MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c613749fa5ddfbc29b303f99f48fde9a00ae31c5d560e04e92922df1f966be94. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c613749fa5ddfbc29b303f99f48fde9a00ae31c5d560e04e92922df1f966be94
SHA3-384 hash: 6098bdefe1c05a3bbb540e8899273205920fed54a03854a75f6e2ba00d76379a152c7d7d5258737fdd49bd7935047e0b
SHA1 hash: 82c54ef8840018043be63da501005dbffa3676a9
MD5 hash: edfba071e966aad86c057f228f01e723
humanhash: magazine-delta-failed-jersey
File name:COMMERCIAL INV-3020023.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:383'509 bytes
First seen:2022-12-10 02:53:08 UTC
Last seen:2023-01-05 12:36:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b34f154ec913d2d2c435cbd644e91687 (527 x GuLoader, 110 x RemcosRAT, 80 x EpsilonStealer)
ssdeep 6144:VQ606xgw0eA2ejR8JK87jFbDf0MBWQZkSAowCyE17+0jA6NFNv/t:YwqjmBRT0MkQZk3oN179j7NFNHt
Threatray 184 similar samples on MalwareBazaar
TLSH T108840211B7A2D6F7C46D0531582B8B66ABF5FC5109F01B5B23643B7DAC332419E0EBA8
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 08dce4f8cce47c04 (6 x GuLoader, 2 x AZORult)
Reporter Anonymous
Tags:AZORult exe

Intelligence

File Origin
# of uploads :
4
# of downloads :
196
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/344851/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.64055589.14917.29741.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file
Creating a file in the %temp% subdirectories
Delayed reading of the file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6393f4cc04e0e79bdf41f3ef/reports/11c48c5c-71e9-4bd6-847a-3f002bc480c6/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/abfa05a5-206b-4c55-9f76-2d8355cd8896
Result
Threat name:
Azorult
Create hunting rule
Detection:
malicious
Classification:
evad.phis.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1131776
Signature
Found many strings related to Crypto-Wallets (likely being stolen)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Self deletion via cmd or bat file
Tries to detect Any.run
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Yara detected Azorult
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 764500 Sample: COMMERCIAL INV-3020023.exe Startdate: 10/12/2022 Architecture: WINDOWS Score: 100 34 www.babizna.pl 2->34 36 bllsl1.shop 2->36 38 babizna.pl 2->38 44 Malicious sample detected (through community Yara rule) 2->44 46 Multi AV Scanner detection for submitted file 2->46 48 Yara detected Azorult 2->48 50 2 other signatures 2->50 9 COMMERCIAL INV-3020023.exe 3 34 2->9         started        signatures3 process4 file5 24 C:\Users\user\AppData\Local\...\System.dll, PE32 9->24 dropped 52 Tries to detect Any.run 9->52 13 COMMERCIAL INV-3020023.exe 63 9->13         started        signatures6 process7 dnsIp8 40 babizna.pl 95.216.34.216, 443, 49848 HETZNER-ASDE Germany 13->40 42 bllsl1.shop 188.114.96.3, 49849, 49854, 80 CLOUDFLARENETUS European Union 13->42 26 C:\Users\user\AppData\...\vcruntime140.dll, PE32 13->26 dropped 28 C:\Users\user\AppData\Local\...\ucrtbase.dll, PE32 13->28 dropped 30 C:\Users\user\AppData\Local\...\softokn3.dll, PE32 13->30 dropped 32 45 other files (none is malicious) 13->32 dropped 54 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 13->54 56 Tries to steal Instant Messenger accounts or passwords 13->56 58 Tries to steal Mail credentials (via file / registry access) 13->58 60 6 other signatures 13->60 18 cmd.exe 1 13->18         started        file9 signatures10 process11 process12 20 conhost.exe 18->20         started        22 timeout.exe 1 18->22         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c613749fa5ddfbc29b303f99f48fde9a00ae31c5d560e04e92922df1f966be94/
Threat name:
Win32.Downloader.Minix
Create hunting rule
Status:
Malicious
First seen:
2022-12-05 09:05:06 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
15 of 39 (38.46%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yyjxjh5f3x54fgzqh6m7jd66tiak4mof2vqoatussiw7d6lgx2ka._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
23bdbcc94a910fc7a4873ba666aa18404017514df95a9b1266d3aa233663c3ee
AZORult
296d3276af7f064b6e29fd453f3273c4fbf7d47d5afa4a2ecb80b594467d85df
AZORult
6d986cc1bd9fd02c980515b451b918a00568baea36b0ed00113c3e5f993d99d4
AZORult
9f47ed5d4825d6cf54c46856454b381f0a594dfdaa5027af5dc8379df03bcaa8
AZORult
d3a66173013a037b63d6ab4eb79916bb7e32cea117a3a12ed823f1f41ee69ce2
AZORult
d418b33e0f47d43fcc31e623c7c2b581aa9df51fb47a15414a8bb45b009f813b
AZORult
e504cb27581e7e2bf9f32203245d8a2d00451808a66a641b8e090ebd93a5842d
AZORult
f6a79144d1ff3fe08c93e756f50d43cba75721426448c17b702cdaa66e29ea7a
AZORult
+ 174 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery
Link:
https://tria.ge/reports/221210-ddv8pseg92/
Behaviour
Enumerates physical storage devices
Drops file in Program Files directory
Checks installed software on the system
Loads dropped DLL
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/c16e2aa2-4540-4f6b-828f-925e6f486063
Unpacked files
SH256 hash:
f004c568d305cd95edbd704166fcd2849d395b595dff814bcc2012693527ac37
MD5 hash:
8b3830b9dbf87f84ddd3b26645fed3a0
SHA1 hash:
223bef1f19e644a610a0877d01eadc9e28299509
Link:
https://www.unpac.me/results/6b75750f-cad3-438b-ba81-edbf91cc8e8c/
SH256 hash:
c613749fa5ddfbc29b303f99f48fde9a00ae31c5d560e04e92922df1f966be94
MD5 hash:
edfba071e966aad86c057f228f01e723
SHA1 hash:
82c54ef8840018043be63da501005dbffa3676a9
Link:
https://www.unpac.me/results/6b75750f-cad3-438b-ba81-edbf91cc8e8c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.23
Link:
https://yomi.yoroi.company/submissions/c613749fa5ddfbc29b303f99f48fde9a00ae31c5d560e04e92922df1f966be94

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AZORult

Executable exe c613749fa5ddfbc29b303f99f48fde9a00ae31c5d560e04e92922df1f966be94

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/344851/

Comments