MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ef634a53dfb00589d513ce13cc9332fef2749255093f4874ef40b809e353b040. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ef634a53dfb00589d513ce13cc9332fef2749255093f4874ef40b809e353b040
SHA3-384 hash: 270b10b9eea3ddee04094999fdfb7fab65de037e90a076f121ef073a713f13615e0f7acdf65c6a6306c180fd784550dc
SHA1 hash: 678be3a679bf84bf3e1b91fe3ef5d6fb6bd9b93c
MD5 hash: e5687426519282a5472bcf08e181d537
humanhash: lamp-mexico-football-hot
File name:EF634A53DFB00589D513CE13CC9332FEF2749255093F4.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:294'912 bytes
First seen:2021-06-20 12:45:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 89bce6aaef4189bf0baf363795e303e4 (1 x AZORult)
ssdeep 3072:CWEJcL+ovqjo+0BErZNdusIKU3bLfeRo5Jn4lBbW26uFlhhhRq3Li5tgWEJc:CWZqovqxrbQs5mJ4lBbNRlhbI3+sWZ
Threatray 1'972 similar samples on MalwareBazaar
TLSH 3754CFF0B5A4F5F0E4420A316587D8276E2A2E1949A1140BF5043AADF8F7C768A9D73F
Reporter abuse_ch
Tags:AZORult exe


Avatar
abuse_ch
AZORult C2:
http://hise.us/chekwa/index.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://hise.us/chekwa/index.php https://threatfox.abuse.ch/ioc/137662/

Intelligence

File Origin
# of uploads :
1
# of downloads :
316
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
EF634A53DFB00589D513CE13CC9332FEF2749255093F4.exe
Verdict:
Malicious activity
Analysis date:
2021-06-20 12:46:30 UTC
Tags:
trojan rat azorult
Link:
https://app.any.run/tasks/eb040d8d-9f77-4100-9f8e-83e6e2fe0d69

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Azorult
Create hunting rule
Link:
https://www.capesandbox.com/analysis/167181/
Detection(s):
Win.Malware.Fareit-6812097-0
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AZORult
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/860dc785-90a3-4fd6-8f71-e2c2b0941cae
Result
Threat name:
AZORult
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/804915
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Detected AZORult Info Stealer
Detected unpacking (changes PE section rights)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Azorult
Yara detected Azorult Info Stealer
Yara detected Generic Dropper
Behaviour
Behavior Graph:
Download SVG
Detection:
azorult
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ef634a53dfb00589d513ce13cc9332fef2749255093f4874ef40b809e353b040/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2019-01-13 04:19:26 UTC
AV detection:
25 of 28 (89.29%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=55ruuu67wacytvitzyj4zezs73zhjesvbe7uq5hpic4aty2twbaa._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
Similar samples:
01006d50a9052ffee3ea3dc6429aeb86e4d361d1ffe69a455bb00a1e03962166
AZORult
0b02739c5fd7a7fa53410bc2287c42cf66a3a6d51ecc9570e76e4f0f8129f2d7
AZORult
5a4f75c16948eb90210b50a2af901dad431a231d5a4406ce55dad0cd943d5cd0
AZORult
6147decc439b9d258f5b19f77dfa47ea441e681c49e0b699533eea18104f4092
AZORult
8d6f73da5150cd26789a9a0e0643f69b520306680523d91cb21438ad2e6fa80c
AZORult
a9b0a14beac57ba149a978c8f0996a4f4e70e003b80c67e631947c9dc3590154
AZORult
aa70c51a1df950f7b8406f4599a7e3bb89bc61fec570fc0e3a53826d42cbf13c
AZORult
b59374ff4efaa214c04a353aa3cf500ca22c43b63f27d0c3fb0495bd942ac734
AZORult
e1108eed1eab9e6eac2d48139776a585b56ec575b1f8e41ed40099e8d6c93778
AZORult
f8da3ee80f71b994d8921f9d902456cbd5187e1bdcd352a81f1d76e0f50ca0b8
AZORult
+ 1'962 additional samples on MalwareBazaar
Result
Malware family:
azorult
Create hunting rule
Score:
  10/10
Tags:
family:azorult infostealer persistence trojan
Link:
https://tria.ge/reports/210620-pzdbaqqmgx/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Azorult
Malware Config
C2 Extraction:
http://hise.us/chekwa/index.php
Unpacked files
SH256 hash:
ef634a53dfb00589d513ce13cc9332fef2749255093f4874ef40b809e353b040
MD5 hash:
e5687426519282a5472bcf08e181d537
SHA1 hash:
678be3a679bf84bf3e1b91fe3ef5d6fb6bd9b93c
Link:
https://www.unpac.me/results/00c7fd21-a997-4ae2-8435-04a0fb9da369/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.61
Link:
https://yomi.yoroi.company/submissions/ef634a53dfb00589d513ce13cc9332fef2749255093f4874ef40b809e353b040

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:Steam_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Steam in files like avemaria
Rule name:Telegram_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Telegram in files like avemaria
Rule name:Trojan_W32_Gh0stMiancha_1_0_0
Create hunting rule
Rule name:win_azorult_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/167181/

Comments