MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e87856cc1fe76353e5ca3957aa6951f957c6d097407fcc1258ae3d72c8d923b7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e87856cc1fe76353e5ca3957aa6951f957c6d097407fcc1258ae3d72c8d923b7
SHA3-384 hash: dcd236c9280a24bd95490a7b06f10dc91b76aea8a978845f3f864c2bff284c9b81da74a9ae672cd8540c4921b59822dd
SHA1 hash: c6daa783428bc85f48f5b3d906b56e13d10ec7eb
MD5 hash: bc6e81255131133a0f8e9ea4cea63d1a
humanhash: seven-colorado-earth-eighteen
File name:Halkbank_Ekstre_20220421_074418_439888.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:252'687 bytes
First seen:2022-04-21 14:00:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 56a78d55f3f7af51443e58e0ce2fb5f6 (720 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep 3072:I1NjcVVnLpPuDBeSLUnDX97XmmmibuDyxP+CXAJ1D2mbdObeZjtw27rpOKyfsP:sNeZgUgUnlmmmcwlCX+qAOYtw2xa+
Threatray 4'979 similar samples on MalwareBazaar
TLSH T19F34E052B26CC293D4E69771CDBFA4F716E83C16C6611D0732E07E2E3872341DA0AB66
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 00c4aabab2ca0082 (1 x AZORult)
Reporter abuse_ch
Tags:AZORult exe geo Halkbank TUR

Intelligence

File Origin
# of uploads :
1
# of downloads :
1'460
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/265479/
Detection(s):
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.6896.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Сreating synchronization primitives
DNS request
Sending an HTTP POST request
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a recently created process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/626163bb482f2f41cae0bec5/reports/29ecbb2f-3c77-4540-b29a-6a57d3bea3e0/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AZORult
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1b14c1d2-da3b-4ccc-9e81-99c57c93c391
Result
Threat name:
Azorult
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/980762
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Yara detected Azorult
Yara detected Azorult Info Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 613257 Sample: Halkbank_Ekstre_20220421_07... Startdate: 21/04/2022 Architecture: WINDOWS Score: 100 30 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->30 32 Multi AV Scanner detection for domain / URL 2->32 34 Found malware configuration 2->34 36 7 other signatures 2->36 7 Halkbank_Ekstre_20220421_074418_439888.exe 18 2->7         started        process3 file4 18 C:\Users\user\AppData\Local\Temp\lwkcbv.exe, PE32 7->18 dropped 10 lwkcbv.exe 7->10         started        process5 signatures6 38 Performs DNS queries to domains with low reputation 10->38 40 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 10->40 42 Injects a PE file into a foreign processes 10->42 13 lwkcbv.exe 62 10->13         started        process7 dnsIp8 28 e4v5sa.xyz 104.21.20.176, 49723, 49737, 80 CLOUDFLARENETUS United States 13->28 20 C:\Users\user\AppData\...\vcruntime140.dll, PE32 13->20 dropped 22 C:\Users\user\AppData\Local\...\ucrtbase.dll, PE32 13->22 dropped 24 C:\Users\user\AppData\Local\...\softokn3.dll, PE32 13->24 dropped 26 45 other files (none is malicious) 13->26 dropped 44 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 13->44 46 Tries to steal Instant Messenger accounts or passwords 13->46 48 Tries to steal Mail credentials (via file / registry access) 13->48 50 4 other signatures 13->50 file9 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e87856cc1fe76353e5ca3957aa6951f957c6d097407fcc1258ae3d72c8d923b7/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-04-21 14:01:11 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5b4fnta745rvhzokhfl2u2kr7fl4nuexib74yesyvy6xfsgzeo3q._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
Similar samples:
3b1fd9ce0c20b167a2367191a5129c5f635869f6a87f473cfe083e67d7f7465b
AZORult
45c4cb9db8a4df096e2bea7edc05e5e1b5dad5fa753b7c17d260297b6ee6ff6d
AZORult
4a4a4c441355bbf90def9ab2aec89335f93237487e670df04b3d63c65b5be25a
AZORult
9742316e3734c943eed54ea0ab9d8fa857db256aca5c7f7cf5577a9cae79102b
AZORult
d5b6b2bd84328605e8025e1a15a6cbd00a334e0688688ad3217ce0afa010cfcf
AZORult
e325188649a8eef76951cc308fd75f0d0101887f482dc45a4a6f2a920c71d3c6
AZORult
+ 4'969 additional samples on MalwareBazaar
Result
Malware family:
azorult
Create hunting rule
Score:
  10/10
Tags:
family:azorult infostealer trojan
Link:
https://tria.ge/reports/220421-rbjnsaeed6/
Behaviour
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Loads dropped DLL
Executes dropped EXE
Azorult
Malware Config
C2 Extraction:
http://e4v5sa.xyz/PL341/index.php
Unpacked files
SH256 hash:
025e6468ba144f2c0280a2f546f5afda1ec9ee80bc44573beee465dc511cb1cd
MD5 hash:
4c43e33242129a9891324a5f10e8884b
SHA1 hash:
8a81f9bcfe7c25089ca454d420949866499c3e85
Detections:
win_azorult_g1
Create hunting rule
win_azorult_auto
Create hunting rule
Link:
https://www.unpac.me/results/256c111a-91df-42cb-9cfb-89f7708b4b55/
Parent samples :
546af5248d01e7d2b994944e9dd69ce8de7259515b898f1b8d1f6d811c62b1cc
60ad58a938752fff5d6e9442d529fe21b5ecca6166ba78f68ec5c810f6285649
fd91dbad2d19d5d622b97cb01a25d79748358664a5d26c7a81fd9031ece7777a
6f3fcb5289438681db409f8a18947f00d89c08029bcf44f1b32b1bca33a3995e
7280219358589f5dbfb3cf116f6ad152671b451f210c563fce287959283e8334
e87856cc1fe76353e5ca3957aa6951f957c6d097407fcc1258ae3d72c8d923b7
5f72024cc8a15038a120024eda6225ea45982eb8d5f37ab49d0b7b0391e9b8b2
c366d2e91be8589969d0a9ada092f3d1ba5586e2394ce811ba6ce06e00866359
2f81e8b71640e7b5770deccc56c23d75240c34a5914dcb138ec2972e624a0f03
36d24df14c30587bab4aec2992cd86d258d0245f01781abb57241005282a8f7e
SH256 hash:
f8c14fbce31f3fc8ae816f9f6ac50c14d55a9689e0bcaf8b55152d081fd1c2a5
MD5 hash:
aaa2ef7131d588fa6f96a645f0bdb8a2
SHA1 hash:
800a9badf314335ea00e9926b2217a6335b106b7
Link:
https://www.unpac.me/results/256c111a-91df-42cb-9cfb-89f7708b4b55/
SH256 hash:
e87856cc1fe76353e5ca3957aa6951f957c6d097407fcc1258ae3d72c8d923b7
MD5 hash:
bc6e81255131133a0f8e9ea4cea63d1a
SHA1 hash:
c6daa783428bc85f48f5b3d906b56e13d10ec7eb
Link:
https://www.unpac.me/results/256c111a-91df-42cb-9cfb-89f7708b4b55/
Malware family:
AZORult v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e87856cc1fe7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e87856cc1fe76353e5ca3957aa6951f957c6d097407fcc1258ae3d72c8d923b7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/265479/

Comments