MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 17


Intelligence 17 IOCs YARA 26 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad
SHA3-384 hash: 50880bfc8ad450e39f476690b9536266250ec0c498b8ff406e9a21d57e3d3cd4436b0e3edc3480c5cbc8b532c1897d3a
SHA1 hash: 650de5fc16a287c7801742ec92a2cc1ae7fcf4e8
MD5 hash: 8816d5e592685626fbbfdb1b1b309d79
humanhash: sad-maine-virginia-asparagus
File name:IMG_1005752333.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:225'064 bytes
First seen:2024-06-04 11:21:57 UTC
Last seen:2024-06-04 12:31:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 3072:8OJNjggfyKg0KggLV0FOhJirBwtHwwEJx5Ehl/Qs7GzrlKFHZWazC3ayZyn+q/wD:5H10CtAbe
Threatray 2'882 similar samples on MalwareBazaar
TLSH T1EE2452E1B2A5C8DFE8A551B09C8AF85031926DAD9461561F30D77F2EA8B3353106BB0F
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 79e0c4ccccc4c4c0 (11 x Loki, 4 x AgentTesla, 3 x SnakeKeylogger)
Reporter lowmal3
Tags:AZORult exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
358
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe
Verdict:
Malicious activity
Analysis date:
2024-06-04 11:24:27 UTC
Tags:
payload
Link:
https://app.any.run/tasks/dae95f28-6ae0-49bf-9604-e0096d6c2642

