SYMBOLCOMMON_NAMEaka. SYNONYMS
win.azorult (Back to overview)

Azorult

aka: PuffStealer, Rultazo

Actor(s): The Gorgon Group

URLhaus        

AZORult is a credential and payment card information stealer. Among other things, version 2 added support for .bit-domains. It has been observed in conjunction with Chthonic as well as being dropped by Ramnit.

References
2020-09-02paloalto Networks Unit 42Zhanhao Chen, Janos Szurdi
@online{chen:20200902:cybersquatting:b5f5a8f, author = {Zhanhao Chen and Janos Szurdi}, title = {{Cybersquatting: Attackers Mimicking Domains of Major Brands Including Facebook, Apple, Amazon and Netflix to Scam Consumers}}, date = {2020-09-02}, organization = {paloalto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/cybersquatting/}, language = {English}, urldate = {2020-09-03} } Cybersquatting: Attackers Mimicking Domains of Major Brands Including Facebook, Apple, Amazon and Netflix to Scam Consumers
Azorult
2020-09-01nvisoDidier Stevens, Maxime Thiebaut, Dries Boone, Bart Parys, Michel Coene
@online{stevens:20200901:epic:038897f, author = {Didier Stevens and Maxime Thiebaut and Dries Boone and Bart Parys and Michel Coene}, title = {{Epic Manchego – atypical maldoc delivery brings flurry of infostealers}}, date = {2020-09-01}, organization = {nviso}, url = {https://blog.nviso.eu/2020/09/01/epic-manchego-atypical-maldoc-delivery-brings-flurry-of-infostealers/}, language = {English}, urldate = {2020-09-01} } Epic Manchego – atypical maldoc delivery brings flurry of infostealers
Azorult NjRAT
2020-07-30SpamhausSpamhaus Malware Labs
@techreport{labs:20200730:spamhaus:038546d, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update Q2 2020}}, date = {2020-07-30}, institution = {Spamhaus}, url = {https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf}, language = {English}, urldate = {2020-07-30} } Spamhaus Botnet Threat Update Q2 2020
AdWind Agent Tesla Arkei Stealer AsyncRAT Ave Maria Azorult DanaBot Emotet IcedID ISFB KPOT Stealer Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Pony Raccoon RedLine Stealer Remcos Zloader
2020-06-11Talos IntelligenceKendall McKay, Joe Marshall
@online{mckay:20200611:tor2mine:ee5dda6, author = {Kendall McKay and Joe Marshall}, title = {{Tor2Mine is up to their old tricks — and adds a few new ones}}, date = {2020-06-11}, organization = {Talos Intelligence}, url = {https://blog.talosintelligence.com/2020/06/tor2mine-is-up-to-their-old-tricks-and_11.html}, language = {English}, urldate = {2020-06-12} } Tor2Mine is up to their old tricks — and adds a few new ones
Azorult Remcos
2020-05-21MalwarebytesMalwarebytes Labs
@techreport{labs:20200521:cybercrime:d38d2da, author = {Malwarebytes Labs}, title = {{Cybercrime tactics and techniques}}, date = {2020-05-21}, institution = {Malwarebytes}, url = {https://resources.malwarebytes.com/files/2020/05/CTNT_Q1_2020_COVID-Report_Final.pdf}, language = {English}, urldate = {2020-06-03} } Cybercrime tactics and techniques
Ave Maria Azorult DanaBot Loki Password Stealer (PWS) NetWire RC
2020-04-29FR3D.HKFred HK
@online{hk:20200429:gazorp:3aef446, author = {Fred HK}, title = {{Gazorp - Thieving from thieves}}, date = {2020-04-29}, organization = {FR3D.HK}, url = {https://fr3d.hk/blog/gazorp-thieving-from-thieves}, language = {English}, urldate = {2020-05-06} } Gazorp - Thieving from thieves
Azorult
2020-04-15ZscalerSudeep Singh
@online{singh:20200415:multistage:c0330fa, author = {Sudeep Singh}, title = {{Multistage FreeDom loader used in Aggah Campaign to spread Nanocore and AZORult}}, date = {2020-04-15}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/multistage-freedom-loader-used-spread-azorult-and-nanocore-rat}, language = {English}, urldate = {2020-06-08} } Multistage FreeDom loader used in Aggah Campaign to spread Nanocore and AZORult
Azorult Nanocore RAT
2020-04-02Cisco TalosVanja Svajcer
@online{svajcer:20200402:azorult:97b15f2, author = {Vanja Svajcer}, title = {{AZORult brings friends to the party}}, date = {2020-04-02}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/04/azorult-brings-friends-to-party.html}, language = {English}, urldate = {2020-04-07} } AZORult brings friends to the party
Azorult Remcos
2020-04-01CiscoShyam Sundar Ramaswami, Andrea Kaiser
@online{ramaswami:20200401:navigating:965952a, author = {Shyam Sundar Ramaswami and Andrea Kaiser}, title = {{Navigating Cybersecurity During a Pandemic: Latest Malware and Threat Actors}}, date = {2020-04-01}, organization = {Cisco}, url = {https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors}, language = {English}, urldate = {2020-08-19} } Navigating Cybersecurity During a Pandemic: Latest Malware and Threat Actors
Azorult CloudEyE Formbook KPOT Stealer Metamorfo Nanocore RAT NetWire RC TrickBot
2020-03-26TelekomThomas Barabosch
@online{barabosch:20200326:ta505s:24d9805, author = {Thomas Barabosch}, title = {{TA505's Box of Chocolate - On Hidden Gems packed with the TA505 Packer}}, date = {2020-03-26}, organization = {Telekom}, url = {https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672}, language = {English}, urldate = {2020-03-27} } TA505's Box of Chocolate - On Hidden Gems packed with the TA505 Packer
Amadey Azorult Clop FlawedGrace Get2 SDBbot Silence TinyMet TA505
2020-03-26Max Kersten's BlogMax Kersten
@online{kersten:20200326:azorult:5d5ee1f, author = {Max Kersten}, title = {{Azorult loader stages}}, date = {2020-03-26}, organization = {Max Kersten's Blog}, url = {https://maxkersten.nl/binary-analysis-course/malware-analysis/azorult-loader-stages/}, language = {English}, urldate = {2020-03-26} } Azorult loader stages
Azorult
2020-02-21KELARaveed Laeb
@online{laeb:20200221:exploring:179689d, author = {Raveed Laeb}, title = {{Exploring the Genesis Supply Chain for Fun and Profit: Part 1 – Misadventures in GUIDology}}, date = {2020-02-21}, organization = {KELA}, url = {https://ke-la.com/exploring-the-genesis-supply-chain-for-fun-and-profit/}, language = {English}, urldate = {2020-02-26} } Exploring the Genesis Supply Chain for Fun and Profit: Part 1 – Misadventures in GUIDology
Azorult
2020-02-19Team CymruTeam Cymru
@online{cymru:20200219:azorult:de72301, author = {Team Cymru}, title = {{Azorult – what we see using our own tools}}, date = {2020-02-19}, organization = {Team Cymru}, url = {https://blog.team-cymru.com/2020/02/19/azorult-what-we-see-using-our-own-tools/}, language = {English}, urldate = {2020-02-26} } Azorult – what we see using our own tools
Azorult
2020-02-12Twitter (@DrStache_)DrStache
@online{drstache:20200212:manabotnet:9a3d3c6, author = {DrStache}, title = {{Tweet on ManaBotnet}}, date = {2020-02-12}, organization = {Twitter (@DrStache_)}, url = {https://twitter.com/DrStache_/status/1227662001247268864}, language = {English}, urldate = {2020-02-27} } Tweet on ManaBotnet
Azorult
2020-02-06PrevailionDanny Adamitis
@online{adamitis:20200206:triune:ada8ad3, author = {Danny Adamitis}, title = {{The Triune Threat: MasterMana Returns}}, date = {2020-02-06}, organization = {Prevailion}, url = {https://blog.prevailion.com/2020/02/the-triune-threat-mastermana-returns.html}, language = {English}, urldate = {2020-04-13} } The Triune Threat: MasterMana Returns
Azorult Loki Password Stealer (PWS)
2020-02-05CybereasonLior Rochberger, Assaf Dahan
@online{rochberger:20200205:hole:b982e31, author = {Lior Rochberger and Assaf Dahan}, title = {{The Hole in the Bucket: Attackers Abuse Bitbucket to Deliver an Arsenal of Malware}}, date = {2020-02-05}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware}, language = {English}, urldate = {2020-02-09} } The Hole in the Bucket: Attackers Abuse Bitbucket to Deliver an Arsenal of Malware
Amadey Azorult Predator The Thief STOP Ransomware vidar
2020-02-03SANS ISCJan Kopriva
@online{kopriva:20200203:analysis:c531bd3, author = {Jan Kopriva}, title = {{Analysis of a triple-encrypted AZORult downloader}}, date = {2020-02-03}, organization = {SANS ISC}, url = {https://isc.sans.edu/forums/diary/Analysis+of+a+tripleencrypted+AZORult+downloader/25768/}, language = {English}, urldate = {2020-02-10} } Analysis of a triple-encrypted AZORult downloader
Azorult
2020-01-19360kate
@online{kate:20200119:bayworld:2cc2212, author = {kate}, title = {{BayWorld event, Cyber Attack Against Foreign Trade Industry}}, date = {2020-01-19}, organization = {360}, url = {https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/}, language = {English}, urldate = {2020-02-03} } BayWorld event, Cyber Attack Against Foreign Trade Industry
Azorult Formbook Nanocore RAT Revenge RAT
2019-09-26ProofpointBryan Campbell, Jeremy Hedges, Proofpoint Threat Insight Team
@online{campbell:20190926:new:d228362, author = {Bryan Campbell and Jeremy Hedges and Proofpoint Threat Insight Team}, title = {{New WhiteShadow downloader uses Microsoft SQL to retrieve malware}}, date = {2019-09-26}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware}, language = {English}, urldate = {2020-02-26} } New WhiteShadow downloader uses Microsoft SQL to retrieve malware
WhiteShadow Agent Tesla Azorult Crimson RAT Formbook Nanocore RAT NetWire RC NjRAT Remcos
2019-08-10Check PointOmer Gull
@online{gull:20190810:select:56061b1, author = {Omer Gull}, title = {{SELECT code_execution FROM * USING SQLite;}}, date = {2019-08-10}, organization = {Check Point}, url = {https://research.checkpoint.com/2019/select-code_execution-from-using-sqlite/}, language = {English}, urldate = {2020-02-09} } SELECT code_execution FROM * USING SQLite;
Azorult Loki Password Stealer (PWS) Pony
2019-07-11InfoSec Handlers Diary BlogBrad Duncan
@online{duncan:20190711:recent:bd25d5a, author = {Brad Duncan}, title = {{Recent AZORult activity}}, date = {2019-07-11}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/25120}, language = {English}, urldate = {2020-01-10} } Recent AZORult activity
Azorult
2019-06-04CylanceCylance Threat Research Team
@online{team:20190604:threat:c448cf8, author = {Cylance Threat Research Team}, title = {{Threat Spotlight: Analyzing AZORult Infostealer Malware}}, date = {2019-06-04}, organization = {Cylance}, url = {https://threatvector.cylance.com/en_us/home/threat-spotlight-analyzing-azorult-infostealer-malware.html}, language = {English}, urldate = {2020-02-10} } Threat Spotlight: Analyzing AZORult Infostealer Malware
Azorult
2019-03-22Kaspersky LabsAlexander Eremin
@online{eremin:20190322:azorult:3080ee5, author = {Alexander Eremin}, title = {{AZORult++: Rewriting history}}, date = {2019-03-22}, organization = {Kaspersky Labs}, url = {https://securelist.com/azorult-analysis-history/89922/}, language = {English}, urldate = {2019-12-20} } AZORult++: Rewriting history
Azorult
2019-02-07BluelivBlueliv Labs Team
@online{team:20190207:sales:c48c8d0, author = {Blueliv Labs Team}, title = {{Sales of AZORult grind to an AZOR-halt}}, date = {2019-02-07}, organization = {Blueliv}, url = {https://www.blueliv.com/blog-news/research/azorult-crydbrox-stops-sells-malware-credential-stealer/}, language = {English}, urldate = {2019-11-20} } Sales of AZORult grind to an AZOR-halt
Azorult
2019-01-28Minerva LabsAsaf Aprozper, Gal Bitensky
@online{aprozper:20190128:azorult:78563e2, author = {Asaf Aprozper and Gal Bitensky}, title = {{AZORult: Now, as A Signed “Google Update”}}, date = {2019-01-28}, organization = {Minerva Labs}, url = {https://blog.minerva-labs.com/azorult-now-as-a-signed-google-update}, language = {English}, urldate = {2019-12-04} } AZORult: Now, as A Signed “Google Update”
Azorult
2018-10-17Check PointIsrael Gubi
@online{gubi:20181017:emergence:670b6fd, author = {Israel Gubi}, title = {{The Emergence of the New Azorult 3.3}}, date = {2018-10-17}, organization = {Check Point}, url = {https://research.checkpoint.com/the-emergence-of-the-new-azorult-3-3/}, language = {English}, urldate = {2020-01-07} } The Emergence of the New Azorult 3.3
Azorult
2018-08-18Bleeping ComputerVishal Thakur
@online{thakur:20180818:azorult:e096002, author = {Vishal Thakur}, title = {{AZORult Trojan Serving Aurora Ransomware by MalActor Oktropys}}, date = {2018-08-18}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/azorult-trojan-serving-aurora-ransomware-by-malactor-oktropys/}, language = {English}, urldate = {2019-12-20} } AZORult Trojan Serving Aurora Ransomware by MalActor Oktropys
