MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fb253ba653005c97ec369d37d3ef234e85989984c77296bc8f763b53cbb07ab9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AZORult


Vendor detections: 12



SHA256 hash: fb253ba653005c97ec369d37d3ef234e85989984c77296bc8f763b53cbb07ab9
SHA3-384 hash: ee2cdd8e46d9ef66c914979596a9c2d557d2f78edc7ca60554864ab6d568233d4f3b52e82ce17c2ebc5740a9c0a15552
SHA1 hash: 7df14f3f58d8303e88a560f8ac39788ce3a61f50
MD5 hash: af895604b36ff7795f8d5df80a446b11
humanhash: tennessee-carolina-november-cold
File name: af895604b36ff7795f8d5df80a446b11.exe
Signature: AZORult
File size: 808'448 bytes
First seen: 2022-02-16 18:55:00 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep: 12288:tnxaVTHAvGd8FmoyAlqb5bFLhlwVtLeGl4yoW/3qwSDSbXZFgQuDutGG:2HiG8moLqb5phlwVtLv/hrb0QGiGG
Threatray: 4'776 similar samples on MalwareBazaar
TLSH: T16A054A7631EF1056D772EAF20BD8ECBF8A5AF173120E753A31915B8683269429982371
dhash icon: b3b3333969693b3b (69 x Formbook, 63 x AgentTesla, 26 x Loki)
Reporter: abuse_ch
Tags: AZORult exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 679
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: settlement swift865755688.doc
Verdict: Malicious activity
Analysis date: 2022-02-17 02:20:21 UTC
Tags: exploit CVE-2017-11882 loader trojan rat azorult stealer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Behaviour
Searching for the window
Creating a window
DNS request
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Creating synchronization primitives
Sending an HTTP POST request
Creating a file in the %temp% subdirectories
Reading critical registry keys
Stealing user critical data
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: obfuscated packed
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Azorult
Detection: malicious
Classification: phis.troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected Azorult
Yara detected Azorult Info Stealer
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2022-02-16 18:55:15 UTC
File Type: PE (.Net Exe)
Extracted files: 6
AV detection: 20 of 28 (71.43%)
Threat level: 5/5

Result
Malware family: azorult
Score: 10/10
Tags: family:azorult collection discovery infostealer spyware stealer trojan
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Azorult
Malware Config
C2 Extraction: http://australiadish.bar/kendrick/index.php
Unpacked files
SHA256 hash: 7e623a713356b13c183b532963081acd20665027f2ea0a80a3109e6ed0e2f09d
MD5 hash: 9843ed5238f7732da080d90b3a74f5ef
SHA1 hash: bd0880cae1f98bb9b5bef551f14116b038622d26

SHA256 hash: 0cc272835ee6d12502dba4fdc6de0bd36de736e26d87c4666a6b70521fbc3bd6
MD5 hash: 353c0b656ffb7e7405135feffff90bf2
SHA1 hash: 8d0524f36290eb0b2df0b8f9cf287ac27bb8abd4

SHA256 hash: c1c23e10150eeee65b095c444c545d57692453c08bdb7f037f93859ed7505089
MD5 hash: b7fe83ed1c2c29b728d92774fdf1446d
SHA1 hash: 652d5ff26f28653d0e8345e40265496e036113f0

SHA256 hash: fb253ba653005c97ec369d37d3ef234e85989984c77296bc8f763b53cbb07ab9
MD5 hash: af895604b36ff7795f8d5df80a446b11
SHA1 hash: 7df14f3f58d8303e88a560f8ac39788ce3a61f50
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Azorult
Author: kevoreilly
Description: Azorult Payload

Rule name: malware_Azorult
Author: JPCERT/CC Incident Response Group
Description: detect Azorult in memory
Reference: internal research

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: win_azorult_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.azorult.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: AZORult
File type: Executable exe
SHA256 hash: fb253ba653005c97ec369d37d3ef234e85989984c77296bc8f763b53cbb07ab9 (this sample)

Delivery method: Distributed via web download