MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eee4d211bbffe896f0de21854cb5adac6e10c85016986efd260b45c7022d7521. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 3


Intelligence 3 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eee4d211bbffe896f0de21854cb5adac6e10c85016986efd260b45c7022d7521
SHA3-384 hash: 3300661ec7e62866d19583d93dfc3d01ca8545dc65fc3743b006553be7e626d7ae8f0bd7bf1b7acff1b47ee177b86e4c
SHA1 hash: 6c7039f29a2a25fa0eee8069336d75e9bdb5980a
MD5 hash: d2bf1c6195e07a2c063e3dbb686301d4
humanhash: whiskey-king-xray-steak
File name:eee4d211bbffe896f0de21854cb5adac6e10c85016986efd260b45c7022d7521
Download: download sample
Signature AZORult
Create hunting rule
File size:719'360 bytes
First seen:2020-03-23 15:57:50 UTC
Last seen:2020-03-23 16:17:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 712f4a29c405ecb576101d367b2180fb (14 x Smoke Loader, 2 x AZORult, 1 x Formbook)
ssdeep 12288:McXUN973paI/F9jpUpBzTAJNUdglNURD1x6IosrjFwBj2/y3JSvVvICiZYXjEdMX:xEN973phvt8tmUdkw1xVosluq/yIvIwj
Threatray 430 similar samples on MalwareBazaar
TLSH 3BE433597B76CB36C186567D3079B9942C065C3E8F51EFB728FEF24C92391782E8201A
Reporter Marco_Ramilli
Tags:AZORult exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
104
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.Upx-48
Create hunting rule

PUA.Win.Packer.Upolyx-12
Create hunting rule

Win.Malware.Autoit-6877130-0
Create hunting rule

Win.Malware.Score-6877137-0
Create hunting rule

Win.Malware.Autoit-6877140-0
Create hunting rule

Win.Malware.Autoit-6952607-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2019-02-27 07:19:52 UTC
AV detection:
29 of 31 (93.55%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
12fa05928175822dc4f3aacc86b8dcdab77e5f35d1a4a2f54b8762dbc6f8a236
AZORult
1e0cc4051f5ea6cb75b0df551bc5be60abc54ca51cd1611dc760aa245a0055dd
AZORult
2002e2506e59be859c12de94b1d9ddbfeeee31373684ce15f4e5b952da036a69
AZORult
4fed79d044df2a4c1c7fe6261a9b557de0c8940f5b92d853892a619537bd989f
AZORult
6998249e77f7c33821b3678fbdbc0a843ca39d80d49aa55335b48ef7c4011ad2
AZORult
6c08295f40c3b798331023edf5166fc3dc159f120eaf02db0991f6d682c7df13
AZORult
7a2d34cab8578b5d2dd57a8be38c063a0d15f5eecee558f9efc6153e2b1c7de0
AZORult
b01d0e871f96ddcf4df2358b7a452c488d628829d14d5ede0a58243cdd1dbdc7
AZORult
cad851d943cb185cb15220b74b66ba5f60058d0b155c020db6b71315183f940c
AZORult
e3ec188cee8aedebacb4156103cebe176b3521415be6de03ec98304d94963498
AZORult
+ 420 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Cobalt_functions
Create hunting rule
Author:@j0sm1
Description:Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT
Rule name:Codoso_Gh0st_1
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Codoso_Gh0st_2
Create hunting rule
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:win_ave_maria_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_ave_maria_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AZORult

Executable exe eee4d211bbffe896f0de21854cb5adac6e10c85016986efd260b45c7022d7521

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/148441/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::GetAce
MULTIMEDIA_APICan Play MultimediaWINMM.dll::timeGetTime
WIN_BASE_APIUses Win Base APIKERNEL32.DLL::LoadLibraryA
WIN_NETWORK_APISupports Windows NetworkingMPR.dll::WNetUseConnectionW

Comments