MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d40e6b3f445ecc817cb70bf8778f4997b9dafd604b962206a49b33a8db157255. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AZORult

Vendor detections: 15

SHA256 hash: d40e6b3f445ecc817cb70bf8778f4997b9dafd604b962206a49b33a8db157255
SHA3-384 hash: 523b77f5cf0e52c4c8f5f4dff4632ae885307806f3ffc0b27dadc2f51e877d3bea772e232d395a31d2cd55c2b289d727
SHA1 hash: 13a09e2dcd38a2466428692b884cd0873f3563f1
MD5 hash: 2df827a178fcfa149a64046339868665
humanhash: tango-california-april-fourteen
File name: 2df827a178fcfa149a64046339868665.exe
Signature: AZORult
File size: 1'177'088 bytes
First seen: 2021-11-02 14:45:32 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 24576:1FC4x1nvqSJipXrPZ+FBxEai7Hj0WcZbkHG3t8x9tj6:a0niSmXrPYFn3iX0WcZwet8x
TLSH: T1054501177307450AF82C6BB8EFB77B110B64F6B29566030793C6796D502E6FA3AC0726
File icon (PE): (icon image not reproduced)
dhash icon: f0f0e47171bad4e0 (2 x ArkeiStealer, 2 x RedLineStealer, 1 x AZORult)
Reporter: abuse_ch
Tags: AZORult exe

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
http://colonna.ug/index.php | https://threatfox.abuse.ch/ioc/241702/
http://colonna.ac.ug/ | https://threatfox.abuse.ch/ioc/241703/

Intelligence


File Origin
# of uploads :
1
# of downloads :
321
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2df827a178fcfa149a64046339868665.exe
Verdict:
Malicious activity
Analysis date:
2021-11-02 15:36:34 UTC
Tags:
trojan rat azorult stealer vidar

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a window
Verdict:
Likely Malicious
Threat level:
7.5/10
Confidence:
100%
Tags:
fingerprint obfuscated packed stealer
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Azorult DBatLoader Raccoon Vidar
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Contains functionality to steal Internet Explorer form passwords
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Azorult
Yara detected Azorult Info Stealer
Yara detected DBatLoader
Yara detected Raccoon Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph: (behavior graph image not reproduced; Behavior Graph ID: 513868, sample k7u4May8sn.exe, start date 02/11/2021, architecture WINDOWS, score 100)
Threat name:
ByteCode-MSIL.Spyware.Azorult
Status:
Malicious
First seen:
2021-11-02 14:46:07 UTC
AV detection:
15 of 24 (62.50%)
Threat level:
2/5
Result
Malware family:
raccoon
Score:
10/10
Tags:
family:azorult family:oski family:raccoon botnet:32365171a31c4583d6e3b7aad1690e41cefc38eb collection discovery infostealer persistence spyware stealer suricata trojan
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Loads dropped DLL
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Azorult
Oski
Raccoon
Suspicious use of NtCreateProcessExOtherParentProcess
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M18
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M5
Malware Config
C2 Extraction:
http://195.245.112.115/index.php
colonna.ac.ug
Unpacked files
(list of unpacked-file hashes and their detections omitted)
Malware family:
AZORult v3
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name:Azorult
Author:JPCERT/CC Incident Response Group
Description:detect Azorult in memory
Reference:internal research
Rule name:BitcoinAddress
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_Raccoon
Author:ditekSHen
Description:Raccoon stealer payload
Rule name:MALWARE_Win_Vidar
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:pe_imphash
Rule name:pe_imphash
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash
Rule name:Typical_Malware_String_Transforms
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:Typical_Malware_String_Transforms_RID3473
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:Vidar
Author:kevoreilly
Description:Vidar Payload
Rule name:win_azorult_auto
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.azorult.
Rule name:win_oski_auto
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.oski.
Rule name:win_raccoon_auto
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.raccoon.

File information


The table below shows additional information about this malware sample, such as delivery method and external references.

Delivery method: Web download
Signature: AZORult
File type: Executable exe
SHA256 hash: d40e6b3f445ecc817cb70bf8778f4997b9dafd604b962206a49b33a8db157255 (this sample)

Comments