A forum for reverse engineering, OS internals and malware analysis 

 #30867  by Xylitol
 Sat Sep 30, 2017 5:35 pm

Infostealer.Rultazo ~ https://www.symantec.com/security_respo ... 14-2700-99
Threat Actors Using Legitimate PayPal Accounts To Distribute Chthonic Banking Trojan ~ https://www.proofpoint.com/us/threat-in ... ing-trojan
Let's Learn: Reversing Credential and Payment Card Information Stealer 'AZORult V2' ~ https://www.vkremez.com/2017/07/lets-le ... l-and.html

Harvests credentials from browsers, IM and FTP clients, various applications, wallets, and cookies.
File size is usually around 498 to 510 KB.

virustotal: https://www.virustotal.com/en/file/7bc9 ... 506768112/
unpacked: https://www.virustotal.com/en/file/0c44 ... 506791602/
c2:
Code:
sondomax.co/f78gu9vyc7d6x5f89vg980oi/gate.php
sondomax.co/f78gu9vyc7d6x5f89vg980oi/img/logo.png
Yara rule:
Code:
rule Windows_Malware : Azorult_V2
{
    meta:
        author = "Xylitol xylitol@temari.fr"
        date = "2017-09-30"
        description = "Match first two bytes, strings, and parts of routines present in Azorult"
        reference = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=4819"
        // May only the challenge guide you
    strings:
        $mz = {4D 5A}
        $string1 = "ST234LMUV56CklAopq78Brstuvwxyz01NOPQRmGHIJKWXYZabcdefgDEFhijn9+/" wide ascii // Azorult custom base64-like alphabet
        $string2 = "SYSInfo.txt"
        $string3 = "CookieList.txt"
        $string4 = "Passwords.txt"
        $constant1 = {85 C0 74 40 85 D2 74 31 53 56 57 89 C6 89 D7 8B 4F FC 57} // Azorult grabs .txt and .dat files from Desktop
        $constant2 = {68 ?? ?? ?? ?? FF 75 FC 68 ?? ?? ?? ?? 8D 45 F8 BA 03 00} // Portion of code from Azorult self-delete function
    condition:
        ($mz at 0 and all of ($string*) and ($constant1 or $constant2))
}
Some results from the rule:
Code:
Windows_Malware:65a69f791ca97bd520cf82e33c3b8e9dafc100de5dc5fc12f4272e3939080872 -> evastazione.top/gate.php
Windows_Malware:49cacb19185f13f7d9a33666bd0568eaa5ec8f35ab7278ccccbae4ebc42614a7 -> btc2017.org/gate.php
Windows_Malware:a4ed52cda1b9de16e62d99fa4cbd1d7c0d23eea3860c7838f942d1907a13a013 -> coingenerator.info/azor/gate.php
Windows_Malware:abd32c41d2a254e9a32823a3c2ec422817434be4aa33c83179666fbd7b47e94f -> onlinevtvideos.com/gate.php
Windows_Malware:d5b5aef36016f5b2e05a84e277bb8cff4caf51c243a5f824209d7f0522a76f5c -> myxamop.com/gate.php
Windows_Malware:101c5f9fa265b81c81fe01cc095c95773c1f2e8cff40cf2f6f5820461fe76a13 -> flash-piayer-update.com.md-90.webhostbox.net/gate.php
Windows_Malware:cf3459cf29125101f5bea3f4206d8e43dbe097dd884ebf3155c49b276736f727 -> parking-services.us/gate.php
Windows_Malware:bfd414b0801e51cc0fbb236f45171b25c70f2a6646aeabeda242148ee1c7d41b -> v.hotfix.su/gate.php
Windows_Malware:76ac5ed9871b8d45d414cad6408fd0ae55fda8505eb60ef68bc2ecaad13f4159 -> kryptexx.com/Panel/gate.php
Windows_Malware:aefeeccf8db6789a94d23adabd95a242650b373ce29fa8103770300fcc2f53c6 -> bucscrup.ru/forum/topic.php
Windows_Malware:e09fed9ea96602186c6e8dad85052c1a99128875421e5d3127e8552edaf35a4f -> linuxip.us.md-88.webhostbox.net/b/123/gate.php
Windows_Malware:1517960496eda223e42a50a0df7ae2c1fbaa9e6c4e485eb8084b1b8455de4877 -> ghost888abc.com/AZORult2/gate.php
Windows_Malware:a56fe044cfe73c8472d47da3cccd10f0388f77a596ff3be4dc0706132da7511e -> ventsi11-au2.bit.md-58.webhostbox.net/wp-content/themes/1/gate.php
Windows_Malware:8358c7b3341e32f88acec323ef9ba88b5a7e6a44d997b96eeceb7a30ba29739a -> steal.lovebmw.xeovo.ml/gate.php
Windows_Malware:9f90142ba8eb9a7fae62442366087f95fc5ede1939683576e9c1122d2498dffa -> dark-file.ru/au/gate.php
Windows_Malware:414395797bafe2d59bdea58cc953f0a0e7797db2bd93aeb3995221f8cc45efaa -> coinbitbot.ru/s/gate.php
Windows_Malware:a1e5586f4bc1a5a48a7522917e21b0c6ae91aeb51c7f0fbb787fd8c204029cff -> www.grandmasson.pw/gate.php
Windows_Malware:2cb29a1d10145311ba64d2f09736f33f24062133ef497bd65a1748512016d707 -> aumax.bit.md-98.webhostbox.net/wp-content/themes/au/gate.php
Windows_Malware:d3c4d1d6bd0785abab9929bc92867ed5457fdc54a73eccc57761e6e6ccc9bb83 -> onlinevtvideos.com/gate.php
Windows_Malware:024af7e45208dec3aaab4586f27293914edb4a8a6281a174f75110af2ab86a4c -> kryptexx.com/Panel/gate.php
Windows_Malware:fc349375e1561dbb87a832d9b1d838d5cb4cd7c0d188ba215605798f80acbf43 -> mix1456465.com.cp-47.webhostbox.net/au2/gate.php
Windows_Malware:42c1ac16b9e0c93ac46fa564b2128a6e9bb0f12f04f5a78e898daf3a9c10164c -> bitscoinsme.com/a/gate.php
Windows_Malware:e5110ddaeaef802808c0e1ccb6b13c779bcb24d7b2bd610abf22aafcd58449f7 -> linuxip.us.md-88.webhostbox.net/b/123/gate.php
Windows_Malware:99a2ede112fc7f62ea13e2404cb7bf8bf7d6a09f1c130d67d563930712166f8d -> 181.215.235.154/au/gate.php
Windows_Malware:026b754d1a80ead90dbc3f0cd58c59ed27b4d7151079841530c0a6ee8a262f18 -> ninjatrader.life/update/gate.php
Windows_Malware:cf1aa18cc257ca8c3a0c612d75e4af7f7ed328cb4d3dc9c9eda0dad4830c3f21 -> 181.215.235.154/au/gate.php
Windows_Malware:0c444ad103fbfefe29fcaa0e65206461ae2d79ab89a1b84d25d2d0a02842a24d -> sondomax.co/f78gu9vyc7d6x5f89vg980oi/gate.php
Windows_Malware:9e30348aa155a5b3febb56298716d86d51107f6c459f61454f4346c3ed19e4b5 -> bitscoinsme.com/a/gate.php
Windows_Malware:10f8abd770fecb5457d5097a361d2a6b737d0fe77415ad2127937079becb8330/subfile -> coralline2016.ml/update/gate.php
Windows_Malware:374c4fe8f0fd7fa873aea2453f9993cb7e55d02886353668c0c14bb39a426f5e/subfile -> flash-piayer-update.com.md-90.webhostbox.net/gate.php
Windows_Malware:46b14e91c73bfd30d491c261c64408ca04042c0e4d440b1cbf08f131867c7c21/subfile -> coralline2016.ml/update/gate.php
Windows_Malware:abd32c41d2a254e9a32823a3c2ec422817434be4aa33c83179666fbd7b47e94f/subfile -> onlinevtvideos.com/gate.php
Windows_Malware:cea914756c525706e04c93fe9d624ed1a5c8ca92c0ffa6f3d77c3e9eaa991ebb/subfile -> aumax.bit.md-98.webhostbox.net/wp-content/themes/au/gate.php
Windows_Malware:c1ddfac30378640cc6259cd59a43469d8d75e3344f6d9ff9ad052ed05164240f/subfile
Attachments
infected
(656.22 KiB) Downloaded 72 times
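The following is an added example, not code from Xylitol's post: a small pure-Python re-implementation of the rule's condition, so the matching logic can be stepped through without a YARA install. It shows how the `??` wildcard bytes in `$constant2` become one-byte wildcards, how the `wide ascii` modifier on `$string1` differs from the ASCII-only default on the other strings, and how the three condition terms combine. The test buffers it builds are constructed, not real samples; `build_sample` and `matches_rule` are names chosen here.

```python
import re

# Strings and byte patterns copied from the Windows_Malware : Azorult_V2 rule above.
# $string1 carries "wide ascii" in the rule; the other strings have no modifier,
# so YARA matches them only as ASCII.
RULE_STRINGS = [
    ("ST234LMUV56CklAopq78Brstuvwxyz01NOPQRmGHIJKWXYZabcdefgDEFhijn9+/", True),
    ("SYSInfo.txt", False),
    ("CookieList.txt", False),
    ("Passwords.txt", False),
]
RULE_CONSTANTS = [
    "85 C0 74 40 85 D2 74 31 53 56 57 89 C6 89 D7 8B 4F FC 57",
    "68 ?? ?? ?? ?? FF 75 FC 68 ?? ?? ?? ?? 8D 45 F8 BA 03 00",
]


def hex_pattern_to_regex(pattern):
    """Translate a YARA hex string such as "68 ?? ?? FF" into a bytes regex.
    '??' is a one-byte wildcard; every other token is a literal byte."""
    parts = []
    for token in pattern.split():
        if token == "??":
            parts.append(b".")
        else:
            parts.append(re.escape(bytes([int(token, 16)])))
    # DOTALL so the wildcard also matches 0x0A, which '.' would otherwise skip
    return re.compile(b"".join(parts), re.DOTALL)


def string_present(data, text, wide):
    """ascii: the plain byte string. wide: the UTF-16LE form, which is how
    Windows/Delphi binaries store unicode literals. Only strings flagged
    'wide' in the rule are allowed to match in that form."""
    if text.encode("ascii") in data:
        return True
    return wide and text.encode("utf-16-le") in data


def matches_rule(data):
    """Evaluate the rule's condition and return each term plus the verdict."""
    mz_at_0 = data[:2] == b"MZ"                       # $mz at 0
    strings_ok = all(string_present(data, t, w) for t, w in RULE_STRINGS)  # all of ($string*)
    constants_hit = [bool(hex_pattern_to_regex(p).search(data)) for p in RULE_CONSTANTS]
    return {
        "mz_at_0": mz_at_0,
        "all_strings": strings_ok,
        "constant1": constants_hit[0],
        "constant2": constants_hit[1],
        "match": mz_at_0 and strings_ok and any(constants_hit),  # ($constant1 or $constant2)
    }


def build_sample(header=b"MZ", wide_alphabet=False, include_constant=1):
    """Constructed test buffer (not a real sample): a header, filler, the rule's
    strings, and optionally one of the two code fragments with the ?? bytes filled."""
    alphabet, _ = RULE_STRINGS[0]
    body = header + b"\x90" * 64
    body += alphabet.encode("utf-16-le" if wide_alphabet else "ascii")
    for text, _ in RULE_STRINGS[1:]:
        body += b"\x00" + text.encode("ascii")
    if include_constant == 1:
        body += bytes.fromhex(RULE_CONSTANTS[0])
    elif include_constant == 2:
        # the eight wildcard bytes are push operands in the real code; any value matches
        body += bytes.fromhex(RULE_CONSTANTS[1].replace("??", "41"))
    return body + b"\x00" * 16


if __name__ == "__main__":
    cases = [
        ("constant1, ascii alphabet", build_sample()),
        ("constant2, wide alphabet", build_sample(wide_alphabet=True, include_constant=2)),
        ("strings only, no code fragment", build_sample(include_constant=0)),
        ("not a PE (no MZ at 0)", build_sample(header=b"PK")),
    ]
    for label, buf in cases:
        print(f"{label:32s} -> {matches_rule(buf)}")
```

The per-term dictionary is what you want when tuning a rule: it tells you which half of the condition a false negative failed on (for instance a packed sample that still carries the strings but not the code fragment), which a plain true/false from a scanner does not.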
 #31202  by Antelox
 Mon Jan 15, 2018 9:11 am
ikolor wrote:next..

https://www.virustotal.com/#/file/3a529 ... /detection

https://www.virustotal.com/#/file/4d8d3 ... /detection

##################
https://www.youtube.com/watch?v=l-eUufUZYgA
##################
The file with SHA256: 3a529002374cd6e62940828e92b4745798f779c6a819c8d75ab3e76ef59641e8 is a zip file containing AZORult malware.

BR,

Antelox
 #31530  by Xylitol
 Tue May 01, 2018 2:11 pm
v3 has been out since the beginning of April; another one is in the attachment, calling needmorelogs.club.
https://www.virustotal.com/en/file/0934 ... 525183688/

Apparently they still can't PHP: https://twitter.com/4chr4f2/status/982816310995271681
Attachments
infected
(58.2 KiB) Downloaded 51 times