Aurora Azorult
2018-07-30ProofpointProofpoint Staff
@online{staff:20180730:new:07c5e76, author = {Proofpoint Staff}, title = {{New version of AZORult stealer improves loading features, spreads alongside ransomware in new campaign}}, date = {2018-07-30}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside}, language = {English}, urldate = {2019-12-20} } New version of AZORult stealer improves loading features, spreads alongside ransomware in new campaign
Azorult Hermes Hermes Ransomware
2018-05-17Minerva LabsGal Bitensky
@online{bitensky:20180517:analyzing:c25d2ac, author = {Gal Bitensky}, title = {{Analyzing an AZORult Attack – Evasion in a Cloak of Multiple Layers}}, date = {2018-05-17}, organization = {Minerva Labs}, url = {https://blog.minerva-labs.com/puffstealer-evasion-in-a-cloak-of-multiple-layers}, language = {English}, urldate = {2019-10-14} } Analyzing an AZORult Attack – Evasion in a Cloak of Multiple Layers
Azorult
2017-11-12MalwareBreakdown
@online{malwarebreakdown:20171112:seamless:0a1c207, author = {MalwareBreakdown}, title = {{Seamless Campaign Delivers Ramnit via RIG EK at 188.225.82.158. Follow-up Malware is AZORult Stealer.}}, date = {2017-11-12}, url = {https://malwarebreakdown.com/2017/11/12/seamless-campaign-delivers-ramnit-via-rig-ek-at-188-225-82-158-follow-up-malware-is-azorult-stealer/}, language = {English}, urldate = {2019-12-17} } Seamless Campaign Delivers Ramnit via RIG EK at 188.225.82.158. Follow-up Malware is AZORult Stealer.
Azorult
2017-07-24Malware BreakdownMalware Breakdown
@online{breakdown:20170724:seamless:7e55e6a, author = {Malware Breakdown}, title = {{The Seamless Campaign Drops Ramnit. Follow-up Malware: AZORult Stealer, Smoke Loader, etc.}}, date = {2017-07-24}, organization = {Malware Breakdown}, url = {https://malwarebreakdown.com/2017/07/24/the-seamless-campaign-drops-ramnit-follow-up-malware-azorult-stealer-smoke-loader-etc/}, language = {English}, urldate = {2020-01-10} } The Seamless Campaign Drops Ramnit. Follow-up Malware: AZORult Stealer, Smoke Loader, etc.
Azorult
2017-07-24Vitali Kremez BlogVitali Kremez
@online{kremez:20170724:lets:8b64c6c, author = {Vitali Kremez}, title = {{Let's Learn: Reversing Credential and Payment Card Information Stealer 'AZORult V2'}}, date = {2017-07-24}, organization = {Vitali Kremez Blog}, url = {http://www.vkremez.com/2017/07/lets-learn-reversing-credential-and.html}, language = {English}, urldate = {2020-01-06} } Let's Learn: Reversing Credential and Payment Card Information Stealer 'AZORult V2'
Azorult
2016-07-26ProofpointProofpoint
@online{proofpoint:20160726:threat:076e87a, author = {Proofpoint}, title = {{Threat Actors Using Legitimate PayPal Accounts To Distribute Chthonic Banking Trojan}}, date = {2016-07-26}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan}, language = {English}, urldate = {2019-07-09} } Threat Actors Using Legitimate PayPal Accounts To Distribute Chthonic Banking Trojan
Azorult Chthonic
Yara Rules
[TLP:WHITE] win_azorult_auto (20200817 | autogenerated rule brought to you by yara-signator)
rule win_azorult_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-08-17"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.azorult"
        malpedia_rule_date = "20200817"
        malpedia_hash = "8c895fd01eccb47a6225bcb1a3ba53cbb98644c5"
        malpedia_version = "20200817"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8d858cfdffff e8???????? 8d8590fdffff ba03000000 e8???????? 8d45f4 ba03000000 }
            // n = 7, score = 1100
            //   8d858cfdffff         | lea                 eax, [ebp - 0x274]
            //   e8????????           |                     
            //   8d8590fdffff         | lea                 eax, [ebp - 0x270]
            //   ba03000000           | mov                 edx, 3
            //   e8????????           |                     
            //   8d45f4               | lea                 eax, [ebp - 0xc]
            //   ba03000000           | mov                 edx, 3

        $sequence_1 = { e8???????? ffb580fdffff 68???????? 8d8584fdffff ba04000000 e8???????? 8b8584fdffff }
            // n = 7, score = 1100
            //   e8????????           |                     
            //   ffb580fdffff         | push                dword ptr [ebp - 0x280]
            //   68????????           |                     
            //   8d8584fdffff         | lea                 eax, [ebp - 0x27c]
            //   ba04000000           | mov                 edx, 4
            //   e8????????           |                     
            //   8b8584fdffff         | mov                 eax, dword ptr [ebp - 0x27c]

        $sequence_2 = { 8d4df4 8b45fc 0fb64418ff ba02000000 }
            // n = 4, score = 1100
            //   8d4df4               | lea                 ecx, [ebp - 0xc]
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   0fb64418ff           | movzx               eax, byte ptr [eax + ebx - 1]
            //   ba02000000           | mov                 edx, 2

        $sequence_3 = { ff75fc 68???????? 8d8594fdffff 8d562c b904010000 e8???????? }
            // n = 6, score = 1100
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   68????????           |                     
            //   8d8594fdffff         | lea                 eax, [ebp - 0x26c]
            //   8d562c               | lea                 edx, [esi + 0x2c]
            //   b904010000           | mov                 ecx, 0x104
            //   e8????????           |                     

        $sequence_4 = { 8b55f8 8a543201 885001 c60001 }
            // n = 4, score = 1100
            //   8b55f8               | mov                 edx, dword ptr [ebp - 8]
            //   8a543201             | mov                 dl, byte ptr [edx + esi + 1]
            //   885001               | mov                 byte ptr [eax + 1], dl
            //   c60001               | mov                 byte ptr [eax], 1

        $sequence_5 = { b102 e8???????? 8d55e8 8d45dc e8???????? 8b45dc e8???????? }
            // n = 7, score = 1100
            //   b102                 | mov                 cl, 2
            //   e8????????           |                     
            //   8d55e8               | lea                 edx, [ebp - 0x18]
            //   8d45dc               | lea                 eax, [ebp - 0x24]
            //   e8????????           |                     
            //   8b45dc               | mov                 eax, dword ptr [ebp - 0x24]
            //   e8????????           |                     

        $sequence_6 = { e8???????? 8bd0 8d45f8 59 e8???????? }
            // n = 5, score = 1100
            //   e8????????           |                     
            //   8bd0                 | mov                 edx, eax
            //   8d45f8               | lea                 eax, [ebp - 8]
            //   59                   | pop                 ecx
            //   e8????????           |                     

        $sequence_7 = { 8b55f8 e8???????? 85c0 75c1 85db }
            // n = 5, score = 1100
            //   8b55f8               | mov                 edx, dword ptr [ebp - 8]
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   75c1                 | jne                 0xffffffc3
            //   85db                 | test                ebx, ebx

        $sequence_8 = { 7506 ff05???????? 56 e8???????? 59 }
            // n = 5, score = 800
            //   7506                 | jne                 8
            //   ff05????????         |                     
            //   56                   | push                esi
            //   e8????????           |                     
            //   59                   | pop                 ecx

        $sequence_9 = { e8???????? 59 8b45f4 40 }
            // n = 4, score = 500
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   40                   | inc                 eax

        $sequence_10 = { 85db 7404 8bc3 eb07 }
            // n = 4, score = 400
            //   85db                 | test                ebx, ebx
            //   7404                 | je                  6
            //   8bc3                 | mov                 eax, ebx
            //   eb07                 | jmp                 9

        $sequence_11 = { 57 ff15???????? 85db 7405 }
            // n = 4, score = 100
            //   57                   | push                edi
            //   ff15????????         |                     
            //   85db                 | test                ebx, ebx
            //   7405                 | je                  7

        $sequence_12 = { 33db 8d4514 53 33d2 8bce 50 42 }
            // n = 7, score = 100
            //   33db                 | xor                 ebx, ebx
            //   8d4514               | lea                 eax, [ebp + 0x14]
            //   53                   | push                ebx
            //   33d2                 | xor                 edx, edx
            //   8bce                 | mov                 ecx, esi
            //   50                   | push                eax
            //   42                   | inc                 edx

        $sequence_13 = { 0f84ef000000 391d???????? 0f84e3000000 8d044502000000 50 e8???????? 8bf8 }
            // n = 7, score = 100
            //   0f84ef000000         | je                  0xf5
            //   391d????????         |                     
            //   0f84e3000000         | je                  0xe9
            //   8d044502000000       | lea                 eax, [eax*2 + 2]
            //   50                   | push                eax
            //   e8????????           |                     
            //   8bf8                 | mov                 edi, eax

        $sequence_14 = { 8945f4 3bc3 8b45f0 72b5 33c0 5f }
            // n = 6, score = 100
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   3bc3                 | cmp                 eax, ebx
            //   8b45f0               | mov                 eax, dword ptr [ebp - 0x10]
            //   72b5                 | jb                  0xffffffb7
            //   33c0                 | xor                 eax, eax
            //   5f                   | pop                 edi

        $sequence_15 = { ff7510 ff15???????? 85ff 7405 }
            // n = 4, score = 100
            //   ff7510               | push                dword ptr [ebp + 0x10]
            //   ff15????????         |                     
            //   85ff                 | test                edi, edi
            //   7405                 | je                  7

    condition:
        7 of them and filesize < 1753088
}
[TLP:WHITE] win_azorult_w0   (20170930 | Match first two bytes, strings, and parts of routines present in Azorult)
rule win_azorult_w0 {
    meta:
        author = "Xylitol xylitol@temari.fr"
        date = "2017-09-30"
        description = "Match first two bytes, strings, and parts of routines present in Azorult"
        reference = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=4819"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.azorult"
        malpedia_version = "20170930"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    // May only the challenge guide you
    strings:
        $string1 = "ST234LMUV56CklAopq78Brstuvwxyz01NOPQRmGHIJKWXYZabcdefgDEFhijn9+/" wide ascii // Azorult custom base64-like alphabet
        $string2 = "SYSInfo.txt"
        $string3 = "CookieList.txt"
        $string4 = "Passwords.txt"

        $constant1 = {85 C0 74 40 85 D2 74 31 53 56 57 89 C6 89 D7 8B 4F FC 57} // Azorult grabs .txt and .dat files from Desktop
        $constant2 = {68 ?? ?? ?? ?? FF 75 FC 68 ?? ?? ?? ?? 8D 45 F8 BA 03 00} // Portion of code from Azorult self-delete function
    condition:
      (all of ($string*) and ($constant1 or $constant2))
}
Download all Yara Rules