MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 ddbfb1a2ca2a24afe477e841d9bf6ccfd98a1ed0193ea237c31269f26284faa1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
AZORult
Vendor detections: 11
| SHA256 hash: | ddbfb1a2ca2a24afe477e841d9bf6ccfd98a1ed0193ea237c31269f26284faa1 |
|---|---|
| SHA3-384 hash: | 6c32e1f142eddde8823dc472280a3e30ec5edf63d619ff0de40e19b580a061d33bc3d1c6c4fe9288700d196d24eaf92c |
| SHA1 hash: | fc3174321e809b915d052c618949bc51a2ac2fe7 |
| MD5 hash: | 5f90d4fdcfcbc0aec08a72cf0f9d1f89 |
| humanhash: | bravo-zulu-dakota-winter |
| File name: | Linea de credito mensual,pdf.com |
| Download: | download sample |
| Signature | AZORult |
| File size: | 663'384 bytes |
| First seen: | 2020-10-20 14:59:42 UTC |
| Last seen: | 2020-10-26 09:09:00 UTC |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger) |
| ssdeep | 3072:qQUj9rve8l46B11Xjc6VmlVwv943imCR0tFKTXS/de7++LmYcs2:qVjNh5md |
| Threatray | 345 similar samples on MalwareBazaar |
| TLSH | 01E4443CADD9223786BBD6B6CAF555CBF915798331266C4E90DB03820A03B677DC211E |
| Reporter |  abuse_ch |
| Tags: | AZORult com |
abuse_ch
Malspam distributing AZORult:HELO: box0.viajesancecilio.xyz
Sending IP: 137.74.254.14
From: Banco de Chile <info@viajesancecilio.xyz>
Subject: Cartola mensual de línea de crédito
Attachment: Linea de credito mensual,pdf.001 (contains "Linea de credito mensual,pdf.com")
AZORult C2:
http://45.137.22.58/231/index.php
Intelligence
File Origin
# of uploads :
2
# of downloads :
121
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Azorult
Result
Verdict:
Malware
Maliciousness:
Behaviour
Sending a UDP request
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Creating a file
Sending an HTTP POST request
Creating a file in the %temp% subdirectories
Deleting a recently created file
Reading critical registry keys
Stealing user critical data
Result
Threat name:
Azorult
Detection:
malicious
Classification:
phis.spyw.evad
Score:
100 / 100
Signature
.NET source code contains very large strings
Binary contains a suspicious time stamp
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Yara detected Azorult
Yara detected Azorult Info Stealer
Behaviour
Behavior Graph:
Detection:
azorult
Threat name:
Win32.Infostealer.Azorult
Status:
Malicious
First seen:
2020-10-20 11:39:02 UTC
AV detection:
21 of 27 (77.78%)
Threat level:
5/5
Detection(s):
Malicious file
Verdict:
malicious
Label(s):
azorult
Similar samples:
+ 335 additional samples on MalwareBazaar
Result
Malware family:
azorult
Score:
10/10
Tags:
spyware discovery trojan infostealer family:azorult
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks installed software on the system
JavaScript code in executable
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Azorult
Unpacked files
SH256 hash:
ddbfb1a2ca2a24afe477e841d9bf6ccfd98a1ed0193ea237c31269f26284faa1
MD5 hash:
5f90d4fdcfcbc0aec08a72cf0f9d1f89
SHA1 hash:
fc3174321e809b915d052c618949bc51a2ac2fe7
SH256 hash:
b49c72f13ee8bce0cd9605b3ae25edfd4d140bd88cca11dc822c22beab9872f8
MD5 hash:
fdb619f37a93bb3330e32fb259c10919
SHA1 hash:
251de9a3c354ad14489eeabdbed0e27e6a8bad40
Detections:
win_azorult_g1
win_azorult_auto
SH256 hash:
dc7719033b0579becddf109771141b4917da409b6454b5374875a957ed36214f
MD5 hash:
b7ff92098df8f6ffc9016d20e970bd84
SHA1 hash:
4910bef6340c706df1d9ebf48031ab64a41e1ef0
SH256 hash:
e608da0d4f37f9197bc23de86536f03f2011e4b2b7ab7b2c5f5551a639e13a8b
MD5 hash:
ed6eb937deec7dbd389936ceabf4d203
SHA1 hash:
9fc3064487feb50312d5b9c1c3fc32115cc19fd1
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
CoinMiner
Score:
0.60
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Malspam
Delivery method
Distributed via e-mail attachment
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.