MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 bea960ae51836b4d2233c5df014fd0c7fa70bd99456fe247d7c8b4efec36b352. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
AZORult
Vendor detections: 11
| SHA256 hash: | bea960ae51836b4d2233c5df014fd0c7fa70bd99456fe247d7c8b4efec36b352 |
|---|---|
| SHA3-384 hash: | 37162ca35aeab8cdbc07df81e0c41036429e6876e3bdbea5aa0c6f6497fd6765e2940780d2a7a9fe88742d3a81d8bab0 |
| SHA1 hash: | 59b07fb7cf8fc6691c7427248218037d8bff7e7e |
| MD5 hash: | a2585ea964bff6f97eb64ecd6db479c1 |
| humanhash: | crazy-gee-carolina-magazine |
| File name: | Company profile.exe |
| Download: | download sample |
| Signature | AZORult |
| File size: | 851'456 bytes |
| First seen: | 2021-01-18 09:43:04 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger) |
| ssdeep | 12288:lfZK9dnWRUlfiHb2s6mFrQd4Klfm/4CA3HvxU77Y:lklfYT6mFKNmAB3Hvx4Y |
| Threatray | 605 similar samples on MalwareBazaar |
| TLSH | 6305293D72B44B06E4396FF44A5493CC4BBDEE595226CE09FCC136FAD971B228606623 |
| Reporter |  abuse_ch |
| Tags: | AZORult exe |
abuse_ch
Malspam distributing AZORult:HELO: mail.facetohen.tk
Sending IP: 163.44.193.146
From: CARME MOLLET <anwa@facetohen.tk>
Reply-To: Richard Mahabir <pe@masseng.com>
Subject: INQUIRY: Request for prices and lead time
Attachment: Company profile.zip (contains "Company profile.exe")
AZORult C2:
http://66.228.39.174/index.php
Intelligence
File Origin
# of uploads :
1
# of downloads :
319
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Company profile.exe
Verdict:
Malicious activity
Analysis date:
2021-01-18 09:49:18 UTC
Tags:
trojan rat azorult
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Azorult
Detection(s):
Result
Verdict:
Malware
Maliciousness:
Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Sending an HTTP POST request
Creating a file in the %temp% subdirectories
Deleting a recently created file
Reading critical registry keys
Stealing user critical data
Result
Threat name:
AZORult
Detection:
malicious
Classification:
phis.spyw.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Binary contains a suspicious time stamp
Detected AZORult Info Stealer
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Yara detected AntiVM_3
Yara detected Azorult
Yara detected Azorult Info Stealer
Behaviour
Behavior Graph:
Threat name:
Win32.Trojan.AgentTesla
Status:
Malicious
First seen:
2021-01-18 09:44:05 UTC
AV detection:
9 of 46 (19.57%)
Threat level:
5/5
Detection(s):
Malicious file
Verdict:
malicious
Label(s):
azorult
Similar samples:
+ 595 additional samples on MalwareBazaar
Result
Malware family:
azorult
Score:
10/10
Tags:
family:azorult discovery infostealer spyware trojan
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
Checks installed software on the system
JavaScript code in executable
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Azorult
Malware Config
C2 Extraction:
http://66.228.39.174/index.php
Unpacked files
SH256 hash:
c1bd5dc0de0deea2b7001a66dc7e3e5b48c4d66a2cb0670a10490a4bf8e8b7de
MD5 hash:
e59f1d69ab0431862ae9a5ec6fb3a419
SHA1 hash:
ee5de94c9e729f9c0436de586da71114beb64852
SH256 hash:
73f765ca2708b0d361edcbd1009541b22a032a0fdb490e2ad81cd2b65ea48d5d
MD5 hash:
4e47e55c2fd1194b279b902599b00677
SHA1 hash:
d763f655dea18f56534d28fc996508f23a2d9d1a
Detections:
win_azorult_g1
win_azorult_auto
SH256 hash:
af7a0e736cdb6828d3fa532aeda4d9a46722325b1b247c207523006a921a2bb4
MD5 hash:
1e0b600376fdcaaca0b03a1ed1ffa8b8
SHA1 hash:
4cfd690b6af3daedc063417a11f349ba71d3e020
SH256 hash:
bea960ae51836b4d2233c5df014fd0c7fa70bd99456fe247d7c8b4efec36b352
MD5 hash:
a2585ea964bff6f97eb64ecd6db479c1
SHA1 hash:
59b07fb7cf8fc6691c7427248218037d8bff7e7e
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Malspam
Delivery method
Distributed via e-mail attachment
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.