MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bc77cf4119389ffce479674f64d1c365141507b4324064cd31ec78d9f3f90dc0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 18


Intelligence 18 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bc77cf4119389ffce479674f64d1c365141507b4324064cd31ec78d9f3f90dc0
SHA3-384 hash: 72e185cb16500ba3c6b91ed6ebc84bf4218e6206a3eb19b6a23ef7caacd56914947930b52b20c821b51a7029e4f5cd0f
SHA1 hash: 9ef2a4900dfea65e387ca414ffa9069716ccd9a5
MD5 hash: e846af72b6fd5bff48a5125d58e9af9a
humanhash: april-oranges-jersey-robin
File name:Ziraat Bankasi Swift Mesaji.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:1'669'632 bytes
First seen:2025-02-14 06:47:09 UTC
Last seen:2025-03-07 14:10:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'649 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 24576:49UPBYRiIRKKhHvq91aJ09ewg62+36fM7iqAr:49UZYp1vqeWJFK/qAr
Threatray 104 similar samples on MalwareBazaar
TLSH T1D9757B10BF5D6205E92C39FD6A66857726362E06A904F1EAE038730D9D35217CF3B39E
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
File icon (PE):PE icon
dhash icon 094acb1609217567 (4 x SnakeKeylogger, 3 x AZORult, 1 x MassLogger)
Reporter abuse_ch
Tags:AZORult exe geo TUR ZiraatBank

Intelligence

File Origin
# of uploads :
2
# of downloads :
478
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Ziraat Bankasi Swift Mesaji.exe
Verdict:
Suspicious activity
Analysis date:
2025-02-14 06:52:54 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3893246e-ee38-4e42-8785-5f32d3011852

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.TrojanX-gen.11831.19416.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67aee72ba0fd713c335aca09
Tags:
micro virus msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a file
Searching for synchronization primitives
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated obfuscated packed packed packer_detected vbnet
Link:
https://www.filescan.io/uploads/67aee6f8de8d8ae2bd454923/reports/1ca3c242-2ade-4603-a1ff-9a97d8df039c/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/bc77cf4119389ffce479674f64d1c365141507b4324064cd31ec78d9f3f90dc0
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d4f7c1e2-fd64-43c6-9ddc-48d33073a6dc
Result
Threat name:
Azorult
Create hunting rule
Detection:
malicious
Classification:
spre.phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1614846
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to behave differently if execute on a Russian/Kazak computer
Creates files in the system32 config directory
Creates files inside the volume driver (system volume information)
Drops executable to a common third party application directory
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Infects executable files (exe, dll, sys, html)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries random domain names (often used to prevent blacklisting and sinkholes)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes data at the end of the disk (often used by bootkits to hide malicious code)
Yara detected AntiVM3
Yara detected Azorult
Yara detected Azorult Info Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1614846 Sample: Ziraat Bankasi Swift Mesaji.exe Startdate: 14/02/2025 Architecture: WINDOWS Score: 100 79 ww1.wxgzshna.biz 2->79 81 gdm5.icu 2->81 83 86 other IPs or domains 2->83 97 Suricata IDS alerts for network traffic 2->97 99 Found malware configuration 2->99 101 Malicious sample detected (through community Yara rule) 2->101 103 15 other signatures 2->103 9 alg.exe 2->9         started        14 Ziraat Bankasi Swift Mesaji.exe 7 2->14         started        16 TieringEngineService.exe 2->16         started        18 20 other processes 2->18 signatures3 process4 dnsIp5 91 dlynankz.biz 85.214.228.140, 61490, 80 STRATOSTRATOAGDE Germany 9->91 93 gjogvvpsf.biz 208.117.43.225, 61431, 61469, 61512 STEADFASTUS United States 9->93 95 11 other IPs or domains 9->95 63 C:\Program Files\...\updater.exe, PE32+ 9->63 dropped 65 C:\Program Files\...\private_browsing.exe, PE32+ 9->65 dropped 67 C:\Program Files\...\plugin-container.exe, PE32+ 9->67 dropped 77 116 other malicious files 9->77 dropped 117 Creates files in the system32 config directory 9->117 119 Tries to harvest and steal ftp login credentials 9->119 121 Drops executable to a common third party application directory 9->121 123 Infects executable files (exe, dll, sys, html) 9->123 69 C:\Users\user\AppData\Roaming\JuGiqLILT.exe, PE32 14->69 dropped 71 C:\Users\...\JuGiqLILT.exe:Zone.Identifier, ASCII 14->71 dropped 73 C:\Users\user\AppData\Local\Temp\tmpAC8.tmp, XML 14->73 dropped 75 C:\...\Ziraat Bankasi Swift Mesaji.exe.log, ASCII 14->75 dropped 125 Writes data at the end of the disk (often used by bootkits to hide malicious code) 14->125 127 Adds a directory exclusion to Windows Defender 14->127 20 RegSvcs.exe 64 14->20         started        25 powershell.exe 22 14->25         started        27 powershell.exe 23 14->27         started        29 2 other processes 14->29 129 Creates files inside the volume driver (system volume information) 16->129 131 Contains functionality to behave differently if execute on a Russian/Kazak computer 16->131 133 Found direct / indirect Syscall (likely to bypass EDR) 18->133 file6 signatures7 process8 dnsIp9 85 gdm5.icu 188.114.96.3, 49704, 49722, 80 CLOUDFLARENETUS European Union 20->85 87 fwiwk.biz 72.52.178.23, 49715, 49720, 61400 LIQUIDWEBUS United States 20->87 89 6 other IPs or domains 20->89 45 C:\Windows\System32\wbengine.exe, PE32+ 20->45 dropped 47 C:\Windows\System32\wbem\WmiApSrv.exe, PE32+ 20->47 dropped 49 C:\Windows\System32\vds.exe, PE32+ 20->49 dropped 57 85 other malicious files 20->57 dropped 105 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 20->105 107 Tries to steal Instant Messenger accounts or passwords 20->107 109 Tries to steal Mail credentials (via file / registry access) 20->109 115 6 other signatures 20->115 31 cmd.exe 20->31         started        51 C:\...\__PSScriptPolicyTest_slegayc0.mwn.ps1, ASCII 25->51 dropped 59 4 other malicious files 25->59 dropped 111 Writes data at the end of the disk (often used by bootkits to hide malicious code) 25->111 113 Loading BitLocker PowerShell Module 25->113 33 conhost.exe 25->33         started        53 C:\...\__PSScriptPolicyTest_r1cn4hze.zez.ps1, ASCII 27->53 dropped 55 C:\...\__PSScriptPolicyTest_p5ipnfkb.c45.psm1, ASCII 27->55 dropped 61 2 other malicious files 27->61 dropped 35 conhost.exe 27->35         started        37 WmiPrvSE.exe 27->37         started        39 conhost.exe 29->39         started        file10 signatures11 process12 process13 41 conhost.exe 31->41         started        43 timeout.exe 31->43         started       
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/bc77cf4119389ffce479674f64d1c365141507b4324064cd31ec78d9f3f90dc0
Detection:
azorult
Create hunting rule
Link:
https://mwdb.cert.pl/sample/bc77cf4119389ffce479674f64d1c365141507b4324064cd31ec78d9f3f90dc0/
Threat name:
Win32.Trojan.AZORult
Create hunting rule
Status:
Malicious
First seen:
2025-02-13 14:17:03 UTC
File Type:
PE (.Net Exe)
Extracted files:
38
AV detection:
21 of 37 (56.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xr346qizhcp7zzdzm5hwjuodmukbkb5ugjagjtjr5r4nt47zbxaa._file
Verdict:
malicious
Label(s):
expiro
