AZORult is a notorious information-stealer malware that first emerged in 2016,primarily targeting Windows systems. It is designed to exfiltrate sensitive data, including credentials, payment information, and cryptocurrency wallet details. Over the years, it has evolved through various versions, enhancing its capabilities and distribution methods.
Key Findings
File format: Portable Executable (PE) file, compiled using C/C++.
Functionality:
AZORult operates as both an information stealer and a dropper, capable of downloading additional malware. Its primary functions include:
· Data Theft: Collects browser history, login credentials from various applications(e.g., Discord, Steam), cookies, and cryptocurrency wallet private keys24.
· Commandand Control (C2) Communication: Stolen data is packaged into a ZIP file,encrypted, and sent to its C2 server via HTTP POST requests
Potential risks: Significant threat to user privacy and security.
This information can be used by security professionals and individuals to detect and mitigate threats posed by Azorult.exe.
This analysis provides a comprehensive overview of the file's structure, behavior, and potential risks.
Analyzing a Suspicious File: Azorult.exe
Static Analysis
The analysis of 'azorult.exe' revealed its hash, confirmed as malware by 62 vendors on VirusTotal. It uses anti-analysis techniques such as debugger detection and extended sleep functions to evade detection. The manifest file requests administrative privileges, indicating its intent for invasive system operations. DLL imports suggest capabilities in network communication, file manipulation, and system monitoring. Additionally, the malware employs various APIs for internet communication, system information collection, debugging checks, thread suspension, and ICMP requests, reflecting its complex, multi-functional behavior.
Figure 1:Information on the Binary
FileHash Generation
Figure 2:Hash of the binary
Figure 3:Virustotal result of the Hash
Manifest File Analysis
Figure 4:Manifest File
DLLsand APIs used By the Binary
Figure 5:DLLs used By the Binary
Figure 6:Imported API Functions by the Binary
Dynamic Analysis
The malware 'azorult.exe' demonstrated several malicious behaviors during analysis. Offline, it attempted to disable User Account Control (UAC), seeking administrative privileges to modify settings. It also made registry changes for persistent remote access, compromising system integrity. Once connected to the internet, it created and deleted core services, and used WScript to execute hidden scripts, including the installation of additional malware.
UACBypass
Figure 7:UAC Bypass Alert
Figure 8:Registry Keys Modified
Figure 9:Alerts Upon Detonation of the Binary
Figure10: Use of Wscript to run a script
Figure11: Files downloaded in the C:\ProgramData\Windows Directory
Insights into the VBS file
Figure12: Content of the VBS file
Figure13: Content of the batch file
The VBS file executed a hidden batch file ("install.bat"), imported registry settings, and launched "rutserv.exe," which, though typically legitimate, was leveraged for persistence. Network analysis revealed DNS queries to malicious domains and HTTP interactions with a command-and-control server, indicating credential collection, server communication, and data exfiltration. It also initiated cryptocurrency mining using system resources.
Further process Monitoring
Figure14: Activity of rutserv.exe
Network Activities
Figure 15: DNS Queries and Responses
Figure16: HTTP Requests to taskhostw.com
Figure17: Contents of the HTTP Requests and Responses
Figure18: HTTP to get a Configuration file that mines Cryptocurrency
Further investigation identified "ink.exe" as responsible for the mining activity. The malware employed self-deletion of code post-execution to evade detection. AutoIt scripting was also utilized, revealing additional executables and scripts that facilitated malware installation, system control, and evasion. These behaviors illustrate a sophisticated attack strategy targeting persistence, system manipulation, and detection evasion.
Analysis of a downloaded executable
Figure19: Hash of ink.exe
Figure20: Strings of ink.exe
Second Detonation
Figure21: Error Message When detonated the second time
AutoIt Binary Analysis
Figure22: Result of cracking the AutoIt-Compiled Binary
Figure23: Contents of Clean.bat Figure 24: Contents of Temp.bat
Figure25: Contents of script.au3
Conclusion
The analysis of 'azorult.exe' and its related components reveals a highly sophisticated, multi-stage malware operation focused on persistence, system control, and evasion. Key elements include attempts to modify security settings by disabling UAC, making registry changes for sustained remote access, and leveraging both legitimate and malicious processes to establish persistence. Its use of WScript and hidden scripts for executing secondary payloads, including additional malware like 'rutserv.exe,' further highlights its versatility.
Network activities, such as DNS queries and HTTP communication with command-and-control servers, signal active data exfiltration, credential theft, and system monitoring. Moreover, the malware exploits system resources for cryptocurrency mining, with components like 'ink.exe' designed for this purpose. The use of AutoIt scripting to obfuscate and execute further malicious code underscores the complex nature of its attack chain.
By combining anti-detection measures like self-deleting code and debugger avoidance techniques with administrative-level operations, 'azorult.exe' exhibits highly adaptive and evasive behavior, designed to maintain long-term access and control over compromised systems. This combination of stealth, persistence, and resource exploitation makes it a potent threat, especially in environments where layered defenses are weak or misconfigured.
Recommendations
- Isolate Affected Systems: Disconnect the infected machine from the network to prevent further spread and communication with command-and-control servers.
- Perform a Thorough Scan: Use reputable antivirus/anti-malware tools to perform a comprehensive scan and remove identified threats.
- Remove Malicious Files: Delete the dropped files and any related artifacts found in C:\ProgramData\Windows, C:\ProgramData\Microsoft\Intel\, and other suspicious directories.
- Restore Registry Settings: Revert any registry changes made by the malware, particularly those related to remote access and persistence.
- Restore Services: Reinstall or repair any affected services like swprv to ensure system stability.
- Check and Repair Network Configurations: Ensure that network configurations are restored to their original state and that no malicious network connections or DNS settings are left behind.
IOCs
Mainobject - azorult.exe
· md55df0cf8b8aa7e56884f71da3720fb2c6
· sha10610e911ade5d666a45b41f771903170af58a05a
· sha256dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360
Dropped executable file
- C:\Users\admin\AppData\Local\Temp\autAA65.tmp
- C:\Users\admin\AppData\Local\Temp\autC159.tmp
- C:\ProgramData\install\ink.exe : ef3839826ed36f3a534d1d099665b909
- C:\ProgramData\Windows\rfusclient.exe
- C:\ProgramData\Windows\rutserv.exe
- C:\ProgramData\Windows\winit.exe
- C:\ProgramData\Windows\vp8encoder.dll
- C:\ProgramData\Windows\vp8decoder.dll
- C:\ProgramData\Microsoft\Intel\P.exe
- C:\ProgramData\Microsoft\Intel\R8.exe
- C:\ProgramData\Microsoft\Intel\winlog.exe
- C:\ProgramData\Microsoft\Intel\taskhost.exe
- C:\ProgramData\RealtekHD\taskhostw.exe
- C:\ProgramData\Microsoft\rootsystem\1.exe
- C:\rdp\Rar.exe
- C:\ProgramData\Microsoft\Intel\winlogon.exe
- C:\rdp\RDPWInst.exe
- C:\Users\admin\AppData\Local\Temp\aut2761.tmp
- C:\Program Files\RDP Wrapper\rdpwrap.dll
- C:\Windows\System32\rfxvmt.dll
DNS requests
- iplogger.org
- boglogov.site
- taskhostw.com
- freemail.freehost.com.ua
- c.pki.goog
- rms-server.tektonit.ru
- raw.githubusercontent.com
- ip-api.com
Connections
- 109.248.203.81
- 40.126.32.140
- 152.89.218.85
- 185.199.108.133
- 172.67.74.161
- 23.218.210.69
- 224.0.0.251
- 20.12.23.50
- 184.30.21.171
- 20.190.159.23
- 194.0.200.251
- 208.95.112.1
- 95.213.205.83
HTTP/HTTPS requests
- http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
- http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
- http://ip-api.com/json
- http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
- http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
- http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAz1vQYrVgL0erhQLCPM8GY%3D
- http://c.pki.goog/r/gsr1.crl
- http://c.pki.goog/r/r4.crl
- http://taskhostw.com/L.html
- http://taskhostw.com/randomink/STATUS.html
- http://taskhostw.com/randomink/loaderTOP.html
- http://taskhostw.com/randomink/Login.html
- http://taskhostw.com/randomink/Password.html
- http://taskhostw.com/randomink/Server.html