win.azorult

Azorult

aka: PuffStealer, Rultazo

Actor(s): The Gorgon Group


AZORult is a credential and payment card information stealer. Among other things, version 2 added support for .bit-domains. It has been observed in conjunction with Chthonic as well as being dropped by Ramnit.

References
2024-09-04 | ANY.RUN | ANY.RUN, Mostafa ElSheimy
AZORult Malware: Technical Analysis
Families: Azorult

2024-01-12 | cyble | Cyble
Sneaky Azorult Back in Action and Goes Undetected
Families: Azorult

2023-01-30 | Checkpoint | Arie Olshtein
Following the Scent of TrickGate: 6-Year-Old Packer Used to Deploy the Most Wanted Malware
Families: Agent Tesla, Azorult, Buer, Cerber, Cobalt Strike, Emotet, Formbook, HawkEye Keylogger, Loki Password Stealer (PWS), Maze, NetWire RC, Remcos, REvil, TrickBot

2022-08-25 | splunk | Splunk Threat Research Team
AppLocker Rules as Defense Evasion: Complete Analysis
Families: Azorult

2022-08-08 | Medium CSIS Techblog | Benoît Ancel
An inside view of domain anonymization as-a-service — the BraZZZerSFF infrastructure
Families: Riltok, magecart, Anubis, Azorult, BetaBot, Buer, CoalaBot, CryptBot, DiamondFox, DreamBot, GCleaner, ISFB, Loki Password Stealer (PWS), MedusaLocker, MeguminTrojan, Nemty, PsiX, RedLine Stealer, SmokeLoader, STOP, TinyNuke, Vidar, Zloader

2022-08-02 | Recorded Future | Insikt Group
Initial Access Brokers Are Key to Rise in Ransomware Attacks
Families: Azorult, BlackMatter, Conti, Mars Stealer, Raccoon, RedLine Stealer, Taurus Stealer, Vidar

2022-07-13 | KELA | KELA Cyber Intelligence Center
The Next Generation of Info Stealers
Families: Arkei Stealer, Azorult, BlackGuard, Eternity Stealer, Ginzo Stealer, Mars Stealer, MetaStealer, Raccoon, RedLine Stealer, Vidar

2022-05-10 | Checkpoint | Checkpoint
Info-stealer Campaign targets German Car Dealerships and Manufacturers
Families: Azorult, BitRAT, Raccoon

2021-12-02 | Cisco | Tiago Pereira
Magnat campaigns use malvertising to deliver information stealer, backdoor and malicious Chrome extension
Families: Azorult, RedLine Stealer

2021-11-29 | Trend Micro | Jaromír Hořejší
Campaign Abusing Legitimate Remote Administrator Tools Uses Fake Cryptocurrency Websites
Families: AsyncRAT, Azorult, Nanocore RAT, NjRAT, RedLine Stealer, Remcos

2021-10-06 | zimperium | Jordan Herman
Malware Distribution with Mana Tools
Families: Agent Tesla, Azorult

2021-09-08 | RiskIQ | Jennifer Grob
Bulletproof Hosting Services: Investigating Flowspec
Families: Azorult, Glupteba

2021-09-04 | cocomelonc | cocomelonc
AV engines evasion for C++ simple malware: part 1
Families: 4h_rat, Azorult, BADCALL, BadNews, BazarBackdoor, Cardinal RAT

2021-08-18 | AhnLab | ASEC Analysis Team
Infostealer Malware Azorult Being Distributed Through Spam Mails
Families: Azorult

2021-07-12 | IBM | Claire Zaboeva, Dan Dash, Melissa Frydrych
RoboSki and Global Recovery: Automation to Combat Evolving Obfuscation
Families: 404 Keylogger, Agent Tesla, AsyncRAT, Ave Maria, Azorult, BitRAT, Formbook, HawkEye Keylogger, Loki Password Stealer (PWS), Nanocore RAT, NetWire RC, NjRAT, Quasar RAT, RedLine Stealer, Remcos

2021-07-12 | Cipher Tech Solutions | Claire Zaboeva, Dan Dash, Melissa Frydrych
RoboSki and Global Recovery: Automation to Combat Evolving Obfuscation
Families: 404 Keylogger, Agent Tesla, AsyncRAT, Ave Maria, Azorult, BitRAT, Formbook, HawkEye Keylogger, Loki Password Stealer (PWS), Nanocore RAT, NetWire RC, NjRAT, Quasar RAT, RedLine Stealer, Remcos

2021-04-07 | F5 | Aditya K. Sood
Dissecting the Design and Vulnerabilities in Azorult C&C Panels
Families: Azorult

2021-02-15 | Medium s2wlab | Sojun Ryu
Operation SyncTrek
Families: AbaddonPOS, Azorult, Clop, DoppelDridex, DoppelPaymer, Dridex, PwndLocker

2021-02-06 | Medium mariohenkel | Mario Henkel
Decrypting AzoRult traffic for fun and profit
Families: Azorult

2021-02-03 | Medium s2wlab | Hyunmin Suh, Minjei Cho
W1 Feb | EN | Story of the week: Stealers on the Darkweb
Families: Azorult, Raccoon, Vidar

2021-01-28 | Youtube (Virus Bulletin) | Benoît Ancel
The Bagsu banker case
Families: Azorult, DreamBot, Emotet, Pony, TrickBot, ZeusAction

2021-01-09 | Marco Ramilli's Blog | Marco Ramilli
Command and Control Traffic Patterns
Families: ostap, LaZagne, Agent Tesla, Azorult, Buer, Cobalt Strike, DanaBot, DarkComet, Dridex, Emotet, Formbook, IcedID, ISFB, NetWire RC, PlugX, Quasar RAT, SmokeLoader, TrickBot

2020-12-14 | Blueliv | Alberto Marín, Blueliv Labs Team, Carlos Rubio
Using Qiling Framework to Unpack TA505 packed samples
Families: AndroMut, Azorult, Silence, TinyMet

2020-12-02 | DomainTools | Joe Slowik
Identifying Network Infrastructure Related to a World Health Organization Spoofing Campaign
Families: Azorult, Glupteba

2020-11-18 | VMRay | Mateusz Lukaszewski, Pascal Brackmann, VMRay Labs Team
Malware Analysis Spotlight: AZORult Delivered by GuLoader
Families: Azorult, CloudEyE

2020-09-29 | Zscaler | Sahil Antil, Sudeep Singh
Targeted Attacks on Oil and Gas Supply Chain Industries in the Middle East
Families: Azorult

2020-09-02 | Palo Alto Networks Unit 42 | Janos Szurdi, Zhanhao Chen
Cybersquatting: Attackers Mimicking Domains of Major Brands Including Facebook, Apple, Amazon and Netflix to Scam Consumers
Families: Azorult

2020-09-01 | nviso | Bart Parys, Didier Stevens, Dries Boone, Maxime Thiebaut, Michel Coene
Epic Manchego – atypical maldoc delivery brings flurry of infostealers
Families: Azorult, NjRAT

2020-07-30 | Spamhaus | Spamhaus Malware Labs
Spamhaus Botnet Threat Update Q2 2020
Families: AdWind, Agent Tesla, Arkei Stealer, AsyncRAT, Ave Maria, Azorult, DanaBot, Emotet, IcedID, ISFB, KPOT Stealer, Loki Password Stealer (PWS), Nanocore RAT, NetWire RC, NjRAT, Pony, Raccoon, RedLine Stealer, Remcos, Zloader

2020-06-11 | Talos Intelligence | Joe Marshall, Kendall McKay
Tor2Mine is up to their old tricks — and adds a few new ones
Families: Azorult, Remcos

2020-05-21 | Malwarebytes | Malwarebytes Labs
Cybercrime tactics and techniques
Families: Ave Maria, Azorult, DanaBot, Loki Password Stealer (PWS), NetWire RC

