MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ccd5ab291113bf69fcbccee8ab889c9cf5a0d0240feed43b73785497ace3c467. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 12


Intelligence 12 IOCs 2 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ccd5ab291113bf69fcbccee8ab889c9cf5a0d0240feed43b73785497ace3c467
SHA3-384 hash: ac73cdf2369fdfdb478557bbe8973604b1d24e6b287dffd0d75caf290841fb7a2ef7017f0d6a5cd0be40a9cd837a9342
SHA1 hash: b64c49054f5c98211c6c44f48acc33f14eeb9838
MD5 hash: f0d14517fdc249bdd8f3bd53f8d9c341
humanhash: freddie-finch-pip-ceiling
File name:F0D14517FDC249BDD8F3BD53F8D9C341.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:4'329'472 bytes
First seen:2021-09-03 03:30:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ca357d1c9b605d95e9d31e67e1c53033 (6 x AZORult, 2 x RaccoonStealer, 1 x NetWire)
ssdeep 98304:yBla/SREsGrSQNFLlbSww3QHM/WvqcYvPjZ:yTzk3lbSwDHaWScYN
Threatray 6'280 similar samples on MalwareBazaar
TLSH T167165B236BAFCCCFD9DE5070EDADC279E080AD292657485E5AF18CCFB52160935C94B2
dhash icon 8e1763b29263078e (2 x AZORult)
Reporter abuse_ch
Tags:AZORult exe


Avatar
abuse_ch
AZORult C2:
http://5.181.156.221/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://5.181.156.221/ https://threatfox.abuse.ch/ioc/213378/
http://mazoyer.ac.ug/index.php https://threatfox.abuse.ch/ioc/213380/

Intelligence

File Origin
# of uploads :
1
# of downloads :
1'018
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
F0D14517FDC249BDD8F3BD53F8D9C341.exe
Verdict:
Malicious activity
Analysis date:
2021-09-03 03:33:40 UTC
Tags:
trojan stealer raccoon loader vidar rat azorult
Link:
https://app.any.run/tasks/267fe918-9611-4fda-b725-0b69b9a38ed0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Meteorite
Create hunting rule
Link:
https://www.capesandbox.com/analysis/184994/
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Sending a UDP request
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f202333d-d912-467e-9c02-aeb1e3ad8e57
Result
Threat name:
Azorult Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/844488
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to resolve many domain names, but no domain seems valid
Yara detected Azorult
Yara detected Azorult Info Stealer
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 476919 Sample: r6oYAy0fxf.exe Startdate: 03/09/2021 Architecture: WINDOWS Score: 100 48 mazooyaar.ac.ug 2->48 50 mazoyer.ac.ug 2->50 52 2 other IPs or domains 2->52 61 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->61 63 Found malware configuration 2->63 65 Malicious sample detected (through community Yara rule) 2->65 69 11 other signatures 2->69 10 r6oYAy0fxf.exe 15 2->10         started        signatures3 67 Tries to resolve many domain names, but no domain seems valid 48->67 process4 file5 46 C:\Users\user\AppData\Local\...\vctuacx.exe, PE32 10->46 dropped 81 Maps a DLL or memory area into another process 10->81 14 vctuacx.exe 4 10->14         started        17 r6oYAy0fxf.exe 2 10->17         started        signatures6 process7 signatures8 89 Antivirus detection for dropped file 14->89 91 Multi AV Scanner detection for dropped file 14->91 93 Performs DNS queries to domains with low reputation 14->93 95 2 other signatures 14->95 19 vctuacx.exe 23 14->19         started        process9 dnsIp10 54 wishamag.ac.ug 19->54 57 tuekisa.ac.ug 19->57 59 21 other IPs or domains 19->59 34 C:\Users\user\AppData\Local\...\Dropkxa.exe, PE32 19->34 dropped 36 C:\Users\user\AppData\Local\...\Dropakxa.exe, PE32 19->36 dropped 38 C:\Users\user\AppData\Local\...\ghjk[1].exe, PE32 19->38 dropped 40 C:\Users\user\AppData\Local\...\ghjkl[1].exe, PE32 19->40 dropped 23 Dropakxa.exe 7 19->23         started        27 Dropkxa.exe 2 19->27         started        file11 71 Tries to resolve many domain names, but no domain seems valid 57->71 signatures12 process13 file14 42 C:\Users\user\AppData\Local\Temp\vcxfse.exe, PE32 23->42 dropped 44 C:\Users\user\AppData\Local\Temp\cbvjns.exe, PE32 23->44 dropped 73 Antivirus detection for dropped file 23->73 75 Multi AV Scanner detection for dropped file 23->75 77 Machine Learning detection for dropped file 23->77 79 2 other signatures 23->79 29 vcxfse.exe 4 23->29         started        32 cbvjns.exe 4 23->32         started        signatures15 process16 signatures17 83 Antivirus detection for dropped file 29->83 85 Multi AV Scanner detection for dropped file 29->85 87 Machine Learning detection for dropped file 29->87
Detection:
azorult
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ccd5ab291113bf69fcbccee8ab889c9cf5a0d0240feed43b73785497ace3c467/
Threat name:
Win32.Trojan.Remcos
Create hunting rule
Status:
Malicious
First seen:
2021-08-29 01:30:48 UTC
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ztk2wkirco7wt7f4z3ukxce4tt22bubeb7xnio3tpbkjplhdyrtq._file
Verdict:
malicious
Similar samples:
7982b6446285ca06d96a1bc1e0ac8a2618123664173bff105d02e22bf617c757
AZORult
84a40405e621a10c9259ff45e052fab0789a6ff956eb95985a12d715d64e5b72
AZORult
9d4a0a8ffa11fc953750c07bd6997bcd23871fe277f65b4113e197b779aa24f0
AZORult
b594ae37dfb90a402bda0803680b455ababcc67e1add26f3c3f8f192d97dbe2a
AZORult
bd3cefcbb135df48caee6888747542a304c4706e24e93492c481201c556bf334
AZORult
d8eb6d3fe02a890173827c242182acd22aa699e4bbd918fd22b95c00aa3a6445
AZORult
fa40dc2c8055f953099d7d354ba97fbf3a5f3aa501ce95cb8cefa810b80ea5d4
AZORult
+ 6'270 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:azorult family:oski family:raccoon botnet:43aae292cfe6f58a13bd7111bdd7d5ded5b23ec3 discovery infostealer spyware stealer trojan
Link:
https://tria.ge/reports/210903-d23bxscaa5/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Azorult
Oski
Raccoon
Malware Config
C2 Extraction:
mazooyaar.ac.ug
http://195.245.112.115/index.php
Unpacked files
SH256 hash:
95b94a7a06b6cd5734013ef7ebb9f9cea6d04f7f467fffa203a09a8e6d5ff0d3
MD5 hash:
5acd21381d600765601be0e4e7b6597a
SHA1 hash:
879cec8513536dfb7a2b562e05893bbf0ef6f5ee
Link:
https://www.unpac.me/results/a78bb9bd-485b-4ef7-89d8-3c7a40ba912b/
SH256 hash:
cc19fe1d0e9498cf6d5fc35ac9cb54aa4e44e4d47fe9d1dc8d49b658898fbfc6
MD5 hash:
7ceb66cd5721d508a005cd402a8f0b72
SHA1 hash:
b07357d705c3dca97986d6e1d669fbe754ad2130
Link:
https://www.unpac.me/results/a78bb9bd-485b-4ef7-89d8-3c7a40ba912b/
SH256 hash:
10777f6e508a2e404021c7ade679d9df66efc69daabc5cd1f0bf8b2e9373673f
MD5 hash:
64a575b69259def48185c48dd03b36ad
SHA1 hash:
02f6c9f79859cb48aa194e5fcb7ba7baf83076bf
Link:
https://www.unpac.me/results/a78bb9bd-485b-4ef7-89d8-3c7a40ba912b/
SH256 hash:
5f6cd3b1bbbfcb2458d5b4811ba2995a828952619f1e5e91ee969b17b22ce9e7
MD5 hash:
bf3316d0be3721a19d5cc2036717997c
SHA1 hash:
613ddee728d6a2ccc9eee52263ff631baa084e9f
Link:
https://www.unpac.me/results/a78bb9bd-485b-4ef7-89d8-3c7a40ba912b/
SH256 hash:
18f5db85b3503d5c7849e5dbebbcc05ab5e59c14395c5f54e3db5bc70b2f3c52
MD5 hash:
d12127c74cdbf0ef6717b956c108be4b
SHA1 hash:
cb9b78c32b29629d051b0323f58d289c397f9a89
Link:
https://www.unpac.me/results/a78bb9bd-485b-4ef7-89d8-3c7a40ba912b/
SH256 hash:
ccd5ab291113bf69fcbccee8ab889c9cf5a0d0240feed43b73785497ace3c467
MD5 hash:
f0d14517fdc249bdd8f3bd53f8d9c341
SHA1 hash:
b64c49054f5c98211c6c44f48acc33f14eeb9838
Link:
https://www.unpac.me/results/a78bb9bd-485b-4ef7-89d8-3c7a40ba912b/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/ccd5ab291113/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ccd5ab291113bf69fcbccee8ab889c9cf5a0d0240feed43b73785497ace3c467

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_Meteorite
Create hunting rule
Author:ditekSHen
Description:Detects Meteorite downloader

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/184994/

Comments