BLACK FRIDAY: 2-for-1 offer NOVEMBER 20 - 26 See details
15
Global rank
41 infographic chevron month
Month rank
40 infographic chevron week
Week rank
3029
IOCs

AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat.

Stealer
Type
ex-USSR
Origin
1 January, 2016
First seen
11 July, 2024
Last seen
Also known as
PuffStealer
Rultazo

How to analyze Azorult with ANY.RUN

Type
ex-USSR
Origin
1 January, 2016
First seen
11 July, 2024
Last seen

IOCs

IP addresses
172.67.152.15
162.240.230.249
23.229.191.64
192.119.110.244
181.215.235.180
77.91.77.81
185.43.220.45
4.184.236.127
31.210.20.167
23.227.193.33
94.103.94.25
3.36.173.8
185.29.9.113
185.178.45.193
45.63.60.194
141.98.6.72
84.38.130.165
45.88.66.207
45.137.22.58
23.146.242.85
Hashes
6f6118dc6bb9697ec63089a47544165ee74bd90e91c5769e6b38fbc62cc8622f
b6a906d0ebcffbc5400eb7d199e8a4002dcfd28b8f115a31677178080d0ea5d6
68b5f994f6e7d486f31e6259f0088e8e95f5db4a86457d321c141d94bb72e6b0
383f832947919f6fd9a512ffd689a03c8f7cef4a328398038fe8df6a6d2bc6b1
5feb9c60d2bce546754b23e4c82ad0fc3e507c32c3068a103aa5af5b848c94e0
530e35d68b61fafdf64deff557d7ec78209a56d9c49d10c4f58a3b24ad077f07
a71e52e50140ba2639a1d1c72cf0df821673652a5e1c10b8639b85327f681b01
53bfc00d98174bf63cd2784bb9f9ceea17cb39bbd6dcb0fe8eb348e0ed274e45
21a3feee6f44d5a03971e5aced1f93b6bc28950d2729f411a477fdec605ec156
f55e3eb12fec7716b9e57e503759013af028205ae1797f2da58ea2ce312cfc66
f659031b488c5c105016d60cfc9da09ea0a68f43b957e8b264461e75bcbf6f4b
c6e6ac05a991d12c28d6c57d49378e2a1c1a42bba6fdf686e9ccc8885a6ae8c8
056b1b056504fbd03dc32668dbf3fa52900685da42d1d47a75e9d150a8f23713
c33105209acd4b1f2cf3280624beb53cf5ca7232bea0ab225089fa976e8660f7
faa87f7a8cb33ce4d523a4927dcdba6c13044af4aa2609bea22df58f1afbdcb6
58c0b3141d67f967cb229079845100362bcdbd72b9711a829df91a82e6e6f5e9
7ea33c91dc1a98b9ab5229455e951d38f4d4563130f87d3fa290b9b01b2337dd
ac36c5174ef7ba76a704baeaa713ad6630fc79db52bb904a5b41e15316e7d353
e31587908889029f73855cd422d13232ae6653b59c2d1c4fb36c19118ab0cbf5
daf8cd6f6c9c7973e5a877510d38b7f71ed45fd41b408ee341e42281cf7419b1
Domains
5desconcertais.sa.com
ehzwq.shop
sh1000816.had.su
whyuneedcrackfakesitehaha.000webhostapp.com
veritynova.com
tragee.000webhostapp.com
emails-blockchain.com
incorporatebelize.org
perrr01.pro
smdbaba.monster
razvalina.xyz
spursg.shop
finlzzm.com
ppdb.smkn1cilegon.sch.id
hellthrash.temp.swtest.ru
ggg-cl.biz
f0528018.xsph.ru
blsrs.shop
jfghhwscxsa.ug
system-update.us
URLs
http://prepepe.ac.ug/freebl3.dll
http://prepepe.ac.ug/vcruntime140.dll
http://prepepe.ac.ug/nss3.dll
http://prepepe.ac.ug/sqlite3.dll
http://prepepe.ac.ug/msvcp140.dll
http://prepepe.ac.ug/mozglue.dll
http://prepepe.ac.ug/softokn3.dll
http://pretorian.ac.ug/index.php
http://mnbgba.ac.ug/index.php
http://www.pastrasasca.ug/net.exe
http://mail.timebound.ug/native.exe
http://www.qwerty12346.ru/ghjkl.exe
http://ns2.mistitis.ug/ghjk.exe
http://lastimaners.ug/zxcv.EXE
http://lastimaners.ug/asdf.EXE
http://lastimaners.ug/asdfg.exe
http://lastimaners.ug/zxcvb.exe
http://hqt3.shop/HQK341/index.php
http://195.245.112.115/index.php
http://hqt3.shop/PL341/index.php
Last Seen at

Recent blog posts

post image
What Are the 3 Types of Threat Intelligence D...
watchers 149
comments 0
post image
Expert Q&A: Aaron Fillmore on his Cyberse...
watchers 161
comments 0
post image
Malware Trends Report: Q2, 2024 
watchers 1630
comments 0

What is AZORult malware?

AZORult is an information stealer malware that is targeted at stealing credentials and accounts. Updated multiple times over the years, AZORult continues to be an active concern for the users, stealing information such as banking passwords, credit card details, browser histories, and even cryptocurrency.

AZORult stealer was discovered, analyzed, and documented for the first time on July 26, 2016, by Proofpoint researchers. At the time, the virus was distributed together with another trojan called Chthonic. However, subsequent spam email campaigns started distributing AZORult as the main payload while Hermes and Aurora ransomware were added as additional payloads. A new strain of the stealer Trojan was documented In July 2018. The analysis revealed that it brought several upgrades to the functions of both the stealer and the loader of the virus, additionally allowing to distribute AZORult with the RIG exploit kit. The latest recorded version of the malware is v3.3. This strain was first documented in October 2018. Most notably, this strain updated a way of encrypting the C&C domain string and improved crypto-stealing function.

General description of AZORult malware

A trojan type malware originated in one of the ex-USSR countries. AZORult spyware searches for useful information on the affected computer and sends it to the C2 server to potentially steal the victim’s bank account data. AZORult can steal cookies, browser autofill information, desktop files, chat history, and more.

Interestingly, to get into a machine, the virus, in some cases, requires secondary malware like HawkEye or Seamless. Notably, after every bit of useful data is obtained in campaigns with Hermes and Aurora, user files are encrypted, and a ransom is requested to restore the lost data.

One of the interesting features of AZORult is that after execution, the malware is removed from the system due to the lack of a persistence mechanism.

Malware analysis of AZORult

ANY.RUN displays the execution process of AZORult in an interactive virtual environment. As shown by the sandbox simulation, the virus launches the following process during its execution:

  • Firstly, a Microsoft Office file opened, and WINWORD.EXE with enable macros is executed;
  • The malware runs EQNEDT32.EXE and downloads a malicious executable through the exploitation of the CVE-2017-11882 Microsoft Office Equation Editor vulnerability;
  • A kendriknk8523.exe file is then launched, which after a sleep create child process with same name;
  • A child process then proceeds to steal the personal data and connect to the CnC server.

The execution process of AZORult can be viewed in more detail in the video provided by ANY.RUN sandbox.

azorult execution process tree

Figure 1: Illustrates the life cycle of malware. Process tree generated by ANY.RUN

How to avoid infection by AZORult?

AZORult is distributed mainly using spam email campaigns or via the RIG exploit kit. Notably, a major AZORult distribution campaign was observed on July 18, 2018, targeting North America.

Spam emails that the attackers sent carried largely employment-related subjects and included an infected and password-protected resume file that triggered the download of the virus.

AZORult malware execution process

text report of the azorult malware analysis

Figure 2: A text report generated by ANY.RUN

AZORult stealer uses a clever technique to trick various antivirus engines. Particularly, the version of the stealer Trojan distributed in the July 2018 spam campaign was activated after unlocking a password-protected document. Since a password protected the document that was attached to the email, antiviruses had not been able to scan it and determine whether it was malicious or not. For the virus to become active, the victim had to unlock and enable macros for the document. In this particular campaign, the malware was distributed with two payloads embedded in the main binary. Both payloads were dropped to the disk and executed, with the first executable payload being the information gatherer – AZORult itself and then the secondary ransomware.

It should be noted that in aforecited ANY.RUN simulation AZORult uses an exploit when a Microsoft Office file is opened, allowing to embed several malicious OLE objects into a document and executes arbitrary code on a machine, and even download any file from a remote server and execute it.

How to share your AZORult malware analysis with others?

If you want to share your virus analysis with others, you can create a text report and send it to anyone you want. Just click the "Text report" button. You can save it by using a printer icon in the upper-right corner of the report, or using your browser function by clicking the "Save page as..." or "Print..." buttons. You can also download or share other malware investigations, for example Adwind or Remcos. Note that you can choose that information section in your report you want to print or save into a file using the "Print..." button by clicking in the checkbox "Add for printing" on the right side of the sections. On the illustration below, the second section won't be included in the report.

text report for azorult Figure 3: Text report

Conclusion

AZORult remains to be a hazardous trojan. The stealer Trojan has been upgraded throughout its lifespan and currently poses even more dangers than during the first days of its lifespan. Particularly, most recent versions of AZORult are distributed in bundles with ransomware and can steal cryptocurrency from the victims.

AZORult's distribution in clever email campaigns makes becoming a victim of the stealer Trojan by accident relatively easy. The interactive sandbox analysis provided by services like ANY.RUN is a great way to learn more about the threat and greatly increase cybersecurity.

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Amadey screenshot
Amadey
amadey
Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.
Read More
Arkei screenshot
Arkei
arkei stealer
Arkei is a stealer type malware capable of collecting passwords, autosaved forms, cryptocurrency wallet credentials, and files.
Read More
AsyncRAT screenshot
AsyncRAT
asyncrat
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More
WarZone screenshot
WarZone
warzone avemaria stealer trojan rat
WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2.
Read More

Our website uses cookies. By visiting the pages of the site, you agree to our Privacy Policy