2020-04-29 | FR3D.HK | Fred HK
Gazorp - Thieving from thieves
Families: Azorult

2020-04-15 | Zscaler | Sudeep Singh
Multistage FreeDom loader used in Aggah Campaign to spread Nanocore and AZORult
Families: Azorult, Nanocore RAT

2020-04-13 | Blackberry | Masaki Kasuya, Tatsuya Hasegawa
Threat Spotlight: Gootkit Banking Trojan
Families: Azorult, GootKit

2020-04-02 | Cisco Talos | Vanja Svajcer
AZORult brings friends to the party
Families: Azorult, Remcos

2020-04-01 | Cisco | Andrea Kaiser, Shyam Sundar Ramaswami
Navigating Cybersecurity During a Pandemic: Latest Malware and Threat Actors
Families: Azorult, CloudEyE, Formbook, KPOT Stealer, Metamorfo, Nanocore RAT, NetWire RC, TrickBot

2020-03-26 | Telekom | Thomas Barabosch
TA505's Box of Chocolate - On Hidden Gems packed with the TA505 Packer
Families: Amadey, Azorult, Clop, FlawedGrace, Get2, SDBbot, Silence, TinyMet, TA505

2020-03-26 | Max Kersten's Blog | Max Kersten
Azorult loader stages
Families: Azorult

2020-02-26 | KELA | Leon Kurolapnik, Raveed Laeb
What's Dead May Never Die: AZORult Infostealer Decommissioned Again
Families: Azorult

2020-02-21 | KELA | Raveed Laeb
Exploring the Genesis Supply Chain for Fun and Profit: Part 1 – Misadventures in GUIDology
Families: Azorult

2020-02-19 | Team Cymru | Team Cymru
Azorult – what we see using our own tools
Families: Azorult

2020-02-12 | Twitter (@DrStache_) | DrStache
Tweet on ManaBotnet
Families: Azorult

2020-02-06 | Prevailion | Danny Adamitis
The Triune Threat: MasterMana Returns
Families: Azorult, Loki Password Stealer (PWS)

2020-02-05 | Cybereason | Assaf Dahan, Lior Rochberger
The Hole in the Bucket: Attackers Abuse Bitbucket to Deliver an Arsenal of Malware
Families: Amadey, Azorult, Predator The Thief, STOP, Vidar

2020-02-03 | SANS ISC | Jan Kopriva
Analysis of a triple-encrypted AZORult downloader
Families: Azorult

2020-01-27 | Yoroi | Luca Mella, Luigi Martire
Aggah: How to run a botnet without renting a Server (for more than a year)
Families: LokiBot, Azorult

2020-01-22 | Thomas Barabosch
The malware analyst's guide to PE timestamps
Families: Azorult, Gozi, IcedID, ISFB, LOLSnif, SUNBURST, TEARDROP

2020-01-19 | 360 | kate
BayWorld event, Cyber Attack Against Foreign Trade Industry
Families: Azorult, Formbook, Nanocore RAT, Revenge RAT

2019-09-26 | Proofpoint | Bryan Campbell, Jeremy Hedges, Proofpoint Threat Insight Team
New WhiteShadow downloader uses Microsoft SQL to retrieve malware
Families: WhiteShadow, Agent Tesla, Azorult, Crimson RAT, Formbook, Nanocore RAT, NetWire RC, NjRAT, Remcos

2019-09-24 | Yoroi | Antonio Farina, Luca Mella
APT or not APT? What's Behind the Aggah Campaign
Families: Azorult

2019-08-10 | Check Point | Omer Gull
SELECT code_execution FROM * USING SQLite;
Families: Azorult, Loki Password Stealer (PWS), Pony

2019-07-11 | InfoSec Handlers Diary Blog | Brad Duncan
Recent AZORult activity
Families: Azorult

2019-06-04 | Cylance | Cylance Threat Research Team
Threat Spotlight: Analyzing AZORult Infostealer Malware
Families: Azorult

2019-03-22 | Kaspersky Labs | Alexander Eremin
AZORult++: Rewriting history
Families: Azorult

2019-02-07 | Blueliv | Blueliv Labs Team
Sales of AZORult grind to an AZOR-halt
Families: Azorult

2019-01-28 | Minerva Labs | Asaf Aprozper, Gal Bitensky
AZORult: Now, as A Signed "Google Update"
Families: Azorult

2018-10-17 | Check Point | Israel Gubi
The Emergence of the New Azorult 3.3
Families: Azorult

2018-08-18 | Bleeping Computer | Vishal Thakur
AZORult Trojan Serving Aurora Ransomware by MalActor Oktropys
Families: Aurora, Azorult

2018-07-30 | Proofpoint | Proofpoint Staff
New version of AZORult stealer improves loading features, spreads alongside ransomware in new campaign
Families: Azorult, Hermes

2018-05-17 | Minerva Labs | Gal Bitensky
Analyzing an AZORult Attack – Evasion in a Cloak of Multiple Layers
Families: Azorult

2017-11-12 | MalwareBreakdown
Seamless Campaign Delivers Ramnit via RIG EK at 188.225.82.158. Follow-up Malware is AZORult Stealer.
Families: Azorult

2017-07-24 | Malware Breakdown | Malware Breakdown
The Seamless Campaign Drops Ramnit. Follow-up Malware: AZORult Stealer, Smoke Loader, etc.
Families: Azorult

2017-07-24 | Vitali Kremez Blog | Vitali Kremez
Let's Learn: Reversing Credential and Payment Card Information Stealer 'AZORult V2'
Families: Azorult

2016-07-26 | Proofpoint | Proofpoint
Threat Actors Using Legitimate PayPal Accounts To Distribute Chthonic Banking Trojan
Families: Azorult, Chthonic

Yara Rules
[TLP:WHITE] win_azorult_auto (20251219 | Detects win.azorult.)
rule win_azorult_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-01-05"
        version = "1"
        description = "Detects win.azorult."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.azorult"
        malpedia_rule_date = "20260105"
        malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79"
        malpedia_version = "20251219"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8901 8bc1 c7410410000000 5d c20400 55 8bec }
            // n = 7, score = 200
            //   8901                 | mov                 dword ptr [ecx], eax
            //   8bc1                 | mov                 eax, ecx
            //   c7410410000000       | mov                 dword ptr [ecx + 4], 0x10
            //   5d                   | pop                 ebp
            //   c20400               | ret                 4
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp

        $sequence_1 = { ff15???????? 8b4dc8 8bd1 81e20000ff00 8bc1 c1e810 0bd0 }
            // n = 7, score = 200
            //   ff15????????         |                     
            //   8b4dc8               | mov                 ecx, dword ptr [ebp - 0x38]
            //   8bd1                 | mov                 edx, ecx
            //   81e20000ff00         | and                 edx, 0xff0000
            //   8bc1                 | mov                 eax, ecx
            //   c1e810               | shr                 eax, 0x10
            //   0bd0                 | or                  edx, eax

        $sequence_2 = { 83c410 5e c9 c3 55 8bec 81eccc060000 }
            // n = 7, score = 200
            //   83c410               | add                 esp, 0x10
            //   5e                   | pop                 esi
            //   c9                   | leave               
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   81eccc060000         | sub                 esp, 0x6cc

        $sequence_3 = { 8d9adcbc1b8f 8b702c 03d9 337018 8bcf }
            // n = 5, score = 200
            //   8d9adcbc1b8f         | lea                 ebx, [edx - 0x70e44324]
            //   8b702c               | mov                 esi, dword ptr [eax + 0x2c]
            //   03d9                 | add                 ebx, ecx
            //   337018               | xor                 esi, dword ptr [eax + 0x18]
            //   8bcf                 | mov                 ecx, edi

        $sequence_4 = { 6a00 6a00 ff7508 ff7510 ff15???????? 85ff 7405 }
            // n = 7, score = 200
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   ff7508               | push                dword ptr [ebp + 8]
            //   ff7510               | push                dword ptr [ebp + 0x10]
            //   ff15????????         |                     
            //   85ff                 | test                edi, edi
            //   7405                 | je                  7

        $sequence_5 = { e8???????? 84c0 0f8444010000 8d45d8 50 8d4dfc e8???????? }
            // n = 7, score = 200
            //   e8????????           |                     
            //   84c0                 | test                al, al
            //   0f8444010000         | je                  0x14a
            //   8d45d8               | lea                 eax, [ebp - 0x28]
            //   50                   | push                eax
            //   8d4dfc               | lea                 ecx, [ebp - 4]
            //   e8????????           |                     

        $sequence_6 = { 83fa04 1bc0 83e004 8b443814 d3e8 884415f8 42 }
            // n = 7, score = 200
            //   83fa04               | cmp                 edx, 4
            //   1bc0                 | sbb                 eax, eax
            //   83e004               | and                 eax, 4
            //   8b443814             | mov                 eax, dword ptr [eax + edi + 0x14]
            //   d3e8                 | shr                 eax, cl
            //   884415f8             | mov                 byte ptr [ebp + edx - 8], al
            //   42                   | inc                 edx

        $sequence_7 = { 68???????? 680000baba 50 50 e8???????? a1???????? 85c0 }
            // n = 7, score = 200
            //   68????????           |                     
            //   680000baba           | push                0xbaba0000
            //   50                   | push                eax
            //   50                   | push                eax
            //   e8????????           |                     
            //   a1????????           |                     
            //   85c0                 | test                eax, eax

        $sequence_8 = { c3 55 8bec 81ec2c020000 56 8d85d8fdffff 33f6 }
            // n = 7, score = 200
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   81ec2c020000         | sub                 esp, 0x22c
            //   56                   | push                esi
            //   8d85d8fdffff         | lea                 eax, [ebp - 0x228]
            //   33f6                 | xor                 esi, esi

        $sequence_9 = { 80f920 74f4 80f97d 750c 8d4201 8907 8bc3 }
            // n = 7, score = 200
            //   80f920               | cmp                 cl, 0x20
            //   74f4                 | je                  0xfffffff6
            //   80f97d               | cmp                 cl, 0x7d
            //   750c                 | jne                 0xe
            //   8d4201               | lea                 eax, [edx + 1]
            //   8907                 | mov                 dword ptr [edi], eax
            //   8bc3                 | mov                 eax, ebx

    condition:
        7 of them and filesize < 1073152
}

[TLP:WHITE] win_azorult_w0 (20170930 | Match first two bytes, strings, and parts of routines present in Azorult)
rule win_azorult_w0 {
    meta:
        author = "Xylitol xylitol@temari.fr"
        date = "2017-09-30"
        description = "Match first two bytes, strings, and parts of routines present in Azorult"
        reference = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=4819"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.azorult"
        malpedia_version = "20170930"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    // May only the challenge guide you
    strings:
        $string1 = "ST234LMUV56CklAopq78Brstuvwxyz01NOPQRmGHIJKWXYZabcdefgDEFhijn9+/" wide ascii // Azorult custom base64-like alphabet
        $string2 = "SYSInfo.txt"
        $string3 = "CookieList.txt"
        $string4 = "Passwords.txt"

        $constant1 = {85 C0 74 40 85 D2 74 31 53 56 57 89 C6 89 D7 8B 4F FC 57} // Azorult grabs .txt and .dat files from Desktop
        $constant2 = {68 ?? ?? ?? ?? FF 75 FC 68 ?? ?? ?? ?? 8D 45 F8 BA 03 00} // Portion of code from Azorult self-delete function
    condition:
        (all of ($string*) and ($constant1 or $constant2))
}