MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b539aec34ed21ef7a636aab7b0890849ef1b08bd144e2d419dcdadbdbc6bdbf6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AZORult

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	b539aec34ed21ef7a636aab7b0890849ef1b08bd144e2d419dcdadbdbc6bdbf6
SHA3-384 hash:	3618dd9a679cbeb5284b5ea60c64047919453f6d16a12a2c9bf9ce27d5d35062685b8a73c4f6de7fd05ff3f61194f9a0
SHA1 hash:	dd322dd4fd793201644398a58c25fafaa09122dc
MD5 hash:	3ebfce732b865f245e1f234c1b75be04
humanhash:	mountain-william-lemon-robert
File name:	CCMA Final Reminder Case CCMAGAJK1889182000.exe
Download:	download sample
Signature	AZORult Create hunting rule
File size:	241'664 bytes
First seen:	2021-01-11 09:14:51 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	1c111df02e2fb1f8eb1d52bfc842bac4 (8 x AZORult)
ssdeep	6144:Zo0Eke8NgiCfpO9vtoTVZznaN/X6kkwN:XZZWfpO9GPnaJ
Threatray	570 similar samples on MalwareBazaar
TLSH	1F34E740F240DA62E8870FB3D93BCDB1512BBE795678471E258E77291AF338600B5E5B
Reporter	abuse_ch
Tags:	AZORult exe

abuse_ch

Malspam distributing AZORult:

HELO: slot0.challengehardware.info
Sending IP: 45.85.90.17
From: admin@ccma.org.za
Subject: URGENT - CCMA Final Reminder: Case CCMAGAJK1889182000 (GAJK) is scheduled for 'Arbitration' for Mon 18-January-2021 10:00
Attachment: CCMA Final Reminder Case CCMAGAJK1889182000.gz (contains "CCMA Final Reminder Case CCMAGAJK1889182000.exe")

AZORult C2:
http://193.239.147.212/aztwo/index.php

Intelligence

File Origin

# of uploads :

# of downloads :

237

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

CCMA Final Reminder Case CCMAGAJK1889182000.exe

Verdict:

No threats detected

Analysis date:

2021-01-11 09:15:41 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/f3541842-51d5-42b6-b6cf-64c0421292d4

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Azorult

Link:

https://www.capesandbox.com/analysis/111260/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Result

Threat name:

AZORult

Detection:

malicious

Classification:

phis.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/577770

Signature

Antivirus / Scanner detection for submitted sample

Binary contains a suspicious time stamp

Detected AZORult Info Stealer

Detected unpacking (changes PE section rights)

Found many strings related to Crypto-Wallets (likely being stolen)

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Crypto Currency Wallets

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file access)

Yara detected Azorult

Yara detected Azorult Info Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b539aec34ed21ef7a636aab7b0890849ef1b08bd144e2d419dcdadbdbc6bdbf6/

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2021-01-11 09:15:06 UTC

AV detection:

10 of 46 (21.74%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=wu425q2o2ipppjrwvk33bciijhxrwcf5crhc2qm5zww33pdl3p3a._file

Verdict:

malicious

Label(s):

azorult

netwirerc

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/210111-58jb5q8m9s/

Behaviour

Suspicious use of SetWindowsHookEx

Unpacked files

SH256 hash:

b539aec34ed21ef7a636aab7b0890849ef1b08bd144e2d419dcdadbdbc6bdbf6

MD5 hash:

3ebfce732b865f245e1f234c1b75be04

SHA1 hash:

dd322dd4fd793201644398a58c25fafaa09122dc

Link:

https://www.unpac.me/results/bd09f621-1e3d-4282-8ed8-220e103aba94/

SH256 hash:

6798449d3b7c2a258c788bb5cc703747b54dd8e437981559a59ea785e5b5160a

MD5 hash:

9b4a869c89026a21559ce4645bc24171

SHA1 hash:

ce31e13a6322825b669dd0f1e0f01e31f812d06a

Detections:

win_azorult_g1

win_azorult_auto

Link:

https://www.unpac.me/results/bd09f621-1e3d-4282-8ed8-220e103aba94/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b539aec34ed21ef7a636aab7b0890849ef1b08bd144e2d419dcdadbdbc6bdbf6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AZORult

gz 3b10bcbc78e22b2baa4bdc6a2903dd82113b425e8ccd9a02ac562b30eefb0903

AZORult

exe b539aec34ed21ef7a636aab7b0890849ef1b08bd144e2d419dcdadbdbc6bdbf6

(this sample)

Dropped by

MD5 6c61509ae9eb1175aae7a79dcf781cc6

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/111260/

Dropped by

SHA256 3b10bcbc78e22b2baa4bdc6a2903dd82113b425e8ccd9a02ac562b30eefb0903

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample