MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c881770186468637dd024971988c9147593f437833e767e6ca252be27b7ca82b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AZORult

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	c881770186468637dd024971988c9147593f437833e767e6ca252be27b7ca82b
SHA3-384 hash:	6b6f6b077757515aafa3a0b429b6f8702bd3362697ac16637335aeddc77fd0c1ab5c0129c47536c2969ce734432ee1e5
SHA1 hash:	63ee07859ba27b4440422450ab5716903347321a
MD5 hash:	312062576b8c6ce5e204e37f5745bd52
humanhash:	foxtrot-charlie-arizona-ohio
File name:	RECEIPT_pdf.rar
Download:	download sample
Signature	AZORult Create hunting rule
File size:	3'879 bytes
First seen:	2021-08-05 05:45:31 UTC
Last seen:	Never
File type:	rar
MIME type:	application/x-rar
ssdeep	96:ZSiJrNZn3gvm2YH9Jox9DE59/iIZ0RS9fuK/48NT1F:Z/nQeXH9JojEr0RQxNf
TLSH	T1F8817C64D9C3C21251180CE3962A1FED7CC32B45ADA01CDF34B3F2880ABC997DB9620E
Reporter	cocaman
Tags:	AZORult DHL rar

cocaman

Malicious email (T1566.001)
From: "DHL Express <consignments-notification@dhl.com>" (likely spoofed)
Received: "from vl23433.dns-privadas.es (vl23433.dns-privadas.es [81.21.70.244]) "
Date: "Wed, 04 Aug 2021 21:46:34 -0700"
Subject: "=?UTF-8?Q?DHL=E5=8D=95=E5=8F=B7__SHIPMENT_NOTIFICATION_FOR_INCOM?=
=?UTF-8?Q?ING__AIR_WAYBILL?="
Attachment: "RECEIPT_pdf.rar"

Intelligence

File Origin

# of uploads :

# of downloads :

504

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.27382.Rar5Heur.UNOFFICIAL

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c881770186468637dd024971988c9147593f437833e767e6ca252be27b7ca82b/

Threat name:

ByteCode-MSIL.Trojan.Generic

Status:

Suspicious

First seen:

2021-08-05 05:33:49 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

6 of 46 (13.04%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=zcaxoamgi2ddpxicjfyzrderi5mt6q3ygptwpzwkeuv6e634vavq._file

Result

Malware family:

azorult

Score:

10/10

Tags:

family:azorult infostealer spyware stealer suricata trojan

Link:

https://tria.ge/reports/210805-mssex9e9gx/

Behaviour

Checks processor information in registry

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Loads dropped DLL

Reads local data of messenger clients

Downloads MZ/PE file

Executes dropped EXE

Azorult

suricata: ET MALWARE AZORult v3.3 Server Response M2

suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M18

suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M3

Malware Config

C2 Extraction:

http://37.0.10.99/PL341/index.php

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/c881770186468637dd024971988c9147593f437833e767e6ca252be27b7ca82b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AZORult

rar c881770186468637dd024971988c9147593f437833e767e6ca252be27b7ca82b

(this sample)

AZORult

exe 57f0ed548834dae8947ee1e4ef77b1780cf929af0aa406dcf2b4e06298607809

Delivery method

Distributed via e-mail attachment

Dropping

SHA256 57f0ed548834dae8947ee1e4ef77b1780cf929af0aa406dcf2b4e06298607809

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample