Azorult


AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat.

Type: Stealer
Origin: ex-USSR
First seen: 1 January, 2016
Last seen: 1 June, 2023
Also known as: PuffStealer, Rultazo

How to analyze Azorult with ANY.RUN


IOCs



What is AZORult malware?

AZORult is an information stealer malware that targets credentials and accounts. Updated multiple times over the years, AZORult continues to be an active concern for users, stealing information such as banking passwords, credit card details, browser histories, and even cryptocurrency.

AZORult stealer was discovered, analyzed, and documented for the first time on July 26, 2016, by Proofpoint researchers. At the time, the virus was distributed together with another trojan called Chthonic. However, subsequent spam email campaigns started distributing AZORult as the main payload, with Hermes and Aurora ransomware added as additional payloads. A new strain of the stealer Trojan was documented in July 2018. The analysis revealed that it brought several upgrades to the functions of both the stealer and the loader of the virus, and additionally allowed AZORult to be distributed with the RIG exploit kit. The latest recorded version of the malware is v3.3. This strain was first documented in October 2018. Most notably, this strain changed the way the C&C domain string is encrypted and improved the cryptocurrency-stealing function.

General description of AZORult malware

AZORult is a trojan-type malware that originated in one of the ex-USSR countries. AZORult spyware searches for useful information on the affected computer and sends it to the C2 server, potentially to steal the victim's bank account data. AZORult can steal cookies, browser autofill information, desktop files, chat history, and more.

Interestingly, to get onto a machine, the virus in some cases requires secondary malware such as HawkEye or Seamless. Notably, in campaigns with Hermes and Aurora, once every bit of useful data has been obtained, user files are encrypted and a ransom is requested to restore the lost data.

One of the interesting features of AZORult is that after execution, the malware is removed from the system due to the lack of a persistence mechanism.

Malware analysis of AZORult

ANY.RUN displays the execution process of AZORult in an interactive virtual environment. As shown by the sandbox simulation, the virus launches the following processes during its execution:

  • First, a Microsoft Office file is opened, and WINWORD.EXE is executed with macros enabled;
  • The malware runs EQNEDT32.EXE and downloads a malicious executable by exploiting the CVE-2017-11882 Microsoft Office Equation Editor vulnerability;
  • A kendriknk8523.exe file is then launched, which, after a sleep, creates a child process with the same name;
  • The child process then steals personal data and connects to the C&C server.
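As an added example (not ANY.RUN's code), the following Python runs two detections over a constructed process-creation log modelled on the chain above: EQNEDT32.EXE spawning an executable after being launched by Word, and a process relaunching a copy of itself. All pids and the sample events are made up.

```python
# Added example, not from the original page: detection logic for the process chain
# WINWORD.EXE -> EQNEDT32.EXE (CVE-2017-11882) -> dropped .exe -> same-name child.
from collections import defaultdict

# Constructed sample events: (pid, ppid, image name). Not a real capture.
SAMPLE_EVENTS = [
    (100, 1, "explorer.exe"),
    (200, 100, "WINWORD.EXE"),
    (300, 200, "EQNEDT32.EXE"),          # Equation Editor spawned by Word
    (400, 300, "kendriknk8523.exe"),     # payload dropped via the exploit
    (500, 400, "kendriknk8523.exe"),     # same-name child after the sleep
    (600, 100, "notepad.exe"),           # benign noise
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}


def build_tree(events):
    """Map each pid to its lower-cased image name and to its list of child pids."""
    image = {pid: name.lower() for pid, _, name in events}
    children = defaultdict(list)
    for pid, ppid, _ in events:
        children[ppid].append(pid)
    return image, children


def detect_equation_editor_chain(events):
    """Return pids of processes launched by an EQNEDT32.EXE that was itself
    started by an Office application. The Equation Editor has no legitimate
    reason to spawn child processes, so any hit is worth triage."""
    image, children = build_tree(events)
    hits = []
    for pid, ppid, name in events:
        if name.lower() != "eqnedt32.exe" or image.get(ppid) not in OFFICE_APPS:
            continue
        hits.extend(children[pid])
    return hits


def detect_same_name_child(events):
    """Return (parent_pid, child_pid) pairs where a process spawns a copy of
    itself, the self-relaunch behaviour the page attributes to the dropper."""
    image, children = build_tree(events)
    return [(p, c) for p in children for c in children[p]
            if p in image and image[p] == image[c]]


if __name__ == "__main__":
    print("Spawned by EQNEDT32:", detect_equation_editor_chain(SAMPLE_EVENTS))
    print("Self-relaunch pairs:", detect_same_name_child(SAMPLE_EVENTS))
```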

The execution process of AZORult can be viewed in more detail in the video provided by ANY.RUN sandbox.

Figure 1: Illustrates the life cycle of malware. Process tree generated by ANY.RUN

How to avoid infection by AZORult?

AZORult is distributed mainly using spam email campaigns or via the RIG exploit kit. Notably, a major AZORult distribution campaign was observed on July 18, 2018, targeting North America.

Spam emails that the attackers sent carried largely employment-related subjects and included an infected and password-protected resume file that triggered the download of the virus.

AZORult malware execution process

Figure 2: A text report generated by ANY.RUN

AZORult stealer uses a clever technique to trick various antivirus engines. In particular, the version of the stealer Trojan distributed in the July 2018 spam campaign was activated only after a password-protected document was unlocked. Because the document attached to the email was password-protected, antivirus engines could not scan it to determine whether it was malicious. For the virus to become active, the victim had to unlock the document and enable macros. In this particular campaign, the malware was distributed with two payloads embedded in the main binary. Both payloads were dropped to disk and executed: the first executable payload was the information gatherer, AZORult itself, followed by the secondary ransomware.

It should be noted that in the aforementioned ANY.RUN simulation, AZORult uses an exploit that is triggered when a Microsoft Office file is opened. The exploit allows several malicious OLE objects to be embedded in a document, executes arbitrary code on the machine, and can even download any file from a remote server and execute it.

How to share your AZORult malware analysis with others?

If you want to share your virus analysis with others, you can create a text report and send it to anyone you want. Just click the "Text report" button. You can save it using the printer icon in the upper-right corner of the report, or using your browser's "Save page as..." or "Print..." functions. You can also download or share other malware investigations, for example Adwind or Remcos. Note that you can choose which information sections of your report to print or save to a file with the "Print..." button by ticking the "Add for printing" checkbox on the right side of each section. In the illustration below, the second section won't be included in the report.

Figure 3: Text report

Conclusion

AZORult remains a hazardous trojan. The stealer Trojan has been upgraded throughout its lifespan and currently poses even more danger than it did in its first days. In particular, the most recent versions of AZORult are distributed in bundles with ransomware and can steal cryptocurrency from victims.

AZORult's distribution through clever email campaigns makes it relatively easy to become a victim of the stealer Trojan by accident. The interactive sandbox analysis provided by services like ANY.RUN is a good way to learn more about the threat and strengthen your defenses.
