Let’s Learn: Reversing Credential and Payment Card Information Stealer ‘AZORult V2’

Goal: Reverse the second version of the popular credential and payment card information stealer “AZORult”
Original find: @DynamicAnalysis
Source: AU2_EXEsd.exe
Tool: OllyDBG, CFF Explorer

Brief overview: AZORult Version 2 Stealer, written in Borland Delphi, collects information, sends a report to the C2 server, then self-deletes. AZORult steals cookies, saved passwords, and saved credit card information from browsers. It also steals XMPP and Bitcoin wallet information. Additionally, the malware is able to grab files from the Desktop with specified extensions. It supports .bit domain communication.
Command-and-Control (C2) Server: parking-services[.]us/gate[.]php
Mutex: as8d749s8adq98w4d65sa1

AZORult’s getcfg=ADE97CA-F64C8173-1D26C270-B040AB046 value

It encodes streams and separates the report information as follows:
  • Browsers\AutoComplete\_CC.txt
  • Browsers\AutoComplete\__.default
  • Browsers\Cookies\__.default.txt
  • IP.txt
  • Passwords.txt
  • CookieList.txt
  • SYSInfo.txt
AZORult’s custom base64-like alphabet:
Obtains Windows version via ProductName Registry value:
The harvested SYSINFO victim information is in the following format:

  • BIN:
  • MachineID: -> SOFTWARE\Microsoft\Cryptography\MachineGuid
  • EXE_PATH:
  • DLL_PATH:
  • Windows: -> SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName
  • Comp(User):
  • CPU Model: -> HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
  • [System Process]
  • [Programms]

AZORult obtains the user and computer names via the usual GetUserName and GetComputerName APIs.

The stealer targets the following applications for credential harvesting:


  • Google Chrome (including x64)
  • YandexBrowser
  • Opera
  • Firefox
  • Orbitum
  • Chromium
  • Amigo
  • Outlook
  • FileZilla
  • WinSCP
  • Thunderbird
  • 360Browser
  • Vivaldi
  • Bromium
  • InternetMailRu
  • Bromium
  • Nichrome
  • RockMelt
  • Skype
  • Steam
The stealer collects XMPP/Jabber credentials from the following apps:

  • PsiPlus
  • Psi
  • Pidgin

Moreover, AZORult also appears to collect the following cryptocurrency wallet files and paths:
  • wallet.dat
  • \wallet.dat
  • electrum.dat
  • \electrum.dat
  • .wallet
  • \.wallet
  • %APPDATA%\MultiBitHD
  • mbhd.wallet.aes
  • \MultiBitHD\
  • \mbhd.wallet.aes
  • \mbhd.checkpoints
  • mbhd.checkpoints
  • \mbhd.spvchain
  • mbhd.spvchain
  • \mbhd.yaml
  • mbhd.yaml
  • wallet_path
  • Software\monero-project\monero-core
  • \Monero\
The Desktop file grabber collects files with .txt and .dat extensions.

For example, here are the queries AZORult's cookie/credit card grabber runs against browser SQLite tables (Firefox's moz_cookies and moz_formhistory, plus the Chromium-style cookies, autofill and credit_cards tables):
  • SELECT host, path, isSecure, expiry, name, value FROM moz_cookies
  • SELECT host_key, name, encrypted_value, value, path, secure, expires_utc FROM cookies
  • SELECT host_key, name, name, value, path, secure, expires_utc FROM cookies
  • SELECT fieldname, value FROM moz_formhistory
  • SELECT name, value FROM autofill
  • SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted value FROM credit_cards
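As an added defender-side example (not code from the original post or from the AZORult sample), the following Python scanner triages a memory dump or unpacked binary for the strings documented above: the mutex, the C2 gate path, the report file names, the registry values, the browser SQL queries and the wallet file names. It searches for each string as both ASCII and UTF-16LE, since Delphi binaries carry both encodings; the sample buffer and the scoring thresholds are constructed for illustration and are not from the write-up.

```python
# Indicator strings taken from the AZORult v2 write-up above. This is a minimal
# string-based triage scanner, not a substitute for a proper YARA rule.
AZORULT_INDICATORS = {
    "mutex": ["as8d749s8adq98w4d65sa1"],
    "c2_path": ["gate.php"],
    "report_files": ["SYSInfo.txt", "CookieList.txt", "Passwords.txt", "IP.txt"],
    "registry": [
        r"SOFTWARE\Microsoft\Cryptography\MachineGuid",
        r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName",
        r"HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString",
    ],
    "browser_sql": [
        "SELECT host, path, isSecure, expiry, name, value FROM moz_cookies",
        "SELECT fieldname, value FROM moz_formhistory",
        "FROM credit_cards",
    ],
    "wallets": ["mbhd.wallet.aes", "electrum.dat", "wallet.dat"],
}

def scan_for_azorult_indicators(data: bytes) -> dict:
    """Return {category: [matched strings]} for indicators present as ASCII or UTF-16LE."""
    hits = {}
    for category, strings in AZORULT_INDICATORS.items():
        for s in strings:
            ascii_needle = s.encode("ascii")
            wide_needle = s.encode("utf-16-le")   # Delphi WideString / registry paths
            if ascii_needle in data or wide_needle in data:
                hits.setdefault(category, []).append(s)
    return hits

def triage_verdict(hits: dict) -> str:
    # Thresholds are a constructed heuristic: the mutex plus the harvesting
    # strings is the behaviour profile described in the write-up.
    categories = len(hits)
    if "mutex" in hits and categories >= 3:
        return "likely-azorult-v2"
    if categories >= 2:
        return "stealer-like"
    return "no-match"

# Constructed test buffer mixing ASCII and UTF-16LE strings; not bytes from a real sample.
SAMPLE = (b"\x00" * 16 + "as8d749s8adq98w4d65sa1".encode("utf-16-le")
          + b"SELECT fieldname, value FROM moz_formhistory\x00"
          + r"SOFTWARE\Microsoft\Cryptography\MachineGuid".encode("utf-16-le")
          + b"mbhd.wallet.aes\x00")

if __name__ == "__main__":
    found = scan_for_azorult_indicators(SAMPLE)
    print(found, triage_verdict(found))
```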
Self-delete function:
