win.azorult

Azorult

aka: PuffStealer, Rultazo
URLhaus        

AZORult is a credential and payment card information stealer. Among other things, version 2 added support for .bit domains. It has been observed in conjunction with Chthonic as well as being dropped by Ramnit.

References
https://www.bleepingcomputer.com/news/security/azorult-trojan-serving-aurora-ransomware-by-malactor-oktropys/
https://blog.minerva-labs.com/puffstealer-evasion-in-a-cloak-of-multiple-layers
https://malwarebreakdown.com/2017/07/24/the-seamless-campaign-drops-ramnit-follow-up-malware-azorult-stealer-smoke-loader-etc/
https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan
http://www.vkremez.com/2017/07/lets-learn-reversing-credential-and.html
https://blog.minerva-labs.com/azorult-now-as-a-signed-google-update
https://research.checkpoint.com/the-emergence-of-the-new-azorult-3-3/
https://malwarebreakdown.com/2017/11/12/seamless-campaign-delivers-ramnit-via-rig-ek-at-188-225-82-158-follow-up-malware-is-azorult-stealer/
https://www.blueliv.com/blog-news/research/azorult-crydbrox-stops-sells-malware-credential-stealer/
https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside
Yara Rules
[TLP:WHITE] win_azorult_auto (20180607 | autogenerated rule brought to you by yara-signator)
rule win_azorult_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2018-11-23"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.1a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.azorult"
        malpedia_version = "20180607"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach will be published in the near future here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* How to read the strings below:
     * Each $sequence_N is a run of n = 4 consecutive x86 instructions taken
     * from the disassembly of the sample this rule was generated from; the
     * listing under each one shows the bytes that are matched and their
     * decoding. The branch targets in those listings (e.g. 0x410221) are
     * absolute addresses of that one sample and are NOT part of the pattern:
     * only the opcode and its relative displacement byte are matched
     * (7504 = jne +4), so every sequence is position-independent.
     * "score" is yara-signator's ranking for the sequence; its scale is not
     * documented on this page.
     */

    strings:
        $sequence_0 = { 59 8bd8 85db 7504 }
            // n = 4, score = 3000
            //   59                   | pop                 ecx
            //   8bd8                 | mov                 ebx, eax
            //   85db                 | test                ebx, ebx
            //   7504                 | jne                 0x410221

        $sequence_1 = { 59 8b5510 8902 33c0 }
            // n = 4, score = 3000
            //   59                   | pop                 ecx
            //   8b5510               | mov                 edx, dword ptr [ebp + 0x10]
            //   8902                 | mov                 dword ptr [edx], eax
            //   33c0                 | xor                 eax, eax

        $sequence_2 = { 59 8944bb0c 837cbb0c00 750a }
            // n = 4, score = 3000
            //   59                   | pop                 ecx
            //   8944bb0c             | mov                 dword ptr [ebx + edi*4 + 0xc], eax
            //   837cbb0c00           | cmp                 dword ptr [ebx + edi*4 + 0xc], 0
            //   750a                 | jne                 0x412a11

        $sequence_3 = { 53 56 8b5d08 8b33 }
            // n = 4, score = 3000
            //   53                   | push                ebx
            //   56                   | push                esi
            //   8b5d08               | mov                 ebx, dword ptr [ebp + 8]
            //   8b33                 | mov                 esi, dword ptr [ebx]

        $sequence_4 = { 7508 837df800 731d eb02 }
            // n = 4, score = 3000
            //   7508                 | jne                 0x43ea5e
            //   837df800             | cmp                 dword ptr [ebp - 8], 0
            //   731d                 | jae                 0x43ea79
            //   eb02                 | jmp                 0x43ea60

        $sequence_5 = { 7e04 33c0 eb26 837df400 }
            // n = 4, score = 3000
            //   7e04                 | jle                 0x40f226
            //   33c0                 | xor                 eax, eax
            //   eb26                 | jmp                 0x40f24c
            //   837df400             | cmp                 dword ptr [ebp - 0xc], 0

        $sequence_6 = { 837dfc00 0f94c0 83e001 59 }
            // n = 4, score = 3000
            //   837dfc00             | cmp                 dword ptr [ebp - 4], 0
            //   0f94c0               | sete                al
            //   83e001               | and                 eax, 1
            //   59                   | pop                 ecx

        $sequence_7 = { 83c018 83d200 52 50 }
            // n = 4, score = 3000
            //   83c018               | add                 eax, 0x18
            //   83d200               | adc                 edx, 0
            //   52                   | push                edx
            //   50                   | push                eax

        $sequence_8 = { 33db eb1c 8bc3 c1e004 }
            // n = 4, score = 3000
            //   33db                 | xor                 ebx, ebx
            //   eb1c                 | jmp                 0x4260e6
            //   8bc3                 | mov                 eax, ebx
            //   c1e004               | shl                 eax, 4

        $sequence_9 = { 7502 b303 3cff 7507 }
            // n = 4, score = 3000
            //   7502                 | jne                 0x40e6be
            //   b303                 | mov                 bl, 3
            //   3cff                 | cmp                 al, 0xff
            //   7507                 | jne                 0x40e6c9

    // NOTE(review): 7 of the 10 sequences must be present. Several of them
    // are short, compiler-style idioms (register saves, `pop ecx` after a
    // call, a compare-and-branch) that on their own could plausibly appear
    // in unrelated code; the threshold, not any single sequence, carries
    // the rule's specificity. The rule was generated from the 20180607
    // Malpedia sample version (see meta), so later variants are not
    // necessarily covered.
    condition:
        7 of them
}
[TLP:WHITE] win_azorult_w0   (20170930 | Match first two bytes, strings, and parts of routines present in Azorult)
rule win_azorult_w0 {
    meta:
        author = "Xylitol xylitol@temari.fr"
        date = "2017-09-30"
        description = "Match first two bytes, strings, and parts of routines present in Azorult"
        reference = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=4819"
        malpedia_version = "20170930"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    // May only the challenge guide you
    // Written against the 20170930 Malpedia sample version (see meta); the
    // later AZORult releases named in the references above (e.g. 3.3) are
    // not necessarily covered by these strings.
    strings:
        $string1 = "ST234LMUV56CklAopq78Brstuvwxyz01NOPQRmGHIJKWXYZabcdefgDEFhijn9+/" wide ascii // Azorult custom base64-like alphabet
        // NOTE(review): $string2..$string4 are matched as ASCII only (no
        // `wide` modifier, unlike $string1); if a sample stores these file
        // names as UTF-16 they would not match as written.
        $string2 = "SYSInfo.txt"
        $string3 = "CookieList.txt"
        $string4 = "Passwords.txt"

        $constant1 = {85 C0 74 40 85 D2 74 31 53 56 57 89 C6 89 D7 8B 4F FC 57} // Azorult grabs .txt and .dat files from Desktop
        // In $constant2 the two `68 ?? ?? ?? ??` groups are push imm32 with
        // the operand wildcarded, so the pattern does not depend on the
        // addresses the sample was linked at.
        $constant2 = {68 ?? ?? ?? ?? FF 75 FC 68 ?? ?? ?? ?? 8D 45 F8 BA 03 00} // Portion of code from Azorult self-delete function
    // NOTE(review): the description claims a match on the "first two
    // bytes", but the condition has no file-header test (e.g.
    // uint16(0) == 0x5A4D); as written the rule fires on any buffer that
    // holds all four strings plus one of the two constants. Confirm whether
    // the header check was deliberately dropped (e.g. for scanning memory
    // dumps) before adding it.
    condition:
      (all of ($string*) and ($constant1 or $constant2))
}