MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d75d7b0534ff648f16f5751be79a2c23158b6412a780180aec78c77c7e95071d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 16


Intelligence 16 IOCs 1 YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d75d7b0534ff648f16f5751be79a2c23158b6412a780180aec78c77c7e95071d
SHA3-384 hash: 0e36b05263547374cc3dbc7a408d40c211b67410fea4a22dbbf01a04203ba6e8eaf5907a481ab9a6e0d5c2357cbc6ae9
SHA1 hash: ce260393460fa5d4cbfa17d3329fd33594810add
MD5 hash: 131a32033cf88976a8df48361b90207d
humanhash: steak-zulu-texas-thirteen
File name:131a32033cf88976a8df48361b90207d.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:600'064 bytes
First seen:2022-07-11 02:55:14 UTC
Last seen:2022-08-10 12:02:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:469NfBfi4Nw7wLTHPxIdhBeY4rW/QdCJlwZqgNdljwFy:4gNX+c3HPxIdhBe1oiE+ZqgNPMF
Threatray 827 similar samples on MalwareBazaar
TLSH T1E4D423D7011E0AF5D12BEB711508DDBA874D3F129C862B1DAD2AB2EF0964197D3E362C
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon eaa98b5c243d8ab6 (4 x AZORult, 3 x RemcosRAT, 2 x XFilesStealer)
Reporter abuse_ch
Tags:AZORult dropped exe goldrushaw-ug


Avatar
abuse_ch
AZORult C2:
http://goldrushaw.ac.ug/index.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://goldrushaw.ac.ug/index.php https://threatfox.abuse.ch/ioc/824172/

