MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fe117521cd5f1653cebc4d6a3bfd85dfd273e4df7d8e0204205779a951e421bc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 11


Intelligence 11 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fe117521cd5f1653cebc4d6a3bfd85dfd273e4df7d8e0204205779a951e421bc
SHA3-384 hash: a439edaf3c65341a99ab4dd0d7cd4c19c11f90db644cccddccd209bbd1d014424a38a5565dd5683aafa3c5f1c2052a63
SHA1 hash: 261532f47c7467e35b1b6d405c1a0748182f768f
MD5 hash: 0127bfef7d4408d3384e5792da7384d0
humanhash: juliet-sixteen-kansas-mobile
File name:Dekont.pdf.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:420'352 bytes
First seen:2021-01-07 14:07:09 UTC
Last seen:2021-01-07 15:32:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'653 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 6144:8Vr0/a1IPbEbT7tLfKrdQojdC+D2Eb3ZQFWL3rygW2SatjBeXaZ:ErQa1IP4bQJQojoJEFQY3rygxSatFeG
Threatray 567 similar samples on MalwareBazaar
TLSH 0994D442B38CCB94DA9071BB5BD5A62D5343F0D7F610CAA5631A8AF164B31C27D8F398
Reporter abuse_ch
Tags:AZORult exe geo Halkbank TUR


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: server.gmdsa.us
Sending IP: 45.141.37.223
From: Halkbank Internet Subesi <internet.subesi@halkbank.com.tr>
Subject: 7.01.2021 TARİHLİ DEKONT
Attachment: Dekont..pdf.img (contains "Dekont.pdf.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
363
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Dekont.pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-01-07 14:51:19 UTC
Tags:
trojan rat azorult stealer
Link:
https://app.any.run/tasks/21cca962-ab38-4ee1-a7de-021ffde3d759

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/110841/
Detection(s):
SecuriteInfo.com.Generic.mg.0127bfef7d4408d3.1570.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Running batch commands
Launching a process
Sending a UDP request
Creating a file in the %temp% directory
Creating a file
Creating a process from a recently created file
Deleting a recently created file
Creating a process with a hidden window
Unauthorized injection to a recently created process
Enabling autorun
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Azorult
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/575880
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Creates an undocumented autostart registry key
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Yara detected Azorult
Yara detected Azorult Info Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 336993 Sample: Dekont.pdf.exe Startdate: 07/01/2021 Architecture: WINDOWS Score: 100 32 Found malware configuration 2->32 34 Malicious sample detected (through community Yara rule) 2->34 36 Yara detected Azorult 2->36 38 5 other signatures 2->38 8 Dekont.pdf.exe 5 2->8         started        process3 file4 26 C:\Users\user\Desktop\yes.exe, PE32 8->26 dropped 28 C:\Users\user\AppData\...\AddInProcess32.exe, PE32 8->28 dropped 30 C:\Users\user\...\yes.exe:Zone.Identifier, ASCII 8->30 dropped 42 Hides that the sample has been downloaded from the Internet (zone.identifier) 8->42 12 yes.exe 3 8->12         started        15 cmd.exe 1 8->15         started        signatures5 process6 signatures7 44 Writes to foreign memory regions 12->44 46 Allocates memory in foreign processes 12->46 48 Hides that the sample has been downloaded from the Internet (zone.identifier) 12->48 50 Injects a PE file into a foreign processes 12->50 17 AddInProcess32.exe 12->17         started        19 reg.exe 1 1 15->19         started        22 conhost.exe 15->22         started        process8 signatures9 24 WerFault.exe 23 9 17->24         started        40 Creates an undocumented autostart registry key 19->40 process10
Detection:
azorult
Create hunting rule
Link:
https://mwdb.cert.pl/sample/fe117521cd5f1653cebc4d6a3bfd85dfd273e4df7d8e0204205779a951e421bc/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-01-07 14:08:11 UTC
AV detection:
12 of 29 (41.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7yixkionl4lfhtv4jvvdx7mf37jhhzg7pwhaebbak542supeeg6a._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
Similar samples:
02f2ef392aadd8b486f022e3cd6bad2e6d0a2b6d39d2371b7d528e9ea6607a00
AZORult
3cc4cb75641d291b4ea472ae93239c0d11aa00ff6d30d867c04f5d8215fd981c
AZORult
4551d06a33be96c8808d2e180d6cf35c50cbf2dc114a51e90aa49bb4597e2936
AZORult
62ddfbbb9039c0671aa08af5d0fdd0fe949eb96e435c631a57e931e4b19743a9
AZORult
712570e39e1f912cebe3d6522f2df4077ec0958d3ea3b0797e2492c4923db8f5
AZORult
71c6cb7973a0fdb717141cfcbd86fdea022406af54156501c21f73078a200161
AZORult
72cdab689d7d8015c3c033cb824a95148664662ad100735ca09bdd0da5cf139d
AZORult
aee6577ef4a0d538fecd2596cedc2cdcd8eed86e9267c1bb40b0a17fbb5e51a3
AZORult
db781b43713924c2e6611681440591724c6184adbdfe9be1c53c955752f1dd10
AZORult
ff0dbe5f85b9f46b03fbfe6feef5c0130faf814614e7280ca0d55eb23948a4eb
AZORult
+ 557 additional samples on MalwareBazaar
Result
Malware family:
azorult
Create hunting rule
Score:
  10/10
Tags:
family:azorult discovery infostealer persistence spyware trojan
Link:
https://tria.ge/reports/210107-kv3xcynav2/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks installed software on the system
JavaScript code in executable
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
Azorult
Modifies WinLogon for persistence
Malware Config
C2 Extraction:
http://blkgrupdoom.info/scgn/index.php
Unpacked files
SH256 hash:
fe117521cd5f1653cebc4d6a3bfd85dfd273e4df7d8e0204205779a951e421bc
MD5 hash:
0127bfef7d4408d3384e5792da7384d0
SHA1 hash:
261532f47c7467e35b1b6d405c1a0748182f768f
Link:
https://www.unpac.me/results/d2beb53d-f114-49d9-97d4-e4f444aebcac/
SH256 hash:
49dc26861fffee2f6440e56a10b7086ea305d2f16bb9e27ba3e08b9893557f86
MD5 hash:
e732cd6decfed3503b4020899d5a56f9
SHA1 hash:
024c1bf147c698e92aae340bbee323601d02a787
Link:
https://www.unpac.me/results/d2beb53d-f114-49d9-97d4-e4f444aebcac/
SH256 hash:
4f81e273da20c5b9835ce6ca57cc061d77764f9e3927bdb1505cb791bf50b046
MD5 hash:
29e19b5dce96140a8b90152b16bd44af
SHA1 hash:
4f3dc6eb876bb58f53966980a9c451a04ec17d8a
Link:
https://www.unpac.me/results/d2beb53d-f114-49d9-97d4-e4f444aebcac/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fe117521cd5f1653cebc4d6a3bfd85dfd273e4df7d8e0204205779a951e421bc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:Steam_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Steam in files like avemaria
Rule name:Telegram_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Telegram in files like avemaria
Rule name:Trojan_W32_Gh0stMiancha_1_0_0
Create hunting rule
Rule name:win_azorult_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_azorult_g1
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AZORult

img 8b45712feea82b6c42076de610a00aa62c1a2d9fae892df9396e6dc9db75bb54

AZORult

Executable exe fe117521cd5f1653cebc4d6a3bfd85dfd273e4df7d8e0204205779a951e421bc

(this sample)

  
Dropped by
MD5 9803ba35815f4581bcd9c91947b8e35c
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/110841/
  
Dropped by
SHA256 8b45712feea82b6c42076de610a00aa62c1a2d9fae892df9396e6dc9db75bb54

Comments