MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d4227ec9dd2159223342099e0ed7d55c0691fe677ab2fc513c149a137e50ced8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 15


Intelligence 15 IOCs 2 YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d4227ec9dd2159223342099e0ed7d55c0691fe677ab2fc513c149a137e50ced8
SHA3-384 hash: a517a81a528d4e01fc6994c78cb79a7d638b6d7d2ecdbb6851d16642238887a3ebd7c8ad7155a26c973f3172a14e6497
SHA1 hash: 9c39dd8abdc8ca70ddef39d66fa18d1ac43776a4
MD5 hash: a5f5f00fb8fa9f4403b5d666698a5a17
humanhash: single-queen-johnny-network
File name:a5f5f00fb8fa9f4403b5d666698a5a17.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:1'403'904 bytes
First seen:2022-10-06 06:46:34 UTC
Last seen:2023-08-27 08:54:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:BnjoxXIB0nWZQzjFeM6DJOjB9sTTHyDErTTFyxhRz3Zws3OOiotlt1pXRW:AIqnYQb6VO3Er2hXt
TLSH T154553AF4A0AB44E5F80BADC1297CBDD2567231F38DD90D30337DBA444FAAD696D0894A
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags:AZORult exe


Avatar
abuse_ch
AZORult C2:
http://193.106.191.150/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://193.106.191.150/ https://threatfox.abuse.ch/ioc/871831/
http://maripos.ac.ug/index.php https://threatfox.abuse.ch/ioc/871832/

