MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d7aa1d8f05edf7ad03526c1038de354125fa7dda30ada3393a0c08b8f66e53d4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AZORult

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	d7aa1d8f05edf7ad03526c1038de354125fa7dda30ada3393a0c08b8f66e53d4
SHA3-384 hash:	57aa3fffce0e7f0dbe44052c50101e2338948b4ae2a0a6d4dbca7a40679e062af2cd33a9398bbe519d4800e101725a9e
SHA1 hash:	be733b0d2e33982e448bb95ecbe51ef8bbbde978
MD5 hash:	c525402f254b542b634faf39f7cd0b8c
humanhash:	high-salami-magazine-network
File name:	DHL_pdf.bat
Download:	download sample
Signature	AZORult Create hunting rule
File size:	741'552 bytes
First seen:	2020-10-21 14:14:38 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep	3072:3GURHdHJaYZ6F9IzZyuiV97LdV0im2keZdQ2k9Hc3/nl6LAHkzI1UfgEA6IIyRQy:3G6RwDk96kADP
Threatray	347 similar samples on MalwareBazaar
TLSH	4BF4723C9ED92637C6BAD676CAF559CBF91179433126AC4E90D703820A03BA77DC211E
Reporter	Racco42
Tags:	AZORult bat

Intelligence

File Origin

# of uploads :

# of downloads :

128

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/74168/

Detection(s):

PUA.Win.Trojan.Generic-6629274-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Using the Windows Management Instrumentation requests

Unauthorized injection to a recently created process

Creating a file

Sending an HTTP POST request

Creating a file in the %temp% subdirectories

Deleting a recently created file

Reading critical registry keys

Stealing user critical data

Result

Threat name:

Azorult

Detection:

malicious

Classification:

phis.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/505986

Signature

.NET source code contains very large strings

Binary contains a suspicious time stamp

Found many strings related to Crypto-Wallets (likely being stolen)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file access)

Yara detected Azorult

Yara detected Azorult Info Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d7aa1d8f05edf7ad03526c1038de354125fa7dda30ada3393a0c08b8f66e53d4/

Threat name:

ByteCode-MSIL.Trojan.Startun

Status:

Malicious

First seen:

2020-10-21 09:05:20 UTC

AV detection:

25 of 28 (89.29%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=26vb3dyf5x322a2snqidrxrvies7u7o2gcw2goj2bqelr5tokpka._file

Verdict:

malicious

Label(s):

azorult

Result

Malware family:

azorult

Score:

10/10

Tags:

spyware discovery trojan infostealer family:azorult

Link:

https://tria.ge/reports/201021-jds1q155aa/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Checks installed software on the system

JavaScript code in executable

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Azorult

Unpacked files

SH256 hash:

d7aa1d8f05edf7ad03526c1038de354125fa7dda30ada3393a0c08b8f66e53d4

MD5 hash:

c525402f254b542b634faf39f7cd0b8c

SHA1 hash:

be733b0d2e33982e448bb95ecbe51ef8bbbde978

Link:

https://www.unpac.me/results/5a4f363c-3653-440e-834e-10d94b6655d8/

SH256 hash:

5834dcc10df75e4e0e4d089e5aa11e1879adc62a3440038da727aceaf1e2da3c

MD5 hash:

8631fd8ac0d4912622b2c4eec1dc9d3c

SHA1 hash:

22ee783c691c288616c3c8b37c5585b9fb233309

Link:

https://www.unpac.me/results/5a4f363c-3653-440e-834e-10d94b6655d8/

SH256 hash:

69723266d9b97a7ef854facaff0a0c91fbe27b0a0dc52e6cedf59c8e4c668024

MD5 hash:

211c46070a2db4d1f45bee0d2948b33a

SHA1 hash:

9552343cf6e26511b1132912d9e709cc2bfd51a5

Link:

https://www.unpac.me/results/5a4f363c-3653-440e-834e-10d94b6655d8/

SH256 hash:

05054e7a82be6c347dab76c5fdc5a2afc0b343797c5554b635f7a21654c6a3b8

MD5 hash:

af225a2034e83e341a382d00ad21e4ff

SHA1 hash:

ad7ca2cfb338ac49b5d23a30055e653e4fc12b18

Detections:

win_azorult_g1

win_azorult_auto

Link:

https://www.unpac.me/results/5a4f363c-3653-440e-834e-10d94b6655d8/

Parent samples :

8e9ebe1cdcabac2e6820fa7a6a7702846adecdb18cd1e83700007e2dc745f5ce
d7aa1d8f05edf7ad03526c1038de354125fa7dda30ada3393a0c08b8f66e53d4

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AZORult

exe d7aa1d8f05edf7ad03526c1038de354125fa7dda30ada3393a0c08b8f66e53d4

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/74168/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample