Azorult is a commercial Trojan that is used to steal information from compromised hosts. Azorult has been observed in the wild as early as 2016. In July 2018, Azorult was seen used in a spearphishing campaign against targets in North America. Azorult has been seen used for cryptocurrency theft. [1][2]

ID: S0344
Platforms: Windows

Version: 1.0

Techniques Used

EnterpriseT1134Access Token ManipulationAzorult can call WTSQueryUserToken and CreateProcessAsUser to start a new process with local system privileges.[1]
EnterpriseT1003Credential DumpingAzorult can dump credentials from victim browsers.[1]
EnterpriseT1081Credentials in FilesAzorult can steal credentials from the victim's browser.[1]
EnterpriseT1140Deobfuscate/Decode Files or InformationAzorult uses an XOR key to decrypt content and uses Base64 to decode the C2 address.[1][2]
EnterpriseT1083File and Directory DiscoveryAzorult can recursively search for files in folders and collects files from the desktop with certain extensions.[1]
EnterpriseT1107File DeletionAzorult can delete files from victim machines.[1]
EnterpriseT1057Process DiscoveryAzorult can collect a list of running processes by calling CreateToolhelp32Snapshot.[1][2]
EnterpriseT1093Process HollowingAzorult can decrypt the payload into memory, create a new suspended process of itself, then inject a decrypted payload to the new process and resume new process execution.[1]
EnterpriseT1012Query RegistryAzorult can check for installed software on the system under the Registry key Software\Microsoft\Windows\CurrentVersion\Uninstall.[1]
EnterpriseT1105Remote File CopyAzorult can download and execute additional files. Azorult has also downloaded a ransomware payload called Hermes.[1][2]
EnterpriseT1113Screen CaptureAzorult} can capture screenshots of the victim’s machines.[1]
EnterpriseT1032Standard Cryptographic ProtocolAzorult can encrypt C2 traffic using XOR.[1][2]
EnterpriseT1082System Information DiscoveryAzorult can collect the machine information, system architecture, the OS version, computer name, Windows product name, the number of CPU cores, video card information, and the system language.[1][2]
EnterpriseT1016System Network Configuration DiscoveryAzorult can collect host IP information from the victim’s machine.[1]
EnterpriseT1033System Owner/User DiscoveryAzorult can collect the username from the victim’s machine.[1]
EnterpriseT1124System Time DiscoveryAzorult can collect the time zone information from the system.[1][2]