MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bd35948712753f7a1c073fbf50e798898e0bbf9dec42a416eb33e2f78913c314. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bd35948712753f7a1c073fbf50e798898e0bbf9dec42a416eb33e2f78913c314
SHA3-384 hash: 751eb913cdd2c7696fe08ebfec97966f275fbcf2447e2e55ad504f5c390afd2635e66d904df48417d7c63b08f4b58551
SHA1 hash: 1419e6cc4e3686bc8114d671d1a8896dbec82c3e
MD5 hash: 80bde3e0bd0347bc27509abd0c2b2601
humanhash: river-eleven-robin-magnesium
File name:gunzipped.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:422'349 bytes
First seen:2022-01-31 08:31:00 UTC
Last seen:2022-01-31 15:24:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 099c0646ea7282d232219f8807883be0 (476 x Formbook, 210 x Loki, 107 x AgentTesla)
ssdeep 6144:BwTa4ogLeiDcTV0YQo/PWJTYQMMHObcgnpOnbzPako3Y:kJTnDa0YQo3t3sxo3Y
Threatray 8'223 similar samples on MalwareBazaar
TLSH T1A994E3F871E1E27AC81582712E217C7193F14DA0DDB1A915EDECF9E4D630EF62B22606
File icon (PE):PE icon
dhash icon 10808a8c8c8a8010 (77 x Formbook, 51 x AgentTesla, 44 x RemcosRAT)
Reporter abuse_ch
Tags:AZORult exe


Avatar
abuse_ch
AZORult C2:
http://31.210.20.167/cake/index.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://31.210.20.167/cake/index.php https://threatfox.abuse.ch/ioc/370949/

Intelligence

File Origin
# of uploads :
2
# of downloads :
504
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
gunzipped.exe
Verdict:
Malicious activity
Analysis date:
2022-01-31 08:33:49 UTC
Tags:
installer
Link:
https://app.any.run/tasks/ec8d1dd2-389e-4a88-a044-c380dc61247d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Azorult
Create hunting rule
Link:
https://www.capesandbox.com/analysis/228356/
Detection(s):
SecuriteInfo.com.FakeAV.CXA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Unauthorized injection to a recently created process
Сreating synchronization primitives
Sending an HTTP POST request
Reading critical registry keys
Creating a window
DNS request
Running batch commands
Creating a process with a hidden window
Launching a process
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/61f79e48d7fd65ae55fb7bb8/reports/032b117b-99a6-463f-9f53-a5e184d6aeb7/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AZORult
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a30a4c80-24ae-4583-b41b-5ff0ab574262
Result
Threat name:
Azorult
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/930684
Behaviour
Behavior Graph:
n/a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bd35948712753f7a1c073fbf50e798898e0bbf9dec42a416eb33e2f78913c314/
Threat name:
Win32.Trojan.Spynoon
Create hunting rule
Status:
Malicious
First seen:
2022-01-31 08:31:12 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xu2zjbysou7xuhahh67vbz4yrghaxp455rbkifxlgprppcitymka._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
trickbot
Create hunting rule
Similar samples:
0caaaa5f4ab21a8ceaaded6e69be05b30e424980e159c6458b0c8379adee95da
AZORult
15eb9fe80c710f5b993b7906a00cf6d775ae0a6ea93c079ec56dffd95c1b04be
AZORult
31c5ddd1fbe36e68985803eda63bfeaaccce58774389be0c0fc339d214ea1353
AZORult
4dd710964bb7577921fff55993ac0f007e489bb609fcf6ea50f5f949baa8504b
AZORult
5896ab6180021d7a1bad370dd224ef00e660c22aa7f92c928a7d1f2c44a8bf50
AZORult
6321c189d83bd48713f5a7b760d033082078e3104e148206d31c374532fbe07e
AZORult
8764b673268c50c93a845e89b84fe3d7e420807c049106bad73250799f04d5ec
AZORult
9218a2c4cfd9538b65b06202b850c2900e625477b176708d44e09a6bafbb5d43
AZORult
acfd67e70a3b73fa1c66207594fd2afb565fd437470c61f7c2de922d855e71ea
AZORult
e752bd103a473a433040a6522226aac9cecf8b5a8e6ab59fe386d63a5566b63c
AZORult
+ 8'213 additional samples on MalwareBazaar
Result
Malware family:
azorult
Create hunting rule
Score:
  10/10
Tags:
family:azorult collection discovery infostealer spyware stealer suricata trojan
Link:
https://tria.ge/reports/220131-keq4psgghr/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Azorult
suricata: ET MALWARE AZORult v3.3 Server Response M3
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M17
Malware Config
C2 Extraction:
http://31.210.20.167/cake/index.php
Unpacked files
SH256 hash:
bd35948712753f7a1c073fbf50e798898e0bbf9dec42a416eb33e2f78913c314
MD5 hash:
80bde3e0bd0347bc27509abd0c2b2601
SHA1 hash:
1419e6cc4e3686bc8114d671d1a8896dbec82c3e
Link:
https://www.unpac.me/results/b8b3a34d-cc4c-49f6-8ab0-ff9f9b9532f8/
Malware family:
AZORult v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/bd3594871275/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.43
Link:
https://yomi.yoroi.company/submissions/bd35948712753f7a1c073fbf50e798898e0bbf9dec42a416eb33e2f78913c314

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Azorult
Create hunting rule
Author:kevoreilly
Description:Azorult Payload
Rule name:malware_Azorult
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Azorult in memory
Reference:internal research
Rule name:win_azorult_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.azorult.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/228356/

Comments