MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d5d3b0111c816adcf54d9913228c28d4f0923f902fdb58a8a0410eb39145f06f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d5d3b0111c816adcf54d9913228c28d4f0923f902fdb58a8a0410eb39145f06f
SHA3-384 hash: 24752a3a2fa78660813e8f6517987897d77704b66653887eafea7d263e522a1f7671096e9372b6753dda3dba2f0e31f4
SHA1 hash: f8b2cdd74a0f3fabde7eff5045202af4f1da9540
MD5 hash: dd9aa37faba1afb315381ec81a5fe73b
humanhash: mirror-hydrogen-sixteen-blossom
File name:Payment Details,pdf.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:329'712 bytes
First seen:2022-09-27 19:04:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 3072:PoYaziS8sdQtovkUSRys7IWzBekDNh8LqRyKmecUSRC+9wqY+mhhhmitqOT8q:gYuqov/Vs7jBb8LLKmUsCKi
Threatray 236 similar samples on MalwareBazaar
TLSH T1DE64B5E0317C93CFD0A68DB15FC98A7079F135ACA8C0560DA0F6AB2D93D6395189C5FA
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon d4a6a494a48484a4 (65 x AgentTesla, 39 x Formbook, 8 x RemcosRAT)
Reporter TeamDreier
Tags:AZORult exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
460
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Azorult
Create hunting rule
Link:
https://www.capesandbox.com/analysis/314096/
Detection(s):
SecuriteInfo.com.Trojan.InjectNET.50.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file
Сreating synchronization primitives
DNS request
Sending an HTTP POST request
Sending a custom TCP request
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/63334963665fcdb8807a3b09/reports/0439c7ec-7671-4efe-aebc-e75a74062927/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AZORult
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ad4d8846-83f2-45c7-afd9-8703dd54e553
Result
Threat name:
Azorult
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1078615
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Writes to foreign memory regions
Yara detected Azorult
Yara detected Azorult Info Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d5d3b0111c816adcf54d9913228c28d4f0923f902fdb58a8a0410eb39145f06f/
Threat name:
ByteCode-MSIL.Infostealer.Azorult
Create hunting rule
Status:
Malicious
First seen:
2022-09-27 08:28:48 UTC
File Type:
PE (.Net Exe)
Extracted files:
18
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2xj3aei4qfvnz5kntejsfdbi2tyjep4qf7nvrkfaiehlhekf6bxq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0bad4225836db30f6301e890e4da0fe01d9178cabf7be6f62bdfa4f590050346
AZORult
13c9ec087b8177e95285fd90ddffb04a3858dbf7316bb1bddc0ab32e38f1c806
AZORult
53867ae1994d09f07b882ff96d80fc9d38b50e3aae70054985e07b20634ac14f
AZORult
6f65bc7ad58ce2f17dec79d9dda14c31d73587552b72e7d90b5b827c1a80c9c6
AZORult
a4e136e1ed1c634f0e0d8a11d7fdfa2fd1a316d90c1f2f18d92af62cb1a2f924
AZORult
b886242723bd9c498d27270a8b539c074b47682307b74d2c8cc91007c07bfa28
AZORult
bdaf2cc27694475beaef6b0945e952e41e3ab6972bae7243b3656c6a87d2bb0e
AZORult
c923b5976862e86bd94180a0f141ff001715eed24b895c1e4e2b066107c40412
AZORult
f2c121b416fc3e961b271733a3e269b1227d0579676c60da524b80c15dbf33ac
AZORult
+ 226 additional samples on MalwareBazaar
Result
Malware family:
azorult
Create hunting rule
Score:
  10/10
Tags:
family:azorult infostealer trojan
Link:
https://tria.ge/reports/220927-xrhdjsfchp/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Azorult
Malware Config
C2 Extraction:
http://blsrs.shop/PL341/index.php
Unpacked files
SH256 hash:
234aa4ea77cfe0a36f0fa87b5a9b3a8e2e991afdd8afe08b350af8fcd05943fc
MD5 hash:
4e3ff954dffb18b82a52d566cba903db
SHA1 hash:
cc4f642fa194cd1d055793c309daf9a99a7b666b
Detections:
win_azorult_auto
Create hunting rule
win_azorult_g1
Create hunting rule
Link:
https://www.unpac.me/results/94355e8b-6ef0-41a2-8c8c-fdde565e8429/
Parent samples :
eea2a192c80e6d01051766e7f06213f6870d45c4be44f47ba09f7ef51e1581f1
d5d3b0111c816adcf54d9913228c28d4f0923f902fdb58a8a0410eb39145f06f
SH256 hash:
426b819152bba3056e4ecdc68c5348206853eb3a7d33fcaa6a688ed26c88efb7
MD5 hash:
2c002f24fc66c24edaa06bea2aa95535
SHA1 hash:
b7fd6b9632e216ae8acf733854450323b660ebd1
Link:
https://www.unpac.me/results/94355e8b-6ef0-41a2-8c8c-fdde565e8429/
SH256 hash:
d49fb56947ce01c399848707865024c37177d124a1dd9d1ab86de1312df56153
MD5 hash:
02601bf98ca13991e18cbf2750225b20
SHA1 hash:
2e186c8b09679f7b73dc2bce4de5d723795a17a2
Link:
https://www.unpac.me/results/94355e8b-6ef0-41a2-8c8c-fdde565e8429/
SH256 hash:
d5d3b0111c816adcf54d9913228c28d4f0923f902fdb58a8a0410eb39145f06f
MD5 hash:
dd9aa37faba1afb315381ec81a5fe73b
SHA1 hash:
f8b2cdd74a0f3fabde7eff5045202af4f1da9540
Link:
https://www.unpac.me/results/94355e8b-6ef0-41a2-8c8c-fdde565e8429/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d5d3b0111c816adcf54d9913228c28d4f0923f902fdb58a8a0410eb39145f06f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AZORult

Executable exe d5d3b0111c816adcf54d9913228c28d4f0923f902fdb58a8a0410eb39145f06f

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/314096/

Comments