AZORult Information Stealer Trojan

AZORult is a banking and information-stealing trojan that has been seen alongside other malware such as Ramnit, Seamless and the RIG exploit kit.

Previously, AZORult was distributed through intermediary malware such as downloaders or exploit kits. Newer versions, however, are distributed directly as malicious attachments to spam emails. These attachments use several techniques, including macros and Dynamic Data Exchange (DDE) exploits, to deliver AZORult.

Once installed, AZORult spawns a legitimate process, hