SYMBOLCOMMON_NAMEaka. SYNONYMS
win.azorult (Back to overview)

Azorult

aka: PuffStealer, Rultazo

Actor(s): The Gorgon Group

URLhaus        

AZORult is a credential and payment card information stealer. Among other things, version 2 added support for .bit-domains. It has been observed in conjunction with Chthonic as well as being dropped by Ramnit.

References
2023-01-30CheckpointArie Olshtein
@online{olshtein:20230130:following:e442fcc, author = {Arie Olshtein}, title = {{Following the Scent of TrickGate: 6-Year-Old Packer Used to Deploy the Most Wanted Malware}}, date = {2023-01-30}, organization = {Checkpoint}, url = {https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/}, language = {English}, urldate = {2023-01-31} } Following the Scent of TrickGate: 6-Year-Old Packer Used to Deploy the Most Wanted Malware
Agent Tesla Azorult Buer Cerber Cobalt Strike Emotet Formbook HawkEye Keylogger Loki Password Stealer (PWS) Maze NetWire RC Remcos REvil TrickBot
2022-08-25splunkSplunk Threat Research Team
@online{team:20220825:applocker:7ed5b33, author = {Splunk Threat Research Team}, title = {{AppLocker Rules as Defense Evasion: Complete Analysis}}, date = {2022-08-25}, organization = {splunk}, url = {https://www.splunk.com/en_us/blog/security/-applocker-rules-as-defense-evasion-complete-analysis.html}, language = {English}, urldate = {2022-08-30} } AppLocker Rules as Defense Evasion: Complete Analysis
Azorult
2022-08-08Medium CSIS TechblogBenoît Ancel
@online{ancel:20220808:inside:67ef9a0, author = {Benoît Ancel}, title = {{An inside view of domain anonymization as-a-service — the BraZZZerSFF infrastructure}}, date = {2022-08-08}, organization = {Medium CSIS Techblog}, url = {https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145}, language = {English}, urldate = {2022-08-28} } An inside view of domain anonymization as-a-service — the BraZZZerSFF infrastructure
Riltok magecart Anubis Azorult BetaBot Buer CoalaBot CryptBot DiamondFox DreamBot GCleaner ISFB Loki Password Stealer (PWS) MedusaLocker MeguminTrojan Nemty PsiX RedLine Stealer SmokeLoader STOP TinyNuke Vidar Zloader
2022-08-02Recorded FutureInsikt Group
@techreport{group:20220802:initial:5caddb5, author = {Insikt Group}, title = {{Initial Access Brokers Are Key to Rise in Ransomware Attacks}}, date = {2022-08-02}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2022-0802.pdf}, language = {English}, urldate = {2022-08-05} } Initial Access Brokers Are Key to Rise in Ransomware Attacks
Azorult BlackMatter Conti Mars Stealer Raccoon RedLine Stealer Taurus Stealer Vidar
2022-07-13KELAKELA Cyber Intelligence Center
@online{center:20220713:next:b2e43e4, author = {KELA Cyber Intelligence Center}, title = {{The Next Generation of Info Stealers}}, date = {2022-07-13}, organization = {KELA}, url = {https://ke-la.com/information-stealers-a-new-landscape/}, language = {English}, urldate = {2022-07-18} } The Next Generation of Info Stealers
Arkei Stealer Azorult BlackGuard Eternity Stealer Ginzo Stealer Mars Stealer MetaStealer Raccoon RedLine Stealer Vidar
2022-05-10CheckpointCheckpoint
@online{checkpoint:20220510:infostealer:33aee4a, author = {Checkpoint}, title = {{Info-stealer Campaign targets German Car Dealerships and Manufacturers}}, date = {2022-05-10}, organization = {Checkpoint}, url = {https://blog.checkpoint.com/2022/05/10/a-german-car-attack-on-german-vehicle-businesses/}, language = {English}, urldate = {2022-05-13} } Info-stealer Campaign targets German Car Dealerships and Manufacturers
Azorult BitRAT Raccoon
2021-12-02CiscoTiago Pereira
@online{pereira:20211202:magnat:15dcabb, author = {Tiago Pereira}, title = {{Magnat campaigns use malvertising to deliver information stealer, backdoor and malicious Chrome extension}}, date = {2021-12-02}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2021/12/magnat-campaigns-use-malvertising-to.html}, language = {English}, urldate = {2021-12-07} } Magnat campaigns use malvertising to deliver information stealer, backdoor and malicious Chrome extension
Azorult RedLine Stealer
2021-11-29Trend MicroJaromír Hořejší
@online{hoej:20211129:campaign:6e23cf5, author = {Jaromír Hořejší}, title = {{Campaign Abusing Legitimate Remote Administrator Tools Uses Fake Cryptocurrency Websites}}, date = {2021-11-29}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/k/campaign-abusing-rats-uses-fake-websites.html}, language = {English}, urldate = {2021-12-07} } Campaign Abusing Legitimate Remote Administrator Tools Uses Fake Cryptocurrency Websites
AsyncRAT Azorult Nanocore RAT NjRAT RedLine Stealer Remcos
2021-10-06zimperiumJordan Herman
@online{herman:20211006:malware:7f7f055, author = {Jordan Herman}, title = {{Malware Distribution with Mana Tools}}, date = {2021-10-06}, organization = {zimperium}, url = {https://community.riskiq.com/article/56e28880}, language = {English}, urldate = {2021-10-11} } Malware Distribution with Mana Tools
Agent Tesla Azorult
2021-09-08RiskIQJennifer Grob
@online{grob:20210908:bulletproof:902e9f2, author = {Jennifer Grob}, title = {{Bulletproof Hosting Services: Investigating Flowspec}}, date = {2021-09-08}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/2a36a7d2/description}, language = {English}, urldate = {2021-09-10} } Bulletproof Hosting Services: Investigating Flowspec
Azorult Glupteba
2021-09-04cocomelonccocomelonc
@online{cocomelonc:20210904:av:06b27c5, author = {cocomelonc}, title = {{AV engines evasion for C++ simple malware: part 1}}, date = {2021-09-04}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/tutorial/2021/09/04/simple-malware-av-evasion.html}, language = {English}, urldate = {2022-11-28} } AV engines evasion for C++ simple malware: part 1
4h_rat Azorult BADCALL BadNews BazarBackdoor Cardinal RAT
2021-08-18AhnLabASEC Analysis Team
@online{team:20210818:infostealer:1a3e7df, author = {ASEC Analysis Team}, title = {{Infostealer Malware Azorult Being Distributed Through Spam Mails}}, date = {2021-08-18}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/26517/}, language = {English}, urldate = {2022-04-15} } Infostealer Malware Azorult Being Distributed Through Spam Mails
Azorult
2021-07-12IBMMelissa Frydrych, Claire Zaboeva, Dan Dash
@online{frydrych:20210712:roboski:1f66418, author = {Melissa Frydrych and Claire Zaboeva and Dan Dash}, title = {{RoboSki and Global Recovery: Automation to Combat Evolving Obfuscation}}, date = {2021-07-12}, organization = {IBM}, url = {https://securityintelligence.com/posts/roboski-global-recovery-automation/}, language = {English}, urldate = {2021-07-20} } RoboSki and Global Recovery: Automation to Combat Evolving Obfuscation
404 Keylogger Agent Tesla AsyncRAT Ave Maria Azorult BitRAT Formbook HawkEye Keylogger Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Quasar RAT RedLine Stealer Remcos
2021-07-12Cipher Tech SolutionsMelissa Frydrych, Claire Zaboeva, Dan Dash
@online{frydrych:20210712:roboski:a3c66bf, author = {Melissa Frydrych and Claire Zaboeva and Dan Dash}, title = {{RoboSki and Global Recovery: Automation to Combat Evolving Obfuscation}}, date = {2021-07-12}, organization = {Cipher Tech Solutions}, url = {https://www.ciphertechsolutions.com/roboski-global-recovery-automation/}, language = {English}, urldate = {2021-07-20} } RoboSki and Global Recovery: Automation to Combat Evolving Obfuscation
404 Keylogger Agent Tesla AsyncRAT Ave Maria Azorult BitRAT Formbook HawkEye Keylogger Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Quasar RAT RedLine Stealer Remcos
2021-04-07F5Aditya K. Sood
@techreport{sood:20210407:dissecting:43afa3d, author = {Aditya K. Sood}, title = {{Dissecting the Design and Vulnerabilities in Azorult C&C Panels}}, date = {2021-04-07}, institution = {F5}, url = {https://www.virusbulletin.com/uploads/pdf/magazine/2021/202104-design-vulnerabilities-azorult-cc-panels.pdf}, language = {English}, urldate = {2021-04-19} } Dissecting the Design and Vulnerabilities in Azorult C&C Panels
Azorult
2021-02-15Medium s2wlabSojun Ryu
@online{ryu:20210215:operation:b0712b0, author = {Sojun Ryu}, title = {{Operation SyncTrek}}, date = {2021-02-15}, organization = {Medium s2wlab}, url = {https://medium.com/s2wlab/operation-synctrek-e5013df8d167}, language = {English}, urldate = {2021-09-02} } Operation SyncTrek
AbaddonPOS Azorult Clop DoppelDridex DoppelPaymer Dridex PwndLocker
2021-02-06Medium mariohenkelMario Henkel
@online{henkel:20210206:decrypting:1013bd8, author = {Mario Henkel}, title = {{Decrypting AzoRult traffic for fun and profit}}, date = {2021-02-06}, organization = {Medium mariohenkel}, url = {https://mariohenkel.medium.com/decrypting-azorult-traffic-for-fun-and-profit-9f28d8638b05}, language = {English}, urldate = {2021-02-06} } Decrypting AzoRult traffic for fun and profit
Azorult
2021-02-03Medium s2wlabHyunmin Suh, Minjei Cho
@online{suh:20210203:w1:45a76f4, author = {Hyunmin Suh and Minjei Cho}, title = {{W1 Feb| EN | Story of the week: Stealers on the Darkweb}}, date = {2021-02-03}, organization = {Medium s2wlab}, url = {https://medium.com/s2wlab/w1-feb-en-story-of-the-week-stealers-on-the-darkweb-49945a31601d}, language = {English}, urldate = {2021-02-04} } W1 Feb| EN | Story of the week: Stealers on the Darkweb
Azorult Raccoon Vidar
2021-01-28Youtube (Virus Bulletin)Benoît Ancel
@online{ancel:20210128:bagsu:7de60de, author = {Benoît Ancel}, title = {{The Bagsu banker case}}, date = {2021-01-28}, organization = {Youtube (Virus Bulletin)}, url = {https://www.youtube.com/watch?v=EyDiIAt__dI}, language = {English}, urldate = {2021-02-01} } The Bagsu banker case
Azorult DreamBot Emotet Pony TrickBot ZeusAction
2021-01-09Marco Ramilli's BlogMarco Ramilli
@online{ramilli:20210109:command:d720b27, author = {Marco Ramilli}, title = {{Command and Control Traffic Patterns}}, date = {2021-01-09}, organization = {Marco Ramilli's Blog}, url = {https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/}, language = {English}, urldate = {2021-05-17} } Command and Control Traffic Patterns
ostap LaZagne Agent Tesla Azorult Buer Cobalt Strike DanaBot DarkComet Dridex Emotet Formbook IcedID ISFB NetWire RC PlugX Quasar RAT SmokeLoader TrickBot
2020-12-14BluelivAlberto Marín, Carlos Rubio, Blueliv Labs Team
@online{marn:20201214:using:e81621e, author = {Alberto Marín and Carlos Rubio and Blueliv Labs Team}, title = {{Using Qiling Framework to Unpack TA505 packed samples}}, date = {2020-12-14}, organization = {Blueliv}, url = {https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/using-qiling-framework-to-unpack-ta505-packed-samples/}, language = {English}, urldate = {2020-12-15} } Using Qiling Framework to Unpack TA505 packed samples
AndroMut Azorult Silence TinyMet
2020-12-02DomainToolsJoe Slowik
@online{slowik:20201202:identifying:8ac64c3, author = {Joe Slowik}, title = {{Identifying Network Infrastructure Related to a World Health Organization Spoofing Campaign}}, date = {2020-12-02}, organization = {DomainTools}, url = {https://www.domaintools.com/resources/blog/identifying-network-infrastructure-related-to-a-who-spoofing-campaign}, language = {English}, urldate = {2020-12-08} } Identifying Network Infrastructure Related to a World Health Organization Spoofing Campaign
Azorult Glupteba
2020-11-18VMRayVMRay Labs Team, Pascal Brackmann, Mateusz Lukaszewski
@online{team:20201118:malware:2c9a122, author = {VMRay Labs Team and Pascal Brackmann and Mateusz Lukaszewski}, title = {{Malware Analysis Spotlight: AZORult Delivered by GuLoader}}, date = {2020-11-18}, organization = {VMRay}, url = {https://www.vmray.com/cyber-security-blog/azorult-delivered-by-guloader-malware-analysis-spotlight/}, language = {English}, urldate = {2022-02-14} } Malware Analysis Spotlight: AZORult Delivered by GuLoader
Azorult CloudEyE
2020-09-29ZscalerSudeep Singh, Sahil Antil
@online{singh:20200929:targeted:136d828, author = {Sudeep Singh and Sahil Antil}, title = {{Targeted Attacks on Oil and Gas Supply Chain Industries in the Middle East}}, date = {2020-09-29}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/targeted-attacks-oil-and-gas-supply-chain-industries-middle-east}, language = {English}, urldate = {2020-10-04} } Targeted Attacks on Oil and Gas Supply Chain Industries in the Middle East
Azorult
2020-09-02Palo Alto Networks Unit 42Zhanhao Chen, Janos Szurdi
@online{chen:20200902:cybersquatting:b5f5a8f, author = {Zhanhao Chen and Janos Szurdi}, title = {{Cybersquatting: Attackers Mimicking Domains of Major Brands Including Facebook, Apple, Amazon and Netflix to Scam Consumers}}, date = {2020-09-02}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/cybersquatting/}, language = {English}, urldate = {2021-07-02} } Cybersquatting: Attackers Mimicking Domains of Major Brands Including Facebook, Apple, Amazon and Netflix to Scam Consumers
Azorult
2020-09-01nvisoDidier Stevens, Maxime Thiebaut, Dries Boone, Bart Parys, Michel Coene
@online{stevens:20200901:epic:038897f, author = {Didier Stevens and Maxime Thiebaut and Dries Boone and Bart Parys and Michel Coene}, title = {{Epic Manchego – atypical maldoc delivery brings flurry of infostealers}}, date = {2020-09-01}, organization = {nviso}, url = {https://blog.nviso.eu/2020/09/01/epic-manchego-atypical-maldoc-delivery-brings-flurry-of-infostealers/}, language = {English}, urldate = {2020-09-01} } Epic Manchego – atypical maldoc delivery brings flurry of infostealers
Azorult NjRAT
2020-07-30SpamhausSpamhaus Malware Labs
@techreport{labs:20200730:spamhaus:038546d, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update Q2 2020}}, date = {2020-07-30}, institution = {Spamhaus}, url = {https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf}, language = {English}, urldate = {2020-07-30} } Spamhaus Botnet Threat Update Q2 2020
AdWind Agent Tesla Arkei Stealer AsyncRAT Ave Maria Azorult DanaBot Emotet IcedID ISFB KPOT Stealer Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Pony Raccoon RedLine Stealer Remcos Zloader
2020-06-11Talos IntelligenceKendall McKay, Joe Marshall
@online{mckay:20200611:tor2mine:ee5dda6, author = {Kendall McKay and Joe Marshall}, title = {{Tor2Mine is up to their old tricks — and adds a few new ones}}, date = {2020-06-11}, organization = {Talos Intelligence}, url = {https://blog.talosintelligence.com/2020/06/tor2mine-is-up-to-their-old-tricks-and_11.html}, language = {English}, urldate = {2020-06-12} } Tor2Mine is up to their old tricks — and adds a few new ones
Azorult Remcos
2020-05-21MalwarebytesMalwarebytes Labs
@techreport{labs:20200521:cybercrime:d38d2da, author = {Malwarebytes Labs}, title = {{Cybercrime tactics and techniques}}, date = {2020-05-21}, institution = {Malwarebytes}, url = {https://resources.malwarebytes.com/files/2020/05/CTNT_Q1_2020_COVID-Report_Final.pdf}, language = {English}, urldate = {2020-06-03} } Cybercrime tactics and techniques
Ave Maria Azorult DanaBot Loki Password Stealer (PWS) NetWire RC
2020-04-29FR3D.HKFred HK
@online{hk:20200429:gazorp:3aef446, author = {Fred HK}, title = {{Gazorp - Thieving from thieves}}, date = {2020-04-29}, organization = {FR3D.HK}, url = {https://fr3d.hk/blog/gazorp-thieving-from-thieves}, language = {English}, urldate = {2020-05-06} } Gazorp - Thieving from thieves
Azorult
2020-04-15ZscalerSudeep Singh
@online{singh:20200415:multistage:c0330fa, author = {Sudeep Singh}, title = {{Multistage FreeDom loader used in Aggah Campaign to spread Nanocore and AZORult}}, date = {2020-04-15}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/multistage-freedom-loader-used-spread-azorult-and-nanocore-rat}, language = {English}, urldate = {2020-06-08} } Multistage FreeDom loader used in Aggah Campaign to spread Nanocore and AZORult
Azorult Nanocore RAT
2020-04-13BlackberryTatsuya Hasegawa, Masaki Kasuya
@online{hasegawa:20200413:threat:57b739e, author = {Tatsuya Hasegawa and Masaki Kasuya}, title = {{Threat Spotlight: Gootkit Banking Trojan}}, date = {2020-04-13}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2020/04/threat-spotlight-gootkit-banking-trojan}, language = {English}, urldate = {2020-11-23} } Threat Spotlight: Gootkit Banking Trojan
Azorult GootKit
2020-04-02Cisco TalosVanja Svajcer
@online{svajcer:20200402:azorult:97b15f2, author = {Vanja Svajcer}, title = {{AZORult brings friends to the party}}, date = {2020-04-02}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/04/azorult-brings-friends-to-party.html}, language = {English}, urldate = {2020-04-07} } AZORult brings friends to the party
Azorult Remcos
2020-04-01CiscoShyam Sundar Ramaswami, Andrea Kaiser
@online{ramaswami:20200401:navigating:965952a, author = {Shyam Sundar Ramaswami and Andrea Kaiser}, title = {{Navigating Cybersecurity During a Pandemic: Latest Malware and Threat Actors}}, date = {2020-04-01}, organization = {Cisco}, url = {https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors}, language = {English}, urldate = {2020-08-19} } Navigating Cybersecurity During a Pandemic: Latest Malware and Threat Actors
Azorult CloudEyE Formbook KPOT Stealer Metamorfo Nanocore RAT NetWire RC TrickBot
2020-03-26TelekomThomas Barabosch
@online{barabosch:20200326:ta505s:24d9805, author = {Thomas Barabosch}, title = {{TA505's Box of Chocolate - On Hidden Gems packed with the TA505 Packer}}, date = {2020-03-26}, organization = {Telekom}, url = {https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672}, language = {English}, urldate = {2020-03-27} } TA505's Box of Chocolate - On Hidden Gems packed with the TA505 Packer
Amadey Azorult Clop FlawedGrace Get2 SDBbot Silence TinyMet TA505
2020-03-26Max Kersten's BlogMax Kersten
@online{kersten:20200326:azorult:5d5ee1f, author = {Max Kersten}, title = {{Azorult loader stages}}, date = {2020-03-26}, organization = {Max Kersten's Blog}, url = {https://maxkersten.nl/binary-analysis-course/malware-analysis/azorult-loader-stages/}, language = {English}, urldate = {2020-03-26} } Azorult loader stages
Azorult
2020-02-26KELALeon Kurolapnik, Raveed Laeb
@online{kurolapnik:20200226:whats:930c58d, author = {Leon Kurolapnik and Raveed Laeb}, title = {{What’s Dead May Never Die: AZORult Infostealer Decommissioned Again}}, date = {2020-02-26}, organization = {KELA}, url = {https://ke-la.com/whats-dead-may-never-die-azorult-infostealer-decommissioned-again/}, language = {English}, urldate = {2021-05-07} } What’s Dead May Never Die: AZORult Infostealer Decommissioned Again
Azorult
2020-02-21KELARaveed Laeb
@online{laeb:20200221:exploring:179689d, author = {Raveed Laeb}, title = {{Exploring the Genesis Supply Chain for Fun and Profit: Part 1 – Misadventures in GUIDology}}, date = {2020-02-21}, organization = {KELA}, url = {https://ke-la.com/exploring-the-genesis-supply-chain-for-fun-and-profit/}, language = {English}, urldate = {2020-02-26} } Exploring the Genesis Supply Chain for Fun and Profit: Part 1 – Misadventures in GUIDology
Azorult
2020-02-19Team CymruTeam Cymru
@online{cymru:20200219:azorult:de72301, author = {Team Cymru}, title = {{Azorult – what we see using our own tools}}, date = {2020-02-19}, organization = {Team Cymru}, url = {https://blog.team-cymru.com/2020/02/19/azorult-what-we-see-using-our-own-tools/}, language = {English}, urldate = {2020-02-26} } Azorult – what we see using our own tools
Azorult
2020-02-12Twitter (@DrStache_)DrStache
@online{drstache:20200212:manabotnet:9a3d3c6, author = {DrStache}, title = {{Tweet on ManaBotnet}}, date = {2020-02-12}, organization = {Twitter (@DrStache_)}, url = {https://twitter.com/DrStache_/status/1227662001247268864}, language = {English}, urldate = {2020-02-27} } Tweet on ManaBotnet
Azorult
2020-02-06PrevailionDanny Adamitis
@online{adamitis:20200206:triune:ada8ad3, author = {Danny Adamitis}, title = {{The Triune Threat: MasterMana Returns}}, date = {2020-02-06}, organization = {Prevailion}, url = {https://blog.prevailion.com/2020/02/the-triune-threat-mastermana-returns.html}, language = {English}, urldate = {2020-04-13} } The Triune Threat: MasterMana Returns
Azorult Loki Password Stealer (PWS)
2020-02-05CybereasonLior Rochberger, Assaf Dahan
@online{rochberger:20200205:hole:b982e31, author = {Lior Rochberger and Assaf Dahan}, title = {{The Hole in the Bucket: Attackers Abuse Bitbucket to Deliver an Arsenal of Malware}}, date = {2020-02-05}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware}, language = {English}, urldate = {2020-02-09} } The Hole in the Bucket: Attackers Abuse Bitbucket to Deliver an Arsenal of Malware
Amadey Azorult Predator The Thief STOP Vidar
2020-02-03SANS ISCJan Kopriva
@online{kopriva:20200203:analysis:c531bd3, author = {Jan Kopriva}, title = {{Analysis of a triple-encrypted AZORult downloader}}, date = {2020-02-03}, organization = {SANS ISC}, url = {https://isc.sans.edu/forums/diary/Analysis+of+a+tripleencrypted+AZORult+downloader/25768/}, language = {English}, urldate = {2020-02-10} } Analysis of a triple-encrypted AZORult downloader
Azorult
2020-01-27YoroiLuigi Martire, Luca Mella
@online{martire:20200127:aggah:9ed3380, author = {Luigi Martire and Luca Mella}, title = {{Aggah: How to run a botnet without renting a Server (for more than a year)}}, date = {2020-01-27}, organization = {Yoroi}, url = {https://yoroi.company/research/aggah-how-to-run-a-botnet-without-renting-a-server-for-more-than-a-year/}, language = {English}, urldate = {2021-06-16} } Aggah: How to run a botnet without renting a Server (for more than a year)
LokiBot Azorult
2020-01-22Thomas Barabosch
@online{barabosch:20200122:malware:f805475, author = {Thomas Barabosch}, title = {{The malware analyst’s guide to PE timestamps}}, date = {2020-01-22}, url = {https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/}, language = {English}, urldate = {2021-01-25} } The malware analyst’s guide to PE timestamps
Azorult Gozi IcedID ISFB LOLSnif SUNBURST TEARDROP
2020-01-19360kate
@online{kate:20200119:bayworld:2cc2212, author = {kate}, title = {{BayWorld event, Cyber Attack Against Foreign Trade Industry}}, date = {2020-01-19}, organization = {360}, url = {https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/}, language = {English}, urldate = {2020-02-03} } BayWorld event, Cyber Attack Against Foreign Trade Industry
Azorult Formbook Nanocore RAT Revenge RAT
2019-09-26ProofpointBryan Campbell, Jeremy Hedges, Proofpoint Threat Insight Team
@online{campbell:20190926:new:d228362, author = {Bryan Campbell and Jeremy Hedges and Proofpoint Threat Insight Team}, title = {{New WhiteShadow downloader uses Microsoft SQL to retrieve malware}}, date = {2019-09-26}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware}, language = {English}, urldate = {2020-02-26} } New WhiteShadow downloader uses Microsoft SQL to retrieve malware
WhiteShadow Agent Tesla Azorult Crimson RAT Formbook Nanocore RAT NetWire RC NjRAT Remcos
2019-09-24YoroiAntonio Farina, Luca Mella
@online{farina:20190924:or:901ce1d, author = {Antonio Farina and Luca Mella}, title = {{APT or not APT? What's Behind the Aggah Campaign}}, date = {2019-09-24}, organization = {Yoroi}, url = {https://yoroi.company/research/apt-or-not-apt-whats-behind-the-aggah-campaign/}, language = {English}, urldate = {2021-06-16} } APT or not APT? What's Behind the Aggah Campaign
Azorult
2019-08-10Check PointOmer Gull
@online{gull:20190810:select:56061b1, author = {Omer Gull}, title = {{SELECT code_execution FROM * USING SQLite;}}, date = {2019-08-10}, organization = {Check Point}, url = {https://research.checkpoint.com/2019/select-code_execution-from-using-sqlite/}, language = {English}, urldate = {2020-02-09} } SELECT code_execution FROM * USING SQLite;
Azorult Loki Password Stealer (PWS) Pony
2019-07-11InfoSec Handlers Diary BlogBrad Duncan
@online{duncan:20190711:recent:bd25d5a, author = {Brad Duncan}, title = {{Recent AZORult activity}}, date = {2019-07-11}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/25120}, language = {English}, urldate = {2020-01-10} } Recent AZORult activity
Azorult
2019-06-04CylanceCylance Threat Research Team
@online{team:20190604:threat:c448cf8, author = {Cylance Threat Research Team}, title = {{Threat Spotlight: Analyzing AZORult Infostealer Malware}}, date = {2019-06-04}, organization = {Cylance}, url = {https://threatvector.cylance.com/en_us/home/threat-spotlight-analyzing-azorult-infostealer-malware.html}, language = {English}, urldate = {2020-02-10} } Threat Spotlight: Analyzing AZORult Infostealer Malware
Azorult
2019-03-22Kaspersky LabsAlexander Eremin
@online{eremin:20190322:azorult:3080ee5, author = {Alexander Eremin}, title = {{AZORult++: Rewriting history}}, date = {2019-03-22}, organization = {Kaspersky Labs}, url = {https://securelist.com/azorult-analysis-history/89922/}, language = {English}, urldate = {2019-12-20} } AZORult++: Rewriting history
Azorult
2019-02-07BluelivBlueliv Labs Team
@online{team:20190207:sales:c48c8d0, author = {Blueliv Labs Team}, title = {{Sales of AZORult grind to an AZOR-halt}}, date = {2019-02-07}, organization = {Blueliv}, url = {https://www.blueliv.com/blog-news/research/azorult-crydbrox-stops-sells-malware-credential-stealer/}, language = {English}, urldate = {2019-11-20} } Sales of AZORult grind to an AZOR-halt
Azorult
2019-01-28Minerva LabsAsaf Aprozper, Gal Bitensky
@online{aprozper:20190128:azorult:78563e2, author = {Asaf Aprozper and Gal Bitensky}, title = {{AZORult: Now, as A Signed “Google Update”}}, date = {2019-01-28}, organization = {Minerva Labs}, url = {https://blog.minerva-labs.com/azorult-now-as-a-signed-google-update}, language = {English}, urldate = {2019-12-04} } AZORult: Now, as A Signed “Google Update”
Azorult
2018-10-17Check PointIsrael Gubi
@online{gubi:20181017:emergence:670b6fd, author = {Israel Gubi}, title = {{The Emergence of the New Azorult 3.3}}, date = {2018-10-17}, organization = {Check Point}, url = {https://research.checkpoint.com/the-emergence-of-the-new-azorult-3-3/}, language = {English}, urldate = {2020-01-07} } The Emergence of the New Azorult 3.3
Azorult
2018-08-18Bleeping ComputerVishal Thakur
@online{thakur:20180818:azorult:e096002, author = {Vishal Thakur}, title = {{AZORult Trojan Serving Aurora Ransomware by MalActor Oktropys}}, date = {2018-08-18}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/azorult-trojan-serving-aurora-ransomware-by-malactor-oktropys/}, language = {English}, urldate = {2019-12-20} } AZORult Trojan Serving Aurora Ransomware by MalActor Oktropys
Aurora Azorult
2018-07-30ProofpointProofpoint Staff
@online{staff:20180730:new:07c5e76, author = {Proofpoint Staff}, title = {{New version of AZORult stealer improves loading features, spreads alongside ransomware in new campaign}}, date = {2018-07-30}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside}, language = {English}, urldate = {2021-12-13} } New version of AZORult stealer improves loading features, spreads alongside ransomware in new campaign
Azorult Hermes
2018-05-17Minerva LabsGal Bitensky
@online{bitensky:20180517:analyzing:c25d2ac, author = {Gal Bitensky}, title = {{Analyzing an AZORult Attack – Evasion in a Cloak of Multiple Layers}}, date = {2018-05-17}, organization = {Minerva Labs}, url = {https://blog.minerva-labs.com/puffstealer-evasion-in-a-cloak-of-multiple-layers}, language = {English}, urldate = {2019-10-14} } Analyzing an AZORult Attack – Evasion in a Cloak of Multiple Layers
Azorult
2017-11-12MalwareBreakdown
@online{malwarebreakdown:20171112:seamless:0a1c207, author = {MalwareBreakdown}, title = {{Seamless Campaign Delivers Ramnit via RIG EK at 188.225.82.158. Follow-up Malware is AZORult Stealer.}}, date = {2017-11-12}, url = {https://malwarebreakdown.com/2017/11/12/seamless-campaign-delivers-ramnit-via-rig-ek-at-188-225-82-158-follow-up-malware-is-azorult-stealer/}, language = {English}, urldate = {2019-12-17} } Seamless Campaign Delivers Ramnit via RIG EK at 188.225.82.158. Follow-up Malware is AZORult Stealer.
Azorult
2017-07-24Malware BreakdownMalware Breakdown
@online{breakdown:20170724:seamless:7e55e6a, author = {Malware Breakdown}, title = {{The Seamless Campaign Drops Ramnit. Follow-up Malware: AZORult Stealer, Smoke Loader, etc.}}, date = {2017-07-24}, organization = {Malware Breakdown}, url = {https://malwarebreakdown.com/2017/07/24/the-seamless-campaign-drops-ramnit-follow-up-malware-azorult-stealer-smoke-loader-etc/}, language = {English}, urldate = {2020-01-10} } The Seamless Campaign Drops Ramnit. Follow-up Malware: AZORult Stealer, Smoke Loader, etc.
Azorult
2017-07-24Vitali Kremez BlogVitali Kremez
@online{kremez:20170724:lets:8b64c6c, author = {Vitali Kremez}, title = {{Let's Learn: Reversing Credential and Payment Card Information Stealer 'AZORult V2'}}, date = {2017-07-24}, organization = {Vitali Kremez Blog}, url = {http://www.vkremez.com/2017/07/lets-learn-reversing-credential-and.html}, language = {English}, urldate = {2020-01-06} } Let's Learn: Reversing Credential and Payment Card Information Stealer 'AZORult V2'
Azorult
2016-07-26ProofpointProofpoint
@online{proofpoint:20160726:threat:076e87a, author = {Proofpoint}, title = {{Threat Actors Using Legitimate PayPal Accounts To Distribute Chthonic Banking Trojan}}, date = {2016-07-26}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan}, language = {English}, urldate = {2019-07-09} } Threat Actors Using Legitimate PayPal Accounts To Distribute Chthonic Banking Trojan
Azorult Chthonic
Yara Rules
[TLP:WHITE] win_azorult_auto (20230125 | Detects win.azorult.)
rule win_azorult_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.azorult."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.azorult"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 68???????? 8d858cfdffff 8d562c b904010000 e8???????? ffb58cfdffff 8d8590fdffff }
            // n = 7, score = 1200
            //   68????????           |                     
            //   8d858cfdffff         | lea                 eax, [ebp - 0x274]
            //   8d562c               | lea                 edx, [esi + 0x2c]
            //   b904010000           | mov                 ecx, 0x104
            //   e8????????           |                     
            //   ffb58cfdffff         | push                dword ptr [ebp - 0x274]
            //   8d8590fdffff         | lea                 eax, [ebp - 0x270]

        $sequence_1 = { 59 59 648910 e9???????? 8d45f4 50 }
            // n = 6, score = 1200
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx
            //   648910               | mov                 dword ptr fs:[eax], edx
            //   e9????????           |                     
            //   8d45f4               | lea                 eax, [ebp - 0xc]
            //   50                   | push                eax

        $sequence_2 = { 56 8b45fc e8???????? 8bc8 8d5301 }
            // n = 5, score = 1200
            //   56                   | push                esi
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   e8????????           |                     
            //   8bc8                 | mov                 ecx, eax
            //   8d5301               | lea                 edx, [ebx + 1]

        $sequence_3 = { 03d0 8bf2 8b45fc e8???????? 3bf8 }
            // n = 5, score = 1200
            //   03d0                 | add                 edx, eax
            //   8bf2                 | mov                 esi, edx
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   e8????????           |                     
            //   3bf8                 | cmp                 edi, eax

        $sequence_4 = { 8b45f8 33d2 e8???????? 7464 }
            // n = 4, score = 1200
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   33d2                 | xor                 edx, edx
            //   e8????????           |                     
            //   7464                 | je                  0x66

        $sequence_5 = { 8945f8 8d55f4 8bc3 e8???????? }
            // n = 4, score = 1200
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   8d55f4               | lea                 edx, [ebp - 0xc]
            //   8bc3                 | mov                 eax, ebx
            //   e8????????           |                     

        $sequence_6 = { 55 68???????? 64ff30 648920 53 b9???????? ba???????? }
            // n = 7, score = 1200
            //   55                   | push                ebp
            //   68????????           |                     
            //   64ff30               | push                dword ptr fs:[eax]
            //   648920               | mov                 dword ptr fs:[eax], esp
            //   53                   | push                ebx
            //   b9????????           |                     
            //   ba????????           |                     

        $sequence_7 = { 56 894df4 8955f8 8945fc 8b7508 8d45fc }
            // n = 6, score = 1200
            //   56                   | push                esi
            //   894df4               | mov                 dword ptr [ebp - 0xc], ecx
            //   8955f8               | mov                 dword ptr [ebp - 8], edx
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   8d45fc               | lea                 eax, [ebp - 4]

        $sequence_8 = { 7506 ff05???????? 56 e8???????? }
            // n = 4, score = 900
            //   7506                 | jne                 8
            //   ff05????????         |                     
            //   56                   | push                esi
            //   e8????????           |                     

        $sequence_9 = { 53 e8???????? 59 56 e8???????? 59 8bc7 }
            // n = 7, score = 900
            //   53                   | push                ebx
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   56                   | push                esi
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   8bc7                 | mov                 eax, edi

        $sequence_10 = { e8???????? 59 8b45f4 40 }
            // n = 4, score = 600
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   40                   | inc                 eax

        $sequence_11 = { 50 e8???????? 59 8bd8 33c0 }
            // n = 5, score = 600
            //   50                   | push                eax
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   8bd8                 | mov                 ebx, eax
            //   33c0                 | xor                 eax, eax

        $sequence_12 = { 85db 7404 8bc3 eb07 }
            // n = 4, score = 500
            //   85db                 | test                ebx, ebx
            //   7404                 | je                  6
            //   8bc3                 | mov                 eax, ebx
            //   eb07                 | jmp                 9

        $sequence_13 = { 014110 5f 5e 5b }
            // n = 4, score = 200
            //   014110               | add                 dword ptr [ecx + 0x10], eax
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx

        $sequence_14 = { 011f 59 8bc3 c1e003 01866caf0100 }
            // n = 5, score = 200
            //   011f                 | add                 dword ptr [edi], ebx
            //   59                   | pop                 ecx
            //   8bc3                 | mov                 eax, ebx
            //   c1e003               | shl                 eax, 3
            //   01866caf0100         | add                 dword ptr [esi + 0x1af6c], eax

        $sequence_15 = { 014f18 8b4714 85c0 0f854e010000 }
            // n = 4, score = 200
            //   014f18               | add                 dword ptr [edi + 0x18], ecx
            //   8b4714               | mov                 eax, dword ptr [edi + 0x14]
            //   85c0                 | test                eax, eax
            //   0f854e010000         | jne                 0x154

    condition:
        7 of them and filesize < 1753088
}
[TLP:WHITE] win_azorult_w0   (20170930 | Match first two bytes, strings, and parts of routines present in Azorult)
rule win_azorult_w0 {
    meta:
        author = "Xylitol xylitol@temari.fr"
        date = "2017-09-30"
        description = "Match first two bytes, strings, and parts of routines present in Azorult"
        reference = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=4819"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.azorult"
        malpedia_version = "20170930"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    // May only the challenge guide you
    strings:
        $string1 = "ST234LMUV56CklAopq78Brstuvwxyz01NOPQRmGHIJKWXYZabcdefgDEFhijn9+/" wide ascii // Azorult custom base64-like alphabet
        $string2 = "SYSInfo.txt"
        $string3 = "CookieList.txt"
        $string4 = "Passwords.txt"

        $constant1 = {85 C0 74 40 85 D2 74 31 53 56 57 89 C6 89 D7 8B 4F FC 57} // Azorult grabs .txt and .dat files from Desktop
        $constant2 = {68 ?? ?? ?? ?? FF 75 FC 68 ?? ?? ?? ?? 8D 45 F8 BA 03 00} // Portion of code from Azorult self-delete function
    condition:
      (all of ($string*) and ($constant1 or $constant2))
}
Download all Yara Rules