MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d35d564e13ff46a6d1bf48bb7890b2c25586b0201f955847ee314ef8996e54a8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AZORult
Vendor detections: 9

SHA256 hash: d35d564e13ff46a6d1bf48bb7890b2c25586b0201f955847ee314ef8996e54a8
SHA3-384 hash: 4dfaa6c5066dc2b6ca072645bc8de7d5064186b07b8dfa4247b92109035084ea656021dc6c0118fba58cd0fb76998d23
SHA1 hash: 223755d47f77480e3f1d23b417a7d50a7d4e03ba
MD5 hash: dc442cd9fca1a3be7a89cf8321b575a6
humanhash: nevada-angel-summer-illinois
File name: 6917926pdf.vbs
Signature: AZORult
File size: 2'702 bytes
First seen: 2022-03-24 23:01:58 UTC
Last seen: Never
File type: Visual Basic Script (vbs)
MIME type: text/plain
ssdeep: 48:oYlbr0p8+l9y6IaICBkSHDMJF1rSN0jWV+mtpIwXQkA0BdB:61l9Z1hBcJF1rSNvomz1AU
TLSH: T18851ED5EB89B797852262FF2A81F584DF9734783B1B94280790AC5C9CD3507CA7C6C9C
Reporter: abuse_ch
Tags: AZORult vbs


Comment by abuse_ch:
AZORult C2:
http://185.29.10.106/Panel/index.php

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://185.29.10.106/Panel/index.php
ThreatFox reference: https://threatfox.abuse.ch/ioc/448109/

Intelligence


File Origin
# of uploads: 1
# of downloads: 608
Origin country: n/a

Vendor Threat Intelligence
Verdict: MALICIOUS
Threat name: AZORult
Detection: malicious
Classification: phis.troj.adwa.spyw.evad
Score: 100 / 100
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected AZORult Info Stealer
DLL side loading technique detected
Drops PE files to the startup folder
Drops VBS files to the startup folder
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Very long command line found
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Azorult
Yara detected Azorult Info Stealer
Behaviour
Behavior Graph ID: 596675
Sample: 6917926pdf.vbs
Start date: 25/03/2022
Architecture: WINDOWS
Score: 100
Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 5 other signatures

Process tree (recovered from the behavior graph):
wscript.exe
  signatures: System process connects to network (likely due to code injection or exploit); Wscript starts Powershell (via cmd or directly); Very long command line found
  powershell.exe
    network: 192.168.2.1 (unknown)
    signatures: Writes to foreign memory regions; Injects a PE file into a foreign processes
    aspnet_compiler.exe
      dropped: C:\Users\user\AppData\...\vcruntime140.dll (PE32); C:\Users\user\AppData\Roaming\2fda\nss3.dll (PE32); C:\Users\user\AppData\...\msvcp140.dll (PE32); 45 other files (1 malicious)
      signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file / registry access); 3 other signatures
      cmd.exe
        conhost.exe
        timeout.exe
    conhost.exe
wscript.exe
  network: 84.38.132.43, ports 49691, 49693, 49694 (DATACLUBLV, Latvia)
  powershell.exe
    aspnet_compiler.exe
      network: 185.29.10.106, ports 49709, 49716, 49743 (DATACLUB-SE, European Union)
      dropped: C:\Users\user\AppData\Local\Temp\...\nss3.dll (PE32); C:\Users\user\AppData\...\vcruntime140.dll (PE32); C:\Users\user\AppData\Local\...\ucrtbase.dll (PE32); 45 other files (none is malicious)
      signatures: Detected AZORult Info Stealer; DLL side loading technique detected; Tries to steal Crypto Currency Wallets
      cmd.exe
        conhost.exe
        timeout.exe
    conhost.exe
  cmd.exe
    signatures: Drops VBS files to the startup folder; Drops PE files to the startup folder
    conhost.exe
Threat name: Script-WScript.Trojan.Heuristic
Status: Malicious
First seen: 2022-03-24 23:02:13 UTC
File Type: Text (VBS)
AV detection: 3 of 42 (7.14%)
Threat level: 2/5

Verdict: malicious
Label(s): azorult

Malware family: azorult
Score: 10/10
Tags: family:azorult collection infostealer spyware stealer suricata trojan
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks computer location settings
Loads dropped DLL
Reads local data of messenger clients
Blocklisted process makes network request
Azorult
suricata: ET MALWARE AZORult v3.2 Server Response M3
suricata: ET MALWARE Win32/AZORult V3.2 Client Checkin M14
suricata: ET MALWARE Win32/AZORult V3.2 Client Checkin M4
Malware Config
C2 Extraction:
http://185.29.10.106/Panel/index.php