MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bcf3266e8996bcdb7acb686034f264b07c228ce37f1212b663b636cc0317ee1a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AZORult


Vendor detections: 13



SHA256 hash: bcf3266e8996bcdb7acb686034f264b07c228ce37f1212b663b636cc0317ee1a
SHA3-384 hash: b7681914446e00672f23da8b4f59db9d239502e86708ac38f8287407b7311387c3102a40c49375cfeb2c2be80908db01
SHA1 hash: a4f98d7dad9f679195a0912c534b3e0eda0f7cb8
MD5 hash: e09a29a45cffaab88b52a1cb1b615777
humanhash: magazine-papa-wisconsin-south
File name: file
Signature: AZORult
File size: 3'496'960 bytes
First seen: 2023-07-21 14:57:01 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'737 x AgentTesla, 19'596 x Formbook, 12'241 x SnakeKeylogger)
The imphash is not a useful pivot here: a .NET executable's native import table holds only mscoree.dll!_CorExeMain, so this value is shared by practically every .NET binary, which is why it collides with tens of thousands of AgentTesla, Formbook and SnakeKeylogger samples. Use the ssdeep or TLSH values, or the unpacked-file hashes under Intelligence, for similarity searches.
ssdeep: 49152:irjqkI9wbOEyCbdaveg5Q7FHo+sbC40fDWJmmZ2kVj8j3m9x1A3jF641Ix+oAv:d+OKJo+shoWJZZ2kV4Yxq3jED4Vv
TLSH: T180F5E003B666C6F2E28967B6DDAB9C04C360DA83772FD70B788E23A555033B79C46507
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter: jstrosch
Tags: .NET AZORult exe MSIL

Intelligence

The AZORult signature on this entry is the reporter-assigned tag. The vendor results below classify the sample and the payloads it drops as Rhadamanthys, and the YARA matches on the unpacked files are Brute Ratel (Badger) syscall-hash rules, which corroborate neither label. Treat the family name as unconfirmed and pivot on the network indicators, dropped-file names and unpacked-file hashes instead.

File Origin
# of uploads: 1
# of downloads: 353
Origin country: US

Vendor Threat Intelligence

Malware family: azorult
ID: 1
File name: file
Verdict: Malicious activity
Analysis date: 2023-07-21 15:02:54 UTC
Tags: rhadamanthys stealer rat azorult trojan zgrat backdoor

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Result

Verdict: MALICIOUS

Details
Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name: RHADAMANTHYS
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Creates processes via WMI
Deletes itself after installation
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph (ID 1277476; sample file.exe; start date 21/07/2023; architecture WINDOWS; score 100)

Run-level signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Found malware configuration; 7 other signatures.

Network indicators:
- falling.ug (DNS lookup from the run)
- 91.103.252.25 (HOSTGLOBALPLUS-ASRU, Russian Federation), contacted by the child file.exe process. The ports listed with it (49712, 49713, 49714) sit in the Windows ephemeral range and are the sandbox client's source ports, not the C2 listening port; do not block on them.

Process tree and dropped files (indentation shows parent/child; "..." is elided on the page):
file.exe (initial process)
  dropped: C:\Users\user\AppData\Local\...\bltktsw.exe (PE32)
  dropped: C:\Users\user\AppData\Local\...\file.exe.log (ASCII)
  file.exe (child process)
    network: 91.103.252.25
    certreq.exe
      dropped: C:\Users\user\AppData\Local\...\Z`1.exe (PE32+)
      dropped: C:\Users\user\AppData\Local\...\9M8P5aFi.exe (PE32)
      signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); 3 other signatures
      conhost.exe
  bltktsw.exe
    signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Injects a PE file into a foreign processes
    bltktsw.exe (child process)
      dropped: C:\Users\user\AppData\...\ChannelData.exe (PE32)
    bltktsw.exe (child process)
WmiPrvSE.exe
  Z`1.exe (Antivirus detection for dropped file)
  9M8P5aFi.exe
ChannelData.exe (Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file)

Two points stand out for detection. The credential-theft signatures and both PE drops are attributed to certreq.exe, a signed Windows binary that has no business writing executables or reading browser, mail, PuTTY or WinSCP credential stores, so this stage is hosting injected code. The second-stage executables Z`1.exe and 9M8P5aFi.exe are launched by WmiPrvSE.exe rather than by the dropper, which is the "Creates processes via WMI" signature above and breaks naive parent-child process-tree correlation.
Threat name: Win32.Spyware.Rhadamanthys
Status: Suspicious
First seen: 2023-07-19 16:21:48 UTC
File Type: PE (.Net Exe)
Extracted files: 3
AV detection: 20 of 38 (52.63%)
Threat level: 2/5
Verdict: malicious
Label(s): azorult

Result
Malware family: rhadamanthys
Score: 10/10
Tags: family:azorult family:rhadamanthys collection discovery infostealer spyware stealer trojan
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks installed software on the system
Checks computer location settings
Deletes itself
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Azorult
Detect rhadamanthys stealer shellcode
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files

SHA256: f89f2b9d9efd8ba1288212b65568d3e3e9538c28ae7a4aaea5e741e5b6ec8d84
MD5: b7c640fae61a7db6ca23e0175cd9587d
SHA1: df34da3e5d2389e806c101fe26680fb386f1d0af

SHA256: aaa687762521e78d91306bd0c39820d3756f6d030e8e0c379d387ccb762fe9bb
MD5: 3a5234cce8112faad3420b80a5e97531
SHA1: b094ef8756195d7dc6c2e1ab62923f35f3718079

SHA256: 9c79a8707e594bfbc14a032c40e6494e6e7950233a730f46b638241d19d8dac5
MD5: 39406539aec1a06cc1e1ed4507226ee5
SHA1: 6ce8cd87f89d98304f3bdd1412a2bdf74898b63b

SHA256: 093941aee7a67f526e973d0c9c87f3f23959def19e5bbb0db024c15dbddd313d
MD5: 1a430d866bebd8bb5f0178de8bcd3585
SHA1: 9929826d49019d8af9c5ae73686c008650b73715

SHA256: ddd52f02adae154a3044c20f0c1e4b5818443b5b40fc1766b63fd674da1124b1
MD5: fdeebc17fb238de7f754e6b64792496f
SHA1: 4dd51f9907bed0d52c0e0f850da16a9bb325cd88

SHA256: 47cfabe2e1eddeef9b63e0913e18561298c913d51f4c2bc529eb4e93a46b89b4
MD5: 2c504962b1e6b364b4b30d08fbbfef88
SHA1: 4c68dff6a1360541210b116daa4c27db4d6bca23

SHA256: 032f811fd58b7296e1f1bac55237193fb65590955d6877d12ac487dfa49a2307
MD5: e039151e979bbfd84f3ac262f80835bd
SHA1: 7a509a6b67d8bfefdafd9b93b257b5288f262ea1
Detections: BruteRatel win_brute_ratel_c4_w0

SHA256: 19efdf03cb94895935225795f68bb9abfded1869687367013b8b4eee3cc99372
MD5: 4e29f75c0c51b9dec76955f0382d9541
SHA1: 4899aa8e3f57339cbaec8faab777897a76fe1c3a

SHA256: 6cca9a789c97d3f4a0a1c236917048c7caef768084346c0371c2ecc2e8554a27
MD5: 4e76b0e8f4505adfda6052ddb2f84557
SHA1: 2f3b49c934cbbcc0da187384a0a10b1a1312f3ea

SHA256: ee949e1cd23a1e50847fe077bf8f8434f0d52370376c3da117e9f21af1b30fd7
MD5: b36413814948d5ecc45280b06a12f913
SHA1: 299070fc94f2c6feabafbe29ca517ee3d638301b

SHA256: 986bf52a0f46e965793f3617b4d58f6006238d1a98ead498406f8eea0c5bff05
MD5: 8d55569ca90fca91eb241926aecc0c5f
SHA1: 11abb47ab352fe895f3e68bc1e6c837bfa3fc456

SHA256: bcf3266e8996bcdb7acb686034f264b07c228ce37f1212b663b636cc0317ee1a (the submitted sample itself)
MD5: e09a29a45cffaab88b52a1cb1b615777
SHA1: a4f98d7dad9f679195a0912c534b3e0eda0f7cb8
Please note that we are no longer able to provide a coverage score for Virus Total.
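The indicators above are only useful once they are run against your own telemetry. The following Python is an added hunting example for this page, not MalwareBazaar's or any sandbox vendor's code. It evaluates Sysmon-style events against the C2 domain and IP from the behaviour graph, the "Creates processes via WMI" pattern (WmiPrvSE.exe launching an executable from a user-writable AppData path) and the dropped-file names. The event field names (EventID, Image, ParentImage, QueryName, DestinationIp, TargetFilename) are Sysmon's; the events themselves are constructed, and the AppData\Local\Temp drop directory is an assumption because the page elides the real one. Dropped-file names are random per infection, so matches on them are scored low.

```python
"""Hunt for this entry's indicators across Sysmon-style events.

Added example for this page; not MalwareBazaar's or any sandbox vendor's code.
Page-derived values: the C2 domain and IP and the dropped-file names from the
behaviour graph. Everything else (field names, paths, sample events) is assumed
or constructed.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Atomic indicators copied from the behaviour graph on this page.
C2_DOMAINS = {"falling.ug"}
C2_IPS = {"91.103.252.25"}
# Dropped-file names from the graph. They are random per infection, so a
# match is weak evidence; kept for retro-hunting this particular run.
DROPPED_NAMES = {"bltktsw.exe", "z`1.exe", "9m8p5afi.exe", "channeldata.exe"}

# Executables launched by WmiPrvSE.exe from a user-writable profile path
# correspond to the "Creates processes via WMI" signature in the graph.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.IGNORECASE)


@dataclass(frozen=True)
class Hit:
    rule: str
    confidence: str  # "high" atomic C2 IOC, "medium" behaviour, "low" filename
    event_id: int
    detail: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_event(ev: dict) -> list[Hit]:
    """Return every hit for one Sysmon-style event (assumed field names:
    EventID, Image, ParentImage, QueryName, DestinationIp, TargetFilename)."""
    hits: list[Hit] = []
    eid = ev.get("EventID")
    image = ev.get("Image", "")
    if eid == 22 and ev.get("QueryName", "").lower().rstrip(".") in C2_DOMAINS:
        hits.append(Hit("c2_domain_lookup", "high", eid, f"{image} -> {ev['QueryName']}"))
    if eid == 3 and ev.get("DestinationIp") in C2_IPS:
        hits.append(Hit("c2_ip_connection", "high", eid, f"{image} -> {ev['DestinationIp']}"))
    if eid == 1:
        parent = _basename(ev.get("ParentImage", ""))
        if parent == "wmiprvse.exe" and USER_WRITABLE.search(image):
            hits.append(Hit("wmi_spawn_from_user_path", "medium", eid, image))
        if _basename(image) in DROPPED_NAMES:
            hits.append(Hit("known_dropped_name_executed", "low", eid, image))
    if eid == 11 and _basename(ev.get("TargetFilename", "")) in DROPPED_NAMES:
        hits.append(Hit("known_dropped_name_written", "low", eid, ev["TargetFilename"]))
    return hits


def hunt(events: list[dict]) -> list[Hit]:
    return [h for ev in events for h in match_event(ev)]


def summarize(hits: list[Hit]) -> dict[str, int]:
    """Count hits per rule for a quick triage view."""
    return dict(Counter(h.rule for h in hits))


# Constructed events (not real telemetry). The AppData\Local\Temp directory is
# assumed; the page elides the actual drop directory.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\user\Desktop\file.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 11, "Image": r"C:\Users\user\Desktop\file.exe",
     "TargetFilename": r"C:\Users\user\AppData\Local\Temp\bltktsw.exe"},
    {"EventID": 22, "Image": r"C:\Users\user\Desktop\file.exe",
     "QueryName": "falling.ug"},
    {"EventID": 3, "Image": r"C:\Users\user\Desktop\file.exe",
     "DestinationIp": "91.103.252.25"},
    {"EventID": 1, "Image": r"C:\Users\user\AppData\Local\Temp\Z`1.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    # Benign noise: the WMI provider host spawning a Windows binary, ordinary DNS.
    {"EventID": 1, "Image": r"C:\Windows\System32\wbem\WMIADAP.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"EventID": 22, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "QueryName": "www.mozilla.org"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"[{hit.confidence:6}] {hit.rule:28} eid={hit.event_id} {hit.detail}")
    print(summarize(hunt(SAMPLE_EVENTS)))
```

The WMI rule deliberately ignores the dropped-file names and keys only on the parent and on a user-writable path, because the names change between infections while the WmiPrvSE.exe-launches-from-AppData pattern does not; the constructed WMIADAP.exe event shows that a Windows binary launched by the same parent does not fire it.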

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. They are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps those samples create. Only results from TLP:CLEAR rules are displayed.

Rule name: BruteSyscallHashes
Author: Embee_Research @ Huntress

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: win_bruteratel_syscall_hashes_oct_2022
Author: Embee_Research @ Huntress
Description: Detection of Brute Ratel Badger via api hashes of Nt* functions.

Rule name: win_brute_ratel_c4_w0
Author: Embee_Research @ Huntress

Rule name: win_Brute_Syscall_Hashes
Author: Embee_Research @ Huntress
Description: Detection of Brute Ratel Badger via api hashes of Nt* functions.

Reading these matches: pe_imphash and Skystars_Malware_Imphash key on the imphash, which for this .NET sample is the generic mscoree.dll!_CorExeMain value, so they carry no family signal. The four Brute Ratel rules look for hashed Nt* API names; the Unpacked files section attributes win_brute_ratel_c4_w0 to the unpacked file 032f811fd58b7296e1f1bac55237193fb65590955d6877d12ac487dfa49a2307 rather than to the submitted .NET loader, so these hits describe code extracted at runtime and corroborate neither the AZORult nor the Rhadamanthys label elsewhere on the page.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: AZORult
File type: Executable exe
SHA256: bcf3266e8996bcdb7acb686034f264b07c228ce37f1212b663b636cc0317ee1a (this sample)
