MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bc2075cbfaa127a6a3f684bb42bae6f11861258630e37422ebd832d2f2b40413. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 16


Intelligence 16 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bc2075cbfaa127a6a3f684bb42bae6f11861258630e37422ebd832d2f2b40413
SHA3-384 hash: 70b765587954ec7a5570a42211fb516dc990b0e9e7bd56ea3e35cca626d47ef844b25eabb2026ee1d601291ad1652f7f
SHA1 hash: 6516b7e30fc92ced182230288726e517251db430
MD5 hash: c04ab7d36b2e6e8175fe2e0fa8dccf14
humanhash: wisconsin-maryland-hotel-mango
File name:Adobe Download Manager.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:2'110'512 bytes
First seen:2023-12-23 01:34:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep 24576:su6J33O0c+JY5UZ+XC0kGso6FaI1IXgM6YmenKKSUlmDaGJTA4Pqa6jUvOkQwKYP:2u0c++OCvkGs9Fap5aLKLkDl+dUvO9YB
TLSH T130A5BE41A3DC82A1CE6A4372BA36DB219B777C692634F70E1ED83D7A3E723521518353
TrID 52.1% (.OCX) Windows ActiveX control (116521/4/18)
25.7% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
7.4% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
4.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon d4c4c4d8ccd4f0cc (241 x AgentTesla, 65 x Loki, 41 x Formbook)
Reporter adm1n_usa32
Tags:AZORult exe QuasarRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
330
Origin country :
RO RO
Vendor Threat Intelligence
Detection:
QuasarRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/469094/
Detection(s):
Win.Dropper.Miner-7086570-0
Create hunting rule

Win.Packed.Autoit-7640561-0
Create hunting rule

Win.Malware.Carberp-9796259-0
Create hunting rule

Win.Packed.Generic-9830106-0
Create hunting rule

Win.Packed.QuasarRAT-10012744-0
Create hunting rule

Win.Malware.Generic-6623004-0
Create hunting rule

SecuriteInfo.com.BehavesLike.Win32.Generic.vh.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
91%
Tags:
anti-debug anti-vm autoit carberp control crypto evasive eventvwr explorer fingerprint greyware hook infostealer keylogger keylogger lolbin lolbin miner overlay packed quasar quasarrat rat schtasks shell32 stealer stealer ursnif vermin xrat
Link:
https://www.filescan.io/uploads/658639476b1c246046021cb1/reports/4b664190-56e6-4305-9c53-d98400be494d/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/bc2075cbfaa127a6a3f684bb42bae6f11861258630e37422ebd832d2f2b40413
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DarkVNC
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7f70d554-588f-4f42-936b-c9669d52c2b7
Result
Threat name:
AZORult, Quasar, Ramnit
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1366443
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to modify clipboard data
Contains VNC / remote desktop functionality (version string found)
Detected AZORult Info Stealer
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Azorult
Yara detected Azorult Info Stealer
Yara detected Generic Downloader
Yara detected Quasar RAT
Yara detected Ramnit VNC Module
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1366443 Sample: Adobe_Download_Manager.exe Startdate: 23/12/2023 Architecture: WINDOWS Score: 100 65 0x21.in 2->65 67 ip-api.com 2->67 73 Snort IDS alert for network traffic 2->73 75 Multi AV Scanner detection for domain / URL 2->75 77 Found malware configuration 2->77 79 14 other signatures 2->79 10 Adobe_Download_Manager.exe 5 2->10         started        14 SystemPropertiesPerformance.exe 1 2->14         started        16 windef.exe 2->16         started        signatures3 process4 file5 59 C:\Users\...\SystemPropertiesPerformance.exe, PE32 10->59 dropped 61 C:\Users\user\AppData\Local\Temp\windef.exe, PE32 10->61 dropped 63 C:\Users\user\AppData\Local\Temp\vnc.exe, PE32 10->63 dropped 113 Detected AZORult Info Stealer 10->113 115 Binary is likely a compiled AutoIt script file 10->115 117 Found many strings related to Crypto-Wallets (likely being stolen) 10->117 125 3 other signatures 10->125 18 windef.exe 15 5 10->18         started        23 vnc.exe 10->23         started        25 Adobe_Download_Manager.exe 12 10->25         started        27 schtasks.exe 1 10->27         started        119 Antivirus detection for dropped file 14->119 121 Machine Learning detection for dropped file 14->121 123 Contains VNC / remote desktop functionality (version string found) 14->123 29 vnc.exe 14->29         started        31 SystemPropertiesPerformance.exe 14->31         started        33 schtasks.exe 14->33         started        35 windef.exe 14->35         started        signatures6 process7 dnsIp8 69 ip-api.com 208.95.112.1, 49730, 49731, 80 TUT-ASUS United States 18->69 57 C:\Users\user\AppData\Roaming\...\winsock.exe, PE32 18->57 dropped 81 Antivirus detection for dropped file 18->81 83 Multi AV Scanner detection for dropped file 18->83 85 Machine Learning detection for dropped file 18->85 99 2 other signatures 18->99 37 winsock.exe 14 4 18->37         started        40 schtasks.exe 1 18->40         started        87 Contains VNC / remote desktop functionality (version string found) 23->87 89 Writes to foreign memory regions 23->89 91 Allocates memory in foreign processes 23->91 42 svchost.exe 23->42         started        93 Binary is likely a compiled AutoIt script file 25->93 45 conhost.exe 27->45         started        95 Modifies the context of a thread in another process (thread injection) 29->95 97 Maps a DLL or memory area into another process 29->97 47 svchost.exe 29->47         started        49 conhost.exe 33->49         started        file9 signatures10 process11 dnsIp12 101 Antivirus detection for dropped file 37->101 103 Multi AV Scanner detection for dropped file 37->103 105 Machine Learning detection for dropped file 37->105 111 2 other signatures 37->111 51 schtasks.exe 37->51         started        53 conhost.exe 40->53         started        71 5.8.88.191, 443, 49732, 8080 KOMETA-ASRU Russian Federation 42->71 107 Contains VNC / remote desktop functionality (version string found) 42->107 109 Contains functionality to modify clipboard data 42->109 signatures13 process14 process15 55 conhost.exe 51->55         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/bc2075cbfaa127a6a3f684bb42bae6f11861258630e37422ebd832d2f2b40413
Detection:
quasar
Create hunting rule
Link:
https://mwdb.cert.pl/sample/bc2075cbfaa127a6a3f684bb42bae6f11861258630e37422ebd832d2f2b40413/
Threat name:
Win32.Trojan.MoksSteal
Create hunting rule
Status:
Malicious
First seen:
2023-12-20 03:33:24 UTC
File Type:
PE (Exe)
Extracted files:
49
AV detection:
22 of 23 (95.65%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xqqhls72uet2ni7wqs5ufoxg6emgcjmggdrxiixl3aznf4vuaqjq._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:azorult family:quasar botnet:ebayprofiles infostealer spyware trojan
Link:
https://tria.ge/reports/231223-bzpa6sgch9/
Behaviour
Creates scheduled task(s)
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Enumerates physical storage devices
Program crash
AutoIT Executable
Looks up external IP address via web service
Checks computer location settings
Azorult
Quasar RAT
Quasar payload
Malware Config
C2 Extraction:
5.8.88.191:443
sockartek.icu:443
http://0x21.in:8000/_az/
Unpacked files
SH256 hash:
bc2075cbfaa127a6a3f684bb42bae6f11861258630e37422ebd832d2f2b40413
MD5 hash:
c04ab7d36b2e6e8175fe2e0fa8dccf14
SHA1 hash:
6516b7e30fc92ced182230288726e517251db430
Detections:
QuasarRAT
Create hunting rule
malware_windows_xrat_quasarrat
Create hunting rule
AutoIT_Compiled
Create hunting rule
cn_utf8_windows_terminal
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Quasar_RAT_2
Create hunting rule
Quasar
Create hunting rule
MAL_QuasarRAT_May19_1
Create hunting rule
MALWARE_Win_QuasarRAT
Create hunting rule
SUSP_Imphash_Mar23_3
Create hunting rule
INDICATOR_SUSPICIOUS_GENInfoStealer
Create hunting rule
Quasar_RAT_1
Create hunting rule
win_quasarrat_j1
Create hunting rule
Link:
https://www.unpac.me/results/355ce4db-93bf-4adc-afe7-65ae75f42526/
Malware family:
QuasarRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/bc2075cbfaa1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bc2075cbfaa127a6a3f684bb42bae6f11861258630e37422ebd832d2f2b40413

File information

The table below shows additional information about this malware sample such as delivery method and external references.

anyrun
any.run
https://app.any.run/tasks/7fa52370-9467-4ea8-8895-d6a4f398669e
Cape
Cape
https://www.capesandbox.com/analysis/469094/

Comments