Intelligence

File Origin
# of uploads :
2
# of downloads :
393
Origin country :
n/a
Vendor Threat Intelligence
Detection:
RaccoonV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/317130/
Detection(s):
SecuriteInfo.com.PUA.EmbeddedEXE-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
fingerprint packed stealer
Link:
https://www.filescan.io/uploads/633e79e90d3d21420ccaa635/reports/e07c21ed-67c7-4432-a787-00b64d640475/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/93aabf3c-54b1-47f1-a067-21e4601d998b
Result
Threat name:
Azorult, Raccoon Stealer v2, Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1084682
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Azorult
Yara detected Azorult Info Stealer
Yara detected Costura Assembly Loader
Yara detected Raccoon Stealer v2
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 717241 Sample: ATrdcQgnPG.exe Startdate: 06/10/2022 Architecture: WINDOWS Score: 100 54 tuekisaa.ac.ug 2->54 56 parthaha.ac.ug 2->56 58 3 other IPs or domains 2->58 68 Snort IDS alert for network traffic 2->68 70 Multi AV Scanner detection for domain / URL 2->70 72 Malicious sample detected (through community Yara rule) 2->72 74 11 other signatures 2->74 9 ATrdcQgnPG.exe 1 2->9         started        signatures3 process4 file5 34 C:\Users\user\AppData\...\ATrdcQgnPG.exe.log, ASCII 9->34 dropped 80 Injects a PE file into a foreign processes 9->80 13 ATrdcQgnPG.exe 29 9->13         started        18 ATrdcQgnPG.exe 9->18         started        signatures6 process7 dnsIp8 60 193.106.191.150, 49702, 80 BOSPOR-ASRU Russian Federation 13->60 62 maripos.ac.ug 193.106.191.169, 49703, 49705, 80 BOSPOR-ASRU Russian Federation 13->62 64 marcaka.ac.ug 13->64 38 C:\Users\user\AppData\Roaming\s9ppME8t.exe, PE32 13->38 dropped 40 C:\Users\user\AppData\Roaming\WZby6H9X.exe, PE32 13->40 dropped 42 C:\Users\user\AppData\Roaming\UQQT6897.exe, PE32+ 13->42 dropped 44 8 other files (1 malicious) 13->44 dropped 82 Tries to harvest and steal browser information (history, passwords, etc) 13->82 84 Tries to steal Crypto Currency Wallets 13->84 20 WZby6H9X.exe 1 13->20         started        23 Hb28N5Ai.exe 13->23         started        25 UQQT6897.exe 13->25         started        28 s9ppME8t.exe 13 13->28         started        file9 signatures10 process11 file12 76 Multi AV Scanner detection for dropped file 20->76 78 Injects a PE file into a foreign processes 20->78 30 WZby6H9X.exe 12 20->30         started        36 C:\Users\user\AppData\Roaming\...\Ivrmwfo.exe, PE32+ 25->36 dropped signatures13 process14 dnsIp15 66 maripos.ac.ug 30->66 46 C:\Users\user\AppData\...\vcruntime140.dll, PE32 30->46 dropped 48 C:\Users\user\AppData\Local\...\ucrtbase.dll, PE32 30->48 dropped 50 C:\Users\user\AppData\Local\...\softokn3.dll, PE32 30->50 dropped 52 45 other files (none is malicious) 30->52 dropped file16
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d4227ec9dd2159223342099e0ed7d55c0691fe677ab2fc513c149a137e50ced8/
Threat name:
Win32.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2022-10-06 01:10:35 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
23 of 40 (57.50%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2qrh5so5efmsem2cbgpa5v6vlqdjd7thpkzpyuj4csnbg7sqz3ma._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
raccoon
Create hunting rule
asyncrat
Create hunting rule
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:azorult family:raccoon family:remcos botnet:0ec468673cadb705e7aab6a7b0bb3906 botnet:10052022 discovery infostealer persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/221006-hj7k5sgee8/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Azorult
Raccoon
Remcos
Malware Config
C2 Extraction:
http://193.106.191.150/
http://195.245.112.115/index.php
nikahuve.ac.ug:6969
kalskala.ac.ug:6969
tuekisaa.ac.ug:6969
parthaha.ac.ug:6969
37.0.14.204:6969
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/faea369f-0660-4c15-b1ff-5415915bce65
Unpacked files
SH256 hash:
de6d685ca0236277c6a2654b3d9c5326f82baf5af448d3f1d2e6335386492cd4
MD5 hash:
d78fd0aa0b539b1ee1c231ef87673ca5
SHA1 hash:
e95ac26e64c448add2cd76c56f047a318279a121
Link:
https://www.unpac.me/results/0253b370-bb53-4a29-abec-0a9c6979936b/
SH256 hash:
3e4dd36589c9f8a72f559480b8de2f37ff12eeea683dbc7a74a6fcddebb983b0
MD5 hash:
3c283474428ee4529e4bf95489566233
SHA1 hash:
d615b0f2b66f8fb258d91760e5a45a302231d795
Link:
https://www.unpac.me/results/0253b370-bb53-4a29-abec-0a9c6979936b/
SH256 hash:
bee45131fed75a71e0d1c45b6a1da8e6f9a454869581d9e61f108dd824fe8ce4
MD5 hash:
0516e0a5ad13cf4f218049a1a53cb8cc
SHA1 hash:
8fc2579a4ab306c17f2651c809f2d8bc89ef7e7a
Detections:
raccoonstealer
Create hunting rule
win_recordbreaker_auto
Create hunting rule
Link:
https://www.unpac.me/results/0253b370-bb53-4a29-abec-0a9c6979936b/
SH256 hash:
d4227ec9dd2159223342099e0ed7d55c0691fe677ab2fc513c149a137e50ced8
MD5 hash:
a5f5f00fb8fa9f4403b5d666698a5a17
SHA1 hash:
9c39dd8abdc8ca70ddef39d66fa18d1ac43776a4
Link:
https://www.unpac.me/results/0253b370-bb53-4a29-abec-0a9c6979936b/
Malware family:
RecordBreaker
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d4227ec9dd21/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d4227ec9dd2159223342099e0ed7d55c0691fe677ab2fc513c149a137e50ced8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:RaccoonV2
Create hunting rule
Author:@_FirehaK <yara@firehak.com>
Description:This rule detects Raccoon Stealer version 2.0 (called Recordbreaker before attribution). It has been spotted spreading through fake software cracks and keygens as far back as April 2022.
Reference:https://www.zerofox.com/blog/brief-raccoon-stealer-version-2-0/
Rule name:recordbreaker_win_generic
Create hunting rule
Author:_kphi
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_recordbreaker_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.recordbreaker.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AZORult

Executable exe d4227ec9dd2159223342099e0ed7d55c0691fe677ab2fc513c149a137e50ced8

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1746812/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2264644/
  
URLhaus
https://urlhaus.abuse.ch/url/1746810/
  
URLhaus
https://urlhaus.abuse.ch/url/1514313/
  
URLhaus
https://urlhaus.abuse.ch/url/2271067/
  
URLhaus
https://urlhaus.abuse.ch/url/1514098/
  
URLhaus
https://urlhaus.abuse.ch/url/2257588/
  
URLhaus
https://urlhaus.abuse.ch/url/2141170/
  
URLhaus
https://urlhaus.abuse.ch/url/399076/
  
URLhaus
https://urlhaus.abuse.ch/url/2254177/
  
URLhaus
https://urlhaus.abuse.ch/url/1596393/
  
URLhaus
https://urlhaus.abuse.ch/url/1539152/
  
URLhaus
https://urlhaus.abuse.ch/url/2254174/
  
URLhaus
https://urlhaus.abuse.ch/url/2223030/
Cape
Cape
https://www.capesandbox.com/analysis/317130/

Comments