Rewterz

Rewterz Threat Alert – AZORult – Active IOCs

Severity

Medium

Analysis Summary

AZORult is a payment card and credential information stealer. It was sold on Russian underground forums as a means to collect sensitive information from infected systems. The malware can also steal cookies, browsing history, cryptocurrency wallets, and IDs and passwords. Phishing emails and the Fallout Exploit Kit (EK), paired with social engineering techniques, are the major infection vectors of AZORult. The malware can also act as a loader that downloads additional malware.

Impact

  • Information Theft
  • Credential Theft
  • Exposure of Sensitive Data

Indicators of Compromise

MD5

  • c61df8b07fcdcdd442bfd2a73102f2e3

SHA-256

  • 325131729ab48a10ecb1a8ff30ee35f74ecff06618cf887a0802bda5cd356902

SHA1

  • 916ca138209e7e918849b3b81cf9a4d5bcc8e9d8

Remediation

  • Block all threat indicators at your respective controls.
  • Search for IOCs in your environment.
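One way to carry out the second remediation step, as an added example that is not part of the Rewterz alert: the MD5, SHA1 and SHA-256 values published above are loaded into a lookup table and every file under a directory is hashed and checked against them. The directory layout, the `chunk_size` and the constructed benign sample in `demo()` are assumptions.

```python
import hashlib
from pathlib import Path

# File hashes published in this alert for the AZORult sample (hex, lowercase).
AZORULT_IOC_HASHES = {
    "md5": {"c61df8b07fcdcdd442bfd2a73102f2e3"},
    "sha1": {"916ca138209e7e918849b3b81cf9a4d5bcc8e9d8"},
    "sha256": {"325131729ab48a10ecb1a8ff30ee35f74ecff06618cf887a0802bda5cd356902"},
}


def hash_file(path, chunk_size=1 << 20):
    """Return md5/sha1/sha256 hex digests of one file, read in chunks so large files fit."""
    hashers = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def match_digests(digests, iocs=AZORULT_IOC_HASHES):
    """Return (algorithm, digest) pairs that hit the IoC set; comparison is case-insensitive."""
    return [(algo, d.lower()) for algo, d in digests.items()
            if d.lower() in iocs.get(algo, set())]


def sweep(root, iocs=AZORULT_IOC_HASHES):
    """Walk a directory tree and return {path: [matches]} for every file that hits an IoC."""
    hits = {}
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        try:
            matches = match_digests(hash_file(p), iocs)
        except OSError:  # unreadable file (permissions, vanished); skip, do not abort the sweep
            continue
        if matches:
            hits[str(p)] = matches
    return hits


def demo():
    """Constructed check (assumption, not real data): a benign temp file must not hit the
    published IoCs, but must hit an IoC set seeded with its own SHA-256."""
    import os, tempfile
    with tempfile.TemporaryDirectory() as d:
        sample = os.path.join(d, "benign.bin")
        with open(sample, "wb") as fh:
            fh.write(b"constructed benign content, not malware")
        seeded = {"sha256": {hash_file(sample)["sha256"]}}
        return sweep(d), sweep(d, seeded)
```

Run `sweep("/path/to/scan")` against downloads, temp and user profile directories; a non-empty result means the sample's file hash was seen on that host.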