Cyble-Azorult-Stealer-Resurfaces

A Deep-Dive Analysis of Azorult Stealer

Share on linkedin
Share on twitter
Share on whatsapp
Share on facebook
Share on telegram
Share on email

Azorult stealer is an infamous information stealer trojan, first discovered in 2016 and has been widely used by various Threat Actors (TAs) since then. Azorult stealer is well known for stealing different system information, such as browser history, cookies, ID/Passwords, cryptocurrency information, etc. The Azorult stealer is sold on Russian cybercrime forums, and TAs can buy the stealer binaries and use them in their cyber-attack campaigns.

TAs drop Azorult using various infection vectors, including phishing emails, pirated software, malicious documents, etc. TAs may often lure victims by using Key Generator (KeyGen) programs. After execution, these keygen programs drop various malware into the system, in this case – the Azroult stealer.

Figure 1 shows the execution flow of Azorult stealer malware. Azorult drops itself in the “TEMP” folder and runs itself using WScript and VB script. After execution, the stealer sends a unique system ID to the Command-and-Control (C&C) server. In response, the C&C sends configuration details and supports DLL files. Azorult then extracts the data from the system and uploads this data to C&C.  The stealer then deletes extracted data, support DLLs and stealer file.

Figure 1 High-Level Execution Flow of Azorult Stealer

Technical Analysis

After the initial infection, the multi-stage loader drops the final payload of the Azorult stealer. Azorult file is a .NET-based 32-bit Graphical User Interface (GUI) executable masquerading as the official Telegram Desktop Application. Figure 2 shows the static information of the Azorult stealer.

Figure 2 Azorult Stealer Static Details

Upon execution, Azorult copies itself in the “C:\Users\MalWorkstation\AppData\Local\Temp\” folder as Xzegdxbuoconsoleapp3.exe. WScript.exe runs Xzegdxbuoconsoleapp3.exe from the Temp folder using VB Script. Figure 3 shows the VBScript code for executing Xzegdxbuoconsoleapp3.exe.

Figure 3 VBScript code to run Xzegdxbuoconsoleapp3.exe

Figure 4 shows the execution flow of Xzegdxbuoconsoleapp3.exe using WScript.exe.

Figure 4 WScript.exe running Xzegdxbuoconsoleapp3.exe

Azorult file contains a “Resources” folder which has an encrypted file Srpccwbxdhrzif, used for defense evasion. Figure 5 shows the Resource folder and the raw encrypted data.

Figure 5 Encrypted Srpccwbxdhrzif file in Resources

Azorult source code reveals Srpccwbxdhrzif file is encrypted using Triple-DES Encryption Algorithm. Attackers use the Triple-DES algorithm with ECB Cipher mode and PKCS7 padding for encryption. The code snippet showing the routine for decrypting the Srpccwbxdhrzif is shown below.

Figure 6 Triple DES Algorithm Implementation

The main malware also contains a decryption key hardcoded into itself, as shown in Figure 7.

Figure 7 Hardcoded Decryption Key in the Memory

Azorult decrypts the file Srpccwbxdhrzif in memory as Srpccwbxdhrzif.dll. Figure 8 shows the Srpccwbxdhrzif.dll in the memory.

Figure 8 Decrypted Srpccwbxdhrzif.dll in Memory

Srpccwbxdhrzif.dll is a 32-bit .NET-based DLL file. Figure 9 shows static details of the Srpccwbxdhrzif.dll.

Figure 9 Static Details of Srpccwbxdhrzif.dll

The DLL Srpccwbxdhrzif.dll contains the code for communication with the C&C server.

Azorult masquerades as a legitimate application to avoid suspicion. In this particular case, it masquerades as the Telegram desktop application. While running, multiple activities are performed by the Azorult stealer. Figure 10 shows the process tree of the execution of Azorult.

Figure 10 Process Tree of Azorult Stealer

Upon execution, Azorult sends a unique identification code to C&C from the infected computer using a HTTP POST request. Azorult sends unique identification code as an index.php file to C&C domain – Milsom[.]ac[.]ug. Multiple C&C server addresses are hardcoded into the malware. Figure 11 shows the packet details of the initial C&C communication.

Figure 11 Network Packet Details of Initial C&C Communication

In response, the C&C sends additional data and in base64 encoded configuration string to Azorult stealer. The contents of the index.php.htm are shown in Figure 12.

Figure 12 Encrypted Data Sent from C&C

There are multiple URLs hardcoded into the malware. Figure 13 shows the DNS requests made from the Azorult stealer.

Figure 13 Azorult trying to connect to the Domains

The configuration data contains the below details, which the stealer uses to perform further actions. 

​Configuration ​Description 
​Browser Path ​Various paths from which stealers can extract sensitive details. 
​Crypto Wallet ​Crypto Wallet details for extraction 

After execution, Xzegdxbuoconsoleapp3.exe downloads the supported DLL files for information stealing from C&C. These DLL files are genuine component files of various software applications such as browsers. Figure 14 shows the request and response for downloading DLL file softokn3.dll.

Figure 14 Xzegdxbuoconsoleapp3.exe Downloaded softokn3.dll

Additional supporting DLLs downloaded from the C&C are listed below:

  • freebl3.dll
  • mozglue.dll
  • msvcp140.dll
  • nss3.dll
  • softokn3.dll
  • sqlite3.dll
  • vcruntime140.dll

Figure 15 shows the downloaded DLLs used by the Xzegdxbuoconsoleapp3.exe process.

Figure 15 Xzegdxbuoconsoleapp3.exe Loading Support DLLs

Upon execution, Xzegdxbuoconsoleapp3.exe exfiltrates the data from the systems and stores it into C:/ProgramData folder. This folder contains browser autofill data, cookies data, passwords, screenshots, and system information-related data of the victim’s system, as shown in Figure 16.

Figure 16 Data Gathered by Xzegdxbuoconsoleapp3.exe

Figure 17 shows the contents of system.txt, which contains the system information including hardware, domain, language, and software installed into the system.

Figure 17 System Information Extracted by Xzegdxbuoconsoleapp3.exe

Figure 18 shows the captured POST request created by the stealer, which contains the exfiltrated data compressed into a zip fil. In our analysis, the zip file was named _5514573629.zip.

Figure 18 Data Exfiltrated to C&C by Xzegdxbuoconsoleapp3.exe

After exfiltration of the data, Xzegdxbuoconsoleapp3.exe runs cmd.exe for killing itself, deleting the folder _5514573629, and exits. Figure 19 shows the details of the process killing the Xzegdxbuoconsoleapp3 process and deleting the folder.

Figure 19 Azorult Stealer Deleting Itself and the Gathered Data
“C:\Windows\System32\cmd.exe” /c taskkill /pid 3260 & erase C:\Users\MalWorkstation\AppData\Local\Temp\Xzegdxbuoconsoleapp3.exe & RD /S /Q C:\\ProgramData\\551457362933425\\* & exit

Conclusion  

Azorult stealer is used for stealing custom information from victims’ systems including credentials, cookies, browser data, and cryptocurrency wallets, etc. In this campaign, the TA is using keygen software and phishing emails to deliver the Azorult stealer payload.

The TAs behind Azorult have used multiple methods to extract the targeted victim’s crucial data. The victims can range from organizations to general users.

Cyble Research Labs will continuously monitor emerging threats and targeted cyber-attacks. 

Our Recommendations 

​We have listed some of the essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the suggestions given below: 

  • Use strong passwords and enforce multi-factor authentication wherever possible. 
  • ​Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.  
  • ​Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.     
  • ​Refrain from opening untrusted links and email attachments without verifying their authenticity. 
  • ​Conduct regular backup practices and keep those backups offline or in a separate network. 

​MITRE ATT&CK® Techniques 

​Tactic ​Technique ID ​Technique Name 
ExecutionT1059Command and Scripting Interpreter
Defence EvasionT1497.003Virtualization/Sandbox Evasion: Time Based Evasion
Credential AccessT1555  
T1552
T1539
Credentials from Password Stores
Unsecured Credentials
Steal Web Session Cookie  
DiscoveryT1518
T1082
Software Discovery
System Information Discovery
​Command and Control T1095 ​Non-Application Layer Protocol 
​Exfiltration T1041 ​Exfiltration Over C2 Channel   

​Indicators of Compromise (IoCs):   

​Indicators ​Indicator type ​Description 
720ae9355ab33d0a10059da07c7af1722b5c53daa94950e8d5f01ba330951efb​SHA-256 Azorult Stealer 
a1d765c68a5cddc84dbf51767232c8eb0c3284cf0443671a6ada80ee10db70a7SHA-256 Azorult Stealer 
2ee579a9f9ebf574254c0da0f2a45fbff896e7864e3b40f95f826943e6f0213bSHA-256 Azorult Stealer 
8f7f529578b7a3d53f001f5130b0ba9e450f936c1309395cba875acdce5b77c3SHA-256 Azorult Stealer 
03f36ba5d0b98fab3b67c14041448b31ab255c6f73a9e04791a11af40be5bc0fSHA-256 Azorult Stealer 
Rebrand[.]ly​C&C C&C URL 
Marketprice[.]pk​C&C C&C URL 
Matisaas[.]ac[.]ug​C&C C&C URL 
Mantata[.]ac[.]ug​C&C C&C URL 
Playwell[.]ug​C&C C&C URL 
Wellplayed[.]ug​C&C C&C URL 
Marcyovcx[.]ru​C&C C&C URL 
Milsom[.]ac[.]ug​C&C C&C URL 
Scarsa[.]ac[.]ug​C&C C&C URL 
185.215.113[.]77IPC&C IP

About Us  

Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the Darkweb. Its prime focus is to provide organizations with real-time visibility to their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Start-ups to Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com.   

Scroll to Top