MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c62efee952c1bb4ff8e9fd28f3e477180010f8be162e6ddf8b8bfb42c78dfe2a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c62efee952c1bb4ff8e9fd28f3e477180010f8be162e6ddf8b8bfb42c78dfe2a
SHA3-384 hash: 4420589d8fd3b3342a6c18bafad3cd39effc9f967c56b878de2084eb28ab73d314f2362de4c13b3fa5b4350a6924cdb1
SHA1 hash: 0ba85429cca551d03f7d0e367c091dd7dfc58989
MD5 hash: 42f83346f095d3d4c0351a9e36f7341e
humanhash: neptune-romeo-tennis-coffee
File name:PAYMENT SWIFT ADVICE.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:5'747'251 bytes
First seen:2020-10-14 15:11:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3d349bb1fedb23758a6e397e5d691576 (8 x Bancteian, 7 x AZORult, 1 x AgentTesla)
ssdeep 98304:+tR4xGnCtvwCEQjfkeoS9yn45+ZkvyzHvz6z49m:O4xEfQTkS9ynfk2Hvz6U4
TLSH 7146AE16B6C42C3FC0AB17364C265E30D93B7EA126269C1F16F078DC8E7D5817D2A69B
Reporter abuse_ch
Tags:AZORult exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: webmail.cyber.net.pk
Sending IP: 203.101.175.37
From: DBS BANK <startextile@cyber.net.pk>
Subject: Fwd:PAYMENT ADVICE NOTIFICATION 13-10-20 (DBS).
Attachment: PAYMENT SWIFT ADVICE.zip (contains "PAYMENT SWIFT ADVICE.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
159
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Detection(s):
Win.Trojan.Bancteian-0-6418983-0
Create hunting rule

Win.Malware.Delf-6821969-0
Create hunting rule

Win.Malware.Delf-6821971-0
Create hunting rule

Win.Trojan.Delf-33906
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file in the %temp% directory
Creating a file
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the Windows directory
Changing a file
Moving a file to the Windows directory
Moving a recently created file
Creating a file in the %AppData% directory
Moving a file to the %AppData% directory
Setting a keyboard event handler
Blocking the User Account Control
Unauthorized injection to a recently created process
Enabling autorun
Enabling a "Do not show hidden files" option
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/491230
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates an undocumented autostart registry key
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 298142 Sample: PAYMENT SWIFT ADVICE.exe Startdate: 14/10/2020 Architecture: WINDOWS Score: 100 54 Antivirus / Scanner detection for submitted sample 2->54 56 Multi AV Scanner detection for dropped file 2->56 58 Multi AV Scanner detection for submitted file 2->58 60 9 other signatures 2->60 8 PAYMENT SWIFT ADVICE.exe 3 2->8         started        process3 file4 34 C:\Users\user\...\PAYMENT SWIFT ADVICE.exe, PE32 8->34 dropped 36 C:\Users\user\AppData\Local\...\icsys.ico.exe, PE32 8->36 dropped 11 icsys.ico.exe 13 8->11         started        15 PAYMENT SWIFT ADVICE.exe 3 8->15         started        process5 file6 38 C:\Windows\wininit.exe, PE32 11->38 dropped 40 C:\Windows\RCX45B0.tmp, PE32 11->40 dropped 42 C:\Users\user\AppData\Roaming\spoolsv.exe, PE32 11->42 dropped 46 4 other malicious files 11->46 dropped 72 Antivirus detection for dropped file 11->72 74 Multi AV Scanner detection for dropped file 11->74 76 Machine Learning detection for dropped file 11->76 80 2 other signatures 11->80 17 wininit.exe 13 11->17         started        21 svchost.exe 14 11->21         started        44 C:\Users\...\PAYMENT SWIFT ADVICE.exe .log, ASCII 15->44 dropped 78 Injects a PE file into a foreign processes 15->78 23 PAYMENT SWIFT ADVICE.exe 1 15->23         started        25 PAYMENT SWIFT ADVICE.exe 15->25         started        27 PAYMENT SWIFT ADVICE.exe 15->27         started        29 2 other processes 15->29 signatures7 process8 dnsIp9 48 edge-block-www-env.dropbox-dns.com 162.125.66.15, 443, 49744, 49745 DROPBOXUS United States 17->48 50 192.168.2.1 unknown unknown 17->50 52 2 other IPs or domains 17->52 62 Antivirus detection for dropped file 17->62 64 Creates an undocumented autostart registry key 17->64 66 Machine Learning detection for dropped file 17->66 68 Installs a global keyboard hook 17->68 31 spoolsv.exe 1 17->31         started        70 Tries to harvest and steal browser information (history, passwords, etc) 21->70 signatures10 process11 signatures12 82 Antivirus detection for dropped file 31->82 84 Machine Learning detection for dropped file 31->84
Detection:
azorult
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c62efee952c1bb4ff8e9fd28f3e477180010f8be162e6ddf8b8bfb42c78dfe2a/
Threat name:
Win32.Trojan.Bancteian
Create hunting rule
Status:
Malicious
First seen:
2020-10-13 22:07:12 UTC
AV detection:
28 of 29 (96.55%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yyxp52ksyg5u76hj7uuphzdxdaabb6f6cyxg3x4lrp5ufr4n7yva._file
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion trojan persistence spyware
Link:
https://tria.ge/reports/201014-lb3mkymx5j/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Modifies WinLogon for persistence
Modifies visiblity of hidden/system files in Explorer
UAC bypass
Unpacked files
SH256 hash:
c62efee952c1bb4ff8e9fd28f3e477180010f8be162e6ddf8b8bfb42c78dfe2a
MD5 hash:
42f83346f095d3d4c0351a9e36f7341e
SHA1 hash:
0ba85429cca551d03f7d0e367c091dd7dfc58989
Link:
https://www.unpac.me/results/5a6a3e50-95a7-43d2-8c8f-d55540e2036a/
SH256 hash:
5410b97fdd4a9f55d8390416b5fac3cca476ed0c9cf0bb85e5068659ba44f802
MD5 hash:
4c974e3365cdf8197308e75dbe9ba1c5
SHA1 hash:
16a7c3a921f51c00daf85e96a45358622b3ea18c
Link:
https://www.unpac.me/results/5a6a3e50-95a7-43d2-8c8f-d55540e2036a/
SH256 hash:
cb678ee992d8574227e81f40e206c006a3add395023c7ae8511844a88ef15f6f
MD5 hash:
d304074a7df645b9b4dbbe6a4896a721
SHA1 hash:
0383582e46b781999046f1eb48f117877a694865
Link:
https://www.unpac.me/results/5a6a3e50-95a7-43d2-8c8f-d55540e2036a/
SH256 hash:
af42fa6663ce3d49fc2a3c629033e3fe2896bafe2ef54b1ddea1f25b5494c38f
MD5 hash:
e57e64fc92672377caad91aca90851ca
SHA1 hash:
52eff77000fad6f027d310c7b6c3e70060ceaf2a
Link:
https://www.unpac.me/results/5a6a3e50-95a7-43d2-8c8f-d55540e2036a/
SH256 hash:
607f04646c9f16f7c23fa69d4b8f660fc7c44d40e4f73a0c70a2b315debdaa8b
MD5 hash:
a90baadadf904455325f7bc787185c7b
SHA1 hash:
7d833bb819d638008c98be469b05db2feaf201cd
Link:
https://www.unpac.me/results/5a6a3e50-95a7-43d2-8c8f-d55540e2036a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c62efee952c1bb4ff8e9fd28f3e477180010f8be162e6ddf8b8bfb42c78dfe2a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AZORult

zip 066b91498739df6eb1a785567702971261dafa8a5d1861df1b5161373f19a1e5

AZORult

Executable exe c62efee952c1bb4ff8e9fd28f3e477180010f8be162e6ddf8b8bfb42c78dfe2a

(this sample)

  
Dropped by
MD5 b87e7fee041e999baa8265c73e7fe8ba
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/70859/
  
Dropped by
SHA256 066b91498739df6eb1a785567702971261dafa8a5d1861df1b5161373f19a1e5

Comments