MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c8dda41b34e9b16da333bfa30653a6f46be67c657158ecfd2c0463903b01e54d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AZORult

Vendor detections: 7



SHA256 hash: c8dda41b34e9b16da333bfa30653a6f46be67c657158ecfd2c0463903b01e54d
SHA3-384 hash: b2061c0264932e869bbca6b345b70685ade82896c44d8deb967b760787a5bf840968ca8299d0b2d48375366b419af33c
SHA1 hash: 119a9cd7907658400441708282ad58fb42c7ffec
MD5 hash: 7163db70565abe42159c2389c6075fcb
humanhash: papa-minnesota-paris-floor
File name: Price inquiry,pdf.scr
Download: download sample
Signature AZORult
File size: 663'896 bytes
First seen: 2020-08-18 12:54:15 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 1d3807efc70a0a5a6d2ab497250e9cb5 (4 x RemcosRAT, 1 x AZORult, 1 x AveMariaRAT)
ssdeep 12288:7m/ZNPa2c/PWwuUDKcoEwWLC2W2nKjdkOdqY55w/aPXjlBeh0niI:7m/TyzPWwuUDpoEwECcKpkON/hno0B
Threatray 325 similar samples on MalwareBazaar
TLSH 63E49E62E6804837C0531578AC0B9FE9D937AF113B98AC476BE63E0C5F397D17A29097
Reporter abuse_ch
Tags: AZORult geo Halkbank scr TUR


abuse_ch
Malspam distributing unidentified malware:

HELO: halkbank.com.tr
Sending IP: 185.222.58.113
From: Sasco Purchase - Liaqat <ekstre@halkbank.com.tr>
Subject: Urgent -- Price inquiry
Attachment: Price inquiry,pdf.001 (contains "Price inquiry,pdf.scr")

Intelligence

File Origin
# of uploads: 1
# of downloads: 256
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Running batch commands
Creating a process with a hidden window
Sending an HTTP POST request
Creating a file in the %temp% subdirectories
Deleting a recently created file
Reading critical registry keys
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Unauthorized injection to a system process
Threat name: Win32.Spyware.Agensla
Status: Malicious
First seen: 2020-08-18 12:56:10 UTC
AV detection: 23 of 28 (82.14%)
Threat level: 2/5
Result
Malware family: azorult
Score: 10/10
Tags: spyware trojan infostealer family:azorult
Behaviour
Checks processor information in registry
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
JavaScript code in executable
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Azorult
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
AZORult
Executable exe c8dda41b34e9b16da333bfa30653a6f46be67c657158ecfd2c0463903b01e54d (this sample)

Delivery method: Distributed via e-mail attachment

Comments