MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bb42af5051697b32214e007c7258386cfef013e0b14392e1b48a623d5106104c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bb42af5051697b32214e007c7258386cfef013e0b14392e1b48a623d5106104c
SHA3-384 hash: b70d7a1855f810320f60bf5b8ad65e24a8a71729025b150ba6323cff00a00cd36f386966bb4dbf1ceb93700970ba50e4
SHA1 hash: 9658d34de7857cc57eb7c9dd9a31386f23b62133
MD5 hash: c81bfa6fceb066edf7ed02789826d026
humanhash: lemon-july-london-jig
File name:QUOTATIONS10102022.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:903'168 bytes
First seen:2022-10-15 07:22:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'753 x AgentTesla, 19'660 x Formbook, 12'250 x SnakeKeylogger)
ssdeep 12288:kTQO2iNFJ2uAV3O64+NDUqrIWeFIbCzuHg6VklrhT4FW9G7s:6D1Y1OP+NKxzuHNklrSW9Cs
Threatray 1'946 similar samples on MalwareBazaar
TLSH T1E21536BA11C54117E8293275D893D5F32AFBAD606061E1CB6AD73F2FBC911BB9013386
TrID 61.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.0% (.SCR) Windows screen saver (13101/52/3)
8.8% (.EXE) Win64 Executable (generic) (10523/12/4)
5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 851a98b4909864c4 (58 x AgentTesla, 43 x Formbook, 34 x RedLineStealer)
Reporter GovCERT_CH
Tags:AZORult exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
395
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Azorult
Create hunting rule
Link:
https://www.capesandbox.com/analysis/320564/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/634a5fd71b976e20e2c27e06/reports/85b93e56-b3de-4e4c-b91c-f7e66c713a56/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AZORult
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7c5aa697-b9d6-417b-a342-0086a0a01c93
Result
Threat name:
Azorult
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1091150
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Yara detected Azorult
Yara detected Azorult Info Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
azorult
Create hunting rule
Link:
https://mwdb.cert.pl/sample/bb42af5051697b32214e007c7258386cfef013e0b14392e1b48a623d5106104c/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-10-10 03:58:19 UTC
File Type:
PE (.Net Exe)
Extracted files:
29
AV detection:
24 of 26 (92.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xnbk6ucrnf5teikoab6hewbynt7pae7awfbzfynurjrd2uigcbga._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
Similar samples:
0e16e5938bafefb147c1c68ed3c43336e45fcdce55c915c3c1db631c7a8b7e6a
AZORult
2ce097bd6170efdac97fff7c165c836764ff12007b3407c6d28d2f49e68f1aa7
AZORult
32d010d563c618ff582ba5e5db5973a196d52f5fcb8197f6c77474ee5e000930
AZORult
a5cccf181c07d537bc3ca811ac2b4bce8fff5bf0a72bc6b35246d0ca2e420b14
AZORult
a942ff27c44b844b9b4b6c77a43fc5d454c009c8dc649cd381ca7d3a9e23792b
AZORult
b3dbe53fe29989df593f3777fe297e4840c2f004c1f069e77a8c0c79ba10698d
AZORult
d0c9d5f00d0620b708926f4a582f1d6ff405710c9533adfeaa9847c1f1f382d3
AZORult
+ 1'936 additional samples on MalwareBazaar
Result
Malware family:
azorult
Create hunting rule
Score:
  10/10
Tags:
family:azorult infostealer trojan
Link:
https://tria.ge/reports/221015-h7s3nafch6/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Azorult
Malware Config
C2 Extraction:
http://spursg.shop/spursg/index.php
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/63b253c6-0e0a-4cc8-b713-caa858744977
Unpacked files
SH256 hash:
6df798f5f70c5fbf015b1bdd5dcdde4c2011ca44ab37560a2f734b7741a1b7d2
MD5 hash:
d04b4409be5a40e61c43de4d6cacb239
SHA1 hash:
ff57d24b781bd4d5d070854b3c76b48eb0c83222
Detections:
Azorult
Create hunting rule
win_azorult_auto
Create hunting rule
win_azorult_g1
Create hunting rule
Link:
https://www.unpac.me/results/7d931d58-bf4e-4ff4-ac37-74acc22998f7/
Parent samples :
57ee57cecd208ed2a62c1ed9dd7cb7375f7cc8f8527e94e6769a110042729f92
bb42af5051697b32214e007c7258386cfef013e0b14392e1b48a623d5106104c
SH256 hash:
161903f7d5633a0cdc5d416c229e1af16ad3f5a6d11dbe8d500aa9151a273f62
MD5 hash:
b460e7cd67e88a80f0b65f65d28b1c4c
SHA1 hash:
fef017687483cf2b5b9d5f8061b6f0645fdcf779
Link:
https://www.unpac.me/results/7d931d58-bf4e-4ff4-ac37-74acc22998f7/
SH256 hash:
34956c39e90e7ca00f8a42c61d14afa82e960d8c3d00c138486e67e48123faf7
MD5 hash:
38a13ee80768c8fd6a3cb1aa27a7f1aa
SHA1 hash:
edf5b3d8304ed66ef7f0965d05a664c306ed1676
Link:
https://www.unpac.me/results/7d931d58-bf4e-4ff4-ac37-74acc22998f7/
SH256 hash:
a69bcb9dfb8ef647e1cd05dab944c27c9f9afdfa6b57ad17e30b976a537663b1
MD5 hash:
07039350591ef233b2f3f9e8a7fa214d
SHA1 hash:
caf44285713d99bcc1af0c47839220e97aa6707a
Link:
https://www.unpac.me/results/7d931d58-bf4e-4ff4-ac37-74acc22998f7/
SH256 hash:
1383999cb3682a0a0a54fad8a8e3f0fda2d4ce6422fa35286cece258aa1844a1
MD5 hash:
d891ee2f90e3392ee593067a038f3335
SHA1 hash:
347e96ac60f38938b0061ce5c21bec28c87f71f9
Link:
https://www.unpac.me/results/7d931d58-bf4e-4ff4-ac37-74acc22998f7/
SH256 hash:
bb42af5051697b32214e007c7258386cfef013e0b14392e1b48a623d5106104c
MD5 hash:
c81bfa6fceb066edf7ed02789826d026
SHA1 hash:
9658d34de7857cc57eb7c9dd9a31386f23b62133
Link:
https://www.unpac.me/results/7d931d58-bf4e-4ff4-ac37-74acc22998f7/
Malware family:
AZORult v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/bb42af505169/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bb42af5051697b32214e007c7258386cfef013e0b14392e1b48a623d5106104c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AZORult

Executable exe bb42af5051697b32214e007c7258386cfef013e0b14392e1b48a623d5106104c

(this sample)

  
Dropped by
azorult
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/320564/

Comments