MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f540c5efdad496c600faa92500d473c40f22a49897f12ace8c0f7ab09cdee1b0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f540c5efdad496c600faa92500d473c40f22a49897f12ace8c0f7ab09cdee1b0
SHA3-384 hash: 96c60926b3397aa43518fa0d70b05b0a8a0de65e7cfb583471dec6003d2503a3d25a2dbcf76573261035a5b48ee99b34
SHA1 hash: 7c457b442892daaaeefbf5eedf3a9df3e8aa9127
MD5 hash: c74af86427ba05578a646a4efe43bc84
humanhash: september-beryllium-moon-harry
File name:Quotation.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:3'615'744 bytes
First seen:2021-04-26 06:17:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 98304:j/e+1svKv6jU4Ff9gDmw7eldvH31vRNRyR92KaWs:De+2vJUGOevHFvRHWs
Threatray 20 similar samples on MalwareBazaar
TLSH 6BF5F1AC730454E1DE4618B6E3CB4D16423C5F7477269A0B8B903F7A3D63E732A39989
Reporter abuse_ch
Tags:AZORult exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
251
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Quotation.exe
Verdict:
Malicious activity
Analysis date:
2021-04-26 06:19:14 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f1e7ac00-3922-49eb-a10f-27b7361f2a60

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/144213/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Blocking the User Account Control
Enabling autorun by creating a file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/697373
Signature
.NET source code contains potential unpacker
Found malware configuration
Initial sample is a PE file and has a suspicious name
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
azorult
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f540c5efdad496c600faa92500d473c40f22a49897f12ace8c0f7ab09cdee1b0/
Threat name:
ByteCode-MSIL.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-04-26 06:18:14 UTC
AV detection:
11 of 47 (23.40%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6vaml3622slmmah2vesqbvdtyqhsfjeys7ysvtumb55lbhg64gya._file
Verdict:
suspicious
Similar samples:
1e23baead02d0a359125e72cddf8a5114f8167e3a1f11b6a79f0d1713531fabd
AZORult
4f3d500dc26e8a87fe7361064a50b7715731c378ec019e4643986f1e5c524cee
AZORult
7cf016920f62f4cd984f9fdc9c9976b07888c891b52a8c6c95c47cc3628bde21
AZORult
932f441f48b8141855595770e135e4835569547461b337fea67a695f33e1e65a
AZORult
c62efee952c1bb4ff8e9fd28f3e477180010f8be162e6ddf8b8bfb42c78dfe2a
AZORult
d68a5a2bf92f0f08b8eb6f39351462f81d65d54085c1c7ae3aa81b2d3018434e
AZORult
d6b229f25b3f185395e58f98c048cad58d929c7a25e6b95319d27da5f5292588
AZORult
d7105dfaf2690af5ecb82d31c891c8b6e36af889ddf4c10af513f4d0efd2d073
AZORult
e582696b2f3c980a6d81be401fc5da4c24a4b0c490ff6764516a0aa3e3aae23b
AZORult
f40a960ed96e9a20965c184a7f798a5c2510f5673fde3b2274e4ea7ab463a324
AZORult
+ 10 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion trojan
Link:
https://tria.ge/reports/210426-vnh37e8eyj/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks whether UAC is enabled
UAC bypass
Unpacked files
SH256 hash:
74b2935b9dfe4ba397fd0507ae3c36abb77193041f2e7c43c55dc4e7b33de61c
MD5 hash:
b5c218f30fecc9cb8513ff6a46737b01
SHA1 hash:
f0416867c2b114789620b318051f1fa390b07eae
Link:
https://www.unpac.me/results/3650dc2f-7f55-4a5f-9da5-d53638ba05e3/
SH256 hash:
4f81423775292523785bd75838941c478cd93bfd851b58b745d1255f8e9b8021
MD5 hash:
3a80987d3532caa1fa6ceb165c7a2fe8
SHA1 hash:
e5d37174338f835bf93fa9aa42fbcc87fccbbf76
Link:
https://www.unpac.me/results/3650dc2f-7f55-4a5f-9da5-d53638ba05e3/
SH256 hash:
e95ad7fcf973468da2fd494f64ba942e8c080ec93d0c2117a001c0950625bed9
MD5 hash:
e34ee20d06c3e65376a79ab8cf9cca07
SHA1 hash:
6c734655264caa2a87859576743fcefa247a4531
Link:
https://www.unpac.me/results/3650dc2f-7f55-4a5f-9da5-d53638ba05e3/
SH256 hash:
4e97a7e6544f4e4d75652b7812376dda06274c21ad94e67b2ba912d49927dd5a
MD5 hash:
2bad87d1bb6c9804705c81b56731aa43
SHA1 hash:
303f30103acdff64c7b6343fe08259775fde776d
Link:
https://www.unpac.me/results/3650dc2f-7f55-4a5f-9da5-d53638ba05e3/
SH256 hash:
f540c5efdad496c600faa92500d473c40f22a49897f12ace8c0f7ab09cdee1b0
MD5 hash:
c74af86427ba05578a646a4efe43bc84
SHA1 hash:
7c457b442892daaaeefbf5eedf3a9df3e8aa9127
Link:
https://www.unpac.me/results/3650dc2f-7f55-4a5f-9da5-d53638ba05e3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f540c5efdad496c600faa92500d473c40f22a49897f12ace8c0f7ab09cdee1b0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/144213/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-04-26 07:17:32 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0009] Anti-Behavioral Analysis::Virtual Machine Detection