MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ff3e2f2fe988d10c72aa056a9220a32e6ed9db7204df93713aa9451682c2c630. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AZORult


Vendor detections: 10


Intelligence 10 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ff3e2f2fe988d10c72aa056a9220a32e6ed9db7204df93713aa9451682c2c630
SHA3-384 hash: 1cab8da5c88bcab5677ada55d2829395c8f7b7f8fad53f00c36102892901559309f3d3123b0ea23ecb2f7ff1a5f4c24e
SHA1 hash: b0a9762ebb47ece6f99840079d7db1d031797de1
MD5 hash: 9f121b2a173affdaf0a04694032589c8
humanhash: louisiana-mexico-coffee-lamp
File name:fgherty.exe
Download: download sample
Signature AZORult
Create hunting rule
File size:441'856 bytes
First seen:2020-11-03 14:12:03 UTC
Last seen:2020-11-03 16:04:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 6144:7nu2Mo+Efv8I1zd5wIJH5y5bvF0tQ44xRITQH3YMrmDsyUsLFSJ0W7CMh:7uHet1p5ZXylFSWxyU39isVSPM
Threatray 427 similar samples on MalwareBazaar
TLSH ED949FB27D52586ECAAF077541A981C1FABA16C73F608B0D71AF430C0F11A1BEB5365B
Reporter JAMESWT_WT
Tags:AZORult

Intelligence

File Origin
# of uploads :
2
# of downloads :
134
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Azorult
Create hunting rule
Link:
https://www.capesandbox.com/analysis/82060/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.44322509.25128.15237.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file in the %temp% directory
Creating a file
Creating a process from a recently created file
DNS request
Sending an HTTP POST request
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Azorult
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/519234
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected Azorult
Yara detected Azorult Info Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
azorult
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ff3e2f2fe988d10c72aa056a9220a32e6ed9db7204df93713aa9451682c2c630/
Threat name:
ByteCode-MSIL.Infostealer.Stelega
Create hunting rule
Status:
Malicious
First seen:
2020-11-03 01:51:53 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
1469f4fc2b5656138640f57204d26e8a956193323d839b8f74350d45e1cdb69b
AZORult
267df514019cdb3d9c9d29ea27726fefc397c0ed5804a91999af97f2d10e070e
AZORult
268a8cd2e1be94fb5124930ed021ef9cda228d8366efef29884f7affc47f936d
AZORult
3e740fea889c9009f592cd53d244363e2095601ed8b88aa5225b46643b955c5e
AZORult
84402b111a9e126f52c2ddff7e8d4ac2730bb4ed39409a83ace0a1ded0b4e982
AZORult
91de70857ce9dbf596a67b2abad7552a467fcc2a155d349799261fb8585e6c18
AZORult
95ccbdefafb7f4b5e2a505d3681803940a8fa7a5cae06ee56036009b4253c5ac
AZORult
b938308e908f642f82eb2cfd683a86fcfb09d525e865810dd5af635cfabd315f
AZORult
e3d729ca42f1fccc448853dfd71bdd9e95b7427467a1cbda56326d17cc44f922
AZORult
e812ca08bf2f1a1ea83facfaab349a8fa9d9fd88607d2b61a81423bb3f992175
AZORult
+ 417 additional samples on MalwareBazaar
Result
Malware family:
azorult
Create hunting rule
Score:
  10/10
Tags:
family:azorult discovery infostealer spyware trojan
Link:
https://tria.ge/reports/201103-3y42wy2q7n/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
JavaScript code in executable
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
Azorult
Malware Config
C2 Extraction:
http://alhelli.com/babtest/temp/mem/index.php

Unpacked files
SH256 hash:
ff3e2f2fe988d10c72aa056a9220a32e6ed9db7204df93713aa9451682c2c630
MD5 hash:
9f121b2a173affdaf0a04694032589c8
SHA1 hash:
b0a9762ebb47ece6f99840079d7db1d031797de1
Link:
https://www.unpac.me/results/8a987a67-55ae-455d-83aa-7dd3b32f129d/
SH256 hash:
85149b884607f6bb7317c7fb893b8cabc550422ecd62bd59509a3d5fcf44b56d
MD5 hash:
a5baef204b1c2470b3692ead91645bcc
SHA1 hash:
636c826cd651b6817711353b140d7960731daec5
Link:
https://www.unpac.me/results/8a987a67-55ae-455d-83aa-7dd3b32f129d/
SH256 hash:
df504068d5d3ad938d2acefc117b3a5b6415945370b0d22d6b8472c287e6825a
MD5 hash:
cdae731c4b802f8f44972466cbc0c340
SHA1 hash:
7043b1d9a9f6568a252d41b853e244eb946be3be
Detections:
win_azorult_g1
Create hunting rule
win_azorult_auto
Create hunting rule
Link:
https://www.unpac.me/results/8a987a67-55ae-455d-83aa-7dd3b32f129d/
Parent samples :
ff3e2f2fe988d10c72aa056a9220a32e6ed9db7204df93713aa9451682c2c630
4ffa1fd1556f580d5a96587d425635f3e54650219a48524a98b1c57b86dd7c7f
1ffacc4d949c3b5ee5b3ec2d967ecd6858b9f1d0593ddcd13c9cf635f6e709bd
SH256 hash:
19d9922060be89a70b76e5c0056e751f1baa5d41819235c92cf4f5d7668e1267
MD5 hash:
811864a0b06c529af894a7fec6ddbf47
SHA1 hash:
d35b82933eb06a6ec60e8cbbdb65eb6cdcaeb6d2
Link:
https://www.unpac.me/results/8a987a67-55ae-455d-83aa-7dd3b32f129d/
Parent samples :
afa2f55e149097f9b250142bbfd94d9d56d10649c96adb079fdb0dfdac7c6660
69e2ae11e1b5cbe120bf02301191a1cf05e87fc09b09d63bd782abbf3615d05d
0b778873c94f6bc89a40294c0e85a38ab82509260cd2a2e8b73d00c5c90e8757
7ddfa6f44a60f4b894321f6977f8121cfb371c3c61ac872c58ba61fd5ee13deb
SH256 hash:
f8bee4108a324df32ad5a2ebafa6b7f411402a21e2598cf9db66486970f80fdd
MD5 hash:
a92da98ff6f5ae608503d074617bcc2a
SHA1 hash:
d3eafcccca011bb3a7a5ae52dd9704ceafcde472
Link:
https://www.unpac.me/results/8a987a67-55ae-455d-83aa-7dd3b32f129d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ff3e2f2fe988d10c72aa056a9220a32e6ed9db7204df93713aa9451682c2c630

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:Steam_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Steam in files like avemaria
Rule name:Telegram_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Telegram in files like avemaria
Rule name:Trojan_W32_Gh0stMiancha_1_0_0
Create hunting rule
Rule name:win_azorult_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_azorult_g1
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AZORult

Executable exe ff3e2f2fe988d10c72aa056a9220a32e6ed9db7204df93713aa9451682c2c630

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/82060/
  
URLhaus
https://urlhaus.abuse.ch/url/782946/
  
Delivery method
Distributed via web download

Comments