MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cff2f4cae0440ebd4c4e57589210b0198dc604006e0fb70c127add914c5be655. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cff2f4cae0440ebd4c4e57589210b0198dc604006e0fb70c127add914c5be655
SHA3-384 hash: 304a16f8bce2349da58b15571778fd3925bfeea3cd546eb17e8a1fabb7e90e5774c0aaad6a9055c070036d0902f82ccd
SHA1 hash: d635393d6ab24c920b5a08268c9884a9dfb5c970
MD5 hash: ddb1b11c0fe88c29507f637ce5d5ad0c
humanhash: berlin-chicken-muppet-magnesium
File name:Pfanner_106888964.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:282'116 bytes
First seen:2021-07-29 13:34:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d51f4756e17d2e0cb52cc870ed396809 (2 x Loki, 2 x AZORult, 1 x AgentTesla)
ssdeep 6144:B7AEzX1MCI7ThkXJ191agec4dSH+EnKeR2Xu:BjMD7TiXraMmSH+bXu
Threatray 2'073 similar samples on MalwareBazaar
TLSH T1B354F19F81D4C515E532BE7559B3A2C8432E7E2B8D69B05F42D73790C871AA2FCF120A
dhash icon 981c2c1c98e9ec92 (1 x AZORult)
Reporter James_inthe_box
Tags:AZORult exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
207
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Pfanner_106888964.exe
Verdict:
Malicious activity
Analysis date:
2021-07-29 13:38:15 UTC
Tags:
trojan rat azorult stealer
Link:
https://app.any.run/tasks/9cf97a4f-d671-49a1-b576-a0cf78f06e3e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/175037/
Detection(s):
Win.Trojan.Filerepmalware-9882244-0
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AZORult
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/71acf4c7-14a8-40f8-b0f7-9de0e1ff79c0
Result
Threat name:
Azorult
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/823850
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Yara detected Azorult
Yara detected Azorult Info Stealer
Behaviour
Behavior Graph:
Download SVG
Gathering data
Threat name:
Win32.Trojan.MoksSteal
Create hunting rule
Status:
Malicious
First seen:
2021-07-29 03:02:34 UTC
File Type:
PE (Exe)
Extracted files:
11
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=z7zpjsxaiqhl2tcok5mjeefqdgg4mbaanyh3odasplozctc34zkq._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
Similar samples:
120fcd098c502894515feb3814bd6edc34ceb13648dcfae2a22c4f4e2166ace2
AZORult
462f4e639cead04d64436b603d4e0a62816fcaa0b03c6390d6f2c6ff366da6c7
AZORult
62bcad1a08b9645f0b2bd969e31e3beda41ce828387eb60ce07b0749deee4c59
AZORult
65d873e82fc6d0e63a224589cdee5551f2d98c313e19adbc9799ef17ae493a8f
AZORult
6707f8585bc86cee81fa957414be0bcfc707b1786d372b057de4cc0f30d2af08
AZORult
8d706a559621c1ec74e346061820da982e2740ca365f152660cc302162073504
AZORult
96ef205b273f3f89847c788c9b63797a5fcf899c4b25106f7a21ab57311e4c2a
AZORult
d3ba82618b3527724f29e835c333807e9d72e51839990c6e95e072825cf99150
AZORult
ec61c46fdd4c22a18e41331c3b4553e385c6229b2d37c5ae4050b10e0cc27572
AZORult
+ 2'063 additional samples on MalwareBazaar
Result
Malware family:
azorult
Create hunting rule
Score:
  10/10
Tags:
family:azorult discovery infostealer spyware stealer suricata trojan
Link:
https://tria.ge/reports/210729-32xm6rp9sn/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Azorult
suricata: ET MALWARE AZORult v3.3 Server Response M2
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M16
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M3
Malware Config
C2 Extraction:
http://203.159.80.182/index.php
Unpacked files
SH256 hash:
23e89b5b1afb58672d7c73f7e426c38a2f38e2bf5876bdd2cd3cfebe1d47e744
MD5 hash:
b2b21189c1b438ca1af67cd9eaabeba0
SHA1 hash:
d7f86caea91cac1931404ed315eb4f7d711fe4fb
Detections:
win_azorult_g1
Create hunting rule
win_azorult_auto
Create hunting rule
Link:
https://www.unpac.me/results/da1cc167-33f7-4777-80f0-69844508c185/
Parent samples :
cff2f4cae0440ebd4c4e57589210b0198dc604006e0fb70c127add914c5be655
c48be028ebc8c3168adaa7df28c47543872fda1f4ab507c9197ea295bf848e6b
SH256 hash:
cff2f4cae0440ebd4c4e57589210b0198dc604006e0fb70c127add914c5be655
MD5 hash:
ddb1b11c0fe88c29507f637ce5d5ad0c
SHA1 hash:
d635393d6ab24c920b5a08268c9884a9dfb5c970
Link:
https://www.unpac.me/results/da1cc167-33f7-4777-80f0-69844508c185/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cff2f4cae0440ebd4c4e57589210b0198dc604006e0fb70c127add914c5be655

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/175037/

Comments