win.azorult

Azorult

aka: PuffStealer, Rultazo

AZORult is an information stealer that harvests credentials and payment card data. Among other features, version 2 added support for .bit domains. It has been observed delivered alongside Chthonic and dropped by Ramnit.

References
http://www.vkremez.com/2017/07/lets-learn-reversing-credential-and.html
https://blog.minerva-labs.com/azorult-now-as-a-signed-google-update
https://blog.minerva-labs.com/puffstealer-evasion-in-a-cloak-of-multiple-layers
https://isc.sans.edu/diary/25120
https://malwarebreakdown.com/2017/07/24/the-seamless-campaign-drops-ramnit-follow-up-malware-azorult-stealer-smoke-loader-etc/
https://malwarebreakdown.com/2017/11/12/seamless-campaign-delivers-ramnit-via-rig-ek-at-188-225-82-158-follow-up-malware-is-azorult-stealer/
https://research.checkpoint.com/the-emergence-of-the-new-azorult-3-3/
https://securelist.com/azorult-analysis-history/89922/
https://www.bleepingcomputer.com/news/security/azorult-trojan-serving-aurora-ransomware-by-malactor-oktropys/
https://www.blueliv.com/blog-news/research/azorult-crydbrox-stops-sells-malware-credential-stealer/
https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside
https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan
Yara Rules
[TLP:WHITE] win_azorult_auto (20190620 | autogenerated rule brought to you by yara-signator)
rule win_azorult_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2019-07-05"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.2a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.azorult"
        malpedia_version = "20190620"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Each $sequence_N below is a short run of x86 instruction bytes lifted
     * from unpacked AZORult code. The "??" wildcards stand in for the rel32 /
     * rel8 operands of call, jmp and jcc instructions (e8, e9, 74, 79), which
     * differ between builds and link addresses; only the surrounding opcodes
     * are matched. Because these are code patterns, apply the rule to unpacked
     * samples or process memory dumps - a still-packed dropper will not
     * contain them (see DISCLAIMER above).
     */
    strings:
        $sequence_0 = { 0fb64438ff 0fb7c0 33f0 8d45d4 8bd6 }
            // n = 5, score = 1100
            //   0fb64438ff           | movzx               eax, byte ptr [eax + edi - 1]
            //   0fb7c0               | movzx               eax, ax
            //   33f0                 | xor                 esi, eax
            //   8d45d4               | lea                 eax, [ebp - 0x2c]
            //   8bd6                 | mov                 edx, esi

        $sequence_1 = { 8b45fc 33d2 e8???????? 74?? 8b45f8 33d2 }
            // n = 6, score = 1100
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   33d2                 | xor                 edx, edx
            //   e8????????           |                     
            //   74??                 |                     
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   33d2                 | xor                 edx, edx

        $sequence_2 = { 8b45f8 e8???????? 85c0 79?? 83c003 c1f802 bf01000000 }
            // n = 7, score = 1100
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   79??                 |                     
            //   83c003               | add                 eax, 3
            //   c1f802               | sar                 eax, 2
            //   bf01000000           | mov                 edi, 1

        $sequence_3 = { e8???????? 8b45e0 e8???????? c1e008 5a }
            // n = 5, score = 1100
            //   e8????????           |                     
            //   8b45e0               | mov                 eax, dword ptr [ebp - 0x20]
            //   e8????????           |                     
            //   c1e008               | shl                 eax, 8
            //   5a                   | pop                 edx

        $sequence_4 = { 8d45f8 e8???????? e9???????? 8d45f4 50 }
            // n = 5, score = 1100
            //   8d45f8               | lea                 eax, [ebp - 8]
            //   e8????????           |                     
            //   e9????????           |                     
            //   8d45f4               | lea                 eax, [ebp - 0xc]
            //   50                   | push                eax

        $sequence_5 = { 8d55e8 8d45dc e8???????? 8b45dc e8???????? }
            // n = 5, score = 1100
            //   8d55e8               | lea                 edx, [ebp - 0x18]
            //   8d45dc               | lea                 eax, [ebp - 0x24]
            //   e8????????           |                     
            //   8b45dc               | mov                 eax, dword ptr [ebp - 0x24]
            //   e8????????           |                     

        $sequence_6 = { e8???????? ff75e8 8b45fc ba04000000 e8???????? }
            // n = 5, score = 1100
            //   e8????????           |                     
            //   ff75e8               | push                dword ptr [ebp - 0x18]
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   ba04000000           | mov                 edx, 4
            //   e8????????           |                     

        // NOTE(review): $sequence_7 is $sequence_1 with one extra trailing call
        // (e8????????). Every $sequence_7 hit therefore also satisfies
        // $sequence_1, so the two are not independent evidence even though the
        // condition below counts them separately.
        $sequence_7 = { 8b45fc 33d2 e8???????? 74?? 8b45f8 33d2 e8???????? }
            // n = 7, score = 1100
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   33d2                 | xor                 edx, edx
            //   e8????????           |                     
            //   74??                 |                     
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   33d2                 | xor                 edx, edx
            //   e8????????           |                     

        $sequence_8 = { 8bc6 e8???????? 8b16 0fb6541aff 83ea20 885418ff }
            // n = 6, score = 1100
            //   8bc6                 | mov                 eax, esi
            //   e8????????           |                     
            //   8b16                 | mov                 edx, dword ptr [esi]
            //   0fb6541aff           | movzx               edx, byte ptr [edx + ebx - 1]
            //   83ea20               | sub                 edx, 0x20
            //   885418ff             | mov                 byte ptr [eax + ebx - 1], dl

        // 648920 stores esp to fs:[eax]; when eax is 0 that is the Win32 SEH
        // chain head (fs:[0]), i.e. an exception-frame setup - but eax's value
        // is not part of this pattern, so treat that reading as likely, not
        // certain.
        $sequence_9 = { 648920 e8???????? 8d55d4 e8???????? ff75d4 8d45d0 e8???????? }
            // n = 7, score = 1100
            //   648920               | mov                 dword ptr fs:[eax], esp
            //   e8????????           |                     
            //   8d55d4               | lea                 edx, [ebp - 0x2c]
            //   e8????????           |                     
            //   ff75d4               | push                dword ptr [ebp - 0x2c]
            //   8d45d0               | lea                 eax, [ebp - 0x30]
            //   e8????????           |                     

    condition:
        // 7 of the 10 code sequences must be present. When judging the
        // strength of a hit, remember the $sequence_1 / $sequence_7 overlap
        // noted above: they can contribute two of the seven from one location.
        7 of them
}
[TLP:WHITE] win_azorult_w0   (20170930 | Match first two bytes, strings, and parts of routines present in Azorult)
rule win_azorult_w0 {
    meta:
        author = "Xylitol xylitol@temari.fr"
        date = "2017-09-30"
        description = "Match first two bytes, strings, and parts of routines present in Azorult"
        reference = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=4819"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.azorult"
        malpedia_version = "20170930"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    // May only the challenge guide you
    strings:
        $string1 = "ST234LMUV56CklAopq78Brstuvwxyz01NOPQRmGHIJKWXYZabcdefgDEFhijn9+/" wide ascii // Azorult custom base64-like alphabet
        // $string2..$string4 carry no modifier, so YARA matches them as ASCII
        // only. NOTE(review): if a build stores these output file names as
        // UTF-16 they will be missed - confirm, and add "wide ascii" if so.
        $string2 = "SYSInfo.txt"
        $string3 = "CookieList.txt"
        $string4 = "Passwords.txt"

        $constant1 = {85 C0 74 40 85 D2 74 31 53 56 57 89 C6 89 D7 8B 4F FC 57} // Azorult grabs .txt and .dat files from Desktop
        $constant2 = {68 ?? ?? ?? ?? FF 75 FC 68 ?? ?? ?? ?? 8D 45 F8 BA 03 00} // Portion of code from Azorult self-delete function; the ?? bytes are the imm32 operands of the two push (68) instructions, which vary per build
    condition:
      // All four strings are mandatory, so a variant that renames even one
      // output file escapes the rule; the code constants are the stronger
      // signal and at least one of them must also match.
      // NOTE(review): the description says "Match first two bytes", but the
      // condition contains no uint16(0) == 0x5A4D check. Confirm whether it
      // was dropped on purpose (e.g. to keep matching headerless memory
      // dumps) or should be restored.
      (all of ($string*) and ($constant1 or $constant2))
}