MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 f7d7a77ee726e6e169a7371f007a0eb2f391f00a3d15bd9bd83b3b523880e850. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
AZORult
Vendor detections: 8
| SHA256 hash: | f7d7a77ee726e6e169a7371f007a0eb2f391f00a3d15bd9bd83b3b523880e850 |
|---|---|
| SHA3-384 hash: | 270c5a015bff231b748e29eb0eac9173ce7ccd0f3766763dd077b9b9fafed76f079e488e66c5862d68eaa056fc47d0e5 |
| SHA1 hash: | 49940690a1f4797e295f5e2584e0fb629cf6cd45 |
| MD5 hash: | a637f5ca146837c0b02180931aa54141 |
| humanhash: | enemy-cardinal-music-mike |
| File name: | a637f5ca146837c0b02180931aa54141.exe |
| Signature | AZORult |
| File size: | 291'840 bytes |
| First seen: | 2020-11-19 06:09:50 UTC |
| Last seen: | Never |
| File type: | |
| MIME type: | application/x-dosexec |
| imphash | f34d5f2d4577ed6d9ceec516c1f5a744 (48'833 x AgentTesla, 19'771 x Formbook, 12'296 x SnakeKeylogger) |
| ssdeep | 6144:cOUm7AbR979jy2VgY83p41Q2AMreHaXj7KkH77z:cOYR9NVxhHrDXvKM |
| Threatray | 901 similar samples on MalwareBazaar |
| TLSH | BC54BF733D56487DCAAE0B3600B586C0F97B26C73F919B1E725A430C5E11A2FAB5361B |
| Reporter | |
| Tags: | AZORult exe |
Intelligence
File Origin
# of uploads: 1
# of downloads: 237
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Behaviour
Sending a UDP request
Creating a file in the %temp% subdirectories
Creating a window
Creating a file
Creating a process from a recently created file
DNS request
Sending an HTTP POST request
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Azorult
Detection: malicious
Classification: spyw.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected Azorult
Yara detected Azorult Info Stealer
Threat name: ByteCode-MSIL.Trojan.Wacatac
Status: Malicious
First seen: 2020-11-18 11:52:34 UTC
AV detection: 25 of 29 (86.21%)
Threat level: 5/5
Verdict: malicious
Label(s): azorult
Similar samples: + 891 additional samples on MalwareBazaar
Result
Malware family: azorult
Score: 10/10
Tags: family:azorult discovery infostealer spyware trojan
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
JavaScript code in executable
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
Azorult
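The two behaviour lists above describe one chain rather than a set of unrelated labels: the dropper writes a PE under %temp%, starts it ("Creating a process from a recently created file" / "Executes dropped EXE"), then writes into the new process and redirects its thread ("Unauthorized injection to a recently created process by context flags manipulation" / WriteProcessMemory / SetThreadContext), after which the hollowed process does the DNS lookup and HTTP POST. The script below is an added example, not code from the MalwareBazaar entry or from any sandbox vendor; it correlates that chain over a constructed event stream whose field names, PIDs and timestamps are assumptions made for the example.

```python
from typing import Dict, List

# Case-insensitive marker for "a file in the %temp% subdirectories".
TEMP_MARKER = "\\appdata\\local\\temp\\"

# Constructed event stream modelled on the sandbox labels above. The schema
# (type/pid/ppid/target_pid/path/image/url, seconds in "t") is an assumption
# for this example, not a real sandbox's or EDR's format.
SAMPLE_EVENTS: List[Dict] = [
    {"t": 0.0, "type": "file_create", "pid": 100,
     "path": r"C:\Users\u\AppData\Local\Temp\sub\payload.exe"},
    {"t": 0.4, "type": "process_create", "pid": 200, "ppid": 100,
     "image": r"C:\Users\u\AppData\Local\Temp\sub\payload.exe"},
    {"t": 0.6, "type": "WriteProcessMemory", "pid": 100, "target_pid": 200},
    {"t": 0.7, "type": "SetThreadContext", "pid": 100, "target_pid": 200},
    {"t": 2.0, "type": "http_post", "pid": 200,
     "url": "http://195.245.112.115/index.php"},
    # Control case: an installer drops a helper in %temp% and runs it, but
    # never writes into it or changes its thread context. Must not alert.
    {"t": 10.0, "type": "file_create", "pid": 300,
     "path": r"C:\Users\u\AppData\Local\Temp\setup\helper.exe"},
    {"t": 10.5, "type": "process_create", "pid": 400, "ppid": 300,
     "image": r"C:\Users\u\AppData\Local\Temp\setup\helper.exe"},
]


def find_hollowing_chains(events: List[Dict], window: float = 60.0) -> List[Dict]:
    """Correlate: file created in %temp% -> process created from that file
    -> a different process writes its memory AND sets its thread context,
    all within `window` seconds of the drop.

    Returns one record per complete chain. Running a freshly dropped file on
    its own (the installer case) is not enough to be reported; both the
    memory write and the context change must be present."""
    events = sorted(events, key=lambda e: e["t"])
    dropped: Dict[str, Dict] = {}      # lower-cased path -> file_create event
    chains: List[Dict] = []
    for ev in events:
        kind = ev["type"]
        if kind == "file_create" and TEMP_MARKER in ev["path"].lower():
            dropped[ev["path"].lower()] = ev
        elif kind == "process_create":
            drop = dropped.get(ev["image"].lower())
            if drop is not None and 0 <= ev["t"] - drop["t"] <= window:
                chains.append({"dropper_pid": drop["pid"], "target_pid": ev["pid"],
                               "image": ev["image"], "t_start": drop["t"],
                               "wpm": False, "ctx": False, "c2_post": None})
        elif kind in ("WriteProcessMemory", "SetThreadContext"):
            for c in chains:
                if (c["target_pid"] == ev["target_pid"]
                        and ev["pid"] != ev["target_pid"]      # foreign process only
                        and ev["t"] - c["t_start"] <= window):
                    c["wpm" if kind == "WriteProcessMemory" else "ctx"] = True
        elif kind == "http_post":
            # Record the first POST made by the (possibly hollowed) process.
            for c in chains:
                if c["target_pid"] == ev["pid"] and c["c2_post"] is None:
                    c["c2_post"] = ev["url"]
    return [c for c in chains if c["wpm"] and c["ctx"]]


if __name__ == "__main__":
    for chain in find_hollowing_chains(SAMPLE_EVENTS):
        print(f"pid {chain['dropper_pid']} dropped and hollowed pid "
              f"{chain['target_pid']} ({chain['image']}); first POST: {chain['c2_post']}")
```

The control case matters: plenty of legitimate installers create and run executables under %temp%, so "Executes dropped EXE" alone is noisy. Requiring the foreign write plus the thread-context change is what turns the two lists above into a usable detection.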
Malware Config
C2 Extraction: http://195.245.112.115/index.php
Unpacked files
| SHA256 hash | MD5 hash | SHA1 hash | Detections |
|---|---|---|---|
| f7d7a77ee726e6e169a7371f007a0eb2f391f00a3d15bd9bd83b3b523880e850 | a637f5ca146837c0b02180931aa54141 | 49940690a1f4797e295f5e2584e0fb629cf6cd45 | |
| b2daba8bd9bd8180b3a3f99be8b5c5341cf5393d09c3975eaf8cc25fd6c004fe | 157dbc7d2a3ff1c46eeddea60af1a3b4 | 4c501dec940f11fb180224faceff33617f5b98f4 | |
| 0343143a918a628ee0553a7ad9f03b8a54170f82fdd26a387f626307caf7192a | 2c31768fba89ea9e43e877c2a5a017ab | 9a6b2997db4b54d5c9bb9675a01a86561238d89f | win_azorult_g1, win_azorult_auto |
| 6e7156ff4287bf6a83d88eaff1c4e9ff586b2ed9a6265d6e98c5e074eb025282 | 8778cdc547a743aed714afea5d1227af | b12215c2b847aea0aa5e1158fa69072bad2a985d | |
| 19d9922060be89a70b76e5c0056e751f1baa5d41819235c92cf4f5d7668e1267 | 811864a0b06c529af894a7fec6ddbf47 | d35b82933eb06a6ec60e8cbbdb65eb6cdcaeb6d2 | |
Please note that we are no longer able to provide a coverage score for Virus Total.
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Web download
| Delivery method | Distributed via web download |
|---|---|