MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b8868eb87c7cb945704e2d0b8ec2ebdc890cd6df12f9ef0a7295582c7fd0cf1f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AZORult


Vendor detections: 16



SHA256 hash: b8868eb87c7cb945704e2d0b8ec2ebdc890cd6df12f9ef0a7295582c7fd0cf1f
SHA3-384 hash: bc1e3b856856d2aa4a09423ab3c28ef1eac0cf92f49ecb127d73027803db01e430cd1475e3d6d01a62f9535f464eeb27
SHA1 hash: d6dce4f41bd2999e33c7260633557679c7f23a6f
MD5 hash: 7ff3500fe7dff844c6e8b92db6218904
humanhash: white-india-mango-vermont
File name: 7ff3500fe7dff844c6e8b92db6218904.exe
Signature: AZORult
File size: 974'848 bytes
First seen: 2022-01-07 13:31:14 UTC
Last seen: 2022-01-07 16:14:40 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: a1715d4e9b83d4067f1f68c3c4012c17 (1 x RaccoonStealer, 1 x AZORult)
ssdeep: 24576:PY9jEyfJi7KZEDyOcRhXEIussCIXYEM8Ry:PYqWi2aDLcRREIus89M8Ry
TLSH: T1DF2501177B214813E0850B3189E382E56B39BC07B6436F1FEB45BA2D2DF17966CE0679
Reporter: abuse_ch
Tags: AZORult exe


abuse_ch
AZORult C2:
http://underdohag.ac.ug/index.php

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                                 ThreatFox Reference
http://underdohag.ac.ug/index.php   https://threatfox.abuse.ch/ioc/291744/
http://pretorian.ug/                https://threatfox.abuse.ch/ioc/291745/

Intelligence


File Origin
# of uploads: 2
# of downloads: 497
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 7ff3500fe7dff844c6e8b92db6218904.exe
Verdict: Malicious activity
Analysis date: 2022-01-07 13:36:49 UTC
Tags: trojan rat azorult stealer raccoon vidar loader

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 67%
Tags: anti-debug anti-vm greyware hacktool obfuscated packed sinowal virus
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Azorult Oski Stealer Raccoon Vidar
Detection: malicious
Classification: phis.troj.spyw.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Encrypted powershell cmdline option found
Found evasive API chain (may stop execution after checking locale)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Uses ipconfig to lookup or modify the Windows network settings
Yara detected Azorult
Yara detected Azorult Info Stealer
Yara detected Oski Stealer
Yara detected Raccoon Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph (ID: 549314; sample: ZKbqiKnqHn.exe; start date: 07/01/2022; architecture: WINDOWS; score: 100)

Sample-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 9 other signatures

Process tree (dropped files, network contacts and signatures per process):
ZKbqiKnqHn.exe
  dropped: C:\Users\user\AppData\Local\...\dvffame.exe (PE32); C:\Users\user\AppData\Local\...\dsavcfsd.exe (PE32)
  signature: Maps a DLL or memory area into another process
  - dvffame.exe
      signature: Maps a DLL or memory area into another process
      - dvffame.exe
          network: 192.168.2.1 (unknown)
          dropped: C:\Users\user\AppData\Local\Temp\pm.exe (PE32); C:\Users\user\AppData\Local\Temp\cc.exe (PE32); C:\Users\user\AppData\...\vcruntime140.dll (PE32); 47 other files (none is malicious)
          signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file / registry access); 3 other signatures
          - pm.exe
              signature: Encrypted powershell cmdline option found
              - powershell.exe
                  signature: Uses ipconfig to lookup or modify the Windows network settings
                  - conhost.exe
                  - ipconfig.exe
              - conhost.exe
          - cc.exe
              network: www.uplooder.net 144.76.120.25, ports 443, 49773, 49779 (HETZNER-ASDE, Germany)
          - cmd.exe
              - conhost.exe
              - timeout.exe
  - ZKbqiKnqHn.exe
      network: 185.163.204.24, ports 49748, 49770, 80 (CAUCASUS-CABLE-SYSTEMCCSAutonomousSystemGE, Germany); 5.181.156.155, ports 49747, 80 (MIVOCLOUDMD, Moldova Republic of)
      dropped: C:\Users\user\AppData\...\Sn2z1X0pgI.exe (PE32); C:\Users\user\AppData\...\KpeGw7OYiV.exe (PE32); C:\Users\user\AppData\LocalLow\sqlite3.dll (PE32); 58 other files (none is malicious)
      signature: Tries to steal Mail credentials (via file / registry access)
      - Sn2z1X0pgI.exe
          network: www.uplooder.net
      - KpeGw7OYiV.exe
  - dsavcfsd.exe
      signature: Found evasive API chain (may stop execution after checking locale)
      - dsavcfsd.exe
          network: underdohag.ac.ug 185.215.113.77, ports 49746, 49752, 49769 (WHOLESALECONNECTIONSNL, Portugal); pretorian.ug
          dropped: C:\ProgramData\vcruntime140.dll (PE32); C:\ProgramData\sqlite3.dll (PE32); C:\ProgramData\softokn3.dll (PE32); 4 other files (none is malicious)
          signature: Tries to steal Crypto Currency Wallets
          - cmd.exe
              - conhost.exe
              - taskkill.exe
Threat name: Win32.Spyware.AveMaria
Status: Malicious
First seen: 2022-01-07 13:32:20 UTC
File Type: PE (Exe)
Extracted files: 2
AV detection: 22 of 28 (78.57%)
Threat level: 2/5
Verdict: malicious
Label(s): azorult raccoon
Result
Malware family: raccoon
Score: 10/10
Tags: family:azorult family:oski family:raccoon botnet:430b44da03f446d836eb08f3a54b774257f1a348 discovery infostealer spyware stealer trojan
Behaviour
Checks processor information in registry
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Azorult
Oski
Raccoon
Suspicious use of NtCreateProcessExOtherParentProcess
Malware Config
C2 Extraction:
pretorian.ug
http://195.245.112.115/index.php
Unpacked files
SHA256 hash: 7ce90592dfd41f2e1e0fad42a8070bf9d1e395aeb1c4d1989c165fa6d37e00b2
MD5 hash: 8a124d40c3100a496071b0c345290da4
SHA1 hash: 604df9e616f28229978ad2ebe407754ea3e57446
Detections: win_raccoon_auto
SHA256 hash: 6709011f7659345fecd027945ddbb5f63f8762d2e0a27e038b200380bdc50fb5
MD5 hash: 6e0dfcd53aee99657aa8d576390da157
SHA1 hash: b456c02da2f89cd1d6de36d9137351dda730e3f8
Detections: win_oski_g0 win_oski_auto
SHA256 hash: b04a9fe8c3a3daceee9e753d4ebfba788cfca3baf3b7b4ee93a610b5700b951b
MD5 hash: 03bf9c34233d23adcb6a2b620fdc749b
SHA1 hash: c011c9888483b9a5e6da5f8fc8c9fcc3dd887a54
Detections: win_azorult_g1 win_azorult_auto
SHA256 hash: b8868eb87c7cb945704e2d0b8ec2ebdc890cd6df12f9ef0a7295582c7fd0cf1f
MD5 hash: 7ff3500fe7dff844c6e8b92db6218904
SHA1 hash: d6dce4f41bd2999e33c7260633557679c7f23a6f
Malware family: AZORult v3
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Azorult
Author: JPCERT/CC Incident Response Group
Description: detect Azorult in memory
Reference: internal research
Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address
Rule name: INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Author: ditekSHen
Description: Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name: MALWARE_Win_Raccoon
Author: ditekSHen
Description: Raccoon stealer payload
Rule name: MALWARE_Win_Vidar
Author: ditekSHen
Description: Detects Vidar / ArkeiStealer
Rule name: Vidar
Author: kevoreilly
Description: Vidar Payload
Rule name: win_azorult_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.azorult.
Rule name: win_oski_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.oski.
Rule name: win_raccoon_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.raccoon.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AZORult

Executable exe b8868eb87c7cb945704e2d0b8ec2ebdc890cd6df12f9ef0a7295582c7fd0cf1f

(this sample)

Comments