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.RansomX-gen.29140.296.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
95.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=665f03b1ab69e84d6a2f5bfewin7simulatehigh_evasion
Tags:
Encryption Network Static Stealth Msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Connection attempt
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a process with a hidden window
Searching for synchronization primitives
Creating a file in the %AppData% directory
Creating a file
Launching the default Windows debugger (dwwin.exe)
DNS request
Sending an HTTP POST request
Reading critical registry keys
Searching for the window
Running batch commands
Launching a process
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
90%
Tags:
obfuscated overlay packed packed smartassembly smart_assembly
Link:
https://www.filescan.io/uploads/665ef8de0bf5978c0b0c0a33/reports/68d2b481-1997-43d4-829d-1565171540ae/overview
Verdict:
Malicious
Labled as:
Ransom.Loki.Generic
Link:
https://www.hybrid-analysis.com/sample/d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AZORult
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ff6ba28b-fc95-4977-a2a3-dd5445242c08
Result
Threat name:
Azorult, PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1451665
Signature
.NET source code contains potential unpacker
.NET source code contains process injector
.NET source code references suspicious native API functions
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus detection for URL or domain
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates autostart registry keys with suspicious names
Found many strings related to Crypto-Wallets (likely being stolen)
Found suspicious powershell code related to unpacking or dynamic code loading
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential WinAPI Calls Via CommandLine
Snort IDS alert for network traffic
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Very long command line found
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Azorult
Yara detected Azorult Info Stealer
Yara detected Costura Assembly Loader
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1451665 Sample: IMG_1005752333.exe Startdate: 04/06/2024 Architecture: WINDOWS Score: 100 60 hqt3.shop 2->60 82 Snort IDS alert for network traffic 2->82 84 Malicious sample detected (through community Yara rule) 2->84 86 Antivirus detection for URL or domain 2->86 88 21 other signatures 2->88 9 IMG_1005752333.exe 16 9 2->9         started        14 powershell.exe 2 15 2->14         started        signatures3 process4 dnsIp5 62 103.20.235.174, 49707, 49714, 49716 OVERTHEWIRE-AS-APOverTheWirePtyLtdAU Australia 9->62 50 C:\Users\user\AppData\Roaming\$77Ygoev.exe, PE32 9->50 dropped 52 C:\Users\user\AppData\Local\Temp\$777d7268, PE32 9->52 dropped 54 C:\Users\user\AppData\Local\Temp\$7704dac6, PE32 9->54 dropped 56 3 other malicious files 9->56 dropped 90 Found many strings related to Crypto-Wallets (likely being stolen) 9->90 92 Creates autostart registry keys with suspicious names 9->92 94 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 9->94 102 2 other signatures 9->102 16 $7704dac6 63 9->16         started        21 $777d7268 1 9->21         started        96 Writes to foreign memory regions 14->96 98 Modifies the context of a thread in another process (thread injection) 14->98 100 Found suspicious powershell code related to unpacking or dynamic code loading 14->100 23 dllhost.exe 1 14->23         started        25 conhost.exe 14->25         started        file6 signatures7 process8 dnsIp9 58 hqt3.shop 111.90.143.196, 49715, 80 SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY Malaysia 16->58 42 C:\Users\user\AppData\Local\...\softokn3.dll, PE32 16->42 dropped 44 C:\Users\user\AppData\Local\...\nssdbm3.dll, PE32 16->44 dropped 46 C:\Users\user\AppData\Local\Temp\...\nss3.dll, PE32 16->46 dropped 48 45 other files (2 malicious) 16->48 dropped 64 Multi AV Scanner detection for dropped file 16->64 66 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 16->66 68 Tries to steal Instant Messenger accounts or passwords 16->68 78 6 other signatures 16->78 27 cmd.exe 1 16->27         started        70 Machine Learning detection for dropped file 21->70 72 Injects code into the Windows Explorer (explorer.exe) 23->72 74 Contains functionality to inject code into remote processes 23->74 76 Writes to foreign memory regions 23->76 80 3 other signatures 23->80 29 lsass.exe 23->29 injected 32 $77Ygoev.exe 23->32         started        34 winlogon.exe 23->34 injected 36 18 other processes 23->36 file10 signatures11 process12 signatures13 38 conhost.exe 27->38         started        40 timeout.exe 1 27->40         started        104 Writes to foreign memory regions 29->104 106 Multi AV Scanner detection for dropped file 32->106 process14
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad/
Threat name:
Win32.Spyware.Azorult
Create hunting rule
Status:
Malicious
First seen:
2024-06-04 09:54:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
29
AV detection:
19 of 38 (50.00%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2gbsrbv5gg7xckp324ebepazxpddhzgbfppcv75lx5usg3zyv6wq._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
Similar samples:
217fbf967c95d1359314fcd53ae8d04489eb3c7bdc1f22110d5a8a476d1fc92e
AZORult
21e52228ab12f2795a0413d2c07bf1f309bdbf6a85aa8cb1333f5b792163448d
AZORult
9c4b7f8a8732beb18b38ad4a4a853727cfb3da38666b45c4051c76801536bf22
AZORult
b18796fe4a4cf8e20e1a54ec3773c819533cb15a545093d1c6e19ce14efaa93d
AZORult
bfc1cdded42adb884fb46ba53e2f023d0c27d46cf8645614094f5714ebbfb9a8
AZORult
cd28fdc0ba5ed24ae7ef0916f835cb8eacaffe2f339da2081edf1de791223ec9
AZORult
+ 2'872 additional samples on MalwareBazaar
Result
Malware family:
azorult
Create hunting rule
Score:
  10/10
Tags:
family:azorult collection discovery infostealer persistence spyware stealer trojan
Link:
https://tria.ge/reports/240604-ngjn7aeh77/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Azorult
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
http://hqt3.shop/DBL841/index.php
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/167029ce-ced7-42e7-b90a-8aad03261ff1
Unpacked files
SH256 hash:
d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad
MD5 hash:
8816d5e592685626fbbfdb1b1b309d79
SHA1 hash:
650de5fc16a287c7801742ec92a2cc1ae7fcf4e8
Detections:
PureCrypter_Stage1
Create hunting rule
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/bcc917b3-5ce3-4d25-899d-a7867839da5a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Azorult
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:Azorult
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Azorult in memory
Reference:internal research
Rule name:BobSoftMiniDelphiBoBBobSoft
Create hunting rule
Author:malware-lu
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:CAS_Malware_Hunting
Create hunting rule
Author:Michael Reinprecht
Description:DEMO CAS YARA Rules for sample2.exe
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:malware_Azorult
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Azorult in memory
Reference:internal research
Rule name:MALWARE_Win_R77
Create hunting rule
Author:ditekSHen
Description:Detects r77 rootkit
Rule name:meth_peb_parsing
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Trojan_W32_Gh0stMiancha_1_0_0
Create hunting rule
Rule name:Windows_Rootkit_R77_d0367e28
Create hunting rule
Author:Elastic Security
Reference:https://www.elastic.co/security-labs/elastic-security-labs-steps-through-the-r77-rootkit
Rule name:Windows_Trojan_Azorult_38fce9ea
Create hunting rule
Author:Elastic Security
Rule name:win_azorult_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.azorult.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AZORult

Executable exe d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments