MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c6c2dffdc7a7e00a8f726f1603b0001ae7244a5fc9db0e3064eab684c19f6b77. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 20


Intelligence 20 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c6c2dffdc7a7e00a8f726f1603b0001ae7244a5fc9db0e3064eab684c19f6b77
SHA3-384 hash: 6951413186cb296a0c9f3f0ea4cbde7ca55e41acb80fb7f60c0367e6f9d4833a7476a33ece27f7146a336eca03e22998
SHA1 hash: e19037fba59f57e964fa6467db08ca373623eb6b
MD5 hash: 226dc0a0f19f82bc6e4f08d7ebcfc9ad
humanhash: paris-crazy-wyoming-zebra
File name:226dc0a0f19f82bc6e4f08d7ebcfc9ad.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:1'321'472 bytes
First seen:2026-06-24 16:20:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (49'076 x AgentTesla, 20'039 x Formbook, 12'353 x SnakeKeylogger)
ssdeep 768:P+XGU61bijXjpqHHYrinbmCUPT1rwcbuqRfiugqWCGLt9YLWAfar+qaXjGFhpy69:P+WUYbijX6YnCUB255Ckf9
Threatray 1'162 similar samples on MalwareBazaar
TLSH T1EB555922DD773A8E32A0921017F3393D1BBE07E094199EAC826915874397FD67ED8E17
TrID 73.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
6.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.6% (.EXE) Win64 Executable (generic) (6522/11/2)
4.5% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter abuse_ch
Tags:AZORult exe


Avatar
abuse_ch
AZORult C2:
http://somrapum.mywebcommunity.org/index.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://somrapum.mywebcommunity.org/index.php https://threatfox.abuse.ch/ioc/1837036/

Intelligence

File Origin
# of uploads :
1
# of downloads :
173
Origin country :
NL NL
Vendor Threat Intelligence
No detections
Malware family:
azorult
Create hunting rule
ID:
1
File name:
_c6c2dffdc7a7e00a8f726f1603b0001ae7244a5fc9db0e3064eab684c19f6b77.exe
Verdict:
Malicious activity
Analysis date:
2026-06-24 16:22:34 UTC
Tags:
auto-startup auto-reg pastebin azorult loader stealer
Link:
https://app.any.run/tasks/d7705038-226e-4b47-aa7f-6d50b1ca6271

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DLAgent02
Create hunting rule
Link:
https://www.capesandbox.com/analysis/71866/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.527.11853.17733.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a3c03ed86bc95245bf92c4f
Tags:
azorult autorun lien
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a process with a hidden window
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Sending an HTTP POST request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Adding exclusions to Windows Defender
Adding an exclusion to Microsoft Defender
Enabling autorun
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated vbnet
Link:
https://www.filescan.io/uploads/6a3c03fa90632a45f738f56a/reports/54fbbbd8-cd22-4ca0-8936-bb1b3cf01b56/overview
Verdict:
Malicious
Labled as:
Kryptik.Generic
Link:
https://www.hybrid-analysis.com/sample/c6c2dffdc7a7e00a8f726f1603b0001ae7244a5fc9db0e3064eab684c19f6b77
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-06-20T04:14:00Z UTC
Last seen:
2026-06-24T22:44:00Z UTC
Hits:
~100
Detections:
Trojan-PSW.Azorult.HTTP.ServerRequest Trojan-PSW.Azorult.HTTP.C&C HEUR:Trojan-PSW.MSIL.Agensla.vho Trojan.MSIL.Inject.sb Trojan.Win32.Vimditator.sb Trojan.MSIL.Agent.sb PDM:Trojan.Win32.Generic HEUR:Trojan-PSW.MSIL.Agensla.pef Trojan.MSOffice.Ogneglazka.bu HEUR:Trojan-Downloader.MSIL.BaseLoader.gen Trojan.Win32.Agent.sb Trojan-PSW.Win32.Azorult.sb Trojan-Dropper.Win32.Injector.sb Trojan-Downloader.MSIL.BaseLoader.sb Backdoor.Win32.Androm.sb
Link:
https://opentip.kaspersky.com/c6c2dffdc7a7e00a8f726f1603b0001ae7244a5fc9db0e3064eab684c19f6b77/results?tab=lookup
Malware family:
AZORult
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4a35d95e-6143-484f-af91-be5cd21c94d9
Result
Threat name:
Azorult
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1933298
Signature
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
Adds extensions / path to Windows Defender exclusion list (Registry)
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Disables Windows Defender Tamper protection
Drops PE files to the startup folder
Found malware configuration
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell adding suspicious path to exclusion list
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suricata IDS alerts for network traffic
Unusual module load detection (module proxying)
Yara detected Azorult
Yara detected Azorult Info Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1933298 Sample: 1km7iopBnN.exe Startdate: 24/06/2026 Architecture: WINDOWS Score: 100 63 pastebin.com 2->63 65 somrapum.mywebcommunity.org 2->65 73 Suricata IDS alerts for network traffic 2->73 75 Found malware configuration 2->75 77 Malicious sample detected (through community Yara rule) 2->77 81 12 other signatures 2->81 8 1km7iopBnN.exe 24 7 2->8         started        13 1km7iopBnN.exe 2->13         started        15 1km7iopBnN.exe 2->15         started        17 4 other processes 2->17 signatures3 79 Connects to a pastebin service (likely for C&C) 63->79 process4 dnsIp5 67 pastebin.com 104.20.29.150, 443, 49690, 49700 CLOUDFLARENET-CloudflareIncUS Canada 8->67 57 C:\Users\user\AppData\...\1km7iopBnN.exe, PE32 8->57 dropped 59 C:\Users\...\1km7iopBnN.exe:Zone.Identifier, ASCII 8->59 dropped 61 C:\Users\user\AppData\...\1km7iopBnN.exe.log, ASCII 8->61 dropped 85 Creates an undocumented autostart registry key 8->85 87 Drops PE files to the startup folder 8->87 89 Adds extensions / path to Windows Defender exclusion list (Registry) 8->89 97 2 other signatures 8->97 19 powershell.exe 23 8->19         started        22 powershell.exe 23 8->22         started        24 powershell.exe 23 8->24         started        30 2 other processes 8->30 91 Adds a directory exclusion to Windows Defender 13->91 26 powershell.exe 13->26         started        28 powershell.exe 13->28         started        33 5 other processes 13->33 35 5 other processes 15->35 69 127.0.0.1 unknown unknown 17->69 93 Creates autostart registry keys with suspicious names 17->93 95 Creates multiple autostart registry keys 17->95 37 16 other processes 17->37 file6 signatures7 process8 dnsIp9 83 Loading BitLocker PowerShell Module 19->83 39 conhost.exe 19->39         started        41 conhost.exe 22->41         started        43 conhost.exe 24->43         started        45 conhost.exe 26->45         started        47 conhost.exe 28->47         started        71 somrapum.mywebcommunity.org 185.176.43.80, 49691, 49707, 49709 ZETTA-ASBG Bulgaria 30->71 49 conhost.exe 30->49         started        51 2 other processes 33->51 53 4 other processes 35->53 55 12 other processes 37->55 signatures10 process11
Score:
81%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/c6c2dffdc7a7e00a8f726f1603b0001ae7244a5fc9db0e3064eab684c19f6b77
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c6c2dffdc7a7e00a8f726f1603b0001ae7244a5fc9db0e3064eab684c19f6b77/
Verdict:
Malicious
Threat:
Family.AZORULT
Link:
https://tip.neiki.dev/file/c6c2dffdc7a7e00a8f726f1603b0001ae7244a5fc9db0e3064eab684c19f6b77
Threat name:
Win32.Infostealer.Generic
Create hunting rule
Status:
Suspicious
First seen:
2026-06-20 06:12:00 UTC
File Type:
PE (.Net Exe)
AV detection:
26 of 36 (72.22%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=y3bn77ohu7qavd3sn4lahmaadltsiss7zhnq4mde5k3ijqm7nn3q._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
Similar samples:
473bfba1685fe3047cc582f18e36120c1b55449363834dbafcce003a89e5864c
AZORult
496eee9f60b594a19b4c773b94b9c18f9863339f51280f1c90a799769eb24de0
AZORult
5705f860865c9fd9eb6a5609d3ea183b201e72fa45db0b06be00a4a6f665f82a
AZORult
83ed44db03acc4abfb655a211c01e03c56bab2a016e603de64aeeb0bca8a77ca
AZORult
a3161c883a81cbe903b259ded89c4ff0130806583188a34b93bdaf2116a33e9e
AZORult
error
AZORult
+ 1'152 additional samples on MalwareBazaar
Result
Malware family:
azorult
Create hunting rule
Score:
  10/10
Tags:
family:azorult adware defense_evasion discovery evasion execution infostealer persistence ransomware spyware trojan
Link:
https://tria.ge/reports/260624-tthwbadw9q/
Behaviour
Checks SCSI registry key(s)
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Contacts third-party web service commonly abused for C2
Enumerates connected drives
Checks computer location settings
Drops startup file
Windows security modification
Boot or Logon Autostart Execution: Active Setup
Command and Scripting Interpreter: PowerShell
Family: Azorult
Modifies WinLogon for persistence
Modifies Windows Defender Real-time Protection settings
Modifies Windows Defender TamperProtection settings
Turns off Windows Defender SpyNet reporting
Windows security bypass
Malware Config
C2 Extraction:
http://somrapum.mywebcommunity.org/index.php
Unpacked files
SH256 hash:
c6c2dffdc7a7e00a8f726f1603b0001ae7244a5fc9db0e3064eab684c19f6b77
MD5 hash:
226dc0a0f19f82bc6e4f08d7ebcfc9ad
SHA1 hash:
e19037fba59f57e964fa6467db08ca373623eb6b
Link:
https://www.unpac.me/results/625c8370-a3f1-4016-85bd-faef42cf5fd2/
SH256 hash:
06bd82580db928403489f55450c602d0f3b53191b48359d6dd0796830a8dfc41
MD5 hash:
07f30617a04ce91f5e958bee01015b6b
SHA1 hash:
08c4f5ee36ed38f379f3bbc27e623b5c547d53de
Link:
https://www.unpac.me/results/625c8370-a3f1-4016-85bd-faef42cf5fd2/
SH256 hash:
06bd82580db928403489f55450c602d0f3b53191b48359d6dd0796830a8dfc41
MD5 hash:
07f30617a04ce91f5e958bee01015b6b
SHA1 hash:
08c4f5ee36ed38f379f3bbc27e623b5c547d53de
Link:
https://www.unpac.me/results/625c8370-a3f1-4016-85bd-faef42cf5fd2/
SH256 hash:
740c5cc2d0f78309d8fc8949ecdd01737bca50c3e2c273f852d8e8fda2c582ac
MD5 hash:
e8b300200d3664f0ef42897f95608373
SHA1 hash:
e9f39e121b7afb44865fb599cc87553274d5c8a6
Detections:
win_azorult_g1
Create hunting rule
Azorult
Create hunting rule
win_azorult_g1
Create hunting rule
Azorult
Create hunting rule
Link:
https://www.unpac.me/results/625c8370-a3f1-4016-85bd-faef42cf5fd2/
SH256 hash:
740c5cc2d0f78309d8fc8949ecdd01737bca50c3e2c273f852d8e8fda2c582ac
MD5 hash:
e8b300200d3664f0ef42897f95608373
SHA1 hash:
e9f39e121b7afb44865fb599cc87553274d5c8a6
Detections:
win_azorult_g1
Create hunting rule
Azorult
Create hunting rule
win_azorult_g1
Create hunting rule
Azorult
Create hunting rule
Link:
https://www.unpac.me/results/625c8370-a3f1-4016-85bd-faef42cf5fd2/
Malware family:
AZORult.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c6c2dffdc7a7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c6c2dffdc7a7e00a8f726f1603b0001ae7244a5fc9db0e3064eab684c19f6b77

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/71866/

Comments