
AZORult

Posted: February 24, 2017

Threat Metric

Ranking: 4,680
Threat Level: 8/10
Infected PCs: 535,856
First Seen: February 24, 2017
Last Seen: October 16, 2023
OS(es) Affected: Windows


AZORult is a combined Trojan downloader and spyware: it collects information from the infected computer and enables further attacks by downloading and installing other threats. Different threat actors use AZORult in campaigns that are distributed through spam e-mails or exploit kits. Let your anti-malware utilities block and remove AZORult automatically, then re-secure any data the infection could have exposed, such as passwords.

A Spyware with Its Hands in Every Pie

While most threats specialize in very particular 'genres' of attacks, some exist to enable others, and a minority combine payloads of their own with the installation of more fully featured threats. AZORult is a representative of that last category: malware analysts note that it is receiving in-depth development and updates as of mid-2018 and is involved in spreading both file-locker Trojans and spyware. Alongside those deliveries, AZORult includes data-grabbing features of its own.

Past scenarios using AZORult include campaigns by the Chthonic Banking Trojan (a variant of the infamous Zeus banking Trojan) and by the Hermes Ransomware, run by separate threat actors. In both cases, AZORult acts as the 'delivery' stage of the attack and drops the second threat after completing the rest of its own payload. Regardless of whatever software it goes on to drop, malware experts confirm the following functions for the latest version of AZORult:

  • AZORult may collect the PC's Web-browsing history from various browsers, with the exceptions of Internet Explorer and Edge.
  • AZORult may compromise the credentials of cryptocurrency accounts, such as Bitcoin wallets, allowing criminals to steal the associated funds.
  • Besides its spyware functionality, AZORult is a working Trojan downloader and may download, install and run other threats, based on commands its remote attacker issues through the admin panel.

AZORult also reports general system status to its operator and may route its traffic through proxies when appropriate.

The Trojan behind the Password

Two of the infection strategies for disseminating AZORult are exploit kits (EKs) that compromise website traffic, and more traditional spam e-mail attacks. The latter may disguise AZORult's installer as a work-related document, such as a resume. Some of the latest attacks that malware researchers noted added a layer of password protection to the attachment, with the e-mail supplying the password in its body. This unusual choice is most likely the threat actor's attempt at hiding the unsafe contents from security software: a gateway scanner cannot open an encrypted archive whose password it does not have, while the recipient, reading the body, can.
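The spam pattern described above, as an added example that is not code from the original page or from any security product: a Python check that flags a message whose ZIP attachment claims encryption in its headers while the body quotes a password. An encrypted ZIP still exposes its entry names and the encryption flag (general-purpose bit 0) in the central directory, so a gateway can detect the pattern without the password. The regex, the sample message, the archive and all names and addresses are constructed for this example; Python's zipfile cannot write encrypted archives, so the test archive is a plain one whose header flag is patched.

```python
"""Gateway-side check for the AZORult spam pattern: an encrypted ZIP attachment
whose password is quoted in the message body. Added example; the sample
message and archive below are constructed, not taken from a real campaign."""
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Heuristic for "password: abc" / "the password is abc" in the body. This is an
# assumption made for the example, not a rule taken from any product.
PASSWORD_HINT = re.compile(
    r"\bpassword\b\s*(?:is|:)?\s*[\"']?([A-Za-z0-9!@#$%^&*._-]{4,})", re.IGNORECASE)


def zip_has_encrypted_entries(data: bytes) -> bool:
    """True if any entry sets general-purpose flag bit 0 (traditional PKZIP or
    AES encryption). The central directory stays readable, but the content
    cannot be opened without the password, which is what the campaign relied on."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False


def extract_password_hints(body: str) -> list:
    return PASSWORD_HINT.findall(body)


def assess_message(raw: bytes) -> dict:
    """Combine the two signals: an unscannable archive plus the key to open it."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    body = msg.get_body(preferencelist=("plain", "html"))
    hints = extract_password_hints(body.get_content() if body else "")
    encrypted = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        if payload[:2] == b"PK" and zip_has_encrypted_entries(payload):
            encrypted.append(part.get_filename() or "<unnamed>")
    return {"encrypted_zip_attachments": encrypted,
            "password_hints": hints,
            "suspicious": bool(encrypted and hints)}


def build_zip(name: str, content: bytes, claim_encrypted: bool) -> bytes:
    """Constructed test archive. zipfile cannot write encrypted entries, so a
    plain archive is written and, if requested, flag bit 0 is set in the local
    file header (offset 6) and in the central directory entry (offset 8)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, content)
    data = bytearray(buf.getvalue())
    if claim_encrypted:
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(sig)
            while pos != -1:
                data[pos + off] |= 0x1
                pos = data.find(sig, pos + len(sig))
    return bytes(data)


def build_sample_email(claim_encrypted: bool = True) -> bytes:
    """Constructed message in the style the page describes: a 'resume' inside a
    password-protected archive, with the password given in the body."""
    msg = EmailMessage()
    msg["From"] = "applicant@example.invalid"
    msg["To"] = "hr@example.invalid"
    msg["Subject"] = "Application for the open position"
    msg.set_content("Hello,\n\nMy resume is attached. The archive password is Hire2018\n\nRegards")
    archive = build_zip("resume.doc.exe", b"MZ constructed placeholder, not a real binary",
                        claim_encrypted)
    msg.add_attachment(archive, maintype="application", subtype="zip", filename="resume.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(assess_message(build_sample_email()))
```

Neither signal is conclusive alone: legitimate users do mail encrypted archives, and the password regex will match unrelated sentences such as a password-reset notice. Scoring the combination, and quarantining rather than silently dropping, keeps the false-positive cost manageable. Other container formats (7z, RAR, encrypted Office documents) need their own header checks.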

Although the threats it downloads could lock and ransom your files or conduct other attacks, AZORult is a significant threat to the PC by itself. Most cryptocurrency wallets should be presumed compromised after an AZORult infection, along with passwords and similar confidential credentials for online accounts. Having your anti-malware product uninstall AZORult at the first opportunity is the most appropriate defense against this threat, which, like almost all spyware, suppresses most visible symptoms of its presence.

Whether it installs itself through in-browser scripts or a document's macro, AZORult is one of many threats that take advantage of careless security practices by the Web surfers it attacks. Ironically, some aspects of its use, such as dropping a file-locking Trojan after collecting everything of value, may seem self-contradictory, but that is of little comfort to anyone cleaning up an AZORult infection.

Technical Details

File System Modifications


The following files were created in the system:

binances.exe
  Path: c:\Users\<username>\desktop\desktop ii\esgtools\esg tools\tools\info (2)\info\binances\crypt\binances.exe
  Size: 380.41 KB (380416 bytes)
  MD5: 6439131def75c6ef73cb43467c9444ff
  Detection count: 225
  File type: Executable File
  Mime Type: unknown/exe
  Group: Malware file
  Last Updated: January 14, 2021

9994f688218d3c00c68937f2295fe6cd
  Size: 284.67 KB (284672 bytes)
  MD5: 9994f688218d3c00c68937f2295fe6cd
  Detection count: 99
  Group: Malware file

file.exe
  Size: 538.95 KB (538952 bytes)
  MD5: ab9330711166d04bd3814aa5a4873357
  Detection count: 15
  File type: Executable File
  Mime Type: unknown/exe
  Group: Malware file

69ef96c982cd06ab342adbc051adb990
  Size: 129.53 KB (129536 bytes)
  MD5: 69ef96c982cd06ab342adbc051adb990
  Detection count: 5
  Group: Malware file
  Last Updated: April 22, 2020

Registry Modifications

The following newly produced Registry Values are:

Regexp file mask:
  %appdata%\4eddrftbgvfc.exe
  %appdata%\cdegef.exe
  %appdata%\revdd.exe
  %appdata%\rtfvdc.exe
  %appdata%\uyntbrvfec.exe
  %appdata%\vgrfdcsx.exe
  %windir%\wotsuper.reg

HKEY..\..\..\..{RegistryKeys}:
  Software\Margin Trade
  SYSTEM\ControlSet001\services\BYTEDOWNLOAD PROTECT SERVICE
  SYSTEM\ControlSet002\services\BYTEDOWNLOAD PROTECT SERVICE
  SYSTEM\CurrentControlSet\services\BYTEDOWNLOAD PROTECT SERVICE

HKEY_LOCAL_MACHINE\Software\[APPLICATION]\Microsoft\Windows\CurrentVersion\Uninstall..{Uninstaller}:
  LetsSee! 2.15
  WOTSUPER 2.1
  {185623589-5865-4F66-B722-EE1C7FDA0836}_is1

Additional Information

The following directories were created:
  %APPDATA%\Margin Trade
  %PROGRAMFILES%\Dada\softsinn
  %PROGRAMFILES%\Issue\softsinn
  %PROGRAMFILES%\LetsSee!
  %PROGRAMFILES%\LetsSeeI
  %PROGRAMFILES%\Margin Trade
  %PROGRAMFILES%\karim\softsinn
  %PROGRAMFILES%\rundll\softsinn
  %PROGRAMFILES%\wotsuper
  %PROGRAMFILES(x86)%\Dada\softsinn
  %PROGRAMFILES(x86)%\Issue\softsinn
  %PROGRAMFILES(x86)%\LetsSee!
  %PROGRAMFILES(x86)%\LetsSeeI
  %PROGRAMFILES(x86)%\Lov\softsinn
  %PROGRAMFILES(x86)%\Margin Trade
  %PROGRAMFILES(x86)%\karim\softsinn
  %PROGRAMFILES(x86)%\rundll\softsinn
  %PROGRAMFILES(x86)%\wotsuper
  %WINDIR%\SysWOW64\softsinn
  %WINDIR%\System32\softsinn
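As an added example (not tooling from the original page), the following Python sweep turns the indicators listed in this Technical Details section into an offline check of a file tree: it expands the %VAR% drop-path masks against a caller-supplied environment, so the same masks can be run against a mounted disk image from an analysis box, and it hashes every file under a root against the MD5s listed above. The demo tree, its file contents and the extra hash the demo adds to the IOC set are constructed here; the registry keys, service names and uninstaller entries listed above are not covered and need a live-host check.

```python
"""Offline sweep of a file tree for the AZORult indicators listed on this page.
Added example, not the page's own tooling; the demo tree is constructed here."""
import hashlib
import os
import re
import shutil
import tempfile
from pathlib import Path

# MD5s from the "File System Modifications" list above.
AZORULT_MD5S = {
    "6439131def75c6ef73cb43467c9444ff",
    "9994f688218d3c00c68937f2295fe6cd",
    "ab9330711166d04bd3814aa5a4873357",
    "69ef96c982cd06ab342adbc051adb990",
}

# A subset of the drop locations from the file-mask and directory lists above.
AZORULT_PATH_MASKS = [
    r"%APPDATA%\4eddrftbgvfc.exe", r"%APPDATA%\cdegef.exe", r"%APPDATA%\revdd.exe",
    r"%APPDATA%\rtfvdc.exe", r"%APPDATA%\uyntbrvfec.exe", r"%APPDATA%\vgrfdcsx.exe",
    r"%WINDIR%\wotsuper.reg", r"%APPDATA%\Margin Trade",
    r"%PROGRAMFILES%\Margin Trade", r"%PROGRAMFILES(x86)%\Margin Trade",
    r"%PROGRAMFILES%\wotsuper", r"%PROGRAMFILES(x86)%\wotsuper",
    r"%WINDIR%\System32\softsinn", r"%WINDIR%\SysWOW64\softsinn",
]
_VAR = re.compile(r"%([^%]+)%")


def expand_mask(mask: str, env: dict) -> Path:
    """Expand %VAR% tokens from the supplied environment, case-insensitively.
    Passing env explicitly (instead of reading os.environ) lets the masks be
    checked against a mounted disk image from a non-Windows analysis box."""
    upper = {k.upper(): v for k, v in env.items()}
    expanded = _VAR.sub(lambda m: upper.get(m.group(1).upper(), m.group(0)), mask)
    return Path(expanded.replace("\\", os.sep))


def md5_file(path: Path) -> str:
    """Chunked MD5 so large files are not read into memory at once."""
    h = hashlib.md5()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root: Path, env: dict, md5_iocs=AZORULT_MD5S, masks=AZORULT_PATH_MASKS) -> dict:
    """Report known drop paths that exist and files under root whose MD5 is an IOC."""
    path_hits = [str(p) for p in (expand_mask(m, env) for m in masks) if p.exists()]
    hash_hits = []
    for p in root.rglob("*"):
        if p.is_file():
            digest = md5_file(p)
            if digest in md5_iocs:
                hash_hits.append((str(p), digest))
    return {"path_hits": sorted(path_hits), "hash_hits": sorted(hash_hits)}


def build_demo_tree(base: Path) -> dict:
    """Constructed layout: one file at an AZORult drop path, one file whose hash
    the demo will treat as an IOC, and one benign file. Returns the fake env."""
    appdata, windir = base / "AppData" / "Roaming", base / "Windows"
    programfiles, downloads = base / "Program Files", base / "Downloads"
    for d in (appdata, windir, programfiles, downloads):
        d.mkdir(parents=True, exist_ok=True)
    (appdata / "cdegef.exe").write_bytes(b"MZ constructed placeholder, not malware")
    (downloads / "binances.exe").write_bytes(b"MZ constructed sample for the hash demo")
    (downloads / "notes.txt").write_text("benign file, must not be reported")
    return {"APPDATA": str(appdata), "WINDIR": str(windir),
            "PROGRAMFILES": str(programfiles), "PROGRAMFILES(X86)": str(programfiles)}


def run_demo() -> dict:
    """Build the demo tree in a temp dir, sweep it, clean up, return the findings."""
    base = Path(tempfile.mkdtemp(prefix="azorult-demo-"))
    try:
        env = build_demo_tree(base)
        sample = base / "Downloads" / "binances.exe"
        # No real sample ships with this page, so the constructed file's own hash
        # is added to the IOC set to exercise the hash-match branch.
        result = sweep(base, env, md5_iocs=AZORULT_MD5S | {md5_file(sample)})
        result["expected_path_hit"] = str(expand_mask(r"%APPDATA%\cdegef.exe", env))
        result["expected_hash_hit"] = str(sample)
        return result
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    print(run_demo())
```

The four hashes identify only the specific builds that were analysed; a repacked or rebuilt sample will not match, so path hits and the registry and service entries above deserve as much attention as hash hits. On a live Windows host the same masks can be fed from the real environment by passing `dict(os.environ)` as `env` and the system drive as `root`.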