MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bca4b6e9f14cb4d84674d2f4db286e0ea692f68e8b1d906d04ced807556c6174. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AZORult

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	bca4b6e9f14cb4d84674d2f4db286e0ea692f68e8b1d906d04ced807556c6174
SHA3-384 hash:	ae4d2c122911bf3518b5a92e8a5b7a2252f4e84af792815d0923c8a7bbb4de3455a26a9e56d59e998a5b69e96123ede4
SHA1 hash:	828a7fe08403f22619f56b01b5d55ff56dafa590
MD5 hash:	e2a14164c28e5bc72c86d4d13a48dcd1
humanhash:	music-may-coffee-echo
File name:	Bidvest Order RFQ BV322910098ZA.PDF.gz.exe
Download:	download sample
Signature	AZORult Create hunting rule
File size:	577'536 bytes
First seen:	2020-10-27 10:18:02 UTC
Last seen:	2020-10-27 12:15:58 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:/vTqChYdShQpfbHiiZuDRsCZSrdamUiR9Y3CnZn+Yqy9iH/CfrJ:3TNzhQciZ0RsISrdaadRfr
Threatray	362 similar samples on MalwareBazaar
TLSH	B6C4AE9A31D539DECC9FC5FE8D591CF0A713B8AE83179106701350AE59CE682EF183A6
Reporter	abuse_ch
Tags:	AZORult exe

abuse_ch

Malspam distributing AZORult:

HELO: host.noanfair.com
Sending IP: 69.64.34.145
From: invoices@bidvestgroup.co.za
Subject: Bidvest Order: RFQ BV322910098ZA
Attachment: Bidvest Order RFQ BV322910098ZA.PDF.gz.gz (contains "Bidvest Order RFQ BV322910098ZA.PDF.gz.exe")

AZORult C2:
http://45.145.185.111/owa/index.php

Intelligence

File Origin

# of uploads :

# of downloads :

148

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Azorult

Link:

https://www.capesandbox.com/analysis/79799/

Detection(s):

SecuriteInfo.com.BehavesLike.Win32.Generic.hc.24007.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

Sending an HTTP POST request

Creating a file in the %temp% subdirectories

Deleting a recently created file

Reading critical registry keys

Running batch commands

Creating a process with a hidden window

Launching a process

Stealing user critical data

Result

Threat name:

AZORult

Detection:

malicious

Classification:

phis.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/513321

Signature

Binary contains a suspicious time stamp

Detected AZORult Info Stealer

Found many strings related to Crypto-Wallets (likely being stolen)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Crypto Currency Wallets

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file access)

Yara detected AntiVM_3

Yara detected Azorult

Yara detected Azorult Info Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/bca4b6e9f14cb4d84674d2f4db286e0ea692f68e8b1d906d04ced807556c6174/

Threat name:

ByteCode-MSIL.Backdoor.Androm

Status:

Malicious

First seen:

2020-10-27 06:04:43 UTC

AV detection:

24 of 27 (88.89%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=xssln2prjs2nqrtu2l2nwkdob2tjf5uormoza3iez3maovlmmf2a._file

Verdict:

malicious

Label(s):

azorult

Result

Malware family:

azorult

Score:

10/10

Tags:

spyware discovery trojan infostealer family:azorult

Link:

https://tria.ge/reports/201027-hjgdsfaqws/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

JavaScript code in executable

Deletes itself

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Azorult

Malware Config

C2 Extraction:

http://45.145.185.111/owa/index.php

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AZORult

gz c6a6f672b8239f4b4780deb8e1a8048cc2babf9c1fcc81f9bd7bc3d4cc9492a6

AZORult

exe bca4b6e9f14cb4d84674d2f4db286e0ea692f68e8b1d906d04ced807556c6174

(this sample)

Dropped by

MD5 854b13ea385e2c86aede47bdfb5b13d0

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 c6a6f672b8239f4b4780deb8e1a8048cc2babf9c1fcc81f9bd7bc3d4cc9492a6

Cape

https://www.capesandbox.com/analysis/79799/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample