AZORult infostealer first spotted by Sonicwall RTDMI engine

The SonicWall RTDMI engine observed a malware campaign delivering a new variant of the AZORult stealer. AZORult is an infostealer that collects various information from the infected system and sends it to its command-and-control (C&C) server. At the time of detection, this malicious file was not present on popular malware search portals (VirusTotal or ReversingLabs), which indicates the effectiveness of the RTDMI engine.

Fig-1 : Virustotal results for the malicious file

Analysis of AZORult
Upon analysis, it is found that the malware is packed with a custom packer to avoid detection.
After unpacking, it first retrieves the following information from the system:

  1. Machine GUID
  2. User Name
  3. Machine Name
  4. Windows version

Fig-2 : GUID

Fig-3 : Querying GUID

Fig-4 : Get computer name

Fig-5 : Get user name

After retrieving this information, it creates a named mutex to ensure that only one instance is running on the system.

The malware encrypts the information with the hardcoded XOR key “0x6521458A” and concatenates the results.
After concatenation, it URL-encodes the encrypted data. The URL-encoded data is shown below:
“%39%34CA%38%32%31%2D%31%38%35%37%39%31%31E%2D%37%36%31%30%37%37A%32%2D%30%36%37%36D%36%36%39%2DBAB%36%39%36E%30%37”
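The check-in string quoted above can be unpacked to see what the encoder produced. The following is an added example, not SonicWall's code: it takes the percent-encoded data and the XOR key 0x6521458A from this write-up, decodes the outer URL-encoding layer, and shows a fingerprint of this encoder that a defender can use when reviewing proxy or IDS captures (every decimal digit and hyphen is %XX-escaped while the letters are sent bare, which no standard URL encoder does). How the 4-byte key is applied to the data (little-endian, repeating) is an assumption of this example, not something the write-up states.

```python
"""Decode the percent-encoded check-in data quoted in the write-up.

Added example, not SonicWall's code. The percent-encoded string and the
XOR key 0x6521458A are taken from the write-up; the byte order in which the
key is applied (little-endian, repeating) is an assumption made here.
"""
from urllib.parse import unquote

# Percent-encoded data exactly as quoted in the write-up, with the two
# printed lines joined back together.
BEACON_ENCODED = (
    "%39%34CA%38%32%31%2D%31%38%35%37%39%31%31E%2D%37%36%31%30%37%37A%32"
    "%2D%30%36%37%36D%36%36%39%2DBAB%36%39%36E%30%37"
)

# Hardcoded key reported in the analysis; little-endian order is assumed.
XOR_KEY = 0x6521458A
XOR_KEY_BYTES = XOR_KEY.to_bytes(4, "little")

HEX_DIGITS = set("0123456789abcdefABCDEF")


def decode_beacon(encoded: str) -> str:
    """Undo the malware's percent-encoding step (the outer layer only)."""
    return unquote(encoded)


def split_percent_encoding(encoded: str):
    """Return (escaped, literal): characters that were %XX-escaped and
    characters that were left bare."""
    escaped, literal = [], []
    i = 0
    while i < len(encoded):
        pair = encoded[i + 1:i + 3]
        if encoded[i] == "%" and len(pair) == 2 and set(pair) <= HEX_DIGITS:
            escaped.append(chr(int(pair, 16)))
            i += 3
        else:
            literal.append(encoded[i])
            i += 1
    return escaped, literal


def has_digit_only_percent_encoding(encoded: str) -> bool:
    """Fingerprint of this encoder: every decimal digit is %XX-escaped
    while letters are sent bare.  RFC 3986 unreserved characters (letters,
    digits, '-', '.', '_', '~') never need escaping, so standard libraries
    leave digits alone; a request body in which all digits are escaped but
    letters are not came from a custom encoder, as in the quoted sample."""
    escaped, literal = split_percent_encoding(encoded)
    escaped_digits = any(c.isdigit() for c in escaped)
    literal_digits = any(c.isdigit() for c in literal)
    literal_letters = any(c.isalpha() for c in literal)
    return escaped_digits and not literal_digits and literal_letters


def xor_with_key(data: bytes, key: bytes = XOR_KEY_BYTES) -> bytes:
    """Repeating 4-byte XOR; the same call both encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


if __name__ == "__main__":
    print("decoded:", decode_beacon(BEACON_ENCODED))
    print("custom encoder fingerprint:", has_digit_only_percent_encoding(BEACON_ENCODED))
    # Constructed sample record, XORed and recovered with the reported key.
    sample = b"CONSTRUCTED-MACHINE-GUID"
    ciphertext = xor_with_key(sample)
    assert xor_with_key(ciphertext) == sample
    print("xor round trip ok, ciphertext hex:", ciphertext.hex())
```

Decoding the outer layer yields `94CA821-1857911E-761077A2-0676D669-BAB696E07`, i.e. hex text rather than the raw system strings, consistent with the write-up's description of an XOR step preceding the URL-encoding. The encoder fingerprint check is deliberately independent of the key, so it still applies if a later build changes the XOR constant.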

All of this stolen information is sent to the C&C server.

The malware connects to the IP address “37.48.105.177”.

Fig-6 : XOR loop to decrypt stolen information

The malware also steals the accounts stored in browsers and in various software present on the infected machine, for example Skype and Telegram.

On further analysis, it is also found that the malware looks for cryptocurrency-related information stored on the infected machine and steals it along with the passwords.

The following image shows the strings related to the information the malware looks for in the system:

Fig-7 : Cryptocurrency related string

Fig-8 : Cryptocurrency and password related strings

The malware also obtains the IP address and country code of the infected machine by querying the following URL:
“http://ip-api.com/json”

All of the above information is stolen and sent to the C&C.

Indicators of Compromise (SHA-256): 2b9533f2065ed12f2c8d22d84252dcd5bee725cfaede304efd014cc6bdcc7c5d
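A defender can sweep a host or file share for the published indicator. The script below is an added example, not SonicWall's tooling: it takes the SHA-256 listed above and streams each file under a directory through SHA-256, reporting any match. The directory walk, the case-insensitive comparison and the report format are this example's own choices.

```python
"""Check files against the SHA-256 indicator published in the write-up.

Added example, not SonicWall's code. The indicator below is the one the
write-up lists; the directory walk and report format are this example's own.
"""
import hashlib
import os
from typing import Iterable, Iterator, List, Set, Tuple

# SHA-256 from the write-up's Indicators of Compromise section.
AZORULT_SAMPLE_SHA256: Set[str] = {
    "2b9533f2065ed12f2c8d22d84252dcd5bee725cfaede304efd014cc6bdcc7c5d",
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an in-memory buffer."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hex SHA-256 of a file, streamed so large files are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def iter_files(root: str) -> Iterator[str]:
    """Yield every regular file under root; symlinks are not followed."""
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.isfile(path) and not os.path.islink(path):
                yield path


def match_hashes(hashes: Iterable[str],
                 iocs: Set[str] = AZORULT_SAMPLE_SHA256) -> List[str]:
    """Return the entries of `hashes` that appear in `iocs`, compared
    case-insensitively (feeds often mix upper- and lower-case hex)."""
    wanted = {h.lower() for h in iocs}
    return [h for h in hashes if h.lower() in wanted]


def scan_directory(root: str,
                   iocs: Set[str] = AZORULT_SAMPLE_SHA256) -> List[Tuple[str, str]]:
    """Return (path, sha256) for every file under root whose hash is an IoC."""
    hits = []
    for path in iter_files(root):
        try:
            digest = sha256_file(path)
        except OSError:
            continue  # unreadable or vanished file: skip rather than abort the sweep
        if match_hashes([digest], iocs):
            hits.append((path, digest))
    return hits


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, digest in scan_directory(target):
        print(f"IoC match: {path} {digest}")
```

Hash matching only catches this exact build; a repacked sample will not match, so the network indicators above (the C&C IP and the ip-api.com lookup) should be monitored alongside it.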
