SYMBOLCOMMON_NAMEaka. SYNONYMS
win.azorult (Back to overview)

Azorult

aka: PuffStealer, Rultazo

Actor(s): The Gorgon Group

VTCollection     URLhaus        

AZORult is a credential and payment card information stealer. Among other things, version 2 added support for .bit-domains. It has been observed in conjunction with Chthonic as well as being dropped by Ramnit.

References
2024-01-12cybleCyble
Sneaky Azorult Back in Action and Goes Undetected
Azorult
2023-01-30CheckpointArie Olshtein
Following the Scent of TrickGate: 6-Year-Old Packer Used to Deploy the Most Wanted Malware
Agent Tesla Azorult Buer Cerber Cobalt Strike Emotet Formbook HawkEye Keylogger Loki Password Stealer (PWS) Maze NetWire RC Remcos REvil TrickBot
2022-08-25splunkSplunk Threat Research Team
AppLocker Rules as Defense Evasion: Complete Analysis
Azorult
2022-08-08Medium CSIS TechblogBenoît Ancel
An inside view of domain anonymization as-a-service — the BraZZZerSFF infrastructure
Riltok magecart Anubis Azorult BetaBot Buer CoalaBot CryptBot DiamondFox DreamBot GCleaner ISFB Loki Password Stealer (PWS) MedusaLocker MeguminTrojan Nemty PsiX RedLine Stealer SmokeLoader STOP TinyNuke Vidar Zloader
2022-08-02Recorded FutureInsikt Group
Initial Access Brokers Are Key to Rise in Ransomware Attacks
Azorult BlackMatter Conti Mars Stealer Raccoon RedLine Stealer Taurus Stealer Vidar
2022-07-13KELAKELA Cyber Intelligence Center
The Next Generation of Info Stealers
Arkei Stealer Azorult BlackGuard Eternity Stealer Ginzo Stealer Mars Stealer MetaStealer Raccoon RedLine Stealer Vidar
2022-05-10CheckpointCheckpoint
Info-stealer Campaign targets German Car Dealerships and Manufacturers
Azorult BitRAT Raccoon
2021-12-02CiscoTiago Pereira
Magnat campaigns use malvertising to deliver information stealer, backdoor and malicious Chrome extension
Azorult RedLine Stealer
2021-11-29Trend MicroJaromír Hořejší
Campaign Abusing Legitimate Remote Administrator Tools Uses Fake Cryptocurrency Websites
AsyncRAT Azorult Nanocore RAT NjRAT RedLine Stealer Remcos
2021-10-06zimperiumJordan Herman
Malware Distribution with Mana Tools
Agent Tesla Azorult
2021-09-08RiskIQJennifer Grob
Bulletproof Hosting Services: Investigating Flowspec
Azorult Glupteba
2021-09-04cocomelonccocomelonc
AV engines evasion for C++ simple malware: part 1
4h_rat Azorult BADCALL BadNews BazarBackdoor Cardinal RAT
2021-08-18AhnLabASEC Analysis Team
Infostealer Malware Azorult Being Distributed Through Spam Mails
Azorult
2021-07-12Cipher Tech SolutionsClaire Zaboeva, Dan Dash, Melissa Frydrych
RoboSki and Global Recovery: Automation to Combat Evolving Obfuscation
404 Keylogger Agent Tesla AsyncRAT Ave Maria Azorult BitRAT Formbook HawkEye Keylogger Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Quasar RAT RedLine Stealer Remcos
2021-07-12IBMClaire Zaboeva, Dan Dash, Melissa Frydrych
RoboSki and Global Recovery: Automation to Combat Evolving Obfuscation
404 Keylogger Agent Tesla AsyncRAT Ave Maria Azorult BitRAT Formbook HawkEye Keylogger Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Quasar RAT RedLine Stealer Remcos
2021-04-07F5Aditya K. Sood
Dissecting the Design and Vulnerabilities in Azorult C&C Panels
Azorult
2021-02-15Medium s2wlabSojun Ryu
Operation SyncTrek
AbaddonPOS Azorult Clop DoppelDridex DoppelPaymer Dridex PwndLocker
2021-02-06Medium mariohenkelMario Henkel
Decrypting AzoRult traffic for fun and profit
Azorult
2021-02-03Medium s2wlabHyunmin Suh, Minjei Cho
W1 Feb| EN | Story of the week: Stealers on the Darkweb
Azorult Raccoon Vidar
2021-01-28Youtube (Virus Bulletin)Benoît Ancel
The Bagsu banker case
Azorult DreamBot Emotet Pony TrickBot ZeusAction
2021-01-09Marco Ramilli's BlogMarco Ramilli
Command and Control Traffic Patterns
ostap LaZagne Agent Tesla Azorult Buer Cobalt Strike DanaBot DarkComet Dridex Emotet Formbook IcedID ISFB NetWire RC PlugX Quasar RAT SmokeLoader TrickBot
2020-12-14BluelivAlberto Marín, Blueliv Labs Team, Carlos Rubio
Using Qiling Framework to Unpack TA505 packed samples
AndroMut Azorult Silence TinyMet
2020-12-02DomainToolsJoe Slowik
Identifying Network Infrastructure Related to a World Health Organization Spoofing Campaign
Azorult Glupteba
2020-11-18VMRayMateusz Lukaszewski, Pascal Brackmann, VMRay Labs Team
Malware Analysis Spotlight: AZORult Delivered by GuLoader
Azorult CloudEyE
2020-09-29ZscalerSahil Antil, Sudeep Singh
Targeted Attacks on Oil and Gas Supply Chain Industries in the Middle East
Azorult
2020-09-02Palo Alto Networks Unit 42Janos Szurdi, Zhanhao Chen
Cybersquatting: Attackers Mimicking Domains of Major Brands Including Facebook, Apple, Amazon and Netflix to Scam Consumers
Azorult
2020-09-01nvisoBart Parys, Didier Stevens, Dries Boone, Maxime Thiebaut, Michel Coene
Epic Manchego – atypical maldoc delivery brings flurry of infostealers
Azorult NjRAT
2020-07-30SpamhausSpamhaus Malware Labs
Spamhaus Botnet Threat Update Q2 2020
AdWind Agent Tesla Arkei Stealer AsyncRAT Ave Maria Azorult DanaBot Emotet IcedID ISFB KPOT Stealer Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Pony Raccoon RedLine Stealer Remcos Zloader
2020-06-11Talos IntelligenceJoe Marshall, Kendall McKay
Tor2Mine is up to their old tricks — and adds a few new ones
Azorult Remcos
2020-05-21MalwarebytesMalwarebytes Labs
Cybercrime tactics and techniques
Ave Maria Azorult DanaBot Loki Password Stealer (PWS) NetWire RC
2020-04-29FR3D.HKFred HK
Gazorp - Thieving from thieves
Azorult
2020-04-15ZscalerSudeep Singh
Multistage FreeDom loader used in Aggah Campaign to spread Nanocore and AZORult
Azorult Nanocore RAT
2020-04-13BlackberryMasaki Kasuya, Tatsuya Hasegawa
Threat Spotlight: Gootkit Banking Trojan
Azorult GootKit
2020-04-02Cisco TalosVanja Svajcer
AZORult brings friends to the party
Azorult Remcos
2020-04-01CiscoAndrea Kaiser, Shyam Sundar Ramaswami
Navigating Cybersecurity During a Pandemic: Latest Malware and Threat Actors
Azorult CloudEyE Formbook KPOT Stealer Metamorfo Nanocore RAT NetWire RC TrickBot
2020-03-26TelekomThomas Barabosch
TA505's Box of Chocolate - On Hidden Gems packed with the TA505 Packer
Amadey Azorult Clop FlawedGrace Get2 SDBbot Silence TinyMet TA505
2020-03-26Max Kersten's BlogMax Kersten
Azorult loader stages
Azorult
2020-02-26KELALeon Kurolapnik, Raveed Laeb
What’s Dead May Never Die: AZORult Infostealer Decommissioned Again
Azorult
2020-02-21KELARaveed Laeb
Exploring the Genesis Supply Chain for Fun and Profit: Part 1 – Misadventures in GUIDology
Azorult
2020-02-19Team CymruTeam Cymru
Azorult – what we see using our own tools
Azorult
2020-02-12Twitter (@DrStache_)DrStache
Tweet on ManaBotnet
Azorult
2020-02-06PrevailionDanny Adamitis
The Triune Threat: MasterMana Returns
Azorult Loki Password Stealer (PWS)
2020-02-05CybereasonAssaf Dahan, Lior Rochberger
The Hole in the Bucket: Attackers Abuse Bitbucket to Deliver an Arsenal of Malware
Amadey Azorult Predator The Thief STOP Vidar
2020-02-03SANS ISCJan Kopriva
Analysis of a triple-encrypted AZORult downloader
Azorult
2020-01-27YoroiLuca Mella, Luigi Martire
Aggah: How to run a botnet without renting a Server (for more than a year)
LokiBot Azorult
2020-01-22Thomas Barabosch
The malware analyst’s guide to PE timestamps
Azorult Gozi IcedID ISFB LOLSnif SUNBURST TEARDROP
2020-01-19360kate
BayWorld event, Cyber Attack Against Foreign Trade Industry
Azorult Formbook Nanocore RAT Revenge RAT
2019-09-26ProofpointBryan Campbell, Jeremy Hedges, Proofpoint Threat Insight Team
New WhiteShadow downloader uses Microsoft SQL to retrieve malware
WhiteShadow Agent Tesla Azorult Crimson RAT Formbook Nanocore RAT NetWire RC NjRAT Remcos
2019-09-24YoroiAntonio Farina, Luca Mella
APT or not APT? What's Behind the Aggah Campaign
Azorult
2019-08-10Check PointOmer Gull
SELECT code_execution FROM * USING SQLite;
Azorult Loki Password Stealer (PWS) Pony
2019-07-11InfoSec Handlers Diary BlogBrad Duncan
Recent AZORult activity
Azorult
2019-06-04CylanceCylance Threat Research Team
Threat Spotlight: Analyzing AZORult Infostealer Malware
Azorult
2019-03-22Kaspersky LabsAlexander Eremin
AZORult++: Rewriting history
Azorult
2019-02-07BluelivBlueliv Labs Team
Sales of AZORult grind to an AZOR-halt
Azorult
2019-01-28Minerva LabsAsaf Aprozper, Gal Bitensky
AZORult: Now, as A Signed “Google Update”
Azorult
2018-10-17Check PointIsrael Gubi
The Emergence of the New Azorult 3.3
Azorult
2018-08-18Bleeping ComputerVishal Thakur
AZORult Trojan Serving Aurora Ransomware by MalActor Oktropys
Aurora Azorult
2018-07-30ProofpointProofpoint Staff
New version of AZORult stealer improves loading features, spreads alongside ransomware in new campaign
Azorult Hermes
2018-05-17Minerva LabsGal Bitensky
Analyzing an AZORult Attack – Evasion in a Cloak of Multiple Layers
Azorult
2017-11-12MalwareBreakdown
Seamless Campaign Delivers Ramnit via RIG EK at 188.225.82.158. Follow-up Malware is AZORult Stealer.
Azorult
2017-07-24Malware BreakdownMalware Breakdown
The Seamless Campaign Drops Ramnit. Follow-up Malware: AZORult Stealer, Smoke Loader, etc.
Azorult
2017-07-24Vitali Kremez BlogVitali Kremez
Let's Learn: Reversing Credential and Payment Card Information Stealer 'AZORult V2'
Azorult
2016-07-26ProofpointProofpoint
Threat Actors Using Legitimate PayPal Accounts To Distribute Chthonic Banking Trojan
Azorult Chthonic
Yara Rules
[TLP:WHITE] win_azorult_auto (20230808 | Detects win.azorult.)
rule win_azorult_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.azorult."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.azorult"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 50 ba???????? 8d45e8 e8???????? 8d45e4 8b55f8 8a543201 }
            // n = 7, score = 1200
            //   50                   | push                eax
            //   ba????????           |                     
            //   8d45e8               | lea                 eax, [ebp - 0x18]
            //   e8????????           |                     
            //   8d45e4               | lea                 eax, [ebp - 0x1c]
            //   8b55f8               | mov                 edx, dword ptr [ebp - 8]
            //   8a543201             | mov                 dl, byte ptr [edx + esi + 1]

        $sequence_1 = { e8???????? 56 8d85a0fdffff b9???????? }
            // n = 4, score = 1200
            //   e8????????           |                     
            //   56                   | push                esi
            //   8d85a0fdffff         | lea                 eax, [ebp - 0x260]
            //   b9????????           |                     

        $sequence_2 = { b9???????? 8b55fc e8???????? 8b859cfdffff e8???????? }
            // n = 5, score = 1200
            //   b9????????           |                     
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   e8????????           |                     
            //   8b859cfdffff         | mov                 eax, dword ptr [ebp - 0x264]
            //   e8????????           |                     

        $sequence_3 = { b80f270000 e8???????? 8945f8 8d55f4 8bc3 }
            // n = 5, score = 1200
            //   b80f270000           | mov                 eax, 0x270f
            //   e8????????           |                     
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   8d55f4               | lea                 edx, [ebp - 0xc]
            //   8bc3                 | mov                 eax, ebx

        $sequence_4 = { b80f270000 e8???????? 8bf0 b80f270000 }
            // n = 4, score = 1200
            //   b80f270000           | mov                 eax, 0x270f
            //   e8????????           |                     
            //   8bf0                 | mov                 esi, eax
            //   b80f270000           | mov                 eax, 0x270f

        $sequence_5 = { 7518 56 8b45fc e8???????? 8bc8 8d5301 }
            // n = 6, score = 1200
            //   7518                 | jne                 0x1a
            //   56                   | push                esi
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   e8????????           |                     
            //   8bc8                 | mov                 ecx, eax
            //   8d5301               | lea                 edx, [ebx + 1]

        $sequence_6 = { b80f270000 e8???????? 8bd8 b80f270000 }
            // n = 4, score = 1200
            //   b80f270000           | mov                 eax, 0x270f
            //   e8????????           |                     
            //   8bd8                 | mov                 ebx, eax
            //   b80f270000           | mov                 eax, 0x270f

        $sequence_7 = { ba03000000 e8???????? 8d858cfdffff e8???????? }
            // n = 4, score = 1200
            //   ba03000000           | mov                 edx, 3
            //   e8????????           |                     
            //   8d858cfdffff         | lea                 eax, [ebp - 0x274]
            //   e8????????           |                     

        $sequence_8 = { 7506 ff05???????? 56 e8???????? 59 }
            // n = 5, score = 900
            //   7506                 | jne                 8
            //   ff05????????         |                     
            //   56                   | push                esi
            //   e8????????           |                     
            //   59                   | pop                 ecx

        $sequence_9 = { e8???????? 59 8b45f4 40 }
            // n = 4, score = 600
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   40                   | inc                 eax

        $sequence_10 = { 50 e8???????? 59 8bd8 33c0 }
            // n = 5, score = 600
            //   50                   | push                eax
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   8bd8                 | mov                 ebx, eax
            //   33c0                 | xor                 eax, eax

        $sequence_11 = { 85db 7404 8bc3 eb07 }
            // n = 4, score = 500
            //   85db                 | test                ebx, ebx
            //   7404                 | je                  6
            //   8bc3                 | mov                 eax, ebx
            //   eb07                 | jmp                 9

        $sequence_12 = { 011f 59 8bc3 c1e003 01866caf0100 }
            // n = 5, score = 200
            //   011f                 | add                 dword ptr [edi], ebx
            //   59                   | pop                 ecx
            //   8bc3                 | mov                 eax, ebx
            //   c1e003               | shl                 eax, 3
            //   01866caf0100         | add                 dword ptr [esi + 0x1af6c], eax

        $sequence_13 = { 014f18 8b4714 85c0 0f854e010000 }
            // n = 4, score = 200
            //   014f18               | add                 dword ptr [edi + 0x18], ecx
            //   8b4714               | mov                 eax, dword ptr [edi + 0x14]
            //   85c0                 | test                eax, eax
            //   0f854e010000         | jne                 0x154

        $sequence_14 = { 014110 5f 5e 5b }
            // n = 4, score = 200
            //   014110               | add                 dword ptr [ecx + 0x10], eax
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx

        $sequence_15 = { 01590c 8b45f0 014110 5f }
            // n = 4, score = 200
            //   01590c               | add                 dword ptr [ecx + 0xc], ebx
            //   8b45f0               | mov                 eax, dword ptr [ebp - 0x10]
            //   014110               | add                 dword ptr [ecx + 0x10], eax
            //   5f                   | pop                 edi

    condition:
        7 of them and filesize < 1753088
}
[TLP:WHITE] win_azorult_w0   (20170930 | Match first two bytes, strings, and parts of routines present in Azorult)
rule win_azorult_w0 {
    meta:
        author = "Xylitol xylitol@temari.fr"
        date = "2017-09-30"
        description = "Match first two bytes, strings, and parts of routines present in Azorult"
        reference = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=4819"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.azorult"
        malpedia_version = "20170930"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    // May only the challenge guide you
    strings:
        $string1 = "ST234LMUV56CklAopq78Brstuvwxyz01NOPQRmGHIJKWXYZabcdefgDEFhijn9+/" wide ascii // Azorult custom base64-like alphabet
        $string2 = "SYSInfo.txt"
        $string3 = "CookieList.txt"
        $string4 = "Passwords.txt"

        $constant1 = {85 C0 74 40 85 D2 74 31 53 56 57 89 C6 89 D7 8B 4F FC 57} // Azorult grabs .txt and .dat files from Desktop
        $constant2 = {68 ?? ?? ?? ?? FF 75 FC 68 ?? ?? ?? ?? 8D 45 F8 BA 03 00} // Portion of code from Azorult self-delete function
    condition:
      (all of ($string*) and ($constant1 or $constant2))
}
Download all Yara Rules