MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d0b7a458e09fd14ae8476200bd5acf2fc93ea0e2fea357079a88df80e720c23d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AZORult


Vendor detections: 11



SHA256 hash: d0b7a458e09fd14ae8476200bd5acf2fc93ea0e2fea357079a88df80e720c23d
SHA3-384 hash: 27df364a3882c167fa8447198fec1a7d732dfe121026b6ce197f1a49f6bc5dc4d08746757c6a705caf350d4e5b72e775
SHA1 hash: d6082fcfcfa6e7f1d719c2c02a3e761e46d48004
MD5 hash: 020824e5aa9ecb744b1b94bd855a8f3a
humanhash: magazine-skylark-red-lake
File name: 020824e5aa9ecb744b1b94bd855a8f3a.exe
Signature: AZORult
File size: 1'306'112 bytes
First seen: 2021-08-19 06:00:56 UTC
Last seen: 2021-08-19 07:20:27 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep: 24576:o8oQcipzX0UCT88jNiyBHBhwCU2RUclLlsHD6tn4883JJRYI+fS3La:o8oQcipzX0UL8xHrhlUEUclLCD6tn4d9
Threatray: 2'445 similar samples on MalwareBazaar
TLSH: T1685523E473A0B913F95E0D71BC4C8EE349E6BC1834BA9D709E13C66FA981B58564128F
dhash icon: cc33a86955c403c4 (3 x AZORult, 2 x AsyncRAT, 1 x RaccoonStealer)
Reporter: abuse_ch
Tags: AZORult exe


Comment by abuse_ch:
AZORult C2:
http://185.53.46.33/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox reference
http://185.53.46.33/ | https://threatfox.abuse.ch/ioc/192020/
http://gordons.ac.ug/index.php | https://threatfox.abuse.ch/ioc/192194/

Intelligence


File Origin
# of uploads: 2
# of downloads: 272
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 020824e5aa9ecb744b1b94bd855a8f3a.exe
Verdict: Malicious activity
Analysis date: 2021-08-19 06:02:15 UTC
Tags: trojan stealer raccoon loader rat azorult vidar

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Connection attempt to an infection source
Connection attempt
Sending an HTTP POST request
Sending an HTTP GET request
Deleting a recently created file
Reading critical registry keys
Delayed reading of the file
Running batch commands
Launching a process
Creating a process with a hidden window
Replacing files
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Query of malicious DNS domain
Sending a TCP request to an infection source
Stealing user critical data
Sending an HTTP POST request to an infection source
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Raccoon Stealer
Verdict: Malicious
Result
Threat name: Azorult Raccoon
Detection: malicious
Classification: phis.troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected Azorult
Yara detected Azorult Info Stealer
Yara detected Raccoon Stealer
Behaviour
Behavior Graph (ID: 467956; sample: 39tRfmC1u6.exe; start date: 19/08/2021; architecture: WINDOWS; score: 100). The rendered graph image is not recoverable; the process tree, dropped files, network contacts and signatures it encoded are listed below, with the graph's node numbers in brackets.

Start node [2]
  DNS lookups: prda.aadg.msidentity.com; hsagoi.ac.ug; clientconfig.passport.net
  Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 9 other signatures
  Starts: 39tRfmC1u6.exe [10]

39tRfmC1u6.exe [10]
  Dropped: Leoiinwzyjvulnfehm...vbaconsoleapp13.exe (PE32); C:\Users\user\AppData\...\39tRfmC1u6.exe (PE32); C:\Users\user\...\Fnpgaloxjuodppdmbufkms.vbs (ASCII); 2 other malicious files
  Signatures: Writes to foreign memory regions; Injects a PE file into a foreign processes
  Starts: wscript.exe [14]; 39tRfmC1u6.exe [17]

wscript.exe [14]
  Network: 192.168.2.1 (ASN and country unknown)
  Starts: Leoiinwzyjvulnfehmmmztvbaconsoleapp13.exe [21]

39tRfmC1u6.exe [17]
  Network: 185.53.46.33, ports 49704, 80 (STNB-ASDE, Germany); telete.in 195.201.225.248, ports 443, 49703 (HETZNER-ASDE, Germany)
  Dropped: C:\Users\user\AppData\LocalLow\sqlite3.dll (PE32); C:\Users\user\AppData\...\vcruntime140.dll (PE32); C:\Users\user\AppData\...\ucrtbase.dll (PE32); 56 other files (none is malicious)
  Signatures: Tries to steal Mail credentials (via file access)

Leoiinwzyjvulnfehmmmztvbaconsoleapp13.exe [21]
  Dropped: C:\...\Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe (PE32)
  Signatures: Injects a PE file into a foreign processes
  Starts: Leoiinwzyjvulnfehmmmztvbaconsoleapp13.exe [25]; wscript.exe [30]

Leoiinwzyjvulnfehmmmztvbaconsoleapp13.exe [25]
  Network: gordons.ac.ug 185.215.113.77, ports 49706, 49713, 49715 (WHOLESALECONNECTIONSNL, Portugal)
  Dropped: C:\Users\user\AppData\...\vcruntime140.dll (PE32); C:\Users\user\AppData\Local\...\ucrtbase.dll (PE32); C:\Users\user\AppData\Local\...\softokn3.dll (PE32); 45 other files (none is malicious)
  Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file access); 4 other signatures

wscript.exe [30]
  Starts: Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe [32]

Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe [32]
  Signatures: Injects a PE file into a foreign processes
Result
Malware family: raccoon
Score: 10/10
Tags: family:azorult family:oski family:raccoon botnet:c81fb6015c832710f869f6911e1aec18747e0184 discovery infostealer spyware stealer trojan
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Azorult
Oski
Raccoon
Malware Config
C2 Extraction:
http://195.245.112.115/index.php
hsagoi.ac.ug
Unpacked files
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Author: ditekSHen
Description: Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name: pe_imphash
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
Rule name: win_raccoon_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.raccoon.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: AZORult
File: Executable exe d0b7a458e09fd14ae8476200bd5acf2fc93ea0e2fea357079a88df80e720c23d (this sample)
