MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f
SHA3-384 hash: a8ba2bcf91237479fab0a0774ff1e29ec0d44dbbd9921fd2baf033817257872c63e43d83138941b6b63738f80caf9307
SHA1 hash: 727421a8ea79d0c0562870c33d055224c7c9a4bc
MD5 hash: 837547af8d2a1f60f8bbe09066f0ffa2
humanhash: papa-avocado-mirror-carbon
File name:837547af8d2a1f60f8bbe09066f0ffa2.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:708'608 bytes
First seen:2022-04-12 12:37:47 UTC
Last seen:2022-04-12 13:59:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 17b4b1fe70fbbdccbba7c09889838934 (3 x AZORult, 2 x Worm.Ramnit, 1 x RedLineStealer)
ssdeep 12288:M0sFGCY9CJFLnrZlZ7f0sFGm45w1s16RlXz2UOFoJjjy3Mkx2lXz2UOFoJjjL3MB:M0F9EFBl1f0uc6TsFodydx2sFodLdxw
Threatray 10'694 similar samples on MalwareBazaar
TLSH T1ADE4021D4DBA0373F20A467127D284D4577EACA7399DE85FEB402E882BA7D1102477BB
Reporter abuse_ch
Tags:AZORult exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
1'605
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
837547af8d2a1f60f8bbe09066f0ffa2.exe
Verdict:
Malicious activity
Analysis date:
2022-04-13 03:30:20 UTC
Tags:
trojan rat redline arkei stealer vidar
Link:
https://app.any.run/tasks/61d25382-d45f-498e-a281-5440b40e3abe

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/263067/
Detection(s):
SecuriteInfo.com.Variant.Fragtor.9752.27042.21835.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Sending a custom TCP request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug anti-vm control.exe greyware hacktool obfuscated packed
Link:
https://www.filescan.io/uploads/625572b9ffe27d5119b57d61/reports/c0c0dcda-0760-4208-b3bc-9f010619000f/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bc65584b-f3b3-4ecc-8e98-0c401ebf32f0
Result
Threat name:
RedLine Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/975332
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to detect sleep reduction / modifications
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after checking computer name)
Found evasive API chain (may stop execution after checking locale)
Found evasive API chain (may stop execution after checking mutex)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses process hollowing technique
Self deletion via cmd delete
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 607816 Sample: Dvb2p8F67a.exe Startdate: 12/04/2022 Architecture: WINDOWS Score: 100 44 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 Antivirus detection for URL or domain 2->48 50 8 other signatures 2->50 8 Dvb2p8F67a.exe 15 2->8         started        process3 file4 38 C:\Users\user\AppData\Local\...\dcaqbmme.exe, PE32 8->38 dropped 58 Detected unpacking (creates a PE file in dynamic memory) 8->58 60 Found evasive API chain (may stop execution after checking mutex) 8->60 62 Self deletion via cmd delete 8->62 64 5 other signatures 8->64 12 dcaqbmme.exe 4 8->12         started        15 Dvb2p8F67a.exe 75 8->15         started        signatures5 process6 dnsIp7 70 Antivirus detection for dropped file 12->70 72 Multi AV Scanner detection for dropped file 12->72 74 Machine Learning detection for dropped file 12->74 82 3 other signatures 12->82 18 RegAsm.exe 15 8 12->18         started        42 62.204.41.69, 49779, 49792, 49793 TNNET-ASTNNetOyMainnetworkFI United Kingdom 15->42 76 Self deletion via cmd delete 15->76 78 Tries to harvest and steal browser information (history, passwords, etc) 15->78 80 Tries to steal Crypto Currency Wallets 15->80 23 cmd.exe 1 15->23         started        signatures8 process9 dnsIp10 40 62.204.41.166, 27688, 49781 TNNET-ASTNNetOyMainnetworkFI United Kingdom 18->40 34 C:\Users\user\AppData\Local\Temp\kaxfds.exe, PE32 18->34 dropped 36 C:\Users\user\AppData\Local\...\kaxfcfdds.exe, PE32 18->36 dropped 52 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 18->52 54 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 18->54 56 Tries to harvest and steal browser information (history, passwords, etc) 18->56 25 kaxfcfdds.exe 14 2 18->25         started        28 kaxfds.exe 18->28         started        30 conhost.exe 23->30         started        32 timeout.exe 1 23->32         started        file11 signatures12 process13 signatures14 66 Detected unpacking (overwrites its own PE header) 25->66 68 Machine Learning detection for dropped file 25->68
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f/
Threat name:
Win32.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2022-04-12 07:05:11 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7m3isj6zauna5vjgccwuhbe5dmgn6kwo4o5rx6emmpr7zzkkj4hq._file
Verdict:
malicious
Similar samples:
0b7410c41dd49a7a43487fa0e56f5b336951609e67b873d5cdd70632a954b4a8
AZORult
175b071e0af990176bee9c03654353b1ace449489048941e7c567a7f897814e5
AZORult
2cb326bf23a15dfa548df0266743efffefe1cb91450b3146e03e72f51c2cf0d9
AZORult
33d9ff922b2b34291e7e84fee8cb11062f4e1eb56cff714fca88f8fa5b507c09
AZORult
4f26b9b399e238579178958fc76c17ab1a605a33cb6bd6d47aac073596a2dee6
AZORult
94e022cc268feee9f2a1a08260ecbb9767bfc0383ccabfb12330c30b5edf4933
AZORult
b8868eb87c7cb945704e2d0b8ec2ebdc890cd6df12f9ef0a7295582c7fd0cf1f
AZORult
+ 10'684 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:arkei family:redline botnet:04062022 botnet:default discovery infostealer spyware stealer suricata
Link:
https://tria.ge/reports/220412-pt2wzabdek/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Arkei
RedLine
RedLine Payload
suricata: ET MALWARE Base64 Encoded Stealer Config from Server - %APPDATA% M4
Malware Config
C2 Extraction:
http://62.204.41.69/p8jG9WvgbE.php
62.204.41.166:27688
Unpacked files
SH256 hash:
33c13f39cedaceb3b819806d15ae95d78216af888701c7456cda0f1624da278f
MD5 hash:
95957193082f6a11792e23636c33dbf3
SHA1 hash:
130a0e568005f876ed461c3fa64a0896d6c8837f
Link:
https://www.unpac.me/results/195666aa-d3ea-4e8f-95f2-61f47564d0da/
SH256 hash:
36f22bc069c6816c24415c22b22953851e13344c85050c62e83f5ff7dd97d741
MD5 hash:
a546aaee3663d9315bc4273c43479778
SHA1 hash:
e673cb43c79c1b7201b0a925b05b74de0b9633ce
Link:
https://www.unpac.me/results/195666aa-d3ea-4e8f-95f2-61f47564d0da/
SH256 hash:
fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f
MD5 hash:
837547af8d2a1f60f8bbe09066f0ffa2
SHA1 hash:
727421a8ea79d0c0562870c33d055224c7c9a4bc
Link:
https://www.unpac.me/results/195666aa-d3ea-4e8f-95f2-61f47564d0da/
Malware family:
AZORult v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/fb368927d905/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.25
Link:
https://yomi.yoroi.company/submissions/fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Redline_Stealer_Monitor
Create hunting rule
Description:Detects RedLine Stealer Variants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AZORult

Executable exe fb368927d9051a0ed52610ad43849d1b0cdf2acee3bb1bf88c63e3fce54a4f0f

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1746809/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1746813/
  
URLhaus
https://urlhaus.abuse.ch/url/437013/
  
URLhaus
https://urlhaus.abuse.ch/url/446434/
  
URLhaus
https://urlhaus.abuse.ch/url/265919/
  
URLhaus
https://urlhaus.abuse.ch/url/2141169/
  
URLhaus
https://urlhaus.abuse.ch/url/399075/
Cape
Cape
https://www.capesandbox.com/analysis/263067/

Comments