MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f778f63fc96c1d88e5328dcc0e9f4ee95d11ba3b5654a4fef0f2fb754fd885bc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f778f63fc96c1d88e5328dcc0e9f4ee95d11ba3b5654a4fef0f2fb754fd885bc
SHA3-384 hash: 68bc838f0d63cf50be2e1f9996e4f114cee50ef8b4af3a7b42ec6b9cb45035df7492eb7aeef7b384dfa6ab76f941f4a3
SHA1 hash: 411c28be93a8b584ae79012800ef058906c808c5
MD5 hash: a1b0b2a44972694c3263ce465c72b22e
humanhash: lamp-nuts-muppet-carpet
File name:SKMB_C364e19061115070.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:438'272 bytes
First seen:2020-08-17 14:04:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 6144:1dYYtkm04l/R/5+hcGupImfpdvkj9hSIYDZblEsJU3IqHOBqLbZ2zKq/gec+qHtM:1uA15+GDfeSJ+3IquBsXCgec+qa
Threatray 553 similar samples on MalwareBazaar
TLSH 3F94026379E4CA05C1771977C94A275C26F8BAC3B491FB3D7C8823AD59913D29282FC2
Reporter abuse_ch
Tags:AZORult exe GoDaddy


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: sg2nlshrout02.shr.prod.sin2.secureserver.net
Sending IP: 182.50.132.194
From: Giang Sophia <sophia.hiipc@gmail.com>
Subject: FW: swift payment Notification
Attachment: SKMB_C364e19061115070_pdf.r18 (contains "SKMB_C364e19061115070.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
249
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Azorult
Create hunting rule
Link:
https://www.capesandbox.com/analysis/47090/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Using the Windows Management Instrumentation requests
Creating a file
Result
Threat name:
AZORult
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/433721
Signature
.NET source code contains potential unpacker
Detected AZORult Info Stealer
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM_3
Yara detected Azorult
Yara detected Azorult Info Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f778f63fc96c1d88e5328dcc0e9f4ee95d11ba3b5654a4fef0f2fb754fd885bc/
Threat name:
ByteCode-MSIL.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2020-08-17 05:43:54 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=654pmp6jnqoyrzjsrxga5h2o5fordor3kzkkj7xq6l5xkt6yqw6a._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
Similar samples:
4639769fea49849bb1a85d41d7dc9f4975e0945b3e5b0622503a71b8a97faccf
AZORult
556078f7b9c9cc0472e000c38af7b5285ebc9e9e70282c5fa9e8b9063bcd16ac
AZORult
655455e4c04c7fd6e624b752797305264093264c08b0ab45ebfceee5f7abbc66
AZORult
7580b583ccf57526e5a5ca40651ec5a95abe64b77a7c223f037443e480fbe185
AZORult
90006ca498f8b95df09f017dc722da49302813fd5c483f9aec3a1f444fbad87f
AZORult
e53cd448b2fad21583ddd160f9b6cdfacbec7a8c9c7ae9712c4c39972daa4c18
AZORult
eb30ea1ed2ee540189bb11ebdf0cbe4a5f84ce64adcea3658af5842b6bf3d14d
AZORult
eb96ab93249a86be52aa53a58fb8667b4c54f6b6dbc899fd23ea56b12b52a001
AZORult
eece64fe2e9e21564eb410e0d750e9cc605f0b4c437c5b90d9d2ae0ed10ceed9
AZORult
f158be721fb34c71dedeb65d051c18da565e0aa8e1e2bf1f86e585e93c22a739
AZORult
+ 543 additional samples on MalwareBazaar
Result
Malware family:
azorult
Create hunting rule
Score:
  10/10
Tags:
evasion trojan infostealer family:azorult
Link:
https://tria.ge/reports/200817-kbzbktp8ea/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Maps connected drives based on registry
Checks BIOS information in registry
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
Azorult
Malware Config
C2 Extraction:
https://aneeskhan.me/wp/index.php
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f778f63fc96c1d88e5328dcc0e9f4ee95d11ba3b5654a4fef0f2fb754fd885bc

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AZORult

rar 01b9605daa92122393650a975b83ac0294fda987ab4cb7318083a7f8cf029413

AZORult

Executable exe f778f63fc96c1d88e5328dcc0e9f4ee95d11ba3b5654a4fef0f2fb754fd885bc

(this sample)

  
Dropped by
MD5 1cb80f3e7b042e534dc741d5f3348737
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/47090/
  
Dropped by
SHA256 01b9605daa92122393650a975b83ac0294fda987ab4cb7318083a7f8cf029413

Comments