MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e6a7ac6ef3bd624f8bb3f19e8904331211c6d37b64d1e1a40bf0246b8f301314. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AZORult

Vendor detections: 14

Intelligence 14 IOCs YARA 6 File information Comments

SHA256 hash:	e6a7ac6ef3bd624f8bb3f19e8904331211c6d37b64d1e1a40bf0246b8f301314
SHA3-384 hash:	2ca5d73b0953e57c16f29e3d92a37479e35e05a4f7da8f62a8846d4578dccabc89bf07c9ffc46c12661cc0fc86913d66
SHA1 hash:	193d52cd2f859edcba26e429e8794366f6a16822
MD5 hash:	4563d090652511869535ca150032d8cd
humanhash:	timing-xray-mobile-aspen
File name:	SecuriteInfo.com.W32.AIDetectNet.01.12259.24805
Download:	download sample
Signature	AZORult Create hunting rule
File size:	532'992 bytes
First seen:	2022-05-10 05:41:34 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'752 x AgentTesla, 19'658 x Formbook, 12'248 x SnakeKeylogger)
ssdeep	6144:YmW47RRWXKiIHHmzTqyrei4ZC7rY1ZncsaZTBgaYkISUOaB9VqnKuZt+:YaiyHIGAe7ZO873asStGfqG
Threatray	266 similar samples on MalwareBazaar
TLSH	T19AB4499AB784AA21C1BE7A70B67C3170C3B150D75BA1C35F588294E97B763C93BC06D2
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	SecuriteInfoCom
Tags:	AZORult exe

Intelligence

File Origin

# of uploads :

# of downloads :

1'381

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

azorult

ID:

File name:

SecuriteInfo.com.W32.AIDetectNet.01.12259.24805

Verdict:

Malicious activity

Analysis date:

2022-05-10 05:44:26 UTC

Tags:

azorult

Link:

https://app.any.run/tasks/5ad1f033-c522-4fc8-b1cf-dfbc27b16e60

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.W32.AIDetectNet.01.12259.24805.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Sending a custom TCP request

Unauthorized injection to a recently created process

Creating a file

Сreating synchronization primitives

DNS request

Sending an HTTP GET request

Creating a file in the %temp% subdirectories

Reading critical registry keys

Running batch commands

Creating a process with a hidden window

Launching a process

Stealing user critical data

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed update.exe

Link:

https://www.filescan.io/uploads/6279fb6a4b517e213c28238f/reports/3cde332d-b065-4d60-b055-dac8362b3650/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

AZORult

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/2f8e2cd2-3c98-4c3e-b6a1-869d90d18e48

Result

Threat name:

Azorult

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/990716

Signature

.NET source code contains method to dynamically call methods (often used by packers)

C2 URLs / IPs found in malware configuration

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Azorult

Yara detected Azorult Info Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e6a7ac6ef3bd624f8bb3f19e8904331211c6d37b64d1e1a40bf0246b8f301314/

Threat name:

ByteCode-MSIL.Trojan.ClipBanker

Status:

Malicious

First seen:

2022-05-10 05:42:10 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 26 (80.77%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=42t2y3xtxvre7c5t6gpisbbtcii4nu33mti6djal6asgxdzqcmka._file

Verdict:

malicious

Label(s):

azorult

AZORult

21b45cf293c8b1587d29f4a641b448ff3f817d6c99fa114841858208a0e2ae0a

AZORult

48d29a8519bd574b03306f6c5e47cc9918d204a4a492acf654ce3acafa59498c

AZORult

6e46c37c824f13c573fea62962c995f2e614c4751db1102e842033c176014378

AZORult

abefceafcf523eefa54d0dcbf7911bd1d1e4245d223ed43297a862b3d0d78a90

AZORult

d1ad5fd5f6ed1ca6556b80636b019b020755c7b3586c683fcddeb9688ed0017e

AZORult

+ 256 additional samples on MalwareBazaar

Result

Malware family:

azorult

Score:

10/10

Tags:

family:azorult infostealer suricata trojan

Link:

https://tria.ge/reports/220510-gd1d7saabr/

Behaviour

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Azorult

suricata: ET MALWARE AZORult Variant.4 Checkin M2

suricata: ET MALWARE Win32/AZORult V3.2 Client Checkin M13

suricata: ET MALWARE Win32/AZORult V3.2 Client Checkin M4

Malware Config

C2 Extraction:

https://www.ausvanlines.com.au/cloudflare/index.php

Unpacked files

SH256 hash:

c611a6ceb263401ed18ff93961bd6d0cdf8757e48d8e76b13943e85b9d3b5a0b

MD5 hash:

f9b293305bd04eee511c0ffd0e7f29d7

SHA1 hash:

fd981a9537a903422311f582defc1c8fd97248af

Link:

https://www.unpac.me/results/de918429-835b-4b71-950e-62e96fe56ed0/

SH256 hash:

7d170109f352f251d7ac012882e005b059b0db5ecce7520acf7be2ba8f13792a

MD5 hash:

72403055ee098f50bcc8a238fdbef878

SHA1 hash:

eb5ed9b38f5a23bb00b221acf3f7233aa2e9299d

Link:

https://www.unpac.me/results/de918429-835b-4b71-950e-62e96fe56ed0/

SH256 hash:

de946071f5ce37d7bd121d1d7123a795c6111bb37715139a956110b97b0ba98a

MD5 hash:

ee5770ede963b3444343d074820acf46

SHA1 hash:

8863ca4d0e2f49f93c5325135931a163d652ab73

Link:

https://www.unpac.me/results/de918429-835b-4b71-950e-62e96fe56ed0/

SH256 hash:

53648f78fc66ab620f274d74c0589e5ec211e0b9633cf531ded33ac6f6bb1692

MD5 hash:

b340852cde4e789659e3f53d65954672

SHA1 hash:

5aa775d85110817541c1800d46d2595ef24ae08d

Detections:

win_azorult_g1

win_azorult_auto

Link:

https://www.unpac.me/results/de918429-835b-4b71-950e-62e96fe56ed0/

SH256 hash:

e6a7ac6ef3bd624f8bb3f19e8904331211c6d37b64d1e1a40bf0246b8f301314

MD5 hash:

4563d090652511869535ca150032d8cd

SHA1 hash:

193d52cd2f859edcba26e429e8794366f6a16822

Link:

https://www.unpac.me/results/de918429-835b-4b71-950e-62e96fe56ed0/

Malware family:

AZORult

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/e6a7ac6ef3bd/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e6a7ac6ef3bd624f8bb3f19e8904331211c6d37b64d1e1a40bf0246b8f301314

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Azorult Create hunting rule
Author:	kevoreilly
Description:	Azorult Payload

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers

Rule name:	pe_imphash Create hunting rule

Rule name:	Redline_Stealer_Monitor Create hunting rule
Description:	Detects RedLine Stealer Variants

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	win_azorult_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.azorult.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample