a521bf55

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2055564/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/246783/

Comments