MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f56bd344f2e9650ba6def3340bc5ac26472ea615744b38786d5445a75a0e51b4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f56bd344f2e9650ba6def3340bc5ac26472ea615744b38786d5445a75a0e51b4
SHA3-384 hash: 5afc5c84310bc77e90bed4a41eb320846975434bfd5810c07b1d7690702bf285d8a398e456364a0e3575fb74d3082e8e
SHA1 hash: 8a30920e87cdb9710158c2e98c01d2493da2d166
MD5 hash: f584ef2a91ec8d00f9b994e179739507
humanhash: london-xray-orange-jig
File name:Inkooporders voor factuur 28-09-22.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:546'646 bytes
First seen:2022-09-28 10:58:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 12e12319f1029ec4f8fcbed7e82df162 (389 x DCRat, 52 x RedLineStealer, 51 x Formbook)
ssdeep 12288:DToPWBv/cpGrU3yppoSw7omim9MesGI1BE2Znk:DTbBv5rUOpMom3MesGIk
Threatray 1'596 similar samples on MalwareBazaar
TLSH T1BAC4C042F6C188F2D46216729D36AA11553EBD305FB4CE9F63897528DF332C29232E5B
TrID 89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.5% (.EXE) Win64 Executable (generic) (10523/12/4)
2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 3319196121000008 (2 x AZORult, 1 x Formbook)
Reporter lowmal3
Tags:AZORult exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
453
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/314318/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.38920448.13962.7593.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for synchronization primitives
Creating a file in the %temp% directory
Creating a process from a recently created file
DNS request
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Creating a window
Сreating synchronization primitives
Unauthorized injection to a recently created process by context flags manipulation
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/39713/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
80%
Tags:
anti-vm azorult greyware overlay packed setupapi.dll shdocvw.dll shell32.dll
Link:
https://www.filescan.io/uploads/633428f778d4acb349f358af/reports/688316b4-16b4-4e53-84fb-d1527d59d453/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/7c545769-80e1-4b0b-b0e8-da974cd689ed
Result
Threat name:
Azorult
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1079153
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found hidden mapped module (file has been removed from disk)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Azorult
Yara detected Azorult Info Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
azorult
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f56bd344f2e9650ba6def3340bc5ac26472ea615744b38786d5445a75a0e51b4/
Threat name:
Win32.Infostealer.Azorult
Create hunting rule
Status:
Malicious
First seen:
2022-09-28 10:59:10 UTC
File Type:
PE (Exe)
Extracted files:
19
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6vv5grhs5fsqxjw66m2axrnmezds5jqvorftq6dnkrc2owqokg2a._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
Similar samples:
0c22e8ea0ba6fc4f77bd273a12dd319e991899499b4bea8422d146d447034505
AZORult
0c3e2f384b19e296f638c91f22b05f663ec9b0519c0a66efedf4690f0e22ef97
AZORult
1a37f5980dfaccf82f357074e3d3013e6280e14ddb291ff49b539393daa9da6d
AZORult
301a3e665000c99ab655a74dbf9408de24875866528be4f6d28e83490c19305b
AZORult
339539d03ce22693c391b3141e6c20b2403da4efe6e25247c87c81a2e2fe1530
AZORult
432c99b8f1108ed0d94b7b1e620b230f8f55c47ca62c0fcdd1a3afac8548f239
AZORult
c787c9a5f407a656478efc835f1a0f8f738030bf26cedbd4748cb7b18ed2ea3e
AZORult
ce349034ea5373d13d5fa3adaf34a3ecffff799fe9044d4a2c98bd8a16f0e9ed
AZORult
+ 1'586 additional samples on MalwareBazaar
Result
Malware family:
azorult
Create hunting rule
Score:
  10/10
Tags:
family:azorult infostealer trojan
Link:
https://tria.ge/reports/220928-m3d56affe5/
Behaviour
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Azorult
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/49a87308-039f-424b-b799-2a03c928fd22
Unpacked files
SH256 hash:
51979636e1487a8a36e033dae5df4bc8706c52f46890f82441d66479651ef90d
MD5 hash:
8244f9005e1aab533a214c7d044ef85b
SHA1 hash:
93840a13ed8f427c09145e35922a05c337e7f895
Detections:
win_azorult_auto
Create hunting rule
win_azorult_g1
Create hunting rule
Link:
https://www.unpac.me/results/818328c6-58c8-4331-a727-d61c23176504/
Parent samples :
134488a4700a7deda589f0015dbd0c23a0cebd5b0a47d02c77cab3e8d4d0578b
f56bd344f2e9650ba6def3340bc5ac26472ea615744b38786d5445a75a0e51b4
SH256 hash:
136286d102d52c17edb793af24e530f42d1b84aa74d6cf6c692595b7a1735acd
MD5 hash:
0e68d041ce65b06fa60d3dd7f11b1188
SHA1 hash:
266df930bea25faec71c51d2f7a612e42d3f26c0
Link:
https://www.unpac.me/results/818328c6-58c8-4331-a727-d61c23176504/
SH256 hash:
f56bd344f2e9650ba6def3340bc5ac26472ea615744b38786d5445a75a0e51b4
MD5 hash:
f584ef2a91ec8d00f9b994e179739507
SHA1 hash:
8a30920e87cdb9710158c2e98c01d2493da2d166
Link:
https://www.unpac.me/results/818328c6-58c8-4331-a727-d61c23176504/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f56bd344f2e9650ba6def3340bc5ac26472ea615744b38786d5445a75a0e51b4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:sfx_pdb
Create hunting rule
Author:@razvialex
Description:Detect interesting files containing sfx with pdb paths.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AZORult

Executable exe f56bd344f2e9650ba6def3340bc5ac26472ea615744b38786d5445a75a0e51b4

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/314318/

Comments