MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d9f20fbf64170d65d1a1f2fd66a997913cab8ddb1389df8b1fd1e7ae0f1d0b5b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 18


Intelligence 18 IOCs YARA 13 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d9f20fbf64170d65d1a1f2fd66a997913cab8ddb1389df8b1fd1e7ae0f1d0b5b
SHA3-384 hash: 0a5eb8e7bb566beb16bcefee8dd71eeb19d1608415581df7db006e35e81e2742bffee1e2ec915ef603a535e31fa6c1a9
SHA1 hash: f410048ce061a747048dee6166ef001a6448871d
MD5 hash: 043fe9d1a841d94435f8882125769b0c
humanhash: magnesium-queen-avocado-sierra
File name:cHSzTDjVl.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:114'688 bytes
First seen:2025-02-04 05:11:56 UTC
Last seen:2025-02-21 18:14:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6d1f2b41411eacafcf447fc002d8cb00 (141 x AZORult)
ssdeep 3072:KExRaX6raoCoCyz6/mqv1JR+yBtGOeheWgin8q:faZ1tme+1winj
Threatray 1'140 similar samples on MalwareBazaar
TLSH T1F1B3196EF7C19277D02408BDCD45A1B9907975302E391822F7E64F6CD8F96C2AA6C2C7
TrID 34.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
23.4% (.EXE) Win32 Executable (generic) (4504/4/1)
10.8% (.EXE) Win16/32 Executable Delphi generic (2072/23)
10.5% (.EXE) OS/2 Executable (generic) (2029/13)
10.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter lontze7
Tags:AZORult exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
541
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
azorult
Create hunting rule
ID:
1
File name:
cHSzTDjVl.exe
Verdict:
Malicious activity
Analysis date:
2025-02-04 05:27:19 UTC
Tags:
azorult loader
Link:
https://app.any.run/tasks/a862b508-1111-40c4-bca9-7ed0c7a15869

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Malware.Delf-6957976-0
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67a1a2e62dcee78dd8194921
Tags:
gandcrab azorult delphi
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
azorult azorult borland_delphi config-extracted fingerprint obfuscated stealer
Link:
https://www.filescan.io/uploads/67a1a1acb72e1314bcda0e09/reports/d2abd451-3475-48ef-9310-fc6ec94657c3/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/d9f20fbf64170d65d1a1f2fd66a997913cab8ddb1389df8b1fd1e7ae0f1d0b5b
Malware family:
AZORult
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f00dc3d2-1e2c-4635-b5f0-588d97c992e9
Result
Threat name:
Azorult
Create hunting rule
Detection:
malicious
Classification:
troj.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1606208
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Joe Sandbox ML detected suspicious sample
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Azorult
Yara detected Azorult Info Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d9f20fbf64170d65d1a1f2fd66a997913cab8ddb1389df8b1fd1e7ae0f1d0b5b
Detection:
azorult
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d9f20fbf64170d65d1a1f2fd66a997913cab8ddb1389df8b1fd1e7ae0f1d0b5b/
Threat name:
Win32.Infostealer.CoinStealer
Create hunting rule
Status:
Malicious
First seen:
2020-05-08 02:03:45 UTC
File Type:
PE (Exe)
AV detection:
36 of 38 (94.74%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3hza7p3ec4gwlunb6l6wnkmxse6kxdo3coe57cy72ht24dy5bnnq._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
Similar samples:
084fec54089b798a4eafa125383f09f1cdad29740f811fb531910ada45e240b4
AZORult
3741262cdeb955637773e8bd3523fd293bdaca536a526d49c904d059fb050ec4
AZORult
51576193c87090f830b90827e9266565e9b7dd293d4818ea92e9538d68386e2b
AZORult
59fd177d8ed9ec3a4d49921b01a4735f1570b30fce0ea4da72ba08ab3c71c33f
AZORult
62eae1f670683a10909351d0dba4c6cbdadd53c056fe54d1c11198a7b9f967e5
AZORult
79a6964806cf9e832360392ab362f4d8017952a270aefa427e66dd418772bc6b
AZORult
7f2270d10eb36c07d9b7d52ca7e5e7a863db20902636441de143b90358eec19f
AZORult
857fdcbc6dc3c73177aab9f4dab6ea755bdbebdcddee233202b11bf02df919ed
AZORult
a4c57df59f0c85eebcb7b40263d8c3de037f41b7d2d43b6d34e7baf72a2e1448
AZORult
d8533da46ecbcdce04357af7dfcc97417efc0f3e223a2718814bf76fc26c979a
AZORult
+ 1'130 additional samples on MalwareBazaar
Result
Malware family:
azorult
Create hunting rule
Score:
  10/10
Tags:
family:azorult discovery infostealer trojan
Link:
https://tria.ge/reports/250204-fvx5qswpgs/
Behaviour
System Location Discovery: System Language Discovery
Azorult
Azorult family
Malware Config
C2 Extraction:
http://195.245.112.115/index.php
Verdict:
Malicious
Tags:
stealer azorult Win.Malware.Delf-6957976-0
YARA:
malware_Azorult Azorult_Payload Windows_Trojan_Azorult_38fce9ea EXE_Stealer_Azorult_March2024 JPCERTCC_Azorult_1
Link:
https://app.threat.zone/submission/466dfef2-af4a-4beb-849d-1abe8cfbf41a
Unpacked files
SH256 hash:
d9f20fbf64170d65d1a1f2fd66a997913cab8ddb1389df8b1fd1e7ae0f1d0b5b
MD5 hash:
043fe9d1a841d94435f8882125769b0c
SHA1 hash:
f410048ce061a747048dee6166ef001a6448871d
Detections:
win_azorult_auto
Create hunting rule
win_azorult_g1
Create hunting rule
Azorult
Create hunting rule
Link:
https://www.unpac.me/results/379852bc-1eb2-41fe-928f-b6bae8663ed1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d9f20fbf64170d65d1a1f2fd66a997913cab8ddb1389df8b1fd1e7ae0f1d0b5b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Azorult
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Azorult in memory
Reference:internal research
Rule name:azorult
Create hunting rule
Author:c3rb3ru5
Description:Azorult Configuration Extractor
Rule name:Azorult
Create hunting rule
Author:kevoreilly
Description:Azorult Payload
Rule name:BobSoftMiniDelphiBoBBobSoft
Create hunting rule
Author:malware-lu
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:EXE_Stealer_Azorult_March2024
Create hunting rule
Author:Yashraj Solanki - Cyber Threat Intelligence Analyst at Bridewell
Rule name:malware_Azorult
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Azorult in memory
Reference:internal research
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Trojan_W32_Gh0stMiancha_1_0_0
Create hunting rule
Rule name:Windows_Trojan_Azorult_38fce9ea
Create hunting rule
Author:Elastic Security
Rule name:win_azorult_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AZORult

Executable exe d9f20fbf64170d65d1a1f2fd66a997913cab8ddb1389df8b1fd1e7ae0f1d0b5b

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3427293/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User Authorizationadvapi32.dll::FreeSid
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryExW
kernel32.dll::LoadLibraryA
kernel32.dll::GetSystemInfo
kernel32.dll::GetStartupInfoA
kernel32.dll::GetCommandLineA
WIN_BASE_IO_APICan Create Fileskernel32.dll::CopyFileW
kernel32.dll::CreateDirectoryW
kernel32.dll::DeleteFileW
kernel32.dll::GetFileAttributesW
kernel32.dll::FindFirstFileW
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegOpenKeyExA
advapi32.dll::RegQueryValueExA

Comments