MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d5554f475d95ecca88e05af06c1d66ab34c8db6f18f43496bc535fd89be4808a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d5554f475d95ecca88e05af06c1d66ab34c8db6f18f43496bc535fd89be4808a
SHA3-384 hash: 40ebdf44b03c2ce8e12826b7e576d4c32e4534dcf8cf0b43b959a76b6b4688e2cc2bd904cd942b2c1299ed904e0145f3
SHA1 hash: 153527e59a49afb100e44e12b8089259b4c3e2a6
MD5 hash: 5c128e469d5a71bcb5bee16147ad407b
humanhash: iowa-low-apart-butter
File name:5c128e469d5a71bcb5bee16147ad407b
Download: download sample
Signature AZORult
Create hunting rule
File size:742'400 bytes
First seen:2023-03-22 16:53:28 UTC
Last seen:2023-03-22 19:29:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:cTnUmCnfM4kA7BgsRb8feoaEgmcGZWGHt9JNTMVzcBCv6oNjvSkeKh/xU/:oCnkEdRYmKgOZWGBmVzcBCbNjvDnU/
Threatray 673 similar samples on MalwareBazaar
TLSH T106F41211B299CB24C16C57BEE9C2496007F7A34A3573E30A3EC906DA6F167E44B11BDB
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b8b4dcecf2b4c6c8 (13 x AgentTesla, 4 x SnakeKeylogger, 3 x Formbook)
Reporter zbetcheckin
Tags:32 AZORult exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
258
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
azorult
Create hunting rule
ID:
1
File name:
Remittance Advice.doc
Verdict:
Malicious activity
Analysis date:
2023-03-22 16:19:29 UTC
Tags:
exploit cve-2017-11882 loader trojan rat azorult
Link:
https://app.any.run/tasks/39e059a9-b503-4a16-871a-5ff9683a837a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/376560/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
Creating a file in the %temp% directory
Sending an HTTP POST request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/641b32ad3b01ade53e70717d/reports/f08aecb0-c176-4316-a17a-ba6e34c084e2/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/d5554f475d95ecca88e05af06c1d66ab34c8db6f18f43496bc535fd89be4808a
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AZORult
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cd26ae75-ed8e-4917-9471-e76f738cec90
Result
Threat name:
Azorult
Create hunting rule
Detection:
malicious
Classification:
rans.phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1199625
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found potential ransomware demand text
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Yara detected Azorult
Yara detected Azorult Info Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
azorult
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d5554f475d95ecca88e05af06c1d66ab34c8db6f18f43496bc535fd89be4808a/
Threat name:
Win32.Trojan.Casdet
Create hunting rule
Status:
Malicious
First seen:
2023-03-22 16:54:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2vku6r25sxwmvchallygyhlgvm2mrw3pdd2djfv4knp5rg7eqcfa._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
Similar samples:
345b8e5f00f4098adb7da24313f6ec5a5b62ef848a8174c179097a7129850f64
AZORult
37d4d7a7b84e4f6ead2e950ba252c23fa360a3176f49184942da3046fa693452
AZORult
3ea0d5204b7f00592980a76c06e5210758c6ac6cb1bc8e90c03739d0ec8ddf76
AZORult
69d0885e1490db820cfa69e85ee79f0fa96375c65b32606c3fa2a6edfe19cf1a
AZORult
8ebca92cff949147d2dc62e0848458e51dba3063d18e370fe6ec5f6e985b7565
AZORult
d8c4fb5e1c854c9362c4129efbaa6b72435b8e93df66fd418f288650d360ff22
AZORult
+ 663 additional samples on MalwareBazaar
Result
Malware family:
azorult
Create hunting rule
Score:
  10/10
Tags:
family:azorult collection discovery infostealer spyware stealer trojan
Link:
https://tria.ge/reports/230322-vejdzaab76/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Azorult
Malware Config
C2 Extraction:
http://171.22.30.164/standright/index.php
Unpacked files
SH256 hash:
7d958b3964c6689883f4fcbb7e02ef1a7036e5bca2cd16c1c4455955fcd64774
MD5 hash:
ba34aa6f520d3e6dcca947abfc8ae8ff
SHA1 hash:
eb56bc94087b3b6d46fee10eea2f3d54cd85b42b
Detections:
Azorult
Create hunting rule
win_azorult_auto
Create hunting rule
win_azorult_g1
Create hunting rule
Link:
https://www.unpac.me/results/b897da5e-3f31-4e94-b384-3066520cd8c9/
Parent samples :
37d4d7a7b84e4f6ead2e950ba252c23fa360a3176f49184942da3046fa693452
d5554f475d95ecca88e05af06c1d66ab34c8db6f18f43496bc535fd89be4808a
1994253973e360af9b9632c4bcd735e13beb88e8283f7c97eba22ddf3b03d564
a6f625e40e8b7523312b9a40ce6f3080b3475b9ff349e17785bdf7b6e0cd78c1
SH256 hash:
d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37
MD5 hash:
0fb6061f7d37424fb9e6d0e76b019c19
SHA1 hash:
98a64bf7b459f032d6ec5793003bf61b5ae1dd74
Link:
https://www.unpac.me/results/b897da5e-3f31-4e94-b384-3066520cd8c9/
Parent samples :
495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a
SH256 hash:
9041d7265324d88292cdfcd36df6e049a3b475bc0870317b356585f1001dbc58
MD5 hash:
5b010577a647f54af043c21b741dca03
SHA1 hash:
8cfed720da39978ace489d238f2d91a2a979b1cd
Link:
https://www.unpac.me/results/b897da5e-3f31-4e94-b384-3066520cd8c9/
SH256 hash:
c5a4043fb47278db678a43171c7d36b032080e64d5dcdf451e8a5df947e9c925
MD5 hash:
4a384f8af27756981369b33204428921
SHA1 hash:
6e9d34b2a9c93b6448025f6fdc75a40884049b57
Link:
https://www.unpac.me/results/b897da5e-3f31-4e94-b384-3066520cd8c9/
SH256 hash:
f07b5f30dd3d765bce627a4ec2702f6cb6b10e09f90314eb6b64165770e7b2a2
MD5 hash:
dadd3c7b9a777af1793fbe703316c858
SHA1 hash:
1718492843d16a5d0b44fb505ddc4988a77e5100
Link:
https://www.unpac.me/results/b897da5e-3f31-4e94-b384-3066520cd8c9/
SH256 hash:
d5554f475d95ecca88e05af06c1d66ab34c8db6f18f43496bc535fd89be4808a
MD5 hash:
5c128e469d5a71bcb5bee16147ad407b
SHA1 hash:
153527e59a49afb100e44e12b8089259b4c3e2a6
Link:
https://www.unpac.me/results/b897da5e-3f31-4e94-b384-3066520cd8c9/
Malware family:
AZORult v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d5554f475d95/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AZORult

Executable exe d5554f475d95ecca88e05af06c1d66ab34c8db6f18f43496bc535fd89be4808a

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2581120/
Cape
Cape
https://www.capesandbox.com/analysis/376560/

Comments


Avatar
zbet commented on 2023-03-22 16:53:30 UTC

url : hxxp://208.67.105.179/standrightzx.exe