AZORult
Posted: February 24, 2017
Threat Metric
The fields on the Threat Meter that carry a value are explained below:
Threat Level: The threat level scale runs from 1 to 10, where 10 is the highest severity and 1 the lowest. Each level reflects the threat's consistently assessed behaviors as collected by SpyHunter's risk assessment model.
Detection Count: The collective number of confirmed and suspected cases of a particular malware threat, calculated from the infected PCs recorded in diagnostic and scan log reports generated by SpyHunter.
Volume Count: Similar to the detection count, but based on the number of confirmed and suspected threats infecting systems on a daily basis. A high volume count usually indicates a popular threat, which may or may not have infected a large number of systems; a threat with a high detection count can lie dormant and have a low volume count. The criteria for the Volume Count are relative to a daily detection count.
Trend Path: The Trend Path, shown as an up arrow, a down arrow or an equal symbol, represents a threat's recent movement. An up arrow represents an increase, a down arrow a decline, and the equal symbol no change.
% Impact (Last 7 Days): The change over a 7-day period in how frequently a malware threat infects PCs. The percentage correlates directly with the current Trend Path to indicate a rise or decline.
| Metric | Value |
|---|---|
| Ranking | 4,680 |
| Threat Level | 8/10 |
| Infected PCs | 535,856 |
| First Seen | February 24, 2017 |
| Last Seen | October 16, 2023 |
| OS(es) Affected | Windows |
AZORult is a Trojan downloader and spyware combination that can collect information from your computer, as well as enable other attacks by downloading and installing independent threats. Different threat actors are leveraging AZORult in campaigns that are using either spam e-mails or exploit kits for distribution. Let your anti-malware utilities block and remove AZORult automatically and take proper steps for re-securing any data on your computer, such as passwords.
A Spyware with Its Hands in Every Pie
While most threats specialize in a particular 'genre' of attack, some exist to enable others, and a minority of those carry both a payload for their own goals and a downloader for threats with more features. AZORult is a representative of that last category: malware analysts note that it was receiving in-depth development and updates as of mid-2018 and has been involved in spreading both file-locker Trojans and spyware. Besides its downloader role, AZORult includes data-grabbing features of its own.
Past scenarios using AZORult include campaigns by the Chthonic Banking Trojan (an update of the infamous Keylogger Zeus) and by the Hermes Ransomware, run by separate threat actors. In both instances, AZORult acts as the 'delivery' stage of the attack and drops the second threat after completing the rest of its own payload. Regardless of what it may be used to drop, malware experts confirm the following functions for the latest version of AZORult:
- AZORult may collect the PC's Web-browsing history from a range of browsers, with the exceptions of Internet Explorer and Edge.
- AZORult may steal cryptocurrency wallet files and credentials, such as those for Bitcoin wallets, allowing criminals to take the associated funds.
- Besides its spyware functionality, AZORult is a working Trojan downloader and may download, install and run other threats, based on commands that the remote attacker sends from its admin panel.
AZORult also provides general system status reports and may use proxies, when appropriate.
The Trojan behind the Password
Two of the strategies for disseminating AZORult are exploit kits (EKs) that compromise website traffic and more traditional spam e-mail attacks. The latter may disguise AZORult's installer as a work-related document, such as a resume. Some of the more recent attacks that malware researchers noted added a layer of password protection to the attachment, with the e-mail providing the password in its body; this unusual choice is most likely the threat actor's attempt to keep the unsafe contents away from security software, since a gateway scanner cannot open an encrypted archive for which it has no password.
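The password-in-the-body trick is cheap to screen for at the mail gateway even when the archive itself cannot be opened: the ZIP central directory states whether entries are encrypted, member names stay readable, and a body that spells out a password is a combination legitimate senders rarely produce. The following is an added example, not code from the page or from AZORult's authors; it constructs a sample lure inline (the addresses, the password phrasing that the regular expression looks for, and the hand-built ZIP bytes are all assumptions) and shows the triage flagging it while leaving an unencrypted attachment alone.

```python
"""Screen an e-mail for the AZORult delivery pattern described above: a
password-protected ZIP attachment whose password is given in the message body.
Added example; not code from the page or from AZORult. The lure e-mail and the
ZIP bytes are constructed here so the script runs offline."""
import email
import io
import re
import struct
import zipfile
import zlib
from email.message import EmailMessage

# Phrasings a lure uses to hand over the password (heuristic; an assumption).
PASSWORD_RE = re.compile(
    r"\b(?:password|pass|pwd|code)\s*(?:is|:)\s*([^\s,.;]+)", re.I)


def build_zip(member: str, payload: bytes, encrypted: bool) -> bytes:
    """Lay out a one-entry ZIP by hand (zipfile cannot write encrypted archives).
    The data is stored uncompressed; when `encrypted` is set only general
    purpose flag bit 0 is raised, which is exactly what the triage looks at."""
    name = member.encode()
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    flags = 0x0001 if encrypted else 0
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0,
                        crc, len(payload), len(payload), len(name), 0)
    local += name + payload
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags,
                          0, 0, 0, crc, len(payload), len(payload),
                          len(name), 0, 0, 0, 0, 0, 0)  # local header at offset 0
    central += name
    end = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1,
                      len(central), len(local), 0)
    return local + central + end


def build_lure(password: str, encrypted: bool = True) -> bytes:
    """Constructed sample: a 'resume' lure (addresses are placeholders)."""
    msg = EmailMessage()
    msg["From"] = "applicant@example.invalid"
    msg["To"] = "hr@example.invalid"
    msg["Subject"] = "Application for the open position"
    msg.set_content("Hello,\n\nPlease find my resume attached. "
                    f"The password is {password}\n\nRegards")
    msg.add_attachment(build_zip("resume.exe", b"MZ" + b"\0" * 62, encrypted),
                       maintype="application", subtype="zip",
                       filename="resume.zip")
    return msg.as_bytes()


def triage(raw: bytes) -> dict:
    """Report encrypted ZIP attachments, executable members inside them, and
    password candidates found in the text body."""
    msg = email.message_from_bytes(raw)
    report = {"encrypted_attachments": [], "exe_members": [],
              "body_passwords": []}
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        data = part.get_payload(decode=True) or b""
        if part.get_content_disposition() == "attachment":
            if data[:4] != b"PK\x03\x04":
                continue
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    infos = zf.infolist()
            except zipfile.BadZipFile:
                continue
            # Member names are readable even when the entries are encrypted.
            report["exe_members"] += [i.filename for i in infos
                                      if i.filename.lower().endswith(".exe")]
            if any(i.flag_bits & 0x1 for i in infos):
                report["encrypted_attachments"].append(part.get_filename())
        elif part.get_content_type() == "text/plain":
            charset = part.get_content_charset() or "utf-8"
            report["body_passwords"] += PASSWORD_RE.findall(
                data.decode(charset, "replace"))
    # The lure needs both halves; either one alone is common in legitimate mail.
    report["suspicious"] = bool(report["encrypted_attachments"]
                                and report["body_passwords"])
    return report


if __name__ == "__main__":
    print(triage(build_lure("Abc123")))
```

The check deliberately keys on the combination rather than on encryption alone: encrypted archives are routine in business mail, and a body password is only meaningful when there is something to unlock. An executable member name inside the archive is reported separately because it is a strong signal in its own right for a "resume".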
Although the threats it downloads could lock and ransom your files or conduct other attacks, AZORult is a not-insignificant threat to the PC by itself. Any cryptocurrency wallets on an infected PC should be presumed compromised, along with passwords and similar confidential credentials for online accounts; those passwords should be changed from a clean device once the infection is removed. Having your anti-malware product uninstall AZORult at the first opportunity is the most appropriate defense against this threat, which, like almost all spyware, suppresses most visible symptoms of its presence.
Whether it uses in-browser scripts or a document's macro to install itself, AZORult is one of many threats that take advantage of careless security practices by the users it attacks. Ironically, some aspects of its use, such as dropping a file-locking Trojan after collecting everything of value, may seem self-contradictory, but that caveat is of little comfort to anyone cleaning up an AZORult infection.
Technical Details
File System Modifications
Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.
The following files were created in the system:

c:\Users\<username>\desktop\desktop ii\esgtools\esg tools\tools\info (2)\info\binances\crypt\binances.exe
File name: binances.exe
Size: 380.41 KB (380416 bytes)
MD5: 6439131def75c6ef73cb43467c9444ff
Detection count: 225
File type: Executable File
Mime Type: unknown/exe
Path: c:\Users\<username>\desktop\desktop ii\esgtools\esg tools\tools\info (2)\info\binances\crypt
Group: Malware file
Last Updated: January 14, 2021

9994f688218d3c00c68937f2295fe6cd
File name: 9994f688218d3c00c68937f2295fe6cd
Size: 284.67 KB (284672 bytes)
MD5: 9994f688218d3c00c68937f2295fe6cd
Detection count: 99
Group: Malware file

file.exe
File name: file.exe
Size: 538.95 KB (538952 bytes)
MD5: ab9330711166d04bd3814aa5a4873357
Detection count: 15
File type: Executable File
Mime Type: unknown/exe
Group: Malware file

69ef96c982cd06ab342adbc051adb990
File name: 69ef96c982cd06ab342adbc051adb990
Size: 129.53 KB (129536 bytes)
MD5: 69ef96c982cd06ab342adbc051adb990
Detection count: 5
Group: Malware file
Last Updated: April 22, 2020
Registry Modifications
Regexp file mask:
- %appdata%\4eddrftbgvfc.exe
- %appdata%\cdegef.exe
- %appdata%\revdd.exe
- %appdata%\rtfvdc.exe
- %appdata%\uyntbrvfec.exe
- %appdata%\vgrfdcsx.exe
- %windir%\wotsuper.reg

HKEY..\..\..\..{RegistryKeys}:
- Software\Margin Trade
- SYSTEM\ControlSet001\services\BYTEDOWNLOAD PROTECT SERVICE
- SYSTEM\ControlSet002\services\BYTEDOWNLOAD PROTECT SERVICE
- SYSTEM\CurrentControlSet\services\BYTEDOWNLOAD PROTECT SERVICE

HKEY_LOCAL_MACHINE\Software\[APPLICATION]\Microsoft\Windows\CurrentVersion\Uninstall..{Uninstaller}:
- LetsSee! 2.15
- WOTSUPER 2.1
- {185623589-5865-4F66-B722-EE1C7FDA0836}_is1
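The file masks, registry keys, uninstall entries and MD5 hashes on this page can be turned directly into a hunt. The following is an added example, not code from the page or from SpyHunter; it runs those indicators against a host inventory export rather than a live registry, so it runs anywhere. The inventory embedded below is a constructed stand-in for such an export, and the %appdata%/%windir% values and sample paths in it are assumptions. The HKEY..\..\..\.. prefix in the list is treated as "any hive, any prefix" and matched as a key suffix; the [APPLICATION] placeholder in the Uninstall path is treated as "any subtree under Software" and matched by the entry name directly beneath an Uninstall key.

```python
"""Hunt a host inventory for the AZORult indicators listed above.
Added example; not code from the page or from SpyHunter. The indicators are
copied from the page; the inventory and environment values are constructed."""
import fnmatch
import re

FILE_MASKS = [
    r"%appdata%\4eddrftbgvfc.exe", r"%appdata%\cdegef.exe",
    r"%appdata%\revdd.exe", r"%appdata%\rtfvdc.exe",
    r"%appdata%\uyntbrvfec.exe", r"%appdata%\vgrfdcsx.exe",
    r"%windir%\wotsuper.reg",
]
# "HKEY..\..\..\.." on the page means any hive/prefix: matched as a suffix.
REGISTRY_KEY_SUFFIXES = [
    r"Software\Margin Trade",
    r"SYSTEM\ControlSet001\services\BYTEDOWNLOAD PROTECT SERVICE",
    r"SYSTEM\ControlSet002\services\BYTEDOWNLOAD PROTECT SERVICE",
    r"SYSTEM\CurrentControlSet\services\BYTEDOWNLOAD PROTECT SERVICE",
]
UNINSTALL_ENTRIES = ["LetsSee! 2.15", "WOTSUPER 2.1",
                     "{185623589-5865-4F66-B722-EE1C7FDA0836}_is1"]
KNOWN_MD5 = {
    "6439131def75c6ef73cb43467c9444ff": "binances.exe",
    "9994f688218d3c00c68937f2295fe6cd": "9994f688218d3c00c68937f2295fe6cd",
    "ab9330711166d04bd3814aa5a4873357": "file.exe",
    "69ef96c982cd06ab342adbc051adb990": "69ef96c982cd06ab342adbc051adb990",
}


def expand_mask(mask: str, env: dict) -> str:
    """Replace %VAR% placeholders with this host's values (case-insensitive).
    A callable replacement keeps backslashes in the values literal."""
    return re.sub(r"%([^%]+)%",
                  lambda m: env.get(m.group(1).lower(), m.group(0)), mask)


def norm(path: str) -> str:
    """Windows paths and keys compare case-insensitively with '\\' separators."""
    return path.replace("/", "\\").lower().rstrip("\\")


def hunt(inventory: dict, env: dict) -> list:
    """Return (category, indicator, evidence) tuples for every hit."""
    findings = []
    masks = [norm(expand_mask(m, env)) for m in FILE_MASKS]
    for path, md5 in inventory["files"]:
        n = norm(path)
        for mask in masks:  # fnmatch keeps '*'/'?' usable in masks
            if fnmatch.fnmatchcase(n, mask):
                findings.append(("file_mask", mask, path))
        if md5 and md5.lower() in KNOWN_MD5:
            findings.append(("md5", md5.lower(), path))
    for key in inventory["registry_keys"]:
        n = norm(key)
        for suffix in REGISTRY_KEY_SUFFIXES:
            if n.endswith("\\" + suffix.lower()):
                findings.append(("registry_key", suffix, key))
        parts = n.split("\\")  # ...\CurrentVersion\Uninstall\<entry>
        if len(parts) >= 2 and parts[-2] == "uninstall":
            for entry in UNINSTALL_ENTRIES:
                if parts[-1] == entry.lower():
                    findings.append(("uninstall_entry", entry, key))
    return findings


# Constructed stand-in for an inventory export from one host (assumptions).
SAMPLE_ENV = {"appdata": r"C:\Users\alice\AppData\Roaming",
              "windir": r"C:\Windows"}
SAMPLE_INVENTORY = {
    "files": [
        (r"C:\Users\alice\AppData\Roaming\revdd.exe",
         "d41d8cd98f00b204e9800998ecf8427e"),
        (r"C:\Users\alice\Downloads\resume.exe",
         "6439131DEF75C6EF73CB43467C9444FF"),   # renamed, hash still matches
        (r"C:\Windows\wotsuper.reg", None),
        (r"C:\Windows\notepad.exe", "0123456789abcdef0123456789abcdef"),
    ],
    "registry_keys": [
        r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BYTEDOWNLOAD PROTECT SERVICE",
        r"HKEY_CURRENT_USER\Software\Margin Trade",
        r"HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WOTSUPER 2.1",
        r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip",
    ],
}

if __name__ == "__main__":
    for category, indicator, evidence in hunt(SAMPLE_INVENTORY, SAMPLE_ENV):
        print(f"{category:16} {indicator}  <-  {evidence}")
```

The hash check is the only one of the four that survives a rename, which is why the sample keeps a copy of binances.exe under a different name; the mask and key checks catch the persistence artifacts regardless of which user profile or control set they landed in, because the expansion and the suffix match are done per host rather than hard-coded.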