MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b5037af6dcdc7dbbc9daf11c935cf5a57b9e7ed4290ffbf2de3aefc5a05fe85d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b5037af6dcdc7dbbc9daf11c935cf5a57b9e7ed4290ffbf2de3aefc5a05fe85d
SHA3-384 hash: f842bba8e4d8c27c453e4ac7a6f03972220bec83cbf068109f31f7d6e12070c1884fca646b2ad1f963d64b9af16ae8ab
SHA1 hash: 401db5efd014a84285a18c62348b05c8fd6507b4
MD5 hash: f7cbcd030cd8b902c2c600567463566d
humanhash: yankee-idaho-hydrogen-mars
File name:NEW_ORDER_801642655.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:581'632 bytes
First seen:2020-10-08 05:30:29 UTC
Last seen:2020-10-08 07:17:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:m1MmLs8epvRRbk60VA8x8agsG9MYMASchR/+/S303O8d0CpY1hUAB9frqKbQ3DnC:Iw8shkxIsGpW6E3O8uC03eT+k6
Threatray 281 similar samples on MalwareBazaar
TLSH 42C41200B17C6763DA7E0FFDA276905693FAA4336067F7894ED43ADB0A63B004942E57
Reporter abuse_ch
Tags:AZORult exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: server.devbox12.com
Sending IP: 162.249.2.44
From: BagPoly Textiles & Furnishing <manuz-e@marudeni.com>
Reply-To: BagPoly Textiles & Furnishing <natroroyalgroup@yandex.com>
Subject: New Order Listed- Please send proforma
Attachment: NEW_ORDER2_801642655.rar (contains "NEW_ORDER_801642655.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
196
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/69073/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
DNS request
Sending an HTTP POST request
Creating a file in the %temp% subdirectories
Deleting a recently created file
Reading critical registry keys
Running batch commands
Creating a process with a hidden window
Launching a process
Stealing user critical data
Result
Threat name:
AZORult
Create hunting rule
Detection:
malicious
Classification:
phis.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/484940
Signature
Binary contains a suspicious time stamp
Detected AZORult Info Stealer
Found many strings related to Crypto-Wallets (likely being stolen)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Yara detected AntiVM_3
Yara detected Azorult
Yara detected Azorult Info Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 294912 Sample: NEW_ORDER_801642655.exe Startdate: 08/10/2020 Architecture: WINDOWS Score: 100 35 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->35 37 Malicious sample detected (through community Yara rule) 2->37 39 Multi AV Scanner detection for submitted file 2->39 41 8 other signatures 2->41 8 NEW_ORDER_801642655.exe 3 2->8         started        process3 file4 23 C:\Users\user\...23EW_ORDER_801642655.exe.log, ASCII 8->23 dropped 43 Detected AZORult Info Stealer 8->43 45 Injects a PE file into a foreign processes 8->45 12 NEW_ORDER_801642655.exe 63 8->12         started        signatures5 process6 dnsIp7 33 etrad3r.com 194.180.224.87, 49741, 49757, 80 REBECCAHOSTUS unknown 12->33 25 C:\Users\user\AppData\...\vcruntime140.dll, PE32 12->25 dropped 27 C:\Users\user\AppData\Local\...\ucrtbase.dll, PE32 12->27 dropped 29 C:\Users\user\AppData\Local\...\softokn3.dll, PE32 12->29 dropped 31 45 other files (none is malicious) 12->31 dropped 47 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 12->47 49 Tries to steal Instant Messenger accounts or passwords 12->49 51 Tries to steal Mail credentials (via file access) 12->51 53 4 other signatures 12->53 17 cmd.exe 1 12->17         started        file8 signatures9 process10 process11 19 conhost.exe 17->19         started        21 timeout.exe 1 17->21         started       
Detection:
azorult
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b5037af6dcdc7dbbc9daf11c935cf5a57b9e7ed4290ffbf2de3aefc5a05fe85d/
Threat name:
ByteCode-MSIL.Ransomware.TeslaCrypt
Create hunting rule
Status:
Malicious
First seen:
2020-10-08 05:09:30 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wubxv5w43r63xso26eojgxhvuv5z47wufeh7x4w6hlx4lic75boq._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
Similar samples:
4639769fea49849bb1a85d41d7dc9f4975e0945b3e5b0622503a71b8a97faccf
AZORult
556078f7b9c9cc0472e000c38af7b5285ebc9e9e70282c5fa9e8b9063bcd16ac
AZORult
655455e4c04c7fd6e624b752797305264093264c08b0ab45ebfceee5f7abbc66
AZORult
7580b583ccf57526e5a5ca40651ec5a95abe64b77a7c223f037443e480fbe185
AZORult
90006ca498f8b95df09f017dc722da49302813fd5c483f9aec3a1f444fbad87f
AZORult
e53cd448b2fad21583ddd160f9b6cdfacbec7a8c9c7ae9712c4c39972daa4c18
AZORult
eb30ea1ed2ee540189bb11ebdf0cbe4a5f84ce64adcea3658af5842b6bf3d14d
AZORult
eb96ab93249a86be52aa53a58fb8667b4c54f6b6dbc899fd23ea56b12b52a001
AZORult
eece64fe2e9e21564eb410e0d750e9cc605f0b4c437c5b90d9d2ae0ed10ceed9
AZORult
f158be721fb34c71dedeb65d051c18da565e0aa8e1e2bf1f86e585e93c22a739
AZORult
+ 271 additional samples on MalwareBazaar
Result
Malware family:
azorult
Create hunting rule
Score:
  10/10
Tags:
spyware discovery trojan infostealer family:azorult
Link:
https://tria.ge/reports/201008-dswbdev5qa/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks installed software on the system
JavaScript code in executable
Deletes itself
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Azorult
Malware Config
C2 Extraction:
http://etrad3r.com/3.3/index.php
Unpacked files
SH256 hash:
b5037af6dcdc7dbbc9daf11c935cf5a57b9e7ed4290ffbf2de3aefc5a05fe85d
MD5 hash:
f7cbcd030cd8b902c2c600567463566d
SHA1 hash:
401db5efd014a84285a18c62348b05c8fd6507b4
Link:
https://www.unpac.me/results/e6dbf586-2e4b-4b11-b146-b53fc5e40e66/
SH256 hash:
508f798e3d8dc3deea9b13a9dba0ac8f3c2b94e3171309b702d9a3511452dc37
MD5 hash:
1637857945ca9e4cf718f352962a645b
SHA1 hash:
00e8978c86498d1469130c4392d4fc4b424f418f
Link:
https://www.unpac.me/results/e6dbf586-2e4b-4b11-b146-b53fc5e40e66/
SH256 hash:
607f04646c9f16f7c23fa69d4b8f660fc7c44d40e4f73a0c70a2b315debdaa8b
MD5 hash:
a90baadadf904455325f7bc787185c7b
SHA1 hash:
7d833bb819d638008c98be469b05db2feaf201cd
Link:
https://www.unpac.me/results/e6dbf586-2e4b-4b11-b146-b53fc5e40e66/
SH256 hash:
c4599224eca8dc90df9fc3c46ec19b6c131f7c7d4f73c0f1dc189d172dc70bab
MD5 hash:
12e1bbc50b9decd3e0f9257900ced656
SHA1 hash:
b3c08e3b81916425ddca9e9182b69856d4643b38
Detections:
win_azorult_g1
Create hunting rule
win_azorult_auto
Create hunting rule
Link:
https://www.unpac.me/results/e6dbf586-2e4b-4b11-b146-b53fc5e40e66/
Parent samples :
b5037af6dcdc7dbbc9daf11c935cf5a57b9e7ed4290ffbf2de3aefc5a05fe85d
0057fefb89c07b006dab5e9950749f171e7fa84a82427eb752e8f2345b2c6f40
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b5037af6dcdc7dbbc9daf11c935cf5a57b9e7ed4290ffbf2de3aefc5a05fe85d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AZORult

rar 13bc3aeaadee747ae270e72ad2815611e2523ed5af4bbf58ad67984b78e921b4

AZORult

Executable exe b5037af6dcdc7dbbc9daf11c935cf5a57b9e7ed4290ffbf2de3aefc5a05fe85d

(this sample)

  
Dropped by
MD5 0572f3bbcd6f427b18c17a645d55a98c
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/69073/
  
Dropped by
SHA256 13bc3aeaadee747ae270e72ad2815611e2523ed5af4bbf58ad67984b78e921b4

Comments