MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e4649c5b452d75aa2cdfdb8bffed9dd6c558d3cb1225c877bf570abb7b106221. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 9 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e4649c5b452d75aa2cdfdb8bffed9dd6c558d3cb1225c877bf570abb7b106221
SHA3-384 hash: d0616648b9f3f5844e735c1daf6a52673cba269ca860a8b89f639cd2dede0b414834cb931aa0c5e706f42c74edd57962
SHA1 hash: 9c13ea485984c9e75196c4d0bd871b1b7dc72017
MD5 hash: a3cc781be4a0cc75f14ce69b59f8c99f
humanhash: virginia-wyoming-august-kilo
File name:a3cc781be4a0cc75f14ce69b59f8c99f
Download: download sample
Signature AZORult
Create hunting rule
File size:1'056'768 bytes
First seen:2021-11-13 18:05:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 38bbd7b6af738c50eec8bb509ccc9556 (3 x RaccoonStealer, 1 x AZORult)
ssdeep 24576:FgPhv3voosHbE01/LrSxgIvEoTJ4mS/Xr5XrHS:SvoDbX9k4oTJ4mSY
Threatray 7'178 similar samples on MalwareBazaar
TLSH T1282501152CBB0163E01649B04FA185FA2B7EFC2375655D0FE784FD4814A3A4AA8E277F
Reporter zbetcheckin
Tags:32 AZORult exe

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://185.163.47.175/ https://threatfox.abuse.ch/ioc/247972/

Intelligence

File Origin
# of uploads :
1
# of downloads :
318
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Vidar
Create hunting rule
Link:
https://www.capesandbox.com/analysis/205467/
Detection(s):
Win.Trojan.VBGeneric-9903884-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Connection attempt to an infection source
Sending an HTTP POST request to an infection source
Launching the default Windows debugger (dwwin.exe)
Creating a file
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Query of malicious DNS domain
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug anti-vm greyware hacktool obfuscated packed raccoon razy
Link:
https://www.filescan.io/uploads/618ffe8da00afa9663a66862/reports/b3d95aca-07a6-4ac3-a0bf-e574a2d9f97d/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7895a1b3-dd73-4038-bdd5-d5cac98ec1de
Result
Threat name:
Azorult Raccoon Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/888575
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to steal Internet Explorer form passwords
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Azorult
Yara detected Azorult Info Stealer
Yara detected Raccoon Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 521047 Sample: tHQK2oxFRw Startdate: 13/11/2021 Architecture: WINDOWS Score: 100 38 colonna.ac.ug 2->38 44 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->44 46 Multi AV Scanner detection for domain / URL 2->46 48 Found malware configuration 2->48 50 10 other signatures 2->50 8 tHQK2oxFRw.exe 16 2->8         started        signatures3 process4 file5 30 C:\Users\user\AppData\Local\...\fsacvbe.exe, PE32 8->30 dropped 32 C:\Users\user\AppData\Local\...\cbvdsme.exe, PE32 8->32 dropped 52 Contains functionality to steal Internet Explorer form passwords 8->52 54 Maps a DLL or memory area into another process 8->54 12 fsacvbe.exe 4 8->12         started        15 cbvdsme.exe 4 8->15         started        17 tHQK2oxFRw.exe 8->17         started        signatures6 process7 dnsIp8 56 Antivirus detection for dropped file 12->56 58 Multi AV Scanner detection for dropped file 12->58 60 Machine Learning detection for dropped file 12->60 62 Maps a DLL or memory area into another process 12->62 20 fsacvbe.exe 12 12->20         started        23 cbvdsme.exe 15->23         started        34 91.219.236.162, 80 SERVERASTRA-ASHU Hungary 17->34 36 185.163.47.176, 80 MIVOCLOUDMD Moldova Republic of 17->36 signatures9 process10 dnsIp11 40 colonna.ac.ug 185.215.113.77, 49759, 49766, 80 WHOLESALECONNECTIONSNL Portugal 20->40 42 colonna.ug 20->42 26 C:\ProgramData\sqlite3.dll, PE32 23->26 dropped 28 C:\ProgramData\softokn3.dll, PE32 23->28 dropped file12
Detection:
azorult
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e4649c5b452d75aa2cdfdb8bffed9dd6c558d3cb1225c877bf570abb7b106221/
Threat name:
Win32.Trojan.Raccoon
Create hunting rule
Status:
Malicious
First seen:
2021-11-13 13:36:47 UTC
AV detection:
26 of 28 (92.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4rsjyw2ffv22ulg73of773m523cvru6lcis4q557k4flw6yqmiqq._file
Verdict:
malicious
Similar samples:
4da160dc1a5e5f2f2e0dee7ab9ccd3a522e34bbef2d602f35525b788f3afee2a
AZORult
5edb1348236c7fa03dae6c9e2d3c9e4241c2eaa2a8721e5c4b78abc9b66075f8
AZORult
b594ae37dfb90a402bda0803680b455ababcc67e1add26f3c3f8f192d97dbe2a
AZORult
bd3cefcbb135df48caee6888747542a304c4706e24e93492c481201c556bf334
AZORult
ccd5ab291113bf69fcbccee8ab889c9cf5a0d0240feed43b73785497ace3c467
AZORult
d3abda3195fac1ac78486e29fa82d05a3e3bbcba22aa29191dfc21926e027db7
AZORult
e688db3d0be7a10fa8ddd79918265cac9ef0949d7d07072f82aff9ae43d6fadb
AZORult
+ 7'168 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:azorult family:oski family:raccoon botnet:7632dffeb03da57edca98c8bfb2611868e8eb0a7 discovery infostealer spyware stealer suricata trojan
Link:
https://tria.ge/reports/211113-wprc1accek/
Behaviour
Checks processor information in registry
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Azorult
Oski
Raccoon
Suspicious use of NtCreateProcessExOtherParentProcess
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M18
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M6
Malware Config
C2 Extraction:
colonna.ac.ug
http://195.245.112.115/index.php
Unpacked files
SH256 hash:
4acfde54e2434bf24274d261fca413da9add6370e6f5b44cac84686e62da4dc2
MD5 hash:
efea80259558bc1341214c08ad137b7f
SHA1 hash:
3259c60bb7be918f53c22b5cea3e4f388f943699
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/eb5deecb-ce4b-4fa1-842d-3ca67a97a98f/
Parent samples :
e4649c5b452d75aa2cdfdb8bffed9dd6c558d3cb1225c877bf570abb7b106221
9f1829d274764862ecbac58a299f20376c4f5e7c725de68bc94ea768724906f6
SH256 hash:
de935307fbbc804ea6b95dc49e26202e340b00f62430d5a06fca57a12fd951d3
MD5 hash:
cfd5e90c10536c9803ead21ddfc6fe5b
SHA1 hash:
e0ce84a3b6bcc72dfa247d4c31cc7e8e2a826a1d
Detections:
win_azorult_g1
Create hunting rule
win_azorult_auto
Create hunting rule
Link:
https://www.unpac.me/results/eb5deecb-ce4b-4fa1-842d-3ca67a97a98f/
SH256 hash:
30a1a2f6f5e2f7a43d995134158e2d502dd8a0c9abb36bcd360cde3f47fc4c22
MD5 hash:
8a5e38c72e3cbdc04ea66e5bcd7b369f
SHA1 hash:
c19fc4ae4e91d03f1b94e6d60de2d84193630c2b
Detections:
win_oski_g0
Create hunting rule
win_oski_auto
Create hunting rule
Link:
https://www.unpac.me/results/eb5deecb-ce4b-4fa1-842d-3ca67a97a98f/
SH256 hash:
e4649c5b452d75aa2cdfdb8bffed9dd6c558d3cb1225c877bf570abb7b106221
MD5 hash:
a3cc781be4a0cc75f14ce69b59f8c99f
SHA1 hash:
9c13ea485984c9e75196c4d0bd871b1b7dc72017
Link:
https://www.unpac.me/results/eb5deecb-ce4b-4fa1-842d-3ca67a97a98f/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Azorult
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Azorult in memory
Reference:internal research
Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:MALWARE_Win_Raccoon
Create hunting rule
Author:ditekSHen
Description:Raccoon stealer payload
Rule name:MALWARE_Win_Vidar
Create hunting rule
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:Vidar
Create hunting rule
Author:kevoreilly
Description:Vidar Payload
Rule name:win_azorult_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.azorult.
Rule name:win_oski_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.oski.
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AZORult

Executable exe e4649c5b452d75aa2cdfdb8bffed9dd6c558d3cb1225c877bf570abb7b106221

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/399075/
  
URLhaus
https://urlhaus.abuse.ch/url/1746809/
  
URLhaus
https://urlhaus.abuse.ch/url/265919/
  
URLhaus
https://urlhaus.abuse.ch/url/1746814/
  
URLhaus
https://urlhaus.abuse.ch/url/437013/
  
URLhaus
https://urlhaus.abuse.ch/url/446434/
  
URLhaus
https://urlhaus.abuse.ch/url/1746813/
  
URLhaus
https://urlhaus.abuse.ch/url/1746815/
  
URLhaus
https://urlhaus.abuse.ch/url/1746806/
  
URLhaus
https://urlhaus.abuse.ch/url/1746807/
Cape
Cape
https://www.capesandbox.com/analysis/205467/

Comments


Avatar
zbet commented on 2021-11-13 18:05:16 UTC

url : hxxp://matisaas.ac.ug/asdf.EXE