MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b590e7b69650242576a0ff2e6eba4a5b8f55465ca7532a644e6c4921e8904655. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b590e7b69650242576a0ff2e6eba4a5b8f55465ca7532a644e6c4921e8904655
SHA3-384 hash: 910476530fbacbf78eb8ff5461623276bbbe4cb1abcaa323a63abc3dd042e18f5db192332d601be38eda1f045a674550
SHA1 hash: ee69f70df1dba296a5d5852ac80de9c610c2c08a
MD5 hash: 97bfe87bbe239998eb6e420cebb51e5e
humanhash: princess-seven-lion-carolina
File name:SecuriteInfo.com.Trojan.Packed2.44341.4832.6761
Download: download sample
Signature AZORult
Create hunting rule
File size:776'192 bytes
First seen:2022-07-18 20:42:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:5a08tXNQriEMOhM5INzB0W50xauNuNQcASRzcDL+17sb2gb3IU3FnTaFlSNS:upEMOyeNl0jx/NuNdtRzjO9NTaQS
TLSH T142F4F11076A7DD02C2295BBBC1E6954013716B83A072DB4F2FD632CA5A137CB4EC5B9B
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter SecuriteInfoCom
Tags:AZORult exe

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://andersonlegalltn.com/PL341/index.php https://threatfox.abuse.ch/ioc/838611/

Intelligence

File Origin
# of uploads :
1
# of downloads :
846
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/291711/
Detection(s):
SecuriteInfo.com.Trojan.Packed2.44341.4832.6761.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% directory
Running batch commands
Creating a process with a hidden window
Launching a process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62d5c61e8fbcdde3605b31ab/reports/fa09f90c-d629-48c0-827d-99a7bf87d032/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5d00e788-5c4e-419c-9af1-83cee04ce49e
Result
Threat name:
Azorult
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1036138
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Self deletion via cmd or bat file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected Azorult
Yara detected Azorult Info Stealer
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 668629 Sample: SecuriteInfo.com.Trojan.Pac... Startdate: 18/07/2022 Architecture: WINDOWS Score: 100 35 Snort IDS alert for network traffic 2->35 37 Malicious sample detected (through community Yara rule) 2->37 39 Multi AV Scanner detection for submitted file 2->39 41 9 other signatures 2->41 8 SecuriteInfo.com.Trojan.Packed2.44341.4832.exe 3 2->8         started        process3 file4 23 SecuriteInfo.com.T....44341.4832.exe.log, ASCII 8->23 dropped 43 Self deletion via cmd or bat file 8->43 45 Injects a PE file into a foreign processes 8->45 12 SecuriteInfo.com.Trojan.Packed2.44341.4832.exe 67 8->12         started        signatures5 process6 dnsIp7 33 andersonlegalltn.com 188.114.97.3, 49768, 49792, 80 CLOUDFLARENETUS European Union 12->33 25 C:\Users\user\AppData\...\vcruntime140.dll, PE32 12->25 dropped 27 C:\Users\user\AppData\Local\...\ucrtbase.dll, PE32 12->27 dropped 29 C:\Users\user\AppData\Local\...\softokn3.dll, PE32 12->29 dropped 31 45 other files (none is malicious) 12->31 dropped 47 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 12->47 49 Tries to steal Instant Messenger accounts or passwords 12->49 51 Tries to steal Mail credentials (via file / registry access) 12->51 53 5 other signatures 12->53 17 cmd.exe 1 12->17         started        file8 signatures9 process10 process11 19 conhost.exe 17->19         started        21 timeout.exe 1 17->21         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b590e7b69650242576a0ff2e6eba4a5b8f55465ca7532a644e6c4921e8904655/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-07-18 20:43:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
53
AV detection:
20 of 25 (80.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wwiopnuwkasck5va74xg5osklohvkrs4u5jsuzconresd2eqizkq._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
Result
Malware family:
azorult
Create hunting rule
Score:
  10/10
Tags:
family:azorult collection discovery infostealer spyware stealer suricata trojan
Link:
https://tria.ge/reports/220718-zhj7wsgdc7/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Deletes itself
Loads dropped DLL
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Azorult
suricata: ET MALWARE AZORult v3.3 Server Response M2
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M13
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M5
Malware Config
C2 Extraction:
http://andersonlegalltn.com/PL341/index.php
Unpacked files
SH256 hash:
dfe65543c03114d8146169ab5d6a34cf06db5c207ad457b3339314ccce9e1e9d
MD5 hash:
004724c3ecfc404aad0ea6433134b7bc
SHA1 hash:
e30b2ab63dbaad510f91b2924a350aa84d17b6bb
Link:
https://www.unpac.me/results/ee8ea734-b1e4-47d4-a55c-52f9c6d783b4/
SH256 hash:
39c2d879c57f07305ce60412dc8a88f02e51f1a14a06cc605768d1d7f5313807
MD5 hash:
db51fe170a9e5d6ec5429a2fbd9d0353
SHA1 hash:
e30a58125fc41322db6cf2ccb6a6d414ed379016
Link:
https://www.unpac.me/results/ee8ea734-b1e4-47d4-a55c-52f9c6d783b4/
SH256 hash:
ee12faee4887fc42f1d2d157cbc272c3b4c1e682542dff544cac3ff2d8504b85
MD5 hash:
2103aae4b840dc09397c812685980173
SHA1 hash:
cbc5be6c928882c021994f8b5a7ecd11fd6669cd
Detections:
win_azorult_g1
Create hunting rule
win_azorult_auto
Create hunting rule
Link:
https://www.unpac.me/results/ee8ea734-b1e4-47d4-a55c-52f9c6d783b4/
Parent samples :
b590e7b69650242576a0ff2e6eba4a5b8f55465ca7532a644e6c4921e8904655
2d821293816a87e0975c6b980b5a8a9d4eaac5bc9b8055a63275bf9fb1c3ce8f
df248560fdb8fde6933fa804c6f07870f86fffc7d6938409dc1cf1e5adc7486a
SH256 hash:
b32a27bb4c25a39e313fafdfa9155d913f855ea441cdf694f4dc7a7f491619c4
MD5 hash:
fb306bc813e718d6136a522261a6c380
SHA1 hash:
ab9b277e8040aea6e054e048ce93b1d91f048b53
Link:
https://www.unpac.me/results/ee8ea734-b1e4-47d4-a55c-52f9c6d783b4/
SH256 hash:
e71a92242687ee70b13e65dbacb6d2398892bc8ed7a408c3b88f4078d9d1ffdb
MD5 hash:
25d6a04573d30f85b03f36ffbcbd89a6
SHA1 hash:
710871df71e7f7c451d26166865db1e141c6f7da
Link:
https://www.unpac.me/results/ee8ea734-b1e4-47d4-a55c-52f9c6d783b4/
SH256 hash:
b590e7b69650242576a0ff2e6eba4a5b8f55465ca7532a644e6c4921e8904655
MD5 hash:
97bfe87bbe239998eb6e420cebb51e5e
SHA1 hash:
ee69f70df1dba296a5d5852ac80de9c610c2c08a
Link:
https://www.unpac.me/results/ee8ea734-b1e4-47d4-a55c-52f9c6d783b4/
Malware family:
AZORult v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b590e7b69650/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b590e7b69650242576a0ff2e6eba4a5b8f55465ca7532a644e6c4921e8904655

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/291711/

Comments