MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e3a406607f9de0b40935b0838b40f60dee58f63e69490f7dd9320d0e3293153c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e3a406607f9de0b40935b0838b40f60dee58f63e69490f7dd9320d0e3293153c
SHA3-384 hash: 56588f1858fe9cbc968e3ecf4a4fb9b6b87b0711f3b71485064de577dc3ed636ea756255c79949351f40162999094f32
SHA1 hash: 66e9027b0d4d223315af4ffb4579b4763c9a281e
MD5 hash: aa8c860b523bd4cbcf9fa48074c73489
humanhash: nebraska-enemy-connecticut-hydrogen
File name:helper1.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:225'752 bytes
First seen:2024-01-21 17:30:40 UTC
Last seen:2024-01-21 19:27:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e1ed1b87d365b2ea75670bba09649dc7 (11 x AZORult)
ssdeep 3072:YmLd2f5yZBRE34J8Quhn0o2lGPetr2MVlGjtB257XNITvPv1RpGFI58tf3m4sf+h:x5EOb38QS2/ZlGPq7W7vElXqfNp
TLSH T1BD246C99B0E6D431FBB01E304CA3B56B767CF9347FA29E63224C07765E662C094325DA
TrID 40.3% (.EXE) Win64 Executable (generic) (10523/12/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4505/5/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter rmceoin
Tags:AZORult exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
359
Origin country :
US US
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/472082/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader46.42360.736.27404.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
azorult overlay packed zusy
Link:
https://www.filescan.io/uploads/65ad54d72719859bc7924e1c/reports/80368516-a14d-4066-b5db-b74a7ca76526/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/e3a406607f9de0b40935b0838b40f60dee58f63e69490f7dd9320d0e3293153c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3b6e7b6b-5cf6-437d-a923-9573c6365d90
Result
Threat name:
AZORult++
Create hunting rule
Detection:
malicious
Classification:
bank.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1378323
Signature
Antivirus detection for URL or domain
Contain functionality to detect virtual machines
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Detected AZORult++ Trojan
Detected unpacking (creates a PE file in dynamic memory)
Found evasive API chain (may stop execution after checking mutex)
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e3a406607f9de0b40935b0838b40f60dee58f63e69490f7dd9320d0e3293153c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e3a406607f9de0b40935b0838b40f60dee58f63e69490f7dd9320d0e3293153c/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2024-01-19 17:41:42 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
23 of 38 (60.53%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4osamyd7txqlicjvwcbywqhwbxxfr5r6nfeq67ozgigq4mutcu6a._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/240121-v3pkwsffg2/
Behaviour
Suspicious use of AdjustPrivilegeToken
Unpacked files
SH256 hash:
1a06c11cd356c402f74b3d69c62220c0e2ec9f17779d2302118ec1d5bc3cd0ca
MD5 hash:
cf05cdfd2e97c6e2dba85de01c651ee4
SHA1 hash:
fec9b29e59051c40b5b78ebce0325b853e74274d
Link:
https://www.unpac.me/results/9dcdc14d-2d98-4016-bdc9-cde830c49045/
SH256 hash:
e3a406607f9de0b40935b0838b40f60dee58f63e69490f7dd9320d0e3293153c
MD5 hash:
aa8c860b523bd4cbcf9fa48074c73489
SHA1 hash:
66e9027b0d4d223315af4ffb4579b4763c9a281e
Link:
https://www.unpac.me/results/9dcdc14d-2d98-4016-bdc9-cde830c49045/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

AZORult

zip dd4612be6e9a57ea8b9ac95cfc1db5bf7b4b05b3ac837c582cddbd7f1e7aed93

AZORult

Shortcut (lnk) lnk 9b1a84b656f463c30a9e69bdd88c8e268354b3b3eccdd72725779517c016e464

AZORult

Java Script (JS) js 2fc9c32a7a88ad193cf3d24d25a93ddec1f20141a2d50fd68f5c77115abff5e8

AZORult

PowerShell (PS) ps1 f61e953b18744be06991184c5d58a618ebcdb53c4a64ed0236e9e9300eb2aacf

AZORult

Executable exe e3a406607f9de0b40935b0838b40f60dee58f63e69490f7dd9320d0e3293153c

(this sample)

  
Dropped by
SHA256 f61e953b18744be06991184c5d58a618ebcdb53c4a64ed0236e9e9300eb2aacf
  
Delivery method
Distributed via e-mail link
Cape
Cape
https://www.capesandbox.com/analysis/472082/
  
Dropped by
MD5 6fffe8bb1d9464d007d32d886bce0817

Comments


Avatar
commented on 2024-01-21 19:37:18 UTC

E-mail link was hXXps://docs2.e-fax[.]org/file_download/20053234343365/eFax_statement_Jan_2024.pdf