MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c06db424f77450a146e45a9919d223ab1631db8ebb71fcfe3702d6b925e234fb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AZORult

Vendor detections: 17

Intelligence 17 IOCs YARA 14 File information Comments

SHA256 hash:	c06db424f77450a146e45a9919d223ab1631db8ebb71fcfe3702d6b925e234fb
SHA3-384 hash:	07d4950ce06c4021e578171ae850ca41e49fd8019ab6bdd49f9e6fba7ae0138a07669a00c402c1e816ae3e2d27fe1a5f
SHA1 hash:	b501b32d39a243444b5668ef42b86bf00a17b228
MD5 hash:	2bb1767607b30730a1fbd012fbdaf1f4
humanhash:	freddie-carpet-robert-gee
File name:	SecuriteInfo.com.Win32.PWSX-gen.2461.29326
Download:	download sample
Signature	AZORult Create hunting rule
File size:	634'880 bytes
First seen:	2023-09-17 10:39:54 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:swXbF21QtNChQLxvorSEAtdHsorHD9b9+Lh5/sxQemMSB2O2:Tbs1YoZAw8HaLQeo
Threatray	710 similar samples on MalwareBazaar
TLSH	T1C9D4014472B72364C8B08BF30495127343B7AD5915B2F7B80DD931DB2A36B464BA1A7F
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	SecuriteInfoCom
Tags:	AZORult exe

Intelligence

File Origin

# of uploads :

# of downloads :

400

Origin country :

Vendor Threat Intelligence

Malware family:

azorult

ID:

File name:

setup.exe

Verdict:

Malicious activity

Analysis date:

2023-09-17 13:26:08 UTC

Tags:

stealer azorult trojan

Link:

https://app.any.run/tasks/6d1ced7e-a0ba-48fc-a026-42261f025f2d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Azorult

Link:

https://www.capesandbox.com/analysis/449117/

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.2461.29326.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/6506d78533582f234ef9b5b0/reports/c88fdf42-ac2c-4902-b7cd-d06d356c4a12/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/c06db424f77450a146e45a9919d223ab1631db8ebb71fcfe3702d6b925e234fb

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

AZORult

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/70805957-db36-4cde-82ac-21556195fd43

Result

Threat name:

Azorult

Detection:

malicious

Classification:

phis.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1309567

Signature

.NET source code contains potential unpacker

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Crypto Currency Wallets

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file / registry access)

Uses known network protocols on non-standard ports

Yara detected Azorult

Yara detected Azorult Info Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

azorult

Link:

https://mwdb.cert.pl/sample/c06db424f77450a146e45a9919d223ab1631db8ebb71fcfe3702d6b925e234fb/

Threat name:

Win32.Spyware.Azorult

Status:

Malicious

First seen:

2023-09-17 09:07:21 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

16 of 23 (69.57%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ybw3ijhxorikcrxelkmrturdvmlddw4oxny7z7rxalllsjpcgt5q._file

Verdict:

malicious

Label(s):

azorult

AZORult

3ea0d5204b7f00592980a76c06e5210758c6ac6cb1bc8e90c03739d0ec8ddf76

AZORult

5629a3ae6193f39e3d63b927f028e1e06cde3a1e7fd1c11a1bd22859db3be241

AZORult

69d0885e1490db820cfa69e85ee79f0fa96375c65b32606c3fa2a6edfe19cf1a

AZORult

722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088

AZORult

d8c4fb5e1c854c9362c4129efbaa6b72435b8e93df66fd418f288650d360ff22

AZORult

ffbc5914f16b287d3ccd7b855e634db5d95fa14596868d7dc29aaa9dd7f4180c

AZORult

+ 700 additional samples on MalwareBazaar

Result

Malware family:

azorult

Score:

10/10

Tags:

family:azorult collection discovery infostealer spyware stealer trojan

Link:

https://tria.ge/reports/230917-mqjj4scb84/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Loads dropped DLL

Reads data files stored by FTP clients

Reads local data of messenger clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Azorult

Malware Config

C2 Extraction:

http://185.28.39.17:7777/asiamandarin.buzz/deval/index.php

Unpacked files

SH256 hash:

57a09ac10dca60215c2c2bba6a223c79e5599fafac6c3236442643e466254b10

MD5 hash:

d5f2813d4bb302428290cbad33aa7841

SHA1 hash:

e7d68dd89d434e30cd3edae19f5aa49eae666061

Link:

https://www.unpac.me/results/be735b91-6a13-45ca-86b6-5d6b58b15479/

SH256 hash:

0cc2d545cdbc9aca7ac5732fc2e1858bae1b8c575e67f0b4b8077610c5597806

MD5 hash:

604ba9fe5293c6b09155e9593e5fe8b4

SHA1 hash:

c9ca531c5c50091dcdeabea6af26643e897fe3f8

Link:

https://www.unpac.me/results/be735b91-6a13-45ca-86b6-5d6b58b15479/

SH256 hash:

33f719a1a66f13eecf53a60979d26185859b5abf7f8bbe1fd7870c36a618696c

MD5 hash:

0f75a09561777970211e2867466cfbfe

SHA1 hash:

6469fe3e492f656263c0cf550ca0fd39498b52e4

Detections:

Azorult

win_azorult_auto

win_azorult_g1

Link:

https://www.unpac.me/results/be735b91-6a13-45ca-86b6-5d6b58b15479/

Parent samples :

16495e3c7dc157fb17b808e31db3f6c6339a398c80bf6c2229cc7e0c22fed3fe
c06db424f77450a146e45a9919d223ab1631db8ebb71fcfe3702d6b925e234fb

SH256 hash:

0630b864e828fff2d66f33ab7d00fad231df4c00fc0bbad313ee0d12ca503198

MD5 hash:

f559a9abbd849eb977d262d597d6e4fd

SHA1 hash:

0a8769b40b026852690c89b913c2812817ef43c8

Link:

https://www.unpac.me/results/be735b91-6a13-45ca-86b6-5d6b58b15479/

Parent samples :

cef72412a1dd9486bae5f7e606d4330660fba98575ba1c939559ccc83536f41a
81ccf158093718305b3499d0f16d8a82bcad69f2740066daca8d5b5ca9979688

SH256 hash:

c06db424f77450a146e45a9919d223ab1631db8ebb71fcfe3702d6b925e234fb

MD5 hash:

2bb1767607b30730a1fbd012fbdaf1f4

SHA1 hash:

b501b32d39a243444b5668ef42b86bf00a17b228

Link:

https://www.unpac.me/results/be735b91-6a13-45ca-86b6-5d6b58b15479/

Malware family:

AZORult v3

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/c06db424f774/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c06db424f77450a146e45a9919d223ab1631db8ebb71fcfe3702d6b925e234fb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AgentTesla_DIFF_Common_Strings_01 Create hunting rule
Author:	schmidtsz
Description:	Identify partial Agent Tesla strings

Rule name:	Azorult Create hunting rule
Author:	kevoreilly
Description:	Azorult Payload

Rule name:	BobSoftMiniDelphiBoBBobSoft Create hunting rule
Author:	malware-lu

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	malware_Azorult Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Azorult in memory
Reference:	internal research

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Telegram_Links Create hunting rule

Rule name:	Trojan_W32_Gh0stMiancha_1_0_0 Create hunting rule

Rule name:	Windows_Trojan_Azorult_38fce9ea Create hunting rule
Author:	Elastic Security

Rule name:	win_azorult_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.azorult.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/449117/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample