AZORult

Posted: February 24, 2017
Threat Metric
Threat Level: 8/10
Infected PCs: 519,918

AZORult Description

AZORult is a Trojan downloader and spyware combination that can collect information from your computer, as well as enable other attacks by downloading and installing independent threats. Different threat actors are leveraging AZORult in campaigns that are using either spam e-mails or exploit kits for distribution. Let your anti-malware utilities block and remove AZORult automatically and take proper steps for re-securing any data on your computer, such as passwords.

A Spyware with Its Hands in Every Pie

While most threats specialize in very particular 'genres' of attacks, some are enablers of others, and a minority of those combine payloads for accomplishing specific goals with the installation of threats that have more features. As a representative of that last category, malware analysts are highlighting AZORult, which is receiving in-depth development and updates as of mid-2018 and is involved in the spread of both file-locker Trojans and spyware. Besides these details, AZORult also includes some default, data-grabbing features of its own.

Some of the past scenarios utilizing AZORult include campaigns by the Chthonic Banking Trojan (which is an update of the infamous Keylogger Zeus), along with the Hermes Ransomware, by separate threat actors. In both instances, AZORult acts as the 'delivery' aspect of the attack and drops the second threat after accomplishing the rest of its payload. Setting aside the varying threatening software that it may drop, malware experts are confirming the following functions for the latest version of AZORult:

  • AZORult may collect the PC's Web-browsing history from a range of browsers, with the exceptions of Internet Explorer and Edge.
  • AZORult may compromise the credentials of any cryptocurrency accounts, such as Bitcoin wallets, allowing criminals to take the associated money.
  • Besides its spyware functionality, AZORult also is a working Trojan downloader and may download, install and run other threats, based on commands that its remote attacker sends via its admin panel.

AZORult also provides general system status reports and may use proxies, when appropriate.

The Trojan behind the Password

Two of the infection strategies for disseminating AZORult include EKs or exploit kits that compromise website traffic, as well as more traditional, spam e-mail attacks. The latter method may disguise AZORult's installer as a work-related document, such as a resume. Some of the last attacks that malware researchers took note of included an additional layer of password protection on the attachments, with the e-mail providing the password in its body; this unusual formatting choice could be the threat actor's attempt at hiding the unsafe contents from any security software, since a scanner cannot inspect the contents of a password-protected archive without the password.

Although threats that it downloads could lock and ransom your files, or conduct other attacks, AZORult is a significant threat to the PC in its own right. Most cryptocurrency wallets should be presumed compromised after an AZORult infection, along with passwords and similar, confidential credentials related to online accounts. Having your anti-malware product uninstall AZORult at the first opportunity is the most appropriate defense against this threat, which, like almost all spyware, suppresses most of the visible symptoms of its presence.

Whether it uses in-browser scripts or a text document's macro for installing itself, AZORult is one of many threats that take advantage of careless security practices from the web surfers that it attacks. Ironically, some aspects of its utilization, such as dropping a file-locking Trojan after collecting anything of any value, may seem self-contradicting, but that caveat is of little comfort to anyone cleaning up an AZORult infection.

Use SpyHunter to Detect and Remove PC Threats

If you are concerned that malware or PC threats similar to AZORult may have infected your computer, we recommend you start an in-depth system scan with SpyHunter. SpyHunter is an advanced malware protection and remediation application that offers subscribers a comprehensive method for protecting PCs from malware, in addition to providing one-on-one technical support service.

Download SpyHunter's Malware Scanner

Note: SpyHunter's free version is only for malware detection. If SpyHunter detects malware on your PC, you will need to purchase SpyHunter's malware tool to remove the malware threats. Learn more on SpyHunter. If you would like to uninstall SpyHunter for any reason, please follow these uninstall instructions. To learn more about our policies and practices, visit our EULA, Privacy Policy and Threat Assessment Criteria.

Why can't I open any program including SpyHunter? You may have a malware file running in memory that kills any programs that you try to launch on your PC. Tip: Download SpyHunter from a clean computer, copy it to a USB thumb drive, DVD or CD, then install it on the infected PC and run SpyHunter's malware scanner.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:

File name: 9994f688218d3c00c68937f2295fe6cd
Size: 284.67 KB (284672 bytes)
MD5: 9994f688218d3c00c68937f2295fe6cd
Detection count: 99
Group: Malware file

File name: binances.exe
Path: c:\users\alan.k\desktop\desktop ii\esgtools\esg tools\tools\info (2)\info\binances\crypt\
Size: 380.41 KB (380416 bytes)
MD5: 6439131def75c6ef73cb43467c9444ff
Detection count: 21
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: May 15, 2020

File name: file.exe
Size: 538.95 KB (538952 bytes)
MD5: ab9330711166d04bd3814aa5a4873357
Detection count: 15
File type: Executable File
Mime Type: unknown/exe
Group: Malware file

File name: 69ef96c982cd06ab342adbc051adb990
Size: 129.53 KB (129536 bytes)
MD5: 69ef96c982cd06ab342adbc051adb990
Detection count: 5
Group: Malware file
Last Updated: April 22, 2020

Registry Modifications

The following newly produced Registry Values are:

Regexp file mask
  • %appdata%\4eddrftbgvfc.exe
  • %appdata%\cdegef.exe
  • %appdata%\revdd.exe
  • %appdata%\rtfvdc.exe
  • %appdata%\uyntbrvfec.exe
  • %appdata%\vgrfdcsx.exe
  • %windir%\wotsuper.reg

Registry key
  • Software\Margin Trade
  • SYSTEM\ControlSet001\services\BYTEDOWNLOAD PROTECT SERVICE
  • SYSTEM\ControlSet002\services\BYTEDOWNLOAD PROTECT SERVICE
  • SYSTEM\CurrentControlSet\services\BYTEDOWNLOAD PROTECT SERVICE
  • HKEY_LOCAL_MACHINE\Software\[APPLICATION]\Microsoft\Windows\CurrentVersion\Uninstall..{Uninstaller}LetsSee! 2.15
  • WOTSUPER 2.1
  • {185623589-5865-4F66-B722-EE1C7FDA0836}_is1

Directory
  • %APPDATA%\Margin Trade
  • %PROGRAMFILES%\Dada\softsinn
  • %PROGRAMFILES%\Issue\softsinn
  • %PROGRAMFILES%\karim\softsinn
  • %PROGRAMFILES%\LetsSee!
  • %PROGRAMFILES%\LetsSeeI
  • %PROGRAMFILES%\Margin Trade
  • %PROGRAMFILES%\rundll\softsinn
  • %PROGRAMFILES%\wotsuper
  • %PROGRAMFILES(x86)%\Dada\softsinn
  • %PROGRAMFILES(x86)%\Issue\softsinn
  • %PROGRAMFILES(x86)%\karim\softsinn
  • %PROGRAMFILES(x86)%\LetsSee!
  • %PROGRAMFILES(x86)%\LetsSeeI
  • %PROGRAMFILES(x86)%\Lov\softsinn
  • %PROGRAMFILES(x86)%\Margin Trade
  • %PROGRAMFILES(x86)%\rundll\softsinn
  • %PROGRAMFILES(x86)%\wotsuper
  • %WINDIR%\System32\softsinn
  • %WINDIR%\SysWOW64\softsinn
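The file hashes, file masks, directories and registry keys in the two Technical Details sections above are only useful to a defender once they can be compared against what a host actually shows. The Python script below is an added example, not code from this page or from any vendor mentioned on it: it carries a representative subset of the page's indicators (the placeholder entries containing [APPLICATION] and {Uninstaller} are left out), expands the %VAR% masks against a constructed environment map for a hypothetical Windows host, strips registry hive prefixes so that HKLM\SYSTEM\... matches the hive-less form used in the listing, and runs a constructed list of observations through the matcher. The host name, user name and event list are assumptions made for the example.

```python
import hashlib
import re

# Indicators transcribed from the Technical Details sections of this page
# (a representative subset; the remaining entries can be appended verbatim).
KNOWN_MD5 = {
    "9994f688218d3c00c68937f2295fe6cd",
    "6439131def75c6ef73cb43467c9444ff",
    "ab9330711166d04bd3814aa5a4873357",
    "69ef96c982cd06ab342adbc051adb990",
}
FILE_MASKS = [
    r"%appdata%\4eddrftbgvfc.exe",
    r"%appdata%\revdd.exe",
    r"%appdata%\vgrfdcsx.exe",
    r"%windir%\wotsuper.reg",
]
DIRECTORY_MASKS = [
    r"%APPDATA%\Margin Trade",
    r"%PROGRAMFILES%\wotsuper",
    r"%PROGRAMFILES(x86)%\LetsSee!",
    r"%WINDIR%\SysWOW64\softsinn",
]
REGISTRY_KEYS = [
    r"Software\Margin Trade",
    r"SYSTEM\ControlSet001\services\BYTEDOWNLOAD PROTECT SERVICE",
    r"SYSTEM\CurrentControlSet\services\BYTEDOWNLOAD PROTECT SERVICE",
]

# Constructed environment of a hypothetical host (assumption for the example);
# on a real Windows machine os.environ supplies these values.
SAMPLE_ENV = {
    "APPDATA": r"C:\Users\alice\AppData\Roaming",
    "WINDIR": r"C:\Windows",
    "PROGRAMFILES": r"C:\Program Files",
    "PROGRAMFILES(X86)": r"C:\Program Files (x86)",
}

_VAR = re.compile(r"%([^%]+)%")
_HIVES = {"hkey_local_machine", "hklm", "hkey_current_user", "hkcu"}


def expand(mask, env):
    """Expand %VAR% placeholders case-insensitively, as the Windows shell does.
    Unknown variables stay in place so they can never match a real path."""
    return _VAR.sub(lambda m: env.get(m.group(1).upper(), m.group(0)), mask)


def norm_path(path):
    """Case-fold and strip trailing separators (NTFS paths are case-insensitive)."""
    return path.strip().rstrip("\\").lower()


def norm_regkey(key):
    """Case-fold and drop a leading hive name (HKLM, HKEY_CURRENT_USER, ...)
    so a fully qualified key compares equal to the page's hive-less form."""
    parts = norm_path(key).split("\\")
    if parts and parts[0] in _HIVES:
        parts = parts[1:]
    return "\\".join(parts)


def match_file(path, env):
    """Return the file mask that `path` matches exactly, or None."""
    target = norm_path(path)
    for mask in FILE_MASKS:
        if norm_path(expand(mask, env)) == target:
            return mask
    return None


def match_directory(path, env):
    """Return the directory mask that `path` equals or lies beneath, or None."""
    target = norm_path(path)
    for mask in DIRECTORY_MASKS:
        root = norm_path(expand(mask, env))
        if target == root or target.startswith(root + "\\"):
            return mask
    return None


def match_regkey(key):
    """Return the listed registry key that `key` matches, or None."""
    target = norm_regkey(key)
    for mask in REGISTRY_KEYS:
        if norm_regkey(mask) == target:
            return mask
    return None


def md5_hex(data):
    """MD5 of a file's content, for comparison with the hashes listed above."""
    return hashlib.md5(data).hexdigest()


def is_known_hash(digest):
    return digest.strip().lower() in KNOWN_MD5


def scan(events, env=SAMPLE_ENV):
    """Match (kind, value) observations against the indicators; kind is one of
    'file', 'dir', 'regkey', 'md5'. Returns (kind, value, indicator) hits."""
    handlers = {
        "file": lambda v: match_file(v, env),
        "dir": lambda v: match_directory(v, env),
        "regkey": match_regkey,
        "md5": lambda v: v.lower() if is_known_hash(v) else None,
    }
    return [(k, v, handlers[k](v)) for k, v in events if handlers[k](v)]


# Constructed observations, as a file-creation and registry audit might yield.
SAMPLE_EVENTS = [
    ("file", r"C:\Users\alice\AppData\Roaming\revdd.exe"),
    ("file", r"C:\Users\alice\AppData\Roaming\Microsoft\Word\~WRL0001.tmp"),
    ("dir", r"C:\Program Files (x86)\LetsSee!\bin"),
    ("regkey", r"HKLM\SYSTEM\CurrentControlSet\services\BYTEDOWNLOAD PROTECT SERVICE"),
    ("regkey", r"HKLM\SYSTEM\CurrentControlSet\services\Dnscache"),
    ("md5", "6439131DEF75C6EF73CB43467C9444FF"),
]

if __name__ == "__main__":
    for kind, value, indicator in scan(SAMPLE_EVENTS):
        print(f"{kind:7} {value}  <-  {indicator}")
```

Two design points matter for such a matcher. Path and registry comparisons are case-folded because NTFS and the registry are case-insensitive, so an exact-string comparison would miss trivially different spellings; and the directory check treats anything beneath a listed directory as a hit, since the page lists the installation directories rather than every file inside them. The MD5 list is an exact-match signature and will not catch recompiled samples, so the file and registry artifacts are the more durable indicators of the two.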
