win.azorult

Azorult

aka: PuffStealer, Rultazo

AZORult is a credential and payment-card information stealer. Among other changes, version 2 added support for .bit domains. It has been observed in conjunction with Chthonic and being dropped by Ramnit (see the Seamless-campaign references below).

References
2020-02-05 ⋅ Cybereason ⋅ Lior Rochberger, Assaf Dahan
@online{rochberger:20200205:hole:b982e31, author = {Lior Rochberger and Assaf Dahan}, title = {{The Hole in the Bucket: Attackers Abuse Bitbucket to Deliver an Arsenal of Malware}}, date = {2020-02-05}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware}, language = {English}, urldate = {2020-02-09} } The Hole in the Bucket: Attackers Abuse Bitbucket to Deliver an Arsenal of Malware
Amadey Azorult Predator The Thief STOP Ransomware vidar
2020-02-03 ⋅ SANS ISC ⋅ Jan Kopriva
@online{kopriva:20200203:analysis:c531bd3, author = {Jan Kopriva}, title = {{Analysis of a triple-encrypted AZORult downloader}}, date = {2020-02-03}, organization = {SANS ISC}, url = {https://isc.sans.edu/forums/diary/Analysis+of+a+tripleencrypted+AZORult+downloader/25768/}, language = {English}, urldate = {2020-02-10} } Analysis of a triple-encrypted AZORult downloader
Azorult
2020-01-19 ⋅ 360 ⋅ kate
@online{kate:20200119:bayworld:2cc2212, author = {kate}, title = {{BayWorld event, Cyber Attack Against Foreign Trade Industry}}, date = {2020-01-19}, organization = {360}, url = {https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/}, language = {English}, urldate = {2020-02-03} } BayWorld event, Cyber Attack Against Foreign Trade Industry
Azorult Formbook Nanocore RAT Revenge RAT
2019-08-10 ⋅ Check Point ⋅ Omer Gull
@online{gull:20190810:select:56061b1, author = {Omer Gull}, title = {{SELECT code_execution FROM * USING SQLite;}}, date = {2019-08-10}, organization = {Check Point}, url = {https://research.checkpoint.com/2019/select-code_execution-from-using-sqlite/}, language = {English}, urldate = {2020-02-09} } SELECT code_execution FROM * USING SQLite;
Azorult Loki Password Stealer (PWS) Pony
2019-07-11 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan
@online{duncan:20190711:recent:bd25d5a, author = {Brad Duncan}, title = {{Recent AZORult activity}}, date = {2019-07-11}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/25120}, language = {English}, urldate = {2020-01-10} } Recent AZORult activity
Azorult
2019-06-04 ⋅ Cylance ⋅ Cylance Threat Research Team
@online{team:20190604:threat:c448cf8, author = {Cylance Threat Research Team}, title = {{Threat Spotlight: Analyzing AZORult Infostealer Malware}}, date = {2019-06-04}, organization = {Cylance}, url = {https://threatvector.cylance.com/en_us/home/threat-spotlight-analyzing-azorult-infostealer-malware.html}, language = {English}, urldate = {2020-02-10} } Threat Spotlight: Analyzing AZORult Infostealer Malware
Azorult
2019-03-22 ⋅ Kaspersky Labs ⋅ Alexander Eremin
@online{eremin:20190322:azorult:3080ee5, author = {Alexander Eremin}, title = {{AZORult++: Rewriting history}}, date = {2019-03-22}, organization = {Kaspersky Labs}, url = {https://securelist.com/azorult-analysis-history/89922/}, language = {English}, urldate = {2019-12-20} } AZORult++: Rewriting history
Azorult
2019-02-07 ⋅ Blueliv ⋅ Blueliv Labs Team
@online{team:20190207:sales:c48c8d0, author = {Blueliv Labs Team}, title = {{Sales of AZORult grind to an AZOR-halt}}, date = {2019-02-07}, organization = {Blueliv}, url = {https://www.blueliv.com/blog-news/research/azorult-crydbrox-stops-sells-malware-credential-stealer/}, language = {English}, urldate = {2019-11-20} } Sales of AZORult grind to an AZOR-halt
Azorult
2019-01-28 ⋅ Minerva Labs ⋅ Asaf Aprozper, Gal Bitensky
@online{aprozper:20190128:azorult:78563e2, author = {Asaf Aprozper and Gal Bitensky}, title = {{AZORult: Now, as A Signed “Google Update”}}, date = {2019-01-28}, organization = {Minerva Labs}, url = {https://blog.minerva-labs.com/azorult-now-as-a-signed-google-update}, language = {English}, urldate = {2019-12-04} } AZORult: Now, as A Signed “Google Update”
Azorult
2018-10-17 ⋅ Check Point ⋅ Israel Gubi
@online{gubi:20181017:emergence:670b6fd, author = {Israel Gubi}, title = {{The Emergence of the New Azorult 3.3}}, date = {2018-10-17}, organization = {Check Point}, url = {https://research.checkpoint.com/the-emergence-of-the-new-azorult-3-3/}, language = {English}, urldate = {2020-01-07} } The Emergence of the New Azorult 3.3
Azorult
2018-08-18 ⋅ Bleeping Computer ⋅ Vishal Thakur
@online{thakur:20180818:azorult:e096002, author = {Vishal Thakur}, title = {{AZORult Trojan Serving Aurora Ransomware by MalActor Oktropys}}, date = {2018-08-18}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/azorult-trojan-serving-aurora-ransomware-by-malactor-oktropys/}, language = {English}, urldate = {2019-12-20} } AZORult Trojan Serving Aurora Ransomware by MalActor Oktropys
Aurora Azorult
2018-07-30 ⋅ Proofpoint ⋅ Proofpoint Staff
@online{staff:20180730:new:07c5e76, author = {Proofpoint Staff}, title = {{New version of AZORult stealer improves loading features, spreads alongside ransomware in new campaign}}, date = {2018-07-30}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside}, language = {English}, urldate = {2019-12-20} } New version of AZORult stealer improves loading features, spreads alongside ransomware in new campaign
Azorult Hermes Hermes Ransomware
2018-05-17 ⋅ Minerva Labs ⋅ Gal Bitensky
@online{bitensky:20180517:analyzing:c25d2ac, author = {Gal Bitensky}, title = {{Analyzing an AZORult Attack – Evasion in a Cloak of Multiple Layers}}, date = {2018-05-17}, organization = {Minerva Labs}, url = {https://blog.minerva-labs.com/puffstealer-evasion-in-a-cloak-of-multiple-layers}, language = {English}, urldate = {2019-10-14} } Analyzing an AZORult Attack – Evasion in a Cloak of Multiple Layers
Azorult
2017-11-12 ⋅ MalwareBreakdown
@online{malwarebreakdown:20171112:seamless:0a1c207, author = {MalwareBreakdown}, title = {{Seamless Campaign Delivers Ramnit via RIG EK at 188.225.82.158. Follow-up Malware is AZORult Stealer.}}, date = {2017-11-12}, url = {https://malwarebreakdown.com/2017/11/12/seamless-campaign-delivers-ramnit-via-rig-ek-at-188-225-82-158-follow-up-malware-is-azorult-stealer/}, language = {English}, urldate = {2019-12-17} } Seamless Campaign Delivers Ramnit via RIG EK at 188.225.82.158. Follow-up Malware is AZORult Stealer.
Azorult
2017-07-24 ⋅ Vitali Kremez Blog ⋅ Vitali Kremez
@online{kremez:20170724:lets:8b64c6c, author = {Vitali Kremez}, title = {{Let's Learn: Reversing Credential and Payment Card Information Stealer 'AZORult V2'}}, date = {2017-07-24}, organization = {Vitali Kremez Blog}, url = {http://www.vkremez.com/2017/07/lets-learn-reversing-credential-and.html}, language = {English}, urldate = {2020-01-06} } Let's Learn: Reversing Credential and Payment Card Information Stealer 'AZORult V2'
Azorult
2017-07-24 ⋅ Malware Breakdown ⋅ Malware Breakdown
@online{breakdown:20170724:seamless:7e55e6a, author = {Malware Breakdown}, title = {{The Seamless Campaign Drops Ramnit. Follow-up Malware: AZORult Stealer, Smoke Loader, etc.}}, date = {2017-07-24}, organization = {Malware Breakdown}, url = {https://malwarebreakdown.com/2017/07/24/the-seamless-campaign-drops-ramnit-follow-up-malware-azorult-stealer-smoke-loader-etc/}, language = {English}, urldate = {2020-01-10} } The Seamless Campaign Drops Ramnit. Follow-up Malware: AZORult Stealer, Smoke Loader, etc.
Azorult
2016-07-26 ⋅ Proofpoint ⋅ Proofpoint
@online{proofpoint:20160726:threat:076e87a, author = {Proofpoint}, title = {{Threat Actors Using Legitimate PayPal Accounts To Distribute Chthonic Banking Trojan}}, date = {2016-07-26}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan}, language = {English}, urldate = {2019-07-09} } Threat Actors Using Legitimate PayPal Accounts To Distribute Chthonic Banking Trojan
Azorult Chthonic
Yara Rules
[TLP:WHITE] win_azorult_auto (20190204 | autogenerated rule brought to you by yara-signator)
rule win_azorult_auto {
    /*
     * Auto-generated code-sequence signature for AZORult (Malpedia family win.azorult).
     *
     * Each $sequence_N string is a short run of 32-bit x86 instruction bytes lifted
     * from the disassembly of memory dumps and unpacked files (see DISCLAIMER below).
     * In the per-sequence comments, "n" is the number of instructions in the sequence
     * (it equals the number of byte groups) and "score" is yara-signator's ranking of
     * that sequence. The exact semantics of "score" are not documented on this page
     * (presumably higher = more stable across the sampled binaries), so do not read it
     * as a confidence value without checking the tool's documentation.
     *
     * "??" wildcards mask operands that vary between builds: the 4-byte rel32 target
     * of e8 (call) and the 4-byte absolute address of ff05 (inc dword ptr [mem]) /
     * ff15 (call dword ptr [mem]). Those instructions therefore have no disassembly
     * text in the comments.
     *
     * Condition: at least 7 of the 16 sequences must be present. Several sequences are
     * generic compiler idioms on their own (e.g. $sequence_6, $sequence_7, $sequence_11);
     * the threshold, not any single sequence, carries the specificity.
     *
     * Because the sequences come from unpacked code, the rule is intended for memory
     * dumps and unpacked files; packed on-disk samples will generally not match.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        // NOTE(review): presumably the rule-generation date; the dataset snapshot the
        // sequences were drawn from is malpedia_version (20190204) below -- confirm.
        date = "2019-11-26"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.1a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.azorult"
        malpedia_version = "20190204"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach will be published in the near future here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        $sequence_0 = { 8a543201 885001 c60001 8d55e4 8d45e8 }
            // n = 5, score = 600
            //   8a543201             | mov                 dl, byte ptr [edx + esi + 1]
            //   885001               | mov                 byte ptr [eax + 1], dl
            //   c60001               | mov                 byte ptr [eax], 1
            //   8d55e4               | lea                 edx, [ebp - 0x1c]
            //   8d45e8               | lea                 eax, [ebp - 0x18]

        $sequence_1 = { e8???????? 85c0 7903 83c003 c1f802 bf01000000 }
            // n = 6, score = 600
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7903                 | jns                 5
            //   83c003               | add                 eax, 3
            //   c1f802               | sar                 eax, 2
            //   bf01000000           | mov                 edi, 1

        $sequence_2 = { 8d55e8 8d45e0 e8???????? 8b45e0 e8???????? c1e008 }
            // n = 6, score = 600
            //   8d55e8               | lea                 edx, [ebp - 0x18]
            //   8d45e0               | lea                 eax, [ebp - 0x20]
            //   e8????????           |                     
            //   8b45e0               | mov                 eax, dword ptr [ebp - 0x20]
            //   e8????????           |                     
            //   c1e008               | shl                 eax, 8

        $sequence_3 = { 8d562c b904010000 e8???????? ffb58cfdffff 8d8590fdffff }
            // n = 5, score = 600
            //   8d562c               | lea                 edx, [esi + 0x2c]
            //   b904010000           | mov                 ecx, 0x104
            //   e8????????           |                     
            //   ffb58cfdffff         | push                dword ptr [ebp - 0x274]
            //   8d8590fdffff         | lea                 eax, [ebp - 0x270]

        $sequence_4 = { ba06000000 e8???????? 8b9578fdffff 8d857cfdffff }
            // n = 4, score = 600
            //   ba06000000           | mov                 edx, 6
            //   e8????????           |                     
            //   8b9578fdffff         | mov                 edx, dword ptr [ebp - 0x288]
            //   8d857cfdffff         | lea                 eax, [ebp - 0x284]

        $sequence_5 = { e8???????? 85c0 75c1 85db 750d }
            // n = 5, score = 600
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   75c1                 | jne                 0xffffffc3
            //   85db                 | test                ebx, ebx
            //   750d                 | jne                 0xf

        $sequence_6 = { 64ff30 648920 8d45fc 50 8b45f4 50 }
            // n = 6, score = 600
            //   64ff30               | push                dword ptr fs:[eax]
            //   648920               | mov                 dword ptr fs:[eax], esp
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   50                   | push                eax
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   50                   | push                eax
            // NOTE(review): push fs:[eax] / mov fs:[eax], esp (eax presumably 0 here) is a
            // generic exception-frame prologue idiom, not family-specific; low specificity alone.

        $sequence_7 = { 6800040000 8b45f8 8b55fc e8???????? 5b 8be5 }
            // n = 6, score = 600
            //   6800040000           | push                0x400
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   e8????????           |                     
            //   5b                   | pop                 ebx
            //   8be5                 | mov                 esp, ebp
            // NOTE(review): ends in a standard epilogue (pop ebx / mov esp, ebp); the
            // push 0x400 + two stack loads before the masked call carry the distinctiveness.

        $sequence_8 = { 53 e8???????? 59 56 e8???????? 59 8bc7 }
            // n = 7, score = 500
            //   53                   | push                ebx
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   56                   | push                esi
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   8bc7                 | mov                 eax, edi

        $sequence_9 = { 7506 ff05???????? 56 e8???????? }
            // n = 4, score = 500
            //   7506                 | jne                 8
            //   ff05????????         |                     
            //   56                   | push                esi
            //   e8????????           |                     

        $sequence_10 = { e8???????? 59 8b45f4 40 }
            // n = 4, score = 300
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   40                   | inc                 eax

        $sequence_11 = { 85db 7404 8bc3 eb07 }
            // n = 4, score = 300
            //   85db                 | test                ebx, ebx
            //   7404                 | je                  6
            //   8bc3                 | mov                 eax, ebx
            //   eb07                 | jmp                 9
            // NOTE(review): a 4-byte null-check-and-select idiom; very common in compiled
            // code, so it contributes to the 7-of-16 threshold rather than identifying the family.

        $sequence_12 = { 8d4c2418 e8???????? 84c0 740b 8d4c2418 }
            // n = 5, score = 100
            //   8d4c2418             | lea                 ecx, [esp + 0x18]
            //   e8????????           |                     
            //   84c0                 | test                al, al
            //   740b                 | je                  0xd
            //   8d4c2418             | lea                 ecx, [esp + 0x18]
            // NOTE(review): the score-100 sequences (12-15) use esp-relative locals and a
            // different argument style than the ebp-framed sequences above -- presumably
            // drawn from a differently compiled sample/component; confirm before weighting them.

        $sequence_13 = { 23c6 50 e8???????? 53 68a0074100 }
            // n = 5, score = 100
            //   23c6                 | and                 eax, esi
            //   50                   | push                eax
            //   e8????????           |                     
            //   53                   | push                ebx
            //   68a0074100           | push                0x4107a0
            // NOTE(review): 0x4107a0 is a hard-coded absolute immediate (looks like an address
            // in a 0x400000-based image); a rebased or relocated build will not match this sequence.

        $sequence_14 = { 8b7dfc 57 ff15???????? 8bc6 5b eb02 33c0 }
            // n = 7, score = 100
            //   8b7dfc               | mov                 edi, dword ptr [ebp - 4]
            //   57                   | push                edi
            //   ff15????????         |                     
            //   8bc6                 | mov                 eax, esi
            //   5b                   | pop                 ebx
            //   eb02                 | jmp                 4
            //   33c0                 | xor                 eax, eax

        $sequence_15 = { 8b8674af0600 8d9670af0100 2bc8 03d0 53 51 }
            // n = 6, score = 100
            //   8b8674af0600         | mov                 eax, dword ptr [esi + 0x6af74]
            //   8d9670af0100         | lea                 edx, [esi + 0x1af70]
            //   2bc8                 | sub                 ecx, eax
            //   03d0                 | add                 edx, eax
            //   53                   | push                ebx
            //   51                   | push                ecx

    condition:
        // At least 7 of the 16 $sequence_* strings; no PE-header gate, so memory dumps match too.
        7 of them
}
[TLP:WHITE] win_azorult_w0   (20170930 | Match first two bytes, strings, and parts of routines present in Azorult)
rule win_azorult_w0 {
    /*
     * Hand-written AZORult signature (Xylitol, 2017): the stealer's output file names,
     * its custom base64-style alphabet, and two short code fragments.
     *
     * NOTE(review): the description says "Match first two bytes", but the condition
     * below contains no uint16(0) == 0x5A4D (MZ) check, so as listed here the rule also
     * fires on headerless memory dumps and unpacked payloads. If you scan only PE files
     * on disk and want the header gate, prepend `uint16(0) == 0x5A4D and` to the
     * condition. Whether the check was dropped deliberately for this listing is not
     * stated on the page -- check the referenced kernelmode thread for the original.
     */
    meta:
        author = "Xylitol xylitol@temari.fr"
        date = "2017-09-30"
        description = "Match first two bytes, strings, and parts of routines present in Azorult"
        reference = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=4819"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.azorult"
        malpedia_version = "20170930"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    // May only the challenge guide you
    strings:
        // 64-character permuted base64 alphabet (same length as the standard one);
        // searched as both UTF-16LE ("wide") and single-byte ("ascii").
        $string1 = "ST234LMUV56CklAopq78Brstuvwxyz01NOPQRmGHIJKWXYZabcdefgDEFhijn9+/" wide ascii // Azorult custom base64-like alphabet
        // Output file names written by the stealer.
        // NOTE(review): these three are single-byte only (no `wide`), unlike $string1.
        // `all of ($string*)` cannot be satisfied by a build that stores them as UTF-16,
        // so confirm the encoding in the samples you target.
        $string2 = "SYSInfo.txt"
        $string3 = "CookieList.txt"
        $string4 = "Passwords.txt"

        // test eax,eax / je ; test edx,edx / je ; push ebx ; push esi ; push edi ;
        // mov esi,eax ; mov edi,edx ; mov ecx,[edi-4] ; push edi
        // Arguments arrive in eax/edx and the dword just before the edx buffer is read,
        // consistent with a length-prefixed string -- the original author's comment
        // ties it to the Desktop file-grab routine.
        $constant1 = {85 C0 74 40 85 D2 74 31 53 56 57 89 C6 89 D7 8B 4F FC 57} // Azorult grabs .txt and .dat files from Desktop
        // push imm32 ; push [ebp-4] ; push imm32 ; lea eax,[ebp-8] ; mov edx, <imm32 truncated to 03 00>
        // The two "?? ?? ?? ??" groups mask the pushed immediates (build-specific addresses),
        // keeping the fragment valid across builds; the trailing BA 03 00 anchors a mov edx, 3.
        $constant2 = {68 ?? ?? ?? ?? FF 75 FC 68 ?? ?? ?? ?? 8D 45 F8 BA 03 00} // Portion of code from Azorult self-delete function
    condition:
      // All four text strings must be present, plus at least one of the two code fragments.
      // No file-type gate (see the header note).
      (all of ($string*) and ($constant1 or $constant2))
}