MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b6f4d4c251aae9d522dc8f82d6f640eefc0d909e0213f0feb4a9d1f062367748. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AZORult

Vendor detections: 12

Intelligence 12 IOCs 1 YARA 3 File information Comments

SHA256 hash:	b6f4d4c251aae9d522dc8f82d6f640eefc0d909e0213f0feb4a9d1f062367748
SHA3-384 hash:	1427202aa9875def7fef5c218d0f36a08ef729061b454c579f4dcaa48984765a11abca98fc67827af99f58f3f53160d4
SHA1 hash:	7b2e5c760d8c29bcd85a0ce35ace5b2f33769d6a
MD5 hash:	9603c7e0ab84c9086e774ef62a437e06
humanhash:	moon-louisiana-timing-grey
File name:	9603c7e0ab84c9086e774ef62a437e06.exe
Download:	download sample
Signature	AZORult Create hunting rule
File size:	393'728 bytes
First seen:	2021-07-30 18:05:48 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep	6144:zEgPMjJM7SuTqdrbP99xYywGVYn2vACXqKATOv1M9Ye+iBvMz9FTE8Qg:p0NMdT+PxlwGHpATku5+i+o
Threatray	1'931 similar samples on MalwareBazaar
TLSH	T1AF847B3904944A63F676E2B7C264E610FEE08AD3F200DE1AD797A9C71D0360365DEE5E
Reporter	abuse_ch
Tags:	AZORult exe

abuse_ch

AZORult C2:
http://37.0.8.169/index.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://37.0.8.169/index.php	https://threatfox.abuse.ch/ioc/164912/

Intelligence

File Origin

# of uploads :

# of downloads :

969

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

9603c7e0ab84c9086e774ef62a437e06.exe

Verdict:

Malicious activity

Analysis date:

2021-07-30 18:07:08 UTC

Tags:

trojan rat azorult stealer

Link:

https://app.any.run/tasks/2d234547-e158-4bee-8722-1c7a4ecf9cb8

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Azorult

Link:

https://www.capesandbox.com/analysis/175332/

Detection(s):

SecuriteInfo.com.Trojan.Inject4.14680.UNOFFICIAL

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/84312d13-2669-47d2-b31b-8530d21f4cf2

Result

Threat name:

Azorult

Detection:

malicious

Classification:

phis.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/824630

Signature

.NET source code contains potential unpacker

.NET source code contains very large strings

C2 URLs / IPs found in malware configuration

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Crypto Currency Wallets

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file access)

Yara detected AntiVM3

Yara detected Azorult

Yara detected Azorult Info Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

azorult

Link:

https://mwdb.cert.pl/sample/b6f4d4c251aae9d522dc8f82d6f640eefc0d909e0213f0feb4a9d1f062367748/

Threat name:

ByteCode-MSIL.Trojan.Wacatac

Status:

Malicious

First seen:

2021-07-27 03:42:26 UTC

AV detection:

15 of 28 (53.57%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=w32njqsrvlu5kiw4r6bnn5sa536a3ee6aij7b7vuvhi7ayrwo5ea._file

Verdict:

malicious

Label(s):

azorult

AZORult

6cda1f1821f10cb19986a831c9bca0ea1cb432f44cc7201c732b0d7bdc056ab9

AZORult

83fb67804fa25e791c7871712005a006909d679d6846dffade6f02470c8a849d

AZORult

93afbf31e1e5cd810db5fd58660f87fb68039ac138686f3884ea9cd05cb48c9e

AZORult

aae9e232abe6255663d52d2db42079a395e3e50f712b8a39f269116ed419f8c6

AZORult

c5839285f4a558b1dd13bf1aabb2fab38ca97d3aa07979b06c8c7d1cbb19e788

AZORult

cff2f4cae0440ebd4c4e57589210b0198dc604006e0fb70c127add914c5be655

AZORult

dfc46489f05e64f62434a7af40d10b919c46fd133eb0f42e33ece6c327770470

AZORult

e24d9c156411ed4698c9683009c79136171d9946ac7e55e053f5d75343c1c40f

AZORult

+ 1'921 additional samples on MalwareBazaar

Result

Malware family:

azorult

Score:

10/10

Tags:

family:azorult discovery infostealer spyware stealer suricata trojan

Link:

https://tria.ge/reports/210730-pyqlql73c6/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Loads dropped DLL

Reads data files stored by FTP clients

Reads local data of messenger clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Azorult

suricata: ET MALWARE AZORult v3.3 Server Response M2

suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M16

suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M3

Malware Config

C2 Extraction:

http://37.0.8.169/index.php

Unpacked files

SH256 hash:

c362729899c5956cfa9fc3bcf9b21ac72066a1b84a497ceb1281f76e2f55c54b

MD5 hash:

0327d1374a5ce015ad9c83c5de76e823

SHA1 hash:

e521349d9e96a4191248747c42c78b6f88fc8f63

Link:

https://www.unpac.me/results/d3ccb1ca-0e79-437f-8538-c6bb3ef4d213/

SH256 hash:

06a48a51b1782375fda8f64c79c757321336e673daa9e0bab27bb42bb31020d9

MD5 hash:

7d4ebcf58ffde01c97bb4cc1f3a2d28f

SHA1 hash:

b94a208b33a35110862f753fc19c2b1cafa703c0

Link:

https://www.unpac.me/results/d3ccb1ca-0e79-437f-8538-c6bb3ef4d213/

SH256 hash:

4969ddd390dec370a8be0f4cd2dde0596a5896ef607abd71610c49f9b6f92890

MD5 hash:

db978ea974ce1f574b4f6eb56d62009d

SHA1 hash:

3871375b25de73d3328e28c018d69508e25a7912

Detections:

win_azorult_g1

win_azorult_auto

Link:

https://www.unpac.me/results/d3ccb1ca-0e79-437f-8538-c6bb3ef4d213/

SH256 hash:

b6f4d4c251aae9d522dc8f82d6f640eefc0d909e0213f0feb4a9d1f062367748

MD5 hash:

9603c7e0ab84c9086e774ef62a437e06

SHA1 hash:

7b2e5c760d8c29bcd85a0ce35ace5b2f33769d6a

Link:

https://www.unpac.me/results/d3ccb1ca-0e79-437f-8538-c6bb3ef4d213/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b6f4d4c251aae9d522dc8f82d6f640eefc0d909e0213f0feb4a9d1f062367748

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/175332/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample