MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 faa87f7a8cb33ce4d523a4927dcdba6c13044af4aa2609bea22df58f1afbdcb6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: faa87f7a8cb33ce4d523a4927dcdba6c13044af4aa2609bea22df58f1afbdcb6
SHA3-384 hash: e667dca584e3484e553dbb1876fb4b92b79d964f4ce1d5ebb45996b2270eaf8c25dbdaf27225b186d2d29861a5240fc7
SHA1 hash: eca4fbcfc90a74b9255a41df0737a6d93926a887
MD5 hash: 467f9bbcd515b904d2707b3b710cf4ab
humanhash: pizza-oranges-montana-low
File name:PO 12501.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:821'760 bytes
First seen:2021-09-08 14:17:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:pO7FJLgG863eaijn4ITXYhYYc6TU+sorc5ETOzada/fiMdWbt:pihp4IideRPARf/BWp
Threatray 3'269 similar samples on MalwareBazaar
TLSH T1CF05632DF5BD9226926DCEE9C7D35417E381559A3322992017B7031EA212B83F483F6F
Reporter abuse_ch
Tags:AZORult exe


Avatar
abuse_ch
AZORult C2:
http://smdglo.xyz/panel1/index.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://smdglo.xyz/panel1/index.php https://threatfox.abuse.ch/ioc/218057/

Intelligence

File Origin
# of uploads :
1
# of downloads :
881
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO 12501.exe
Verdict:
Malicious activity
Analysis date:
2021-09-08 14:18:37 UTC
Tags:
trojan rat azorult stealer
Link:
https://app.any.run/tasks/45e11a35-86ea-4735-b89c-1405ce8026b2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Azorult
Create hunting rule
Link:
https://www.capesandbox.com/analysis/186404/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
DNS request
Connection attempt
Sending an HTTP POST request
Reading critical registry keys
Running batch commands
Stealing user critical data
Malware family:
AZORult
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fd31bac9-cd0f-47b4-ac0d-72a06741a3b8
Result
Threat name:
AZORult
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/847486
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Detected AZORult Info Stealer
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Azorult
Yara detected Azorult Info Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 479921 Sample: PO 12501.exe Startdate: 08/09/2021 Architecture: WINDOWS Score: 100 43 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->43 45 Found malware configuration 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 14 other signatures 2->49 8 PO 12501.exe 7 2->8         started        process3 file4 27 C:\Users\user\AppData\Local\...\tmp1A9A.tmp, XML 8->27 dropped 29 C:\Users\user\AppData\...\PO 12501.exe.log, ASCII 8->29 dropped 31 C:\Users\user\AppData\...\oazoWYbpent.exe, PE32 8->31 dropped 51 Injects a PE file into a foreign processes 8->51 12 PO 12501.exe 67 8->12         started        17 schtasks.exe 1 8->17         started        signatures5 process6 dnsIp7 41 smdglo.xyz 31.210.20.16, 49741, 49744, 80 PLUSSERVER-ASN1DE Netherlands 12->41 33 C:\Users\user\AppData\...\vcruntime140.dll, PE32 12->33 dropped 35 C:\Users\user\AppData\Local\...\ucrtbase.dll, PE32 12->35 dropped 37 C:\Users\user\AppData\Local\...\softokn3.dll, PE32 12->37 dropped 39 45 other files (none is malicious) 12->39 dropped 53 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 12->53 55 Tries to steal Instant Messenger accounts or passwords 12->55 57 Tries to steal Mail credentials (via file access) 12->57 59 5 other signatures 12->59 19 cmd.exe 1 12->19         started        21 conhost.exe 17->21         started        file8 signatures9 process10 process11 23 conhost.exe 19->23         started        25 timeout.exe 1 19->25         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/faa87f7a8cb33ce4d523a4927dcdba6c13044af4aa2609bea22df58f1afbdcb6/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-08 06:40:34 UTC
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7kuh66umwm6ojvjdusjh3tn2nqjqisxuvitatpvcfx2y6gx33s3a._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
trickbot
Create hunting rule
Similar samples:
0978c6e9a1e62df2bf68b5cebd60dd4b8ac1ead3077c561bf420bfaf8d7be2ee
AZORult
25668bb8b209e29ad8ee4f1083283224271223d5de207449192b19ec07022418
AZORult
61adff4631db24263951338bc5d2fce316abad6def0f37bd27319875c7ce25f2
AZORult
68d578b9e811bf90bb6c88c092e033470e6ee439bfa9de02f9a36afad08895ff
AZORult
700c14171b4bc7eb9af680f74b9bf681da5988e07fa2f7ead4f3f71289d0a4c5
AZORult
737ff2b259449c91d68130a8508b51544310a6e6b50891fdc5682e7d242a79b4
AZORult
902915735433450152149d1be3053f4a30ad6374199cd3499c2272e58e4f0ce8
AZORult
bfabca4f85e2741a8261d288f37a72ca122cc7d470496a27841f50bea84d3344
AZORult
d286ce0a72c3053c61909e492d314b3008ca872a80ea60e29b9d0ec728e6dc62
AZORult
f73579603fda08d484fd111ba5c0f00ea57d25c79365608995dedb0cd037c66b
AZORult
+ 3'259 additional samples on MalwareBazaar
Result
Malware family:
azorult
Create hunting rule
Score:
  10/10
Tags:
family:azorult discovery infostealer spyware stealer trojan
Link:
https://tria.ge/reports/210908-rlp9baefa7/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Azorult
Malware Config
C2 Extraction:
http://smdglo.xyz/panel1/index.php
Unpacked files
SH256 hash:
c0ee1071e444f415f8b62856a0896f3b22e563f1bb4f03d14142583efe49a565
MD5 hash:
29db2e114b88ae1f6a00c9aa71690043
SHA1 hash:
ec82db71443556a5b320357b0b8b09e70ec1db9c
Link:
https://www.unpac.me/results/7d152236-3329-437b-9f25-c61b95afd81a/
SH256 hash:
a203253a6b21a1f7f9ed44205718e8127e88a035095929744cd637613da98143
MD5 hash:
950fc9edd0e2cf98aaf6bcc71e2a3cf2
SHA1 hash:
b22a4ba84f8cc4d6547c55bb03f9c6c306aa696a
Link:
https://www.unpac.me/results/7d152236-3329-437b-9f25-c61b95afd81a/
SH256 hash:
0e866009320de38f6646dd4849a4430b04648b4e8b3e37389ce3a1b9006c5978
MD5 hash:
725dcd14a2009274329c4a24ceeaa62e
SHA1 hash:
13e090efcbc578d62cc020dd9695ea08edb5b3d2
Detections:
win_azorult_g1
Create hunting rule
win_azorult_auto
Create hunting rule
Link:
https://www.unpac.me/results/7d152236-3329-437b-9f25-c61b95afd81a/
Parent samples :
faa87f7a8cb33ce4d523a4927dcdba6c13044af4aa2609bea22df58f1afbdcb6
603ecc649a2beb1e7c9ae57e9ff5d67e97b827c2afccb7b6253ee0a2e0c81dd2
baad4799f2c076b17cbfdbf41f430af17daaa4236d75115d6f54d72f21453e61
07c88db437007f63707266efdc16363c6ddc6def76cdef5e35674f3e9283e3df
SH256 hash:
faa87f7a8cb33ce4d523a4927dcdba6c13044af4aa2609bea22df58f1afbdcb6
MD5 hash:
467f9bbcd515b904d2707b3b710cf4ab
SHA1 hash:
eca4fbcfc90a74b9255a41df0737a6d93926a887
Link:
https://www.unpac.me/results/7d152236-3329-437b-9f25-c61b95afd81a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/faa87f7a8cb33ce4d523a4927dcdba6c13044af4aa2609bea22df58f1afbdcb6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/186404/

Comments