Intelligence

File Origin
# of uploads :
9
# of downloads :
790
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
arkei
Create hunting rule
ID:
1
File name:
131a32033cf88976a8df48361b90207d.exe
Verdict:
Malicious activity
Analysis date:
2022-07-12 00:06:56 UTC
Tags:
loader stealer arkei trojan rat azorult vidar remcos
Link:
https://app.any.run/tasks/6d635991-467d-4679-a4fc-d3dbe13e705f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Azorult
Create hunting rule
Link:
https://www.capesandbox.com/analysis/285961/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.39967992.12254.27972.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Launching a process
Creating a file
Sending an HTTP POST request
Sending an HTTP GET request
Reading critical registry keys
DNS request
Creating a process with a hidden window
Changing a file
Creating a file in the %AppData% subdirectories
Running batch commands
Unauthorized injection to a recently created process
Stealing user critical data
Forced shutdown of a system process
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
fingerprint packed stealer
Link:
https://www.filescan.io/uploads/62cb9147bbcf6baf27924503/reports/1ad92885-bcfc-4c26-a0a4-25d5791d6a7b/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/eb93c33c-a86f-4b44-b41b-58cfedfe8f44
Result
Threat name:
Azorult, Clipboard Hijacker, Raccoon Ste
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1028211
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
DLL side loading technique detected
Encrypted powershell cmdline option found
Found C&C like URL pattern
Found evasive API chain (may stop execution after checking computer name)
Found evasive API chain (may stop execution after checking locale)
Found evasive API chain (may stop execution after checking mutex)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Azorult
Yara detected Azorult Info Stealer
Yara detected Clipboard Hijacker
Yara detected Generic Downloader
Yara detected Raccoon Stealer v2
Yara detected Remcos RAT
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 660707 Sample: 7bqiIpAAE3.exe Startdate: 11/07/2022 Architecture: WINDOWS Score: 100 94 tuekisaa.ac.ug 2->94 96 parthaha.ac.ug 2->96 98 2 other IPs or domains 2->98 132 Snort IDS alert for network traffic 2->132 134 Multi AV Scanner detection for domain / URL 2->134 136 Malicious sample detected (through community Yara rule) 2->136 138 17 other signatures 2->138 11 7bqiIpAAE3.exe 5 2->11         started        15 Yjlgdlfzs.exe 2->15         started        17 oobeldr.exe 2->17         started        19 Yjlgdlfzs.exe 2->19         started        signatures3 process4 file5 90 C:\Users\user\AppData\...\Mccegjkqnoydj.exe, PE32 11->90 dropped 92 C:\Users\user\AppData\...\7bqiIpAAE3.exe.log, ASCII 11->92 dropped 162 Writes to foreign memory regions 11->162 164 Injects a PE file into a foreign processes 11->164 21 InstallUtil.exe 30 11->21         started        26 Mccegjkqnoydj.exe 3 11->26         started        28 InstallUtil.exe 11->28         started        166 Allocates memory in foreign processes 15->166 30 InstallUtil.exe 15->30         started        32 InstallUtil.exe 19->32         started        signatures6 process7 dnsIp8 100 193.106.191.146, 49741, 80 BOSPOR-ASRU Russian Federation 21->100 102 wiwirdo.ac.ug 21->102 82 C:\Users\user\AppData\Local\...\siVVfKgt.exe, PE32 21->82 dropped 84 C:\Users\user\AppData\Local\...\q17zp5tf.exe, PE32 21->84 dropped 86 C:\Users\user\AppData\Local\...\DGQa5ptH.exe, PE32 21->86 dropped 88 8 other files (4 malicious) 21->88 dropped 142 Tries to harvest and steal browser information (history, passwords, etc) 21->142 144 DLL side loading technique detected 21->144 146 Tries to steal Crypto Currency Wallets 21->146 34 DGQa5ptH.exe 21->34         started        37 q17zp5tf.exe 21->37         started        40 8Wx0FQ22.exe 21->40         started        42 siVVfKgt.exe 21->42         started        148 Writes to foreign memory regions 26->148 150 Allocates memory in foreign processes 26->150 152 Injects a PE file into a foreign processes 26->152 44 InstallUtil.exe 75 26->44         started        154 Found evasive API chain (may stop execution after checking mutex) 28->154 156 Found evasive API chain (may stop execution after checking computer name) 28->156 158 Found evasive API chain (may stop execution after checking locale) 28->158 160 Contains functionality to detect sleep reduction / modifications 28->160 file9 signatures10 process11 dnsIp12 114 Writes to foreign memory regions 34->114 116 Allocates memory in foreign processes 34->116 118 Injects a PE file into a foreign processes 34->118 47 InstallUtil.exe 34->47         started        80 C:\Users\user\AppData\...\Yjlgdlfzs.exe, PE32 37->80 dropped 51 InstallUtil.exe 37->51         started        120 Antivirus detection for dropped file 40->120 122 Multi AV Scanner detection for dropped file 40->122 124 Encrypted powershell cmdline option found 40->124 54 powershell.exe 40->54         started        126 Uses schtasks.exe or at.exe to add and modify task schedules 42->126 56 siVVfKgt.exe 42->56         started        104 goldrushaw.ug 45.143.201.4, 49745, 49762, 49766 PATENT-MEDIA-ASRU Russian Federation 44->104 128 Tries to harvest and steal browser information (history, passwords, etc) 44->128 130 Tries to steal Crypto Currency Wallets 44->130 58 cmd.exe 44->58         started        file13 signatures14 process15 dnsIp16 106 goldrushaw.ac.ug 47->106 70 C:\Users\user\AppData\Local\Temp\...\nss3.dll, PE32 47->70 dropped 72 C:\Users\user\AppData\Local\...\msvcp140.dll, PE32 47->72 dropped 74 C:\Users\user\AppData\Local\...\mozglue.dll, PE32 47->74 dropped 78 41 other files (none is malicious) 47->78 dropped 108 nikahuve.ac.ug 194.5.98.107, 49769, 49774, 49776 DANILENKODE Netherlands 51->108 110 tuekisaa.ac.ug 51->110 112 2 other IPs or domains 51->112 140 Installs a global keyboard hook 51->140 60 conhost.exe 54->60         started        76 C:\Users\user\AppData\Roaming\...\oobeldr.exe, PE32 56->76 dropped 62 schtasks.exe 56->62         started        64 conhost.exe 58->64         started        66 timeout.exe 58->66         started        file17 signatures18 process19 process20 68 conhost.exe 62->68         started       
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d75d7b0534ff648f16f5751be79a2c23158b6412a780180aec78c77c7e95071d/
Threat name:
Win32.Trojan.RemcosRAT
Create hunting rule
Status:
Malicious
First seen:
2022-07-10 16:04:36 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=25oxwbju75si6fxvoun6pgrmemkywzasu6abqcxmpddxy7uva4oq._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
remcos
Create hunting rule
Similar samples:
048c0113233ddc1250c269c74c9c9b8e9ad3e4dae3533ff0412d02b06bdf4059
AZORult
2ced9b36b931b73b1d325bececd01f0e4fa6bd0fff98f8b76f2f45b473311cd0
AZORult
39f1a98ab29664ef492b052c44f6ea76148d75baaf55b7b037cc0575eb8b25d4
AZORult
40daa898f98206806ad3ff78f63409d509922e0c482684cf4f180faac8cac273
AZORult
43656b3aec1f1157f5f3bc34cad394d0653a74417a0203413066e57b39eb940c
AZORult
595a5d21b386ba8e30b567cbe575b24ed104ee589037a48aa2d277452ba0b6a6
AZORult
6887d3d4d5baa135418c2305915c56b448960d03c427f6c63c430465ddaa6547
AZORult
79352910f5e31ab1c843a5a7230d1f278dda20f721ad03243dd44f8d7806c2ed
AZORult
b7cea1f983cf8ed41120e2d4a17b7fe2ec6693d2d990172568cdbbd6b9fbd319
AZORult
+ 817 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:arkei family:azorult family:raccoon family:remcos botnet:06192022 botnet:default infostealer persistence rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/220711-de16caebak/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
Arkei
Azorult
Raccoon
Remcos
suricata: ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA or USERPROFILE Environment Variable M4
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M13
suricata: ET MALWARE Win32/Vidar Variant/Mars Stealer CnC Exfil
Malware Config
C2 Extraction:
http://195.245.112.115/index.php
nikahuve.ac.ug:6968
kalskala.ac.ug:6968
tuekisaa.ac.ug:6968
parthaha.ac.ug:6968
Unpacked files
SH256 hash:
db03dd5d851b479aea51d1d7a2de9c678e2c623dfefe223d65ca092438498b2c
MD5 hash:
0c8c6adf77b1e1d6f601486761273352
SHA1 hash:
f975e99b0770ffac75247b10adeac0ef8da54161
Link:
https://www.unpac.me/results/24f8853d-ee22-4cfe-a90a-8712db42472e/
SH256 hash:
c5229809b008a514e78d738decc76c55e40985d58f69ba0b6c91dcb521fb9398
MD5 hash:
cc9101c5ddd04c15edcd29617c4e75b7
SHA1 hash:
9f41bed525b707ca28db700d1a6717b0b9191d37
Link:
https://www.unpac.me/results/24f8853d-ee22-4cfe-a90a-8712db42472e/
SH256 hash:
89f6bb07176cc507c22cbec39837e3cc8d49171ada656cc8182629ceecd466ca
MD5 hash:
3a4e79654611708c7d0fcb5db1769cd9
SHA1 hash:
f025fe205f5060d8fb11762186b7dc9846f42e79
Link:
https://www.unpac.me/results/24f8853d-ee22-4cfe-a90a-8712db42472e/
SH256 hash:
9f01d9f2ed07e630ec078efa5d760762c3c8ad3b06e9e8a9062a37d63d57b026
MD5 hash:
9fbb8cec55b2115c00c0ba386c37ce62
SHA1 hash:
e2378a1c22c35e40fd1c3e19066de4e33b50f24a
Link:
https://www.unpac.me/results/24f8853d-ee22-4cfe-a90a-8712db42472e/
SH256 hash:
58ca86e49e4dea36ec81072c6e63fb8d6b465447d3c1fc1443d15e897c13d27c
MD5 hash:
e96634c20057c1643a303d6266321035
SHA1 hash:
5f074a2f48911fa04995ab2bad95f6e66f228ebe
Link:
https://www.unpac.me/results/24f8853d-ee22-4cfe-a90a-8712db42472e/
SH256 hash:
533d0e70969aa4f09f7c25b1803f883897e74659f02d40a7738ef0fd5eb976a5
MD5 hash:
2790facb89c6131513e517e5599c7edc
SHA1 hash:
2c62acbe48ebcb030bbaf7bbfb7de21f0ce7dbc6
Link:
https://www.unpac.me/results/24f8853d-ee22-4cfe-a90a-8712db42472e/
SH256 hash:
d75d7b0534ff648f16f5751be79a2c23158b6412a780180aec78c77c7e95071d
MD5 hash:
131a32033cf88976a8df48361b90207d
SHA1 hash:
ce260393460fa5d4cbfa17d3329fd33594810add
Link:
https://www.unpac.me/results/24f8853d-ee22-4cfe-a90a-8712db42472e/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d75d7b0534ff/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d75d7b0534ff648f16f5751be79a2c23158b6412a780180aec78c77c7e95071d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AZORult

Executable exe d75d7b0534ff648f16f5751be79a2c23158b6412a780180aec78c77c7e95071d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/399076/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1746812/
  
URLhaus
https://urlhaus.abuse.ch/url/2254177/
  
URLhaus
https://urlhaus.abuse.ch/url/2141170/
  
URLhaus
https://urlhaus.abuse.ch/url/2223030/
  
URLhaus
https://urlhaus.abuse.ch/url/2254174/
  
URLhaus
https://urlhaus.abuse.ch/url/1797727/
  
URLhaus
https://urlhaus.abuse.ch/url/1746810/
  
URLhaus
https://urlhaus.abuse.ch/url/1539152/
  
URLhaus
https://urlhaus.abuse.ch/url/906880/
Cape
Cape
https://www.capesandbox.com/analysis/285961/

Comments