Create hunting rule
unknown_loader_037
Create hunting rule
Similar samples:
0ea2f7230b7cb4a06bc6810e647a96d445962148694b45d282d551402d8f52db
AZORult
2a923c898e9d8d0f176591f5e662183d97e6ffd7d5aa74181babdde5cca2ae81
AZORult
3ca1c11c2d4173581e8007b955c912dd1d6abdb1bafe03924aca8cba437df745
AZORult
5f0d6bb3445ed0c410b2dd8874cf7fc7b1c4e06cc2e620790eb782f2c339c796
AZORult
6012722bb5136e7dfcc33763ccd5ec5c2024a1904f928c5c75b8160b13b6ecc9
AZORult
9195f22b8899a2e762b0c3fb1e8c16841159644608b4fca8a963c1d95adaa365
AZORult
9a759f2ef8ee16b697f30aab51fc726f9697b338e0aba56c063860146bbfc76b
AZORult
b336830d627101633db934f8d48606639c70d133a5985026bc250c035e887faf
AZORult
cb45d6a207ad4218619ad1b7e1001b55201894ef21f717588e5f3df5122c0583
AZORult
error
AZORult
+ 94 additional samples on MalwareBazaar
Result
Malware family:
azorult
Create hunting rule
Score:
  10/10
Tags:
family:azorult collection credential_access discovery execution infostealer spyware stealer trojan
Link:
https://tria.ge/reports/250214-hkab2awkfr/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Modifies data under HKEY_USERS
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads local data of messenger clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Azorult
Azorult family
Malware Config
C2 Extraction:
http://gdm5.icu/HL341/index.php
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/081d76cf-fe41-4d60-a686-6a468e5f6a7b
Unpacked files
SH256 hash:
bc77cf4119389ffce479674f64d1c365141507b4324064cd31ec78d9f3f90dc0
MD5 hash:
e846af72b6fd5bff48a5125d58e9af9a
SHA1 hash:
9ef2a4900dfea65e387ca414ffa9069716ccd9a5
Link:
https://www.unpac.me/results/4862e5da-d17d-4ca1-aba8-6ea8afc4af35/
SH256 hash:
cb7531e16da0f865ab37c69746da07d084cec94e049a75e57449dc641874dc9d
MD5 hash:
f0583dc54005ee477182fd6053ce5a82
SHA1 hash:
057b6480e276fcefdc8f25efc1b6927a9264e7be
Detections:
win_azorult_auto
Create hunting rule
win_azorult_g1
Create hunting rule
Azorult
Create hunting rule
Azorult
Create hunting rule
Link:
https://www.unpac.me/results/4862e5da-d17d-4ca1-aba8-6ea8afc4af35/
SH256 hash:
18ec2f02a931ddec650022a9c82bb14a8f180626460f70b9db517c7f2df1d61f
MD5 hash:
8fbc028c3b3984606261d39e4537bb0c
SHA1 hash:
4cb9a560da28d72bc04512c1f4d47b2c914b16de
Link:
https://www.unpac.me/results/4862e5da-d17d-4ca1-aba8-6ea8afc4af35/
SH256 hash:
bebc72ce1b0c88c3332764785c4c358d7af13e82375a82f0e02dea37456cf2d1
MD5 hash:
af644ac3aa8b062720685d5a1be75f28
SHA1 hash:
5729811c420e080aa30aa7d9b931081ae51b07cc
Detections:
win_azorult_auto
Create hunting rule
win_azorult_g1
Create hunting rule
Azorult
Create hunting rule
Azorult
Create hunting rule
Link:
https://www.unpac.me/results/4862e5da-d17d-4ca1-aba8-6ea8afc4af35/
SH256 hash:
4628cb18ccef62be95407ddc750ba354c6eeb8711f1883bfe6fb9861943d9760
MD5 hash:
3cde8af256835d6a97e7e2be17165ff6
SHA1 hash:
827b3aa22f1b179256891b1737b6ad074aeb7b19
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/4862e5da-d17d-4ca1-aba8-6ea8afc4af35/
SH256 hash:
abdd6f31a909b0b10e30ced74a1f6f037adf1f61a8a842048dbc254d6f076169
MD5 hash:
c33a7f0e25bb3f4d3c19fc8441e9d12b
SHA1 hash:
0286b277e97b9f7c217a0d029e8144f8e20b40b9
Link:
https://www.unpac.me/results/4862e5da-d17d-4ca1-aba8-6ea8afc4af35/
Malware family:
AZORult v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/bc77cf411938/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bc77cf4119389ffce479674f64d1c365141507b4324064cd31ec78d9f3f90dc0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:Windows_Generic_Threat_ebf62328
Create hunting rule
Author:Elastic Security
Rule name:win_m0yv_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.m0yv.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments