MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d792d051caa23b98f546ca5eae5200f1714d5953958729f8d841ea37a3618b8e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AZORult

Vendor detections: 19

Intelligence 19 IOCs 1 YARA 4 File information Comments

SHA256 hash:	d792d051caa23b98f546ca5eae5200f1714d5953958729f8d841ea37a3618b8e
SHA3-384 hash:	1c4f94baf74b53e96dcb42fe269faa83965b436dc078de92de830f062ab54a884af5f9258d9e838be93122915794104b
SHA1 hash:	29d8bc04b2cfbb26d3374c855b799570eb4cd39f
MD5 hash:	d6fe1a58905a8d6477536a988f73333b
humanhash:	avocado-colorado-william-march
File name:	D6FE1A58905A8D6477536A988F73333B.exe
Download:	download sample
Signature	AZORult Create hunting rule
File size:	1'098'736 bytes
First seen:	2026-04-10 22:15:10 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	a0822070808cff2c8d9180fd81953fb0 (1 x AZORult)
ssdeep	12288:kVwTHFSU1ToX7miuBO3dSlZ476dxbCtlzb3b2BLUkEJ++aDpK5jMrqNmX/NoiBgU:YwTHJ1MX6iKdxCyBLUo+akpu/NWtui8h
Threatray	180 similar samples on MalwareBazaar
TLSH	T1C1356CC2DD9E5EC9DC430279C6656CBBE9220C7C53F1548713AB7EA10B3229AB1D3C66
TrID	33.0% (.EXE) Win32 Executable (generic) (4504/4/1) 15.1% (.ICL) Windows Icons Library (generic) (2059/9) 14.9% (.EXE) DOS Executable Borland Pascal 7.0x (2035/25) 14.6% (.EXE) Generic Win/DOS Executable (2002/3) 14.6% (.EXE) DOS Executable (generic) (2000/1)
Magika	pebin
dhash icon	2141950d35111515 (1 x RedLineStealer, 1 x AZORult)
Reporter	abuse_ch
Tags:	AZORult exe

abuse_ch

AZORult C2:
http://www.gpsindia.biz/crm/kha/32/index.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://www.gpsindia.biz/crm/kha/32/index.php	https://threatfox.abuse.ch/ioc/1784033/

Intelligence

File Origin

# of uploads :

# of downloads :

155

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

azorult

ID:

File name:

D6FE1A58905A8D6477536A988F73333B.exe

Verdict:

Malicious activity

Analysis date:

2026-04-10 22:18:26 UTC

Tags:

auto-reg azorult loader stealer

Link:

https://app.any.run/tasks/6c39280b-3de2-417c-8f6b-0e0503c39274

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Azorult

Link:

https://www.capesandbox.com/analysis/61082/

Detection(s):

Win.Trojan.Johnnie-7735227-0

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69d9769e6a61012f6ad0c733

Tags:

azorult lien

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

Creating a file in the %AppData% subdirectories

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

astralpe crypt lolbin obfuscated overlay packed packed packed stealer vbc xpack

Link:

https://www.filescan.io/uploads/69d97695d920e19044f6c473/reports/ff7264cd-e252-4a6d-a3ac-94d1eb225dd5/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/d792d051caa23b98f546ca5eae5200f1714d5953958729f8d841ea37a3618b8e

Result

Gathering data

Verdict:

Malicious

File Type:

exe x32

First seen:

2026-01-12T18:14:00Z UTC

Last seen:

2026-01-12T19:05:00Z UTC

Hits:

~10

Detections:

Trojan.Win32.Agent.sb Trojan-PSW.Win32.Coins.sb Trojan-PSW.Win32.Azorult.a.sb Trojan-Dropper.Win32.Injector.sb Backdoor.Win32.Androm Trojan.Win32.Inject.sb Trojan-PSW.Win32.Azorult.sb Trojan-PSW.Coins.HTTP.ServerRequest Trojan-PSW.Azorult.HTTP.C&C PDM:Trojan.Win32.Generic HEUR:Trojan-PSW.Win32.Generic

Link:

https://opentip.kaspersky.com/d792d051caa23b98f546ca5eae5200f1714d5953958729f8d841ea37a3618b8e/results?tab=lookup

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/20027006-a093-4980-9399-77bd644d1d6e

Result

Threat name:

AZORult

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1896764

Signature

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Detected AZORult Info Stealer

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

PE file has nameless sections

Sample uses process hollowing technique

Suricata IDS alerts for network traffic

Writes to foreign memory regions

Yara detected Azorult

Yara detected Azorult Info Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/d792d051caa23b98f546ca5eae5200f1714d5953958729f8d841ea37a3618b8e

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d792d051caa23b98f546ca5eae5200f1714d5953958729f8d841ea37a3618b8e/

Verdict:

Malicious

Threat:

Family.AZORULT

Link:

https://tip.neiki.dev/file/d792d051caa23b98f546ca5eae5200f1714d5953958729f8d841ea37a3618b8e

Threat name:

Win32.Malware.Heuristic

Status:

Malicious

First seen:

2026-01-12 19:00:55 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

25 of 36 (69.44%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=26jnauokui5zr5kgzjpk4uqa6fyu2wktswdst6gyihvdpi3broha._file

Verdict:

malicious

Label(s):

azorult

AZORult

4e31ec8d34e7b2c7b80eae6a9e956e5e6c71c9119f5babefc8ac77025c96560c

AZORult

5b15cd544d3b9bc4cab21814d46fb1eae2b9ec92a6865fb35fd5eb37cd9cebba

AZORult

69e0540c46b5141c635e4ee54e5dd13af1943a0371116b3ee72d2455efdbd867

AZORult

error

AZORult

+ 170 additional samples on MalwareBazaar

Result

Malware family:

azorult

Score:

10/10

Tags:

family:azorult discovery infostealer persistence trojan

Link:

https://tria.ge/reports/260410-16mtcsfw5v/

Behaviour

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Adds Run key to start application

Executes dropped EXE

Uses the VBS compiler for execution

Azorult

Azorult family

Malware Config

C2 Extraction:

https://www.gpsindia.biz/crm/kha/32/index.php

Unpacked files

SH256 hash:

d792d051caa23b98f546ca5eae5200f1714d5953958729f8d841ea37a3618b8e

MD5 hash:

d6fe1a58905a8d6477536a988f73333b

SHA1 hash:

29d8bc04b2cfbb26d3374c855b799570eb4cd39f

Link:

https://www.unpac.me/results/da12b749-3e2e-4744-b7d3-b5f535ef4b89/

Malware family:

AZORult

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/d792d051caa2/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.56

Link:

https://yomi.yoroi.company/submissions/d792d051caa23b98f546ca5eae5200f1714d5953958729f8d841ea37a3618b8e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	SEH__vba Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	VECT_Ransomware Create hunting rule
Author:	Mustafa Bakhit
Description:	Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/61082/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample