MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eba13d2d3a2217296afb54dce9203015253967359181ddee11f7c456a4521c43. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eba13d2d3a2217296afb54dce9203015253967359181ddee11f7c456a4521c43
SHA3-384 hash: f9290b32ec6b8f3eb08055b1f3e51557a9c39ec4805567845cda5d2e93ca6fd5fcd0d8488a739cddf6f9f3a1351671a8
SHA1 hash: a36dcbdcc914cfcc7fce2e0587d597b9b1710227
MD5 hash: a1a37dc2bab00e0e4c125b068de78371
humanhash: london-william-july-texas
File name:Scan01.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:563'473 bytes
First seen:2021-06-03 14:43:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep 6144:GQqmyrZ4n/vFUyXD/QAD20ZC5kBYnx6YDZLSNzqzM2sCp:7yrZ4n/dUG/QAVZjYnQSuL2sCp
Threatray 1'274 similar samples on MalwareBazaar
TLSH C0C49EC8A788A891E8148DB804B1BE18537F5D5DEA5E4887119CF39F8BF1E8152CDDBC
Reporter James_inthe_box
Tags:AZORult exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
341
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Scan01.exe
Verdict:
Malicious activity
Analysis date:
2021-06-03 14:44:47 UTC
Tags:
installer trojan rat azorult
Link:
https://app.any.run/tasks/925be730-b3e9-4d28-9349-8242055c6285

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Azorult
Create hunting rule
Link:
https://www.capesandbox.com/analysis/164434/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a file
Sending a UDP request
Launching a process
DNS request
Sending an HTTP POST request
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Azorult
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/796769
Signature
C2 URLs / IPs found in malware configuration
DLL side loading technique detected
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected Azorult
Yara detected Azorult Info Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/eba13d2d3a2217296afb54dce9203015253967359181ddee11f7c456a4521c43/
Threat name:
Win32.Trojan.Stelega
Create hunting rule
Status:
Malicious
First seen:
2021-06-03 14:43:47 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
14 of 29 (48.28%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5oqt2lj2eilss2x3ktoosibqcustszzvsga533qr67cfnjcsdrbq._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
Similar samples:
49c21b1c59f065d20fa66d292d4fd2709620449d422aef8d39fe4d4bd69f1d31
AZORult
58b8457797f88443a07f9c033039776fa7c5834eeee4d4b5af353ab159bd85e8
AZORult
5af2bcd6e1359e4f5ff0b1f0d91397edb7dfeb3b6e5fef9cb73fd0bbf907b161
AZORult
62bcad1a08b9645f0b2bd969e31e3beda41ce828387eb60ce07b0749deee4c59
AZORult
65d873e82fc6d0e63a224589cdee5551f2d98c313e19adbc9799ef17ae493a8f
AZORult
6707f8585bc86cee81fa957414be0bcfc707b1786d372b057de4cc0f30d2af08
AZORult
89957f203fda93c39ff56e0f80b615df42bf4ed87fd0488c07581e4e3a14bb05
AZORult
db127ccf5ea69c0bc3888efe5ae2a532c5f5590a2f589f049139fcf63f5e8062
AZORult
dec7973b7b46dc29aed45c6eb5919f31abe3b5efe17f73c01f506faf06e80e00
AZORult
f1ab8e352e53ee2d4aa8625e789682ca1a5ef4adaba22b1ba7ce3d68664bcb2e
AZORult
+ 1'264 additional samples on MalwareBazaar
Result
Malware family:
azorult
Create hunting rule
Score:
  10/10
Tags:
family:azorult infostealer spyware stealer trojan
Link:
https://tria.ge/reports/210603-xf6577br6n/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Reads local data of messenger clients
Loads dropped DLL
Azorult
Malware Config
C2 Extraction:
http://ppdb.smkn1cilegon.sch.id/huPl/index.php
Unpacked files
SH256 hash:
eba13d2d3a2217296afb54dce9203015253967359181ddee11f7c456a4521c43
MD5 hash:
a1a37dc2bab00e0e4c125b068de78371
SHA1 hash:
a36dcbdcc914cfcc7fce2e0587d597b9b1710227
Link:
https://www.unpac.me/results/fdbea582-f251-41a7-9a73-5ffe10bb1c29/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Azorult
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/eba13d2d3a2217296afb54dce9203015253967359181ddee11f7c456a4521c43

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/164434/

Comments