MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b9cecf45cfc96014113cba345c3f917d598fb372f7b86e23d36f3ff3851d504a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b9cecf45cfc96014113cba345c3f917d598fb372f7b86e23d36f3ff3851d504a
SHA3-384 hash: d5333e0fc36983e8a077c4d9986b212cfaaf0b696fa1bc53a029408a424cf923ace1b299d82e24e9e9669e33962cf6ae
SHA1 hash: c3ab0c9f74732ab3a7fba56def0d1ca66a72ac6d
MD5 hash: 5d0dc0a30a296de94c70780eb03c541e
humanhash: mobile-connecticut-beryllium-west
File name:New Order-AW23.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:620'032 bytes
First seen:2023-07-21 00:05:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'470 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:xWc/bUYIsYolna+fyoRCfWSXWuDlBMLWyuDchaY8MugICXL:kiXrYokkBKFpBMay18Mu7CX
Threatray 11 similar samples on MalwareBazaar
TLSH T1F2D4135672A95D63E474AEF160B1A1241734B608311BC3CD8C7135CA2CBAB47AE93FE7
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 8e336969f071338e (7 x AgentTesla, 3 x SnakeKeylogger, 2 x Formbook)
Reporter abuse_ch
Tags:AZORult exe


Avatar
abuse_ch
AZORult C2:
http://mchas.shop/PL341/index.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
336
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
New Order-AW23.exe
Verdict:
Suspicious activity
Analysis date:
2023-07-21 00:08:09 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/82356efe-b479-4d7b-9b6d-70cf7bdc9da3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/427243/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Stealer.37311.6967.23069.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
azorult masquerade packed
Link:
https://www.filescan.io/uploads/64b9cbeb3a9a868a3c4fd5c8/reports/b41a4903-ee7f-46af-af10-19fe187dbfd8/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/b9cecf45cfc96014113cba345c3f917d598fb372f7b86e23d36f3ff3851d504a
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AZORult
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4b4c6520-1fed-4108-9750-9d22c07eec63
Result
Threat name:
Azorult
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1277121
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Self deletion via cmd or bat file
Snort IDS alert for network traffic
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Yara detected Azorult
Yara detected Azorult Info Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
azorult
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b9cecf45cfc96014113cba345c3f917d598fb372f7b86e23d36f3ff3851d504a/
Threat name:
Win32.Spyware.Azorult
Create hunting rule
Status:
Malicious
First seen:
2023-07-20 19:24:27 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
29 of 38 (76.32%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xhhm6ropzfqbiej4xi2fyp4rpvmy7m3s664g4i6tn477hbi5kbfa._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
Similar samples:
069c1a556943461282bfbf8411afc6213a359df9ce4894a80881e45a2ba9bc84
AZORult
2313b3f23146c4475ec50d51bea33e49f6167c799e418c4c08620e7a720edb04
AZORult
27c778ddd5fc52f6b2d3950b409b9d0eae0aa20efc48c29b6aea24c3735a979d
AZORult
3c2fd1edcb67d300923a28556cd95e82ca5500098e9b2778d3498b003037ac8b
AZORult
5629a3ae6193f39e3d63b927f028e1e06cde3a1e7fd1c11a1bd22859db3be241
AZORult
a275ff9a8fba667af2ee71739cb07eabba60bffbd880f04bcbe17d9abcd6d730
AZORult
bfde4e4d95b159f2567c39229e702fc4bba9c53dbd579855ce487794a6759aa0
AZORult
d0b0c22cd8d89cc33def6e5e61f4afd8d3f2aafdeba6833aa686489a104eefce
AZORult
dba87425c7eff12d404688728673f64bc6faf6e62cc4b3801ca18a08fc3214a9
AZORult
ffbc5914f16b287d3ccd7b855e634db5d95fa14596868d7dc29aaa9dd7f4180c
AZORult
+ 1 additional samples on MalwareBazaar
Result
Malware family:
azorult
Create hunting rule
Score:
  10/10
Tags:
family:azorult collection discovery infostealer spyware stealer trojan
Link:
https://tria.ge/reports/230721-adrczabc68/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Deletes itself
Loads dropped DLL
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Azorult
Malware Config
C2 Extraction:
http://mchas.shop/PL341/index.php
Unpacked files
SH256 hash:
ff86943dbbf6221210971ca6c9497c092bed4e37c91fea32f4e659c904c47320
MD5 hash:
8df29dd470f687c5bd0c588fcd3a33aa
SHA1 hash:
e458a313ecf46d04eeb117bfac4fb5336966fe1a
Detections:
Azorult
Create hunting rule
win_azorult_auto
Create hunting rule
win_azorult_g1
Create hunting rule
Link:
https://www.unpac.me/results/32297833-588b-4639-a09a-37b3d4ea5415/
Parent samples :
b9cecf45cfc96014113cba345c3f917d598fb372f7b86e23d36f3ff3851d504a
aa94eb8b32027c3a25f1eed2d177bcc03ce0e6894411138dfdab94dfe7046a84
8b92b038889be2da5c222872fb024d7a26c991415cb048373056518c491b19ee
SH256 hash:
53f2ad060cf771aa4f197df5789cee95959480c244a0b392bb450c8ce7311d77
MD5 hash:
37e82d3e2864e27b34f5fbacaea759c3
SHA1 hash:
a87024a466e052bff09a170bb8c6f374f6c84c32
Link:
https://www.unpac.me/results/32297833-588b-4639-a09a-37b3d4ea5415/
SH256 hash:
ea3caa9a8a7d960da8a1610b69a5bcd5cf8393752aec62f0b09007cee9d3d116
MD5 hash:
fdc3b9c5a35a30b793d63a0e455c8934
SHA1 hash:
618f81502c787bdf2c474a0be05ec668b8362216
Link:
https://www.unpac.me/results/32297833-588b-4639-a09a-37b3d4ea5415/
SH256 hash:
45abe7c6e52909b391aa592f7272f0b7b29dc96b98b0b2ea98152d5688b69435
MD5 hash:
99027e2e2f0790dc919626058425f24e
SHA1 hash:
481a2093889e72f6ce2e1d1c8e521a0beed7445f
Link:
https://www.unpac.me/results/32297833-588b-4639-a09a-37b3d4ea5415/
SH256 hash:
b9cecf45cfc96014113cba345c3f917d598fb372f7b86e23d36f3ff3851d504a
MD5 hash:
5d0dc0a30a296de94c70780eb03c541e
SHA1 hash:
c3ab0c9f74732ab3a7fba56def0d1ca66a72ac6d
Link:
https://www.unpac.me/results/32297833-588b-4639-a09a-37b3d4ea5415/
Malware family:
AZORult v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b9cecf45cfc9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b9cecf45cfc96014113cba345c3f917d598fb372f7b86e23d36f3ff3851d504a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/427243/

Comments