MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b99d5d0e6ebfd38c47b999a704cb2558797ed6b149356075036a0de57fbca261. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AZORult


Vendor detections: 8



SHA256 hash: b99d5d0e6ebfd38c47b999a704cb2558797ed6b149356075036a0de57fbca261
SHA3-384 hash: 647946d481a2515361b7e0ded2f1518be1a978cdb20fb613153f328d0615062b285b5588d3e5cc1f8a9cdfedd80a0ec6
SHA1 hash: aa5aa4142ff6de7e5560424d252c2bf234f14651
MD5 hash: 6d01213c51ed2570b263b28fa4b9f320
humanhash: wolfram-king-arkansas-maine
File name: 6d01213c51ed2570b263b28fa4b9f320.exe
Signature: AZORult
File size: 1'172'992 bytes
First seen: 2020-11-11 16:18:13 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 24576:QVlMGc4wSNu9IVPknPVIHxF3qppOl1RKlYYU0ZivJ5lDh:QVlohSNgI2nP+H73Hl1RwYb
TLSH: 6045CE883998F6AFD41BCF7A89551C60AA3120B7134BF643969715D8DA0EBC6CE103F7
Reporter: abuse_ch
Tags: AZORult exe
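Before trusting a downloaded copy of this sample, recompute the digests listed above and compare them with the entry. The script below is an added example for this purpose, not code from MalwareBazaar; it assumes you have already extracted the sample from the password-protected zip that MalwareBazaar serves (password: infected) and that the extracted file path is passed as the first argument. It only covers the four cryptographic digests: imphash, ssdeep and TLSH need the pefile, ssdeep and tlsh bindings and are left out.

```python
import hashlib
import os
import tempfile
from typing import Dict

ALGORITHMS = ("md5", "sha1", "sha256", "sha3_384")

# Digests published on this MalwareBazaar entry (copied from the page).
ENTRY_HASHES = {
    "md5": "6d01213c51ed2570b263b28fa4b9f320",
    "sha1": "aa5aa4142ff6de7e5560424d252c2bf234f14651",
    "sha256": "b99d5d0e6ebfd38c47b999a704cb2558797ed6b149356075036a0de57fbca261",
    "sha3_384": "647946d481a2515361b7e0ded2f1518be1a978cdb20fb613153f328d0615062b285b5588d3e5cc1f8a9cdfedd80a0ec6",
}


def digest_bytes(data: bytes) -> Dict[str, str]:
    """Compute the four cryptographic digests MalwareBazaar lists for a sample."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def digest_file(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Stream the file through all four hash objects at once; the sample need not fit in memory."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def compare(actual: Dict[str, str], expected: Dict[str, str]) -> Dict[str, bool]:
    """Per-algorithm agreement, case-insensitive, for every digest the entry lists."""
    return {name: actual.get(name, "").lower() == value.lower() for name, value in expected.items()}


def matches_entry(actual: Dict[str, str], expected: Dict[str, str] = ENTRY_HASHES) -> bool:
    """True only when every published digest agrees; a single mismatch means a different file."""
    return bool(expected) and all(compare(actual, expected).values())


def file_and_bytes_agree(data: bytes) -> bool:
    """Self-check: the streaming and in-memory paths must produce identical digests."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        return digest_file(path) == digest_bytes(data)
    finally:
        os.remove(path)


if __name__ == "__main__":
    import sys
    # Usage (hypothetical file name): python verify_hashes.py 6d01213c51ed2570b263b28fa4b9f320.exe
    result = digest_file(sys.argv[1])
    for name, ok in compare(result, ENTRY_HASHES).items():
        print(f"{name:9s} {'OK ' if ok else 'BAD'} {result[name]}")
    sys.exit(0 if matches_entry(result) else 1)
```

Treat the SHA256 as the canonical key: the file name on the entry is just the MD5 with .exe appended, so a name match proves nothing by itself. Note also that the entry's own imphash counts (tens of thousands of AgentTesla, Formbook and SnakeKeylogger samples sharing f34d5f2d4577ed6d9ceec516c1f5a744) show that the imphash identifies the loader or packer, not the family, so it is a pivot for clustering rather than a detection on its own.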

Intelligence


File Origin
# of uploads: 1
# of downloads: 154
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Behaviour
Creating a window
Sending a UDP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
DNS request
Sending a custom TCP request
Deleting a recently created file
Unauthorized injection to a recently created process
Sending an HTTP GET request to an infection source
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Azorult Raccoon Vidar
Detection: malicious
Classification: phis.troj.spyw.evad
Score: 100 / 100
Signature
Antivirus detection for URL or domain
Binary contains a suspicious time stamp
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign process
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Executable Used by PlugX in Uncommon Location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Yara detected AntiVM_3
Yara detected Azorult
Yara detected Azorult Info Stealer
Yara detected Raccoon Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph (ID 314859; sample S01NwVhW5A.exe; start date 12/11/2020; architecture WINDOWS; score 100)

Network contacts seen in the run:
  agentpurple.ac.ug
  agentpapple.ac.ug
  morasergiov.ac.ug 217.8.117.77, 49713, 49718, 49722 (CREXFEXPEX-RUSSIARU, Russian Federation)
  telete.in 195.201.225.248, 443, 49715 (HETZNER-ASDE, Germany)
  flowerpowergrandmother.top 104.27.160.61, 443, 49731 (CLOUDFLARENETUS, United States)
  jamesrlongacre.ug
  cdn.discordapp.com 162.159.133.233 and 162.159.135.233 (CLOUDFLARENETUS, United States)
  3 other IPs or domains

Signatures attached to the sample node: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 12 other signatures.

Process tree (numbers are graph node IDs; paths are truncated as on the graph):
  11 S01NwVhW5A.exe
       network: morasergiov.ac.ug 217.8.117.77 (CREXFEXPEX-RUSSIARU, Russian Federation)
       dropped: C:\Users\user\AppData\...\axcjgfhwvvas.exe (PE32); C:\Users\user\AppData\...\S01NwVhW5A.exe.log (ASCII)
    15 axcjgfhwvvas.exe
         dropped: C:\Users\user\AppData\...\oscjgfhwvvas.exe (PE32)
      22 axcjgfhwvvas.exe
           network: jamesrlongacre.ug
           dropped: C:\Users\user\AppData\Local\Temp\rc.exe, ds2.exe, ds1.exe (PE32); 49 other files (none is malicious)
           signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file access); 4 other signatures
        39 rc.exe
             network: cdn.discordapp.com 162.159.135.233 (CLOUDFLARENETUS, United States)
             signatures: Creates a thread in another existing process (thread injection); Injects a PE file into a foreign process
        43 cmd.exe
          58 conhost.exe
          60 timeout.exe
        45 ds2.exe
          62 ds2.exe
        56 2 other processes
      27 oscjgfhwvvas.exe
        47 oscjgfhwvvas.exe
             network: morasergiov.ac.ug
             dropped: C:\ProgramData\vcruntime140.dll, C:\ProgramData\sqlite3.dll, C:\ProgramData\softokn3.dll (PE32); 4 other files (none is malicious)
             signatures: Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets
          64 cmd.exe
            66 conhost.exe
            68 taskkill.exe
        50 oscjgfhwvvas.exe
      29 axcjgfhwvvas.exe
    18 S01NwVhW5A.exe
         network: telete.in 195.201.225.248:443 (HETZNER-ASDE, Germany); flowerpowergrandmother.top 104.27.160.61:443 (CLOUDFLARENETUS, United States)
         dropped: C:\Users\user\AppData\...\xQ3xZTwf7Q.exe, AOotKFfKFS.exe, sqNeMtgG1w.exe (PE32); 60 other files (none is malicious)
         signatures: Tries to steal Mail credentials (via file access)
      31 xQ3xZTwf7Q.exe
           network: cdn.discordapp.com 162.159.133.233 (CLOUDFLARENETUS, United States)
           dropped: C:\Users\user\AppData\Local\...\Ijdkdrv.exe (PE32)
           signatures: Creates a thread in another existing process (thread injection); Injects a PE file into a foreign process
      33 AOotKFfKFS.exe
           dropped: C:\Users\user\AppData\Roaming\...\cabvlc.exe (PE32)
           signatures: Creates an undocumented autostart registry key
      35 cmd.exe
        52 conhost.exe
        54 timeout.exe
      37 2 other processes
Result
Threat name: ByteCode-MSIL.Spyware.AveMaria
Status: Malicious
First seen: 2020-11-10 17:08:18 UTC
AV detection: 26 of 29 (89.66%)
Threat level: 2/5

Result
Malware family: modiloader
Score: 10/10
Tags: family:asyncrat family:azorult family:modiloader discovery evasion infostealer persistence rat spyware trojan
Behaviour
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Kills process with taskkill
Modifies service
Suspicious use of SetThreadContext
Checks installed software on the system
Drops desktop.ini file(s)
JavaScript code in executable
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Windows security modification
Executes dropped EXE
Async RAT payload
ModiLoader First Stage
ModiLoader Second Stage
ServiceHost packer
AsyncRat
Azorult
Contains code to disable Windows Defender
ModiLoader, DBatLoader
Modifies Windows Defender Real-time Protection settings
Malware Config
C2 Extraction:
agentttt.ac.ug:6970
agentpurple.ac.ug:6970
http://195.245.112.115/index.php
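The C2 entries above, together with the hosts from the sandbox behaviour graph, are the indicators most worth sweeping logs for. The script below is an added example, not code from MalwareBazaar or any of the sandbox vendors. The log format (space-separated key=value records) and the log lines themselves are constructed for the example; the split between "c2" indicators and "context" hosts is the editor's judgement, since cdn.discordapp.com (Discord's content CDN) and telete.in (a Telegram web mirror) are shared services that should be correlated, not blocked outright. The extra port numbers on the graph's morasergiov.ac.ug line (49713, 49718, 49722) are assumed to be the sandbox's ephemeral source ports and are not used as indicators.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# C2 entries exactly as extracted on this page.
C2_EXTRACTION = [
    "agentttt.ac.ug:6970",
    "agentpurple.ac.ug:6970",
    "http://195.245.112.115/index.php",
]

# Attacker-controlled hosts from the sandbox behaviour graph.
GRAPH_C2_HOSTS = [
    "agentpapple.ac.ug",
    "morasergiov.ac.ug",
    "217.8.117.77",  # address morasergiov.ac.ug resolved to during the sandbox run
    "jamesrlongacre.ug",
    "flowerpowergrandmother.top",
]

# Shared services contacted in the run: correlate, do not block (editor's classification).
SHARED_SERVICES = ["cdn.discordapp.com", "telete.in"]


@dataclass(frozen=True)
class Indicator:
    host: str            # domain or IP literal, lower-case, no trailing dot
    port: Optional[int]  # None means any port
    severity: str        # "c2" or "context"


def parse_c2(entry: str) -> Indicator:
    """Normalise a MalwareBazaar C2 string (host:port or a URL) into an Indicator."""
    if "://" in entry:
        u = urlsplit(entry)
        port = u.port if u.port is not None else (443 if u.scheme == "https" else 80)
        return Indicator(u.hostname.lower(), port, "c2")
    host, sep, port = entry.rpartition(":")
    if sep and port.isdigit():
        return Indicator(host.lower(), int(port), "c2")
    return Indicator(entry.lower(), None, "c2")


def build_indicators() -> List[Indicator]:
    iocs = [parse_c2(e) for e in C2_EXTRACTION]
    iocs += [Indicator(h, None, "c2") for h in GRAPH_C2_HOSTS]
    iocs += [Indicator(h, None, "context") for h in SHARED_SERVICES]
    return iocs


def host_matches(observed: str, ioc_host: str) -> bool:
    """Exact match or a subdomain of the indicator; never matches the parent zone (e.g. ac.ug)."""
    observed = observed.lower().rstrip(".")
    return observed == ioc_host or observed.endswith("." + ioc_host)


KV = re.compile(r"(\w+)=(\S+)")


def parse_record(line: str) -> Dict[str, str]:
    """Constructed log format: '<timestamp> <type> key=value ...'."""
    return dict(KV.findall(line))


def sweep(lines: List[str], iocs: List[Indicator]) -> List[Tuple[int, str, str]]:
    """Return (line number, indicator host, severity) for every record touching an indicator."""
    hits: List[Tuple[int, str, str]] = []
    for n, line in enumerate(lines, 1):
        rec = parse_record(line)
        observed = rec.get("query") or rec.get("dst")
        if not observed:
            continue
        dport = int(rec["dport"]) if rec.get("dport", "").isdigit() else None
        for ioc in iocs:
            if not host_matches(observed, ioc.host):
                continue
            severity = ioc.severity
            # A port-qualified C2 entry seen on another port is still the C2 host: keep the hit,
            # but downgrade it so the analyst can tell it apart from the expected beacon port.
            if ioc.port is not None and dport is not None and dport != ioc.port:
                severity = "context"
            hits.append((n, ioc.host, severity))
    return hits


# Constructed log lines for the example (not real telemetry).
SAMPLE_LOG = [
    "2020-11-12T10:01:02Z dns  client=10.0.0.5 query=agentpurple.ac.ug type=A",
    "2020-11-12T10:01:03Z conn src=10.0.0.5 dst=217.8.117.77 dport=80",
    "2020-11-12T10:01:04Z conn src=10.0.0.5 dst=195.245.112.115 dport=80",
    "2020-11-12T10:01:05Z conn src=10.0.0.5 dst=195.245.112.115 dport=443",
    "2020-11-12T10:01:06Z dns  client=10.0.0.7 query=cdn.discordapp.com type=A",
    "2020-11-12T10:01:07Z dns  client=10.0.0.7 query=mail.ac.ug type=A",
    "2020-11-12T10:01:08Z dns  client=10.0.0.9 query=www.jamesrlongacre.ug. type=A",
]

if __name__ == "__main__":
    for n, host, sev in sweep(SAMPLE_LOG, build_indicators()):
        print(f"line {n}: {sev:7s} {host}")
```

The suffix rule in host_matches is deliberate: agentttt.ac.ug and agentpurple.ac.ug sit under the public ac.ug zone, so matching on the registered domain would flag every unrelated host there (the constructed mail.ac.ug line is the negative case). Run the sweep against the sandbox-resolved IPs with care as well: the Cloudflare and Hetzner addresses in the graph front many tenants, which is why only 217.8.117.77 is carried as an indicator here.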
Unpacked files
SHA256 hash: b99d5d0e6ebfd38c47b999a704cb2558797ed6b149356075036a0de57fbca261
MD5 hash: 6d01213c51ed2570b263b28fa4b9f320
SHA1 hash: aa5aa4142ff6de7e5560424d252c2bf234f14651

SHA256 hash: 2f273e48da464611abbcd8d68fe3f1e3699b52dc681d39bcc9456dc276b2e437
MD5 hash: 2b1bc525d29fe617a1d2bd4802ecacc6
SHA1 hash: 53417140d2606f65087e52001f47259f60b03111

SHA256 hash: cb951f1d2b5460456aad0d89cef1216d9be5e51784d11a92447d43e96177bd5e
MD5 hash: 8cd5d2014866f4ef60802ff1826998a6
SHA1 hash: 8ff75946905d0b117080cc5a07e6e0bbea4e9bbd

SHA256 hash: a7724d7cfed475de9b54a5f9ba0d2366d7b971496dfb380cb037335c77290bab
MD5 hash: 89250a633f36e23aa542bd2fd353786c
SHA1 hash: e841c6aaededf28401f996dc1832451d719c8b20
Detections: win_raccoon_a0 win_raccoon_auto
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: AZORult
File: Executable exe b99d5d0e6ebfd38c47b999a704cb2558797ed6b149356075036a0de57fbca261 (this sample)

Comments