MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f5045e67b9bae79bd7ccb537c73a3013b4ed00a71ea8c6970a7b199965785d42. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AZORult

Vendor detections: 14

Intelligence 14 IOCs 1 YARA 3 File information Comments

SHA256 hash:	f5045e67b9bae79bd7ccb537c73a3013b4ed00a71ea8c6970a7b199965785d42
SHA3-384 hash:	1138c42e1caf74c4937219a2521543322d1ff8f4e16b4395db00c829f661f8e0f5081116f691f802c74722de94289c52
SHA1 hash:	41a6fe50b280b3ec7c1ac2255a854f19535e94ff
MD5 hash:	6b1db77aede2ac5b9a409b46e4389e5c
humanhash:	quiet-five-bluebird-whiskey
File name:	6B1DB77AEDE2AC5B9A409B46E4389E5C.exe
Download:	download sample
Signature	AZORult Create hunting rule
File size:	115'200 bytes
First seen:	2021-09-01 23:21:38 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	6d1f2b41411eacafcf447fc002d8cb00 (140 x AZORult)
ssdeep	3072:tuOSXpMx7ZAlHsbfUkolNGti7lfqeSxM3SpyEYnE/Wxg/:Zzx7ZApszolIo7lf/ipT/W
Threatray	948 similar samples on MalwareBazaar
TLSH	T187B3197AF6C19272E02808BDCD46D1B6912D76302D3918B6B6DA4F8CD5F95C26E2C3C7
Reporter	abuse_ch
Tags:	AZORult exe

abuse_ch

AZORult C2:
http://azobotupdatestea.duckdns.org/en/FTP/index.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://azobotupdatestea.duckdns.org/en/FTP/index.php	https://threatfox.abuse.ch/ioc/207710/

Intelligence

File Origin

# of uploads :

# of downloads :

1'078

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

6B1DB77AEDE2AC5B9A409B46E4389E5C.exe

Verdict:

Malicious activity

Analysis date:

2021-09-01 23:22:57 UTC

Tags:

trojan rat azorult

Link:

https://app.any.run/tasks/da404af6-171a-47e1-8d57-c92eb398cdb6

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Azorult

Link:

https://www.capesandbox.com/analysis/184596/

Detection(s):

Win.Ransomware.Delf-6651871-0

Win.Malware.Delf-6957976-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Connection attempt

Sending an HTTP POST request

Launching the default Windows debugger (dwwin.exe)

Sending a UDP request

Malware family:

AZORult

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/6297d8c1-3cd9-45c4-b8ab-ed10edc74018

Result

Threat name:

Azorult

Detection:

malicious

Classification:

troj.spyw

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/843689

Signature

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Uses dynamic DNS services

Yara detected Azorult

Yara detected Azorult Info Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

azorult

Link:

https://mwdb.cert.pl/sample/f5045e67b9bae79bd7ccb537c73a3013b4ed00a71ea8c6970a7b199965785d42/

Threat name:

Win32.Trojan.Delf

Status:

Malicious

First seen:

2021-08-30 16:38:00 UTC

AV detection:

27 of 28 (96.43%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=6ucf4z5zxltzxv6mwu34oorqco2o2afhd2umnfykpmmzszlylvba._file

Verdict:

malicious

Label(s):

azorult

Result

Malware family:

azorult

Score:

10/10

Tags:

family:azorult discovery infostealer trojan

Link:

https://tria.ge/reports/210901-3z1hyxmlr2/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Checks installed software on the system

Azorult

Malware Config

C2 Extraction:

http://azobotupdatestea.duckdns.org/en/FTP/index.php

Unpacked files

SH256 hash:

f5045e67b9bae79bd7ccb537c73a3013b4ed00a71ea8c6970a7b199965785d42

MD5 hash:

6b1db77aede2ac5b9a409b46e4389e5c

SHA1 hash:

41a6fe50b280b3ec7c1ac2255a854f19535e94ff

Detections:

win_azorult_auto

win_azorult_g1

Link:

https://www.unpac.me/results/5d3dc9b3-e991-456a-8557-6aa899688ad1/

Malware family:

AZORult

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/f5045e67b9ba/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f5045e67b9bae79bd7ccb537c73a3013b4ed00a71ea8c6970a7b199965785d42

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Azorult Create hunting rule
Author:	kevoreilly
Description:	Azorult Payload

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers

Rule name:	win_azorult_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.azorult.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/184596/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample