MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bd3cefcbb135df48caee6888747542a304c4706e24e93492c481201c556bf334. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 13


Intelligence 13 IOCs 2 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bd3cefcbb135df48caee6888747542a304c4706e24e93492c481201c556bf334
SHA3-384 hash: 77bb8e70778b577cdc455726e6fa704d1a67faf62543477c7124c359a0680e712333714153b793a274aa9c6efcbe64d8
SHA1 hash: 2501d72b98b8778858c3aad60a422f19fb423908
MD5 hash: 468832921f562702e1c628d7778a776b
humanhash: queen-ceiling-quebec-magnesium
File name:BD3CEFCBB135DF48CAEE6888747542A304C4706E24E93.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:70'144 bytes
First seen:2021-09-02 18:46:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1d88d597200c0081784c27940d743ec5 (6 x AZORult, 3 x RaccoonStealer, 1 x MBRLocker)
ssdeep 1536:7W8wn/uubIuc9XtrQkWNTlpFXP0nouy8C2tKBsO:UWEILEkWN5XXPEout5A
Threatray 7'871 similar samples on MalwareBazaar
TLSH T16663D0A2B617CC2BC45662B10E65EA7867A8EC2CAD46574330E97F7F3F79B1108904A1
dhash icon d699133e2c0ce4f4 (1 x AZORult)
Reporter abuse_ch
Tags:AZORult exe


Avatar
abuse_ch
AZORult C2:
http://5.181.156.221/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://5.181.156.221/ https://threatfox.abuse.ch/ioc/213378/
http://mazoyer.ac.ug/index.php https://threatfox.abuse.ch/ioc/213380/

Intelligence

File Origin
# of uploads :
1
# of downloads :
1'089
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
BD3CEFCBB135DF48CAEE6888747542A304C4706E24E93.exe
Verdict:
Malicious activity
Analysis date:
2021-09-02 19:04:04 UTC
Tags:
trojan rat azorult loader stealer vidar raccoon
Link:
https://app.any.run/tasks/e2138b66-0cb8-48cb-98c8-17882465417b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/184953/
Detection(s):
PUA.Win.Packer.Upx-4
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Creating a file in the %temp% subdirectories
Sending a UDP request
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Creating a window
Deleting a recently created file
Connecting to a non-recommended domain
Connection attempt
Sending an HTTP GET request
Creating a file
Connection attempt to an infection source
Launching a process
Forced system process termination
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Query of malicious DNS domain
Launching a file downloaded from the Internet
Sending an HTTP GET request to an infection source
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b11001a5-249b-458c-adeb-186bfcf58685
Result
Threat name:
Azorult Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/844277
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to access PhysicalDrive, possible boot sector overwrite
Contains functionality to detect sandboxes (registry SystemBiosVersion/Date)
Contains functionality to infect the boot sector
Detected unpacking (changes PE section rights)
Drops PE files to the user root directory
Found malware configuration
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Sigma detected: Execution from Suspicious Folder
Sigma detected: Suspicious PowerShell Invocations - Specific
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Azorult
Yara detected Azorult Info Stealer
Yara detected BatToExe compiled binary
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 476704 Sample: BD3CEFCBB135DF48CAEE6888747... Startdate: 02/09/2021 Architecture: WINDOWS Score: 100 81 telete.in 2->81 83 mazoyer.ac.ug 2->83 85 mazooyaar.ac.ug 2->85 95 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->95 97 Multi AV Scanner detection for domain / URL 2->97 99 Found malware configuration 2->99 101 16 other signatures 2->101 12 BD3CEFCBB135DF48CAEE6888747542A304C4706E24E93.exe 7 2->12         started        signatures3 process4 file5 71 C:\Users\user\AppData\...\UNGActivator.exe, MS-DOS 12->71 dropped 15 cmd.exe 2 12->15         started        process6 process7 17 powershell.exe 15 23 15->17         started        21 UNGActivator.exe 15->21         started        24 powershell.exe 22 15->24         started        26 conhost.exe 15->26         started        dnsIp8 73 dgdfasddfs.ru 109.196.164.102, 49706, 80 MTW-ASRU Russian Federation 17->73 57 C:\Users\Public\cdoz.exe, PE32 17->57 dropped 28 cdoz.exe 13 17->28         started        31 conhost.exe 1 17->31         started        103 Detected unpacking (changes PE section rights) 21->103 105 Machine Learning detection for dropped file 21->105 107 Contains functionality to detect sandboxes (registry SystemBiosVersion/Date) 21->107 113 2 other signatures 21->113 75 bit.do 54.83.52.76, 49707, 80 AMAZON-AESUS United States 24->75 77 192.168.2.1 unknown unknown 24->77 79 dgkhj.ru 24->79 109 Drops PE files to the user root directory 24->109 111 Powershell drops PE file 24->111 33 conhost.exe 1 24->33         started        file9 signatures10 process11 signatures12 121 Antivirus detection for dropped file 28->121 123 Multi AV Scanner detection for dropped file 28->123 125 Machine Learning detection for dropped file 28->125 127 Maps a DLL or memory area into another process 28->127 35 cdoz.exe 21 28->35         started        process13 dnsIp14 87 mazoyer.ac.ug 185.215.113.77, 49709, 49713, 49715 WHOLESALECONNECTIONSNL Portugal 35->87 89 lastimaners.ug 35->89 59 C:\Users\user\AppData\...\dfgdvdfsds.exe, PE32 35->59 dropped 61 C:\Users\user\AppData\Local\...\cvbfsds.exe, PE32 35->61 dropped 63 C:\Users\user\AppData\Local\...\bvcfsds.exe, PE32 35->63 dropped 65 5 other malicious files 35->65 dropped 115 Hides threads from debuggers 35->115 40 cvbfsds.exe 35->40         started        44 bvcfsds.exe 35->44         started        46 bvasdvdfsds.exe 2 35->46         started        48 dfgdvdfsds.exe 35->48         started        file15 signatures16 process17 file18 67 C:\Users\user\AppData\Local\Temp\cbvjns.exe, PE32 40->67 dropped 117 Antivirus detection for dropped file 40->117 119 Machine Learning detection for dropped file 40->119 50 vcxfse.exe 40->50         started        53 cbvjns.exe 40->53         started        69 C:\Users\user\AppData\Local\Temp\vcxfse.exe, PE32 44->69 dropped 55 vcxfse.exe 44->55         started        signatures19 process20 signatures21 91 Antivirus detection for dropped file 50->91 93 Machine Learning detection for dropped file 50->93
Detection:
raccoon
Create hunting rule
Link:
https://mwdb.cert.pl/sample/bd3cefcbb135df48caee6888747542a304c4706e24e93492c481201c556bf334/
Threat name:
Win32.Trojan.GenAutorunLnkFile
Create hunting rule
Status:
Malicious
First seen:
2019-06-21 14:06:48 UTC
File Type:
PE (Exe)
Extracted files:
22
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xu6o7s5rgxpursxoncehi5kcumcmi4doetutjeweqeqbyvll6m2a._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
Similar samples:
14a0d25b4d33216e9110c9588fa3168105efdad28827e772c4798337544eb708
AZORult
7982b6446285ca06d96a1bc1e0ac8a2618123664173bff105d02e22bf617c757
AZORult
84a40405e621a10c9259ff45e052fab0789a6ff956eb95985a12d715d64e5b72
AZORult
895100760e67763505b9cad311be16b533db48d1f2cb28424a98495406220a2f
AZORult
9d4a0a8ffa11fc953750c07bd6997bcd23871fe277f65b4113e197b779aa24f0
AZORult
b594ae37dfb90a402bda0803680b455ababcc67e1add26f3c3f8f192d97dbe2a
AZORult
fa40dc2c8055f953099d7d354ba97fbf3a5f3aa501ce95cb8cefa810b80ea5d4
AZORult
+ 7'861 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:azorult family:oski family:raccoon botnet:43aae292cfe6f58a13bd7111bdd7d5ded5b23ec3 discovery infostealer spyware stealer trojan upx
Link:
https://tria.ge/reports/210902-xe7gxabde7/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Azorult
Oski
Raccoon
Malware Config
C2 Extraction:
mazooyaar.ac.ug
http://195.245.112.115/index.php
Dropper Extraction:
http://bit.do/eVtV2
http://dgdfasddfs.ru/pps.ps1
Unpacked files
SH256 hash:
0b4304c295443f731f35434d1ffe611dc6aa81d3860286ad43d86aebf78df165
MD5 hash:
b5d7f694956a607640f76b17e2c80db6
SHA1 hash:
7d13a88a23da253d28712d8157ad6edabbee6559
Link:
https://www.unpac.me/results/936ff13c-f3f6-4983-a57a-157fd2360c91/
SH256 hash:
0f5d05074e8472981d364b42b6af9ad6521e750a6721a1031db917e4a24b62d2
MD5 hash:
deae37f2aded3f19dad252b9bd5794ca
SHA1 hash:
a726d7ec1daacacf347e776a23816ec72a8b9fd8
Detections:
win_batchwiper_auto
Create hunting rule
Link:
https://www.unpac.me/results/936ff13c-f3f6-4983-a57a-157fd2360c91/
SH256 hash:
7afda61d5dfdddd48d9084ac6f7ea2dbe957ba3694256426e5eeb37b7d248e60
MD5 hash:
7c8cbfc4b4b20ef592e8d5a2e1d2509d
SHA1 hash:
326dd38a6992f4321b46265b1c770d76fe9b4d08
Link:
https://www.unpac.me/results/936ff13c-f3f6-4983-a57a-157fd2360c91/
SH256 hash:
bd3cefcbb135df48caee6888747542a304c4706e24e93492c481201c556bf334
MD5 hash:
468832921f562702e1c628d7778a776b
SHA1 hash:
2501d72b98b8778858c3aad60a422f19fb423908
Link:
https://www.unpac.me/results/936ff13c-f3f6-4983-a57a-157fd2360c91/
Malware family:
Raccoon v1.7.2
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/bd3cefcbb135/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bd3cefcbb135df48caee6888747542a304c4706e24e93492c481201c556bf334

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/184953/

Comments