MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b6a906d0ebcffbc5400eb7d199e8a4002dcfd28b8f115a31677178080d0ea5d6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AZORult

Vendor detections: 13

Intelligence 13 IOCs 1 YARA 2 File information Comments

SHA256 hash:	b6a906d0ebcffbc5400eb7d199e8a4002dcfd28b8f115a31677178080d0ea5d6
SHA3-384 hash:	7ed70b28712f88da387f19dd2a5ed4b697c16836a29dd4da348dbae26072df71367960f5a577e4d2d69291f30c513214
SHA1 hash:	7510d6a188ea6ba6ed2802da0816b3a46e5f4ca8
MD5 hash:	f72db7d8bfb182895e2589ddc97bd654
humanhash:	stairway-yellow-foxtrot-black
File name:	Data Sheets.exe
Download:	download sample
Signature	AZORult Create hunting rule
File size:	801'280 bytes
First seen:	2022-01-25 10:26:14 UTC
Last seen:	2022-01-25 11:30:16 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'659 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:WpWWQ35z0hMEhOmXnBiPJ7zecDZWRdlWx0TXYEENtltrlFrhhxoRUS:Wpz8zGsJzjZWL42hEXlVGyS
Threatray	1'833 similar samples on MalwareBazaar
TLSH	T1B905D0046BB4CB62C13A5BF814F130048BB9355AA53DE5E52DCB62DB4BF9F209562F0B
Reporter	abuse_ch
Tags:	AZORult exe

abuse_ch

AZORult C2:
http://2.56.59.36/index.phphp

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://2.56.59.36/index.phphp	https://threatfox.abuse.ch/ioc/325628/

Intelligence

File Origin

# of uploads :

# of downloads :

575

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Data Sheets.exe

Verdict:

Malicious activity

Analysis date:

2022-01-25 10:40:00 UTC

Tags:

trojan rat azorult

Link:

https://app.any.run/tasks/dd9c582f-fcc2-4fb0-b815-176e70a851ae

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Azorult

Link:

https://www.capesandbox.com/analysis/222347/

Detection(s):

SecuriteInfo.com.BackDoor.SpyBotNET.25.26265.54.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

DNS request

Unauthorized injection to a recently created process

Creating a file

Сreating synchronization primitives

Sending an HTTP POST request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/61efd079f81da814afa330c7/reports/912ed951-1af4-463c-ab43-3f9a2c81aaff/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

AZORult

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/2dd3ad7b-1808-4437-b9bb-1d06d3df86ac

Result

Threat name:

AZORult

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/927089

Signature

C2 URLs / IPs found in malware configuration

Detected AZORult Info Stealer

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected AntiVM3

Yara detected Azorult

Yara detected Azorult Info Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b6a906d0ebcffbc5400eb7d199e8a4002dcfd28b8f115a31677178080d0ea5d6/

Threat name:

ByteCode-MSIL.Trojan.Scarsi

Status:

Malicious

First seen:

2022-01-25 10:27:16 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

12 of 43 (27.91%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=w2uqnuhlz754kqaow7izt2feaaw47uulr4ivumlhof4aqdiouxla._file

Verdict:

malicious

Label(s):

azorult

AZORult

15423b4b842ca05303dfec7d55fbd64d467bf3ce0e3f0c732f86e2b6c9d81745

AZORult

4bad8439535e56ae799bb4222a3e6f1dab00d1404338932aa80dc8d57653b187

AZORult

69beb963daa43dd4f918d96934484b37b091ba40a9697519c9803db38a2146cd

AZORult

82c8795b1a989f4f9e658aca6633f34e6acd990f73442d856fa91ae7be1168e5

AZORult

888a3f974e9662ba8d21a3346882b1934e6f22ee38a38a84223a54f3bcbc6649

AZORult

9f7d30245e52a4e2a1d6a2d7cb5ee26179c2e8ffc23cd838a887d948fee1ba86

AZORult

f827a4622e16afa2f9c9940c7b24d4c81ec206195307a7b5a0761ec735714926

AZORult

+ 1'823 additional samples on MalwareBazaar

Result

Malware family:

azorult

Score:

10/10

Tags:

family:azorult infostealer trojan

Link:

https://tria.ge/reports/220125-mg4hxseadm/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Azorult

Malware Config

C2 Extraction:

http://2.56.59.36/index.phphp

Unpacked files

SH256 hash:

8325a5cf7942bb46ac528c836b79180c05d71a4e7de108693d303d56bcc5def1

MD5 hash:

efdf2c54a74297c24bc73285376c432b

SHA1 hash:

564f25afb6c5599cdcd5fafaff32c1475e581af4

Link:

https://www.unpac.me/results/40ced891-6223-4051-a114-f6c32a6acbbe/

SH256 hash:

aa4b18dee1dc538a29af87f68dbb6d2b96170a7f52fc9a7eb4c02f1c2e0f167a

MD5 hash:

12632697671b83c71a74149c537eb921

SHA1 hash:

4bc71e99335af06af491287aac598df13ea7be94

Link:

https://www.unpac.me/results/40ced891-6223-4051-a114-f6c32a6acbbe/

SH256 hash:

0862e0c9292cb46e704b655c953c990c780f872063ae3c7f49911d2015bd9107

MD5 hash:

33e412d26063a4cd93e955a6e1e72623

SHA1 hash:

20da1c3f5221ffd6f670850922758f28159b0d29

Detections:

win_azorult_g1

win_azorult_auto

Link:

https://www.unpac.me/results/40ced891-6223-4051-a114-f6c32a6acbbe/

SH256 hash:

b6a906d0ebcffbc5400eb7d199e8a4002dcfd28b8f115a31677178080d0ea5d6

MD5 hash:

f72db7d8bfb182895e2589ddc97bd654

SHA1 hash:

7510d6a188ea6ba6ed2802da0816b3a46e5f4ca8

Link:

https://www.unpac.me/results/40ced891-6223-4051-a114-f6c32a6acbbe/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.65

Link:

https://yomi.yoroi.company/submissions/b6a906d0ebcffbc5400eb7d199e8a4002dcfd28b8f115a31677178080d0ea5d6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/222347/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample