MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 caf1aeb2835afd01b7ddc5218ab7b3bfeae4c21dffc0c37111fe3238228791ea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AZORult


Vendor detections: 11



SHA256 hash: caf1aeb2835afd01b7ddc5218ab7b3bfeae4c21dffc0c37111fe3238228791ea
SHA3-384 hash: 8bba6ac67b3c0afdfba6c59ab249da364f42d718699e0426803a79af6e932ea005948322ab8adf93ec69ba9d6d9efcb9
SHA1 hash: 67de77276772fa812d25dcf30518178f4ab8b28c
MD5 hash: 4294e8f4beb04035a9427305e0a98ea0
humanhash: alanine-salami-helium-eight
File name: Dekont.pdf.exe
Signature: AZORult
File size: 937'984 bytes
First seen: 2020-10-12 19:23:38 UTC
Last seen: 2020-10-12 20:24:18 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep: 6144:a15i+5/lz7DRokeo8ZfpzsNm+YWf8Q51T0JBS0tV5NeURVh4Zce9Rgz+gKESusKW:+/lN1gGd6aWVC9++gKLio69
Threatray: 311 similar samples on MalwareBazaar
TLSH: D015714AABA847D1C9F4F3FB2BA5722823E2FCF71750D60D1F0A79A519730E1598D206
Reporter: abuse_ch
Tags: AZORult exe geo Halkbank TUR


abuse_ch
Malspam distributing AZORult:

HELO: server.gmdsa.us
Sending IP: 31.214.245.90
From: Halkbank Internet Subesi <internet.subesi@halkbank.com.tr>
Subject: 12.10.2020 TARİHLİ DEKONT
Attachment: Dekont.pdf.img (contains "Dekont.pdf.exe")

AZORult C2:
http://pilsans.com/mxnjs/index.php

Intelligence


File Origin
# of uploads: 2
# of downloads: 212
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Behaviour
Sending a UDP request
Creating a window
Running batch commands
Creating a process with a hidden window
Creating a file
Launching cmd.exe command interpreter
Creating a process from a recently created file
Launching a process
DNS request
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Threat name: AZORult
Detection: malicious
Classification: spyw.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected AZORult Info Stealer
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Yara detected Azorult
Yara detected Azorult Info Stealer
Behaviour
Behavior Graph (ID 296898, sample Dekont.pdf.exe, start date 12/10/2020, architecture WINDOWS, score 100)
Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 9 other signatures
Process tree recovered from the graph:
Dekont.pdf.exe (started)
    dropped: C:\Users\user\AppData\...\Dekont.pdf.exe.log (ASCII)
    signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
    cmd.exe (started)
        set.exe (started)
            signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 4 other signatures
            mscorsvw.exe (started)
                signature: Detected AZORult Info Stealer
                WerFault.exe (started)
                    network: 192.168.2.1 unknown unknown
        conhost.exe (started)
    cmd.exe (started)
        dropped: C:\Users\user\Desktop\set.exe (PE32)
        conhost.exe (started)
set.exe (started)
    signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
    mscorsvw.exe (started)
        DNS: pilsans.com
Threat name: ByteCode-MSIL.Infostealer.Stimilina
Status: Malicious
First seen: 2020-10-12 15:44:29 UTC
AV detection: 22 of 29 (75.86%)
Threat level: 5/5
Result
Malware family: azorult
Score: 10/10
Tags: trojan infostealer family:azorult
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Program crash
Suspicious use of SetThreadContext
Drops startup file
Loads dropped DLL
Executes dropped EXE
Azorult
Malware Config
C2 Extraction: http://pilsans.com/mxnjs/index.php
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: Steam_stealer_bin_mem
Author: James_inthe_box
Description: Steam in files like avemaria
Rule name: Telegram_stealer_bin_mem
Author: James_inthe_box
Description: Telegram in files like avemaria
Rule name: Trojan_W32_Gh0stMiancha_1_0_0
Rule name: win_azorult_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator
Rule name: win_azorult_g1
Author: Slavo Greminger, SWITCH-CERT

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Signature: AZORult
Sample: Executable exe caf1aeb2835afd01b7ddc5218ab7b3bfeae4c21dffc0c37111fe3238228791ea (this sample)
Delivery method: Distributed via e-mail attachment

Comments