MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eaa1f617bd66b443082d5e7f5476edb2b07f62d36c90cc2326543a233c5bca7d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eaa1f617bd66b443082d5e7f5476edb2b07f62d36c90cc2326543a233c5bca7d
SHA3-384 hash: 36a4b017df7571ae2fdc178bf63564439b81157014d95ce7f67732664eb214e5b91df62bf026f0de2917e33c37d99be0
SHA1 hash: 663210dab424acc9e108d784f34aa65f1d0329b4
MD5 hash: 1e7e80dd0880c34fa847e38c07b6db18
humanhash: massachusetts-lima-july-robin
File name:SecuriteInfo.com.Variant.Bulz.265210.19728.32500
Download: download sample
Signature AZORult
Create hunting rule
File size:590'336 bytes
First seen:2020-12-15 02:34:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:T9KfkCDv0cdWDwbMjE6lu9GYzNJ1bpQZMkYrXMs0Ma0cWe:UzDv6D3jM0YzpFwjs0Mjc
Threatray 1'487 similar samples on MalwareBazaar
TLSH 6EC4E0323245B912D27E4E72C82220400E217F775A75E64B6DC521DE64FF778BA92FA3
Reporter SecuriteInfoCom
Tags:AZORult

Intelligence

File Origin
# of uploads :
1
# of downloads :
236
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Variant.Bulz.265210.19728.32500
Verdict:
Malicious activity
Analysis date:
2020-12-15 02:37:22 UTC
Tags:
trojan rat azorult
Link:
https://app.any.run/tasks/47d1ae6a-1e6c-4f7c-b2e3-e785d3fd4074

