MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fd5e6989ff1e8e4ef24bbb2b67018ef8adbdf0da5d489cd142fd8e1a033ce92e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AZORult

Vendor detections: 11

Intelligence 11 IOCs 1 YARA 2 File information Comments

SHA256 hash:	fd5e6989ff1e8e4ef24bbb2b67018ef8adbdf0da5d489cd142fd8e1a033ce92e
SHA3-384 hash:	b79c75509ea960e97ede5055b9e12113cd225f284cbd130721fee6c7b5f7a2b7d57340558a7c075ce799304f485ae584
SHA1 hash:	0a7f0528da4ef476c96b6f3d33320add4dbd1eec
MD5 hash:	d6a9b0467cefd7faf593cfd666edd3a2
humanhash:	illinois-echo-illinois-stairway
File name:	d6a9b0467cefd7faf593cfd666edd3a2.exe
Download:	download sample
Signature	AZORult Create hunting rule
File size:	753'152 bytes
First seen:	2022-02-10 04:31:12 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'202 x SnakeKeylogger)
ssdeep	12288:eEyQkZ3WiL5/UNXXQuG2YOi57+afzsi/o9OpRr84FrYqYu2:lmtz5eXXLGPLB/o9Y
Threatray	4'484 similar samples on MalwareBazaar
TLSH	T159F4F12457AC8729E87A57F86834823607B93C9A7062DE4E4EF1BDCF39367814421F5B
File icon (PE):
dhash icon	68686cdcc6a6d2e1 (13 x AgentTesla, 5 x Formbook, 4 x AZORult)
Reporter	abuse_ch
Tags:	AZORult exe

abuse_ch

AZORult C2:
http://australiadish.bar/kendrick/index.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://australiadish.bar/kendrick/index.php	https://threatfox.abuse.ch/ioc/384548/

Intelligence

File Origin

# of uploads :

# of downloads :

313

Origin country :

n/a

Vendor Threat Intelligence

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

DNS request

Unauthorized injection to a recently created process

Creating a file

Сreating synchronization primitives

Sending an HTTP POST request

Creating a file in the %temp% subdirectories

Reading critical registry keys

Stealing user critical data

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

obfuscated packed replace.exe update.exe

Link:

https://www.filescan.io/uploads/62049546942573cad44e4788/reports/5969ffed-3ab4-483e-b52d-04b012149f75/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

AZORult

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/04e86087-90b2-405c-a782-7c1db8b4cda1

Result

Threat name:

Azorult

Detection:

malicious

Classification:

phis.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/937531

Signature

.NET source code contains potential unpacker

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Crypto Currency Wallets

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file / registry access)

Yara detected AntiVM3

Yara detected Azorult

Yara detected Azorult Info Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/fd5e6989ff1e8e4ef24bbb2b67018ef8adbdf0da5d489cd142fd8e1a033ce92e/

Threat name:

Win32.Trojan.Strictor

Status:

Malicious

First seen:

2022-02-10 04:32:09 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

8 of 43 (18.60%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=7vpgtcp7d2he54slxmvwoamo7cw334g2lvejzukc7whbuaz45exa._file

Verdict:

malicious

Label(s):

azorult

AZORult

6320a3e177b12f514785a1b9b84c830758a3d99625172c0a5c925dd84b6be9e7

AZORult

6fe04c8791ef39d3256b229ecb5e574d450e8c0e59300c32658e940880aa2929

AZORult

78fd4e091b66540f612e7c3bd324d4bfa1abeebac2487d192f672686d09ed1a1

AZORult

7ea33c91dc1a98b9ab5229455e951d38f4d4563130f87d3fa290b9b01b2337dd

AZORult

d12ed131337f7c91df923f4c677ac2a50359836a60aee94bed3d1e7e09528a27

AZORult

e21841343a1c7c4fef6fdb074428316618b2a42b8b6f0bd0f3ab2bb6ad5c0055

AZORult

e325188649a8eef76951cc308fd75f0d0101887f482dc45a4a6f2a920c71d3c6

AZORult

e9ac2483e5d8c2b182d7f5059a1110b69c338242e19d153bc25499990ec62083

AZORult

+ 4'474 additional samples on MalwareBazaar

Result

Malware family:

azorult

Score:

10/10

Tags:

family:azorult collection discovery infostealer spyware stealer suricata trojan

Link:

https://tria.ge/reports/220210-e5hbladggl/

Behaviour

Checks processor information in registry

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Drops file in Windows directory

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Loads dropped DLL

Reads data files stored by FTP clients

Reads local data of messenger clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Azorult

suricata: ET MALWARE AZORult v3.3 Server Response M2

suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M13

suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M5

Malware Config

C2 Extraction:

http://australiadish.bar/kendrick/index.php

Unpacked files

SH256 hash:

658c80f34df29800e29a4112d11cda1f861c5622cff223d43c026ee191473fc0

MD5 hash:

024c4790ae1fee2b1280f5b26da2bc6b

SHA1 hash:

e9e34165a3ffaad39aaec159387b333f3cff378a

Detections:

win_azorult_g1

win_azorult_auto

Link:

https://www.unpac.me/results/4ced46d9-1ee2-4420-a3b0-9d921d4546c0/

Parent samples :

3ca1b9b8c365e7329e540d4e84320f0bf61e50a4bab5be54460d0c3e2f320ce1
fd5e6989ff1e8e4ef24bbb2b67018ef8adbdf0da5d489cd142fd8e1a033ce92e
10fed6bb7e0d98d4c39fecce52838efecad2e6d836ceabaf40b438e6790e8abf
d8c4fb5e1c854c9362c4129efbaa6b72435b8e93df66fd418f288650d360ff22
fb253ba653005c97ec369d37d3ef234e85989984c77296bc8f763b53cbb07ab9
f188d2c47c9f395e6063a2fe69edf5830c4d520e11f21421a1814d3202503c45
85e16c4fe21b79d748d246527b80cacb62c90b75f331e774d7cef90d3f3764f5
5c52d01a13034d617c28365f534c392ec264c3d755dc36ff188082081af05688

SH256 hash:

f365b92b11041eed57b6f7534e83e04167fce1cfacc570e79335292f3c0ea8aa

MD5 hash:

9147a2ef317fe384182d1281e5af8110

SHA1 hash:

bbe360e6eca29a32e1f787e1416ddad4d35dcf1a

Link:

https://www.unpac.me/results/4ced46d9-1ee2-4420-a3b0-9d921d4546c0/

SH256 hash:

72b2eb7aed52a19330d8dd5b2eaa574d96c8e4e641a5ea24f591c3061399173b

MD5 hash:

75394f8f9230d64ebde28f3d6a10ec5a

SHA1 hash:

437d6ec65f303c7d966fcb59d9f51973cd51bc32

Link:

https://www.unpac.me/results/4ced46d9-1ee2-4420-a3b0-9d921d4546c0/

SH256 hash:

b57e2ab243ac0cdad358a2b75ceaaf97f1789c3c1a344190b45a3bf236b3b760

MD5 hash:

d6c5f17cefd256870f50de4967f02d02

SHA1 hash:

2f19482e06291d6bdc62e50f60ecb71d1e73e492

Link:

https://www.unpac.me/results/4ced46d9-1ee2-4420-a3b0-9d921d4546c0/

SH256 hash:

fd5e6989ff1e8e4ef24bbb2b67018ef8adbdf0da5d489cd142fd8e1a033ce92e

MD5 hash:

d6a9b0467cefd7faf593cfd666edd3a2

SHA1 hash:

0a7f0528da4ef476c96b6f3d33320add4dbd1eec

Link:

https://www.unpac.me/results/4ced46d9-1ee2-4420-a3b0-9d921d4546c0/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AZORult

exe fd5e6989ff1e8e4ef24bbb2b67018ef8adbdf0da5d489cd142fd8e1a033ce92e

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2038758/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample