October 31, 2024
By Cybervergent Team

Threat Analysis of AZORULT Malware

AZORult is a notorious information-stealer malware that first emerged in 2016,primarily targeting Windows systems. It is designed to exfiltrate sensitive data, including credentials, payment information, and cryptocurrency wallet details. Over the years, it has evolved through various versions, enhancing its capabilities and distribution methods.

Key Findings

File format: Portable Executable (PE) file, compiled using C/C++.

Functionality:

AZORult operates as both an information stealer and a dropper, capable of downloading additional malware. Its primary functions include:

·       Data Theft: Collects browser history, login credentials from various applications(e.g., Discord, Steam), cookies, and cryptocurrency wallet private keys24.

·       Commandand Control (C2) Communication: Stolen data is packaged into a ZIP file,encrypted, and sent to its C2 server via HTTP POST requests

Potential risks: Significant threat to user privacy and security.

This information can be used by security professionals and individuals to detect and mitigate threats posed by Azorult.exe.


This analysis provides a comprehensive overview of the file's structure, behavior, and potential risks.


Analyzing a Suspicious File: Azorult.exe

Static Analysis

The analysis of 'azorult.exe' revealed its hash, confirmed as malware by 62 vendors on VirusTotal. It uses anti-analysis techniques such as debugger detection and extended sleep functions to evade detection. The manifest file requests administrative privileges, indicating its intent for invasive system operations. DLL imports suggest capabilities in network communication, file manipulation, and system monitoring. Additionally, the malware employs various APIs for internet communication, system information collection, debugging checks, thread suspension, and ICMP requests, reflecting its complex, multi-functional behavior.

Figure 1:Information on the Binary

FileHash Generation

Figure 2:Hash of the binary

Figure 3:Virustotal result of the Hash

Manifest File Analysis

Figure 4:Manifest File

DLLsand APIs used By the Binary

Figure 5:DLLs used By the Binary

Figure 6:Imported API Functions by the Binary

Dynamic Analysis
The malware 'azorult.exe' demonstrated several malicious behaviors during analysis. Offline, it attempted to disable User Account Control (UAC), seeking administrative privileges to modify settings. It also made registry changes for persistent remote access, compromising system integrity. Once connected to the internet, it created and deleted core services, and used WScript to execute hidden scripts, including the installation of additional malware.

UACBypass

Figure 7:UAC Bypass Alert

Figure 8:Registry Keys Modified

Figure 9:Alerts Upon Detonation of the Binary

Figure10: Use of Wscript to run a script

Figure11: Files downloaded in the C:\ProgramData\Windows Directory

Insights into the VBS file 

Figure12: Content of the VBS file

Figure13: Content of the batch file

The VBS file executed a hidden batch file ("install.bat"), imported registry settings, and launched "rutserv.exe," which, though typically legitimate, was leveraged for persistence. Network analysis revealed DNS queries to malicious domains and HTTP interactions with a command-and-control server, indicating credential collection, server communication, and data exfiltration. It also initiated cryptocurrency mining using system resources.

Further process Monitoring

Figure14: Activity of rutserv.exe

Network Activities

Figure 15: DNS Queries and Responses

Figure16: HTTP Requests to taskhostw.com

Figure17: Contents of the HTTP Requests and Responses

Figure18: HTTP to get a Configuration file that mines Cryptocurrency

Further investigation identified "ink.exe" as responsible for the mining activity. The malware employed self-deletion of code post-execution to evade detection. AutoIt scripting was also utilized, revealing additional executables and scripts that facilitated malware installation, system control, and evasion. These behaviors illustrate a sophisticated attack strategy targeting persistence, system manipulation, and detection evasion.

Analysis of a downloaded executable

Figure19: Hash of ink.exe

Figure20:  Strings of ink.exe

Second Detonation

Figure21: Error Message When detonated the second time

AutoIt Binary Analysis

Figure22: Result of cracking the AutoIt-Compiled Binary

                             

Figure23: Contents of Clean.bat                                                               Figure 24: Contents of Temp.bat

Figure25: Contents of script.au3

Conclusion
The analysis of 'azorult.exe' and its related components reveals a highly sophisticated, multi-stage malware operation focused on persistence, system control, and evasion. Key elements include attempts to modify security settings by disabling UAC, making registry changes for sustained remote access, and leveraging both legitimate and malicious processes to establish persistence. Its use of WScript and hidden scripts for executing secondary payloads, including additional malware like 'rutserv.exe,' further highlights its versatility.

Network activities, such as DNS queries and HTTP communication with command-and-control servers, signal active data exfiltration, credential theft, and system monitoring. Moreover, the malware exploits system resources for cryptocurrency mining, with components like 'ink.exe' designed for this purpose. The use of AutoIt scripting to obfuscate and execute further malicious code underscores the complex nature of its attack chain.

By combining anti-detection measures like self-deleting code and debugger avoidance techniques with administrative-level operations, 'azorult.exe' exhibits highly adaptive and evasive behavior, designed to maintain long-term access and control over compromised systems. This combination of stealth, persistence, and resource exploitation makes it a potent threat, especially in environments where layered defenses are weak or misconfigured.


Recommendations

  • Isolate Affected Systems: Disconnect the infected machine from the network to prevent further spread and communication with     command-and-control servers.
  • Perform a Thorough Scan: Use reputable antivirus/anti-malware tools to perform a comprehensive scan and remove identified threats.
  • Remove Malicious Files: Delete the dropped files and any related artifacts found in C:\ProgramData\Windows,     C:\ProgramData\Microsoft\Intel\, and other suspicious directories.
  • Restore Registry Settings: Revert any registry changes made by the malware, particularly those related to remote access and persistence.
  • Restore Services: Reinstall or repair any affected services like swprv to ensure system stability.
  • Check and Repair Network Configurations: Ensure that network configurations are restored to their original state and that no malicious network connections or DNS settings are left behind.

IOCs

Mainobject - azorult.exe

·       md55df0cf8b8aa7e56884f71da3720fb2c6

·       sha10610e911ade5d666a45b41f771903170af58a05a

·       sha256dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360

Dropped executable file

  • C:\Users\admin\AppData\Local\Temp\autAA65.tmp 
  • C:\Users\admin\AppData\Local\Temp\autC159.tmp 
  • C:\ProgramData\install\ink.exe     : ef3839826ed36f3a534d1d099665b909
  • C:\ProgramData\Windows\rfusclient.exe 
  • C:\ProgramData\Windows\rutserv.exe 
  • C:\ProgramData\Windows\winit.exe 
  • C:\ProgramData\Windows\vp8encoder.dll 
  • C:\ProgramData\Windows\vp8decoder.dll 
  • C:\ProgramData\Microsoft\Intel\P.exe 
  • C:\ProgramData\Microsoft\Intel\R8.exe 
  • C:\ProgramData\Microsoft\Intel\winlog.exe 
  • C:\ProgramData\Microsoft\Intel\taskhost.exe 
  • C:\ProgramData\RealtekHD\taskhostw.exe 
  • C:\ProgramData\Microsoft\rootsystem\1.exe 
  • C:\rdp\Rar.exe 
  • C:\ProgramData\Microsoft\Intel\winlogon.exe 
  • C:\rdp\RDPWInst.exe 
  • C:\Users\admin\AppData\Local\Temp\aut2761.tmp 
  • C:\Program     Files\RDP Wrapper\rdpwrap.dll 
  • C:\Windows\System32\rfxvmt.dll

DNS requests

  •  iplogger.org
  •  boglogov.site
  •  taskhostw.com
  •  freemail.freehost.com.ua
  •  c.pki.goog
  •  rms-server.tektonit.ru
  •  raw.githubusercontent.com
  •  ip-api.com

Connections

  •  109.248.203.81
  •  40.126.32.140
  •  152.89.218.85
  •  185.199.108.133
  •  172.67.74.161
  •  23.218.210.69
  •  224.0.0.251
  •  20.12.23.50
  •  184.30.21.171
  •  20.190.159.23
  •  194.0.200.251
  •  208.95.112.1
  •  95.213.205.83

HTTP/HTTPS requests

  • http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
  • http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
  •   http://ip-api.com/json
  • http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
  • http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
  • http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAz1vQYrVgL0erhQLCPM8GY%3D
  •   http://c.pki.goog/r/gsr1.crl
  •   http://c.pki.goog/r/r4.crl
  •   http://taskhostw.com/L.html
  •   http://taskhostw.com/randomink/STATUS.html
  •   http://taskhostw.com/randomink/loaderTOP.html
  •   http://taskhostw.com/randomink/Login.html
  •   http://taskhostw.com/randomink/Password.html
  •   http://taskhostw.com/randomink/Server.html