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Azorult
Create hunting rule
Link:
https://www.capesandbox.com/analysis/108068/
Detection(s):
SecuriteInfo.com.Variant.Bulz.265210.19728.32500.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AZORult
Create hunting rule
Detection:
malicious
Classification:
phis.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/562813
Signature
.NET source code contains potential unpacker
Binary contains a suspicious time stamp
Detected AZORult Info Stealer
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Yara detected AntiVM_3
Yara detected Azorult
Yara detected Azorult Info Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 330496 Sample: SecuriteInfo.com.Variant.Bu... Startdate: 15/12/2020 Architecture: WINDOWS Score: 100 31 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->31 33 Malicious sample detected (through community Yara rule) 2->33 35 Multi AV Scanner detection for submitted file 2->35 37 8 other signatures 2->37 6 SecuriteInfo.com.Variant.Bulz.265210.19728.exe 3 2->6         started        process3 file4 19 SecuriteInfo.com.V...65210.19728.exe.log, ASCII 6->19 dropped 39 Detected AZORult Info Stealer 6->39 41 Injects a PE file into a foreign processes 6->41 10 SecuriteInfo.com.Variant.Bulz.265210.19728.exe 62 6->10         started        15 SecuriteInfo.com.Variant.Bulz.265210.19728.exe 6->15         started        17 SecuriteInfo.com.Variant.Bulz.265210.19728.exe 6->17         started        signatures5 process6 dnsIp7 29 158.101.17.239, 49716, 49722, 80 ORACLE-BMC-31898US United States 10->29 21 C:\Users\user\AppData\...\vcruntime140.dll, PE32 10->21 dropped 23 C:\Users\user\AppData\Local\...\ucrtbase.dll, PE32 10->23 dropped 25 C:\Users\user\AppData\Local\...\softokn3.dll, PE32 10->25 dropped 27 45 other files (none is malicious) 10->27 dropped 43 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 10->43 45 Tries to steal Instant Messenger accounts or passwords 10->45 47 Tries to steal Mail credentials (via file access) 10->47 49 2 other signatures 10->49 file8 signatures9
Detection:
azorult
Create hunting rule
Link:
https://mwdb.cert.pl/sample/eaa1f617bd66b443082d5e7f5476edb2b07f62d36c90cc2326543a233c5bca7d/
Threat name:
ByteCode-MSIL.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2020-12-12 23:02:45 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5kq7mf55m22egcbnlz7vi5xnwkyh6ywtnsimyizgkq5cgpc3zj6q._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
Similar samples:
0551fabde9ea1dec88af8ba81606bc58d4a5c0dded60543cc5bcfeec0fe96d2b
AZORult
2c80f61e5c61bb87be9e2d60e69093bcb5082fc690fcd751be787dbd118d5e57
AZORult
62ddfbbb9039c0671aa08af5d0fdd0fe949eb96e435c631a57e931e4b19743a9
AZORult
655455e4c04c7fd6e624b752797305264093264c08b0ab45ebfceee5f7abbc66
AZORult
a42efc31e09f7b51c6f7038b4d12f2fa66b233dfe8e2edf811d439617246d03e
AZORult
bca4b6e9f14cb4d84674d2f4db286e0ea692f68e8b1d906d04ced807556c6174
AZORult
ce06efe2c18c75da9d9535b4328677f4136a3f04ea666d037bf55dce7c9b7c57
AZORult
ed15459a7fd8570fc69235cac35dbe1617fa919c6c09a1978df30952b2af53b1
AZORult
ff0dbe5f85b9f46b03fbfe6feef5c0130faf814614e7280ca0d55eb23948a4eb
AZORult
ff2a69d6c6bf6bce9060d0570e2aec5f88a964c46736e3860152895cf94449f2
AZORult
+ 1'477 additional samples on MalwareBazaar
Result
Malware family:
azorult
Create hunting rule
Score:
  10/10
Tags:
family:azorult infostealer trojan
Link:
https://tria.ge/reports/201215-91f7hvvb1x/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Azorult
Malware Config
C2 Extraction:
http://158.101.17.239/index.php
Unpacked files
SH256 hash:
eaa1f617bd66b443082d5e7f5476edb2b07f62d36c90cc2326543a233c5bca7d
MD5 hash:
1e7e80dd0880c34fa847e38c07b6db18
SHA1 hash:
663210dab424acc9e108d784f34aa65f1d0329b4
Link:
https://www.unpac.me/results/0322f24f-06a4-4050-aa97-68de4ee61419/
SH256 hash:
c88a66cbf00b12c88e2b970b8bc220e970e8465e56098ced24e97d42be901b94
MD5 hash:
a60401dc02ff4f3250a749965097e13f
SHA1 hash:
3f22d28fd765f831084cb972a8bd071e421c26a1
Link:
https://www.unpac.me/results/0322f24f-06a4-4050-aa97-68de4ee61419/
SH256 hash:
54e4c4fe7865c82e0618412a20f7c91c1caecfbc83bfec9511760024c4fe696d
MD5 hash:
755574dd14a5ff8b2c8318dfbc51f402
SHA1 hash:
6be056f47bc145c9c830587d589f8b9e9fec4b8b
Link:
https://www.unpac.me/results/0322f24f-06a4-4050-aa97-68de4ee61419/
SH256 hash:
23f2da1994037bd82afbb16d4951adb987d408142ef664d2f6c7a7623ed7ee01
MD5 hash:
0b9034574c3e33c749f19ff22320f210
SHA1 hash:
ba66f5f1c127984d7c8a285bc21f628aa68fc29d
Detections:
win_azorult_g1
Create hunting rule
win_azorult_auto
Create hunting rule
Link:
https://www.unpac.me/results/0322f24f-06a4-4050-aa97-68de4ee61419/
Parent samples :
7f40a863463fc20c605514cc5e1f26a0f2a122aebd1bf9a442e92ef562545c12
eaa1f617bd66b443082d5e7f5476edb2b07f62d36c90cc2326543a233c5bca7d
6e6e0aaffbc70afb34b5413bdbbaa51271e5d369e11174e0173fb0f58d227a21
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/eaa1f617bd66b443082d5e7f5476edb2b07f62d36c90cc2326543a233c5bca7d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AZORult

Executable exe eaa1f617bd66b443082d5e7f5476edb2b07f62d36c90cc2326543a233c5bca7d

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/108068/
  
URLhaus
https://urlhaus.abuse.ch/url/919165/
  
Delivery method
Distributed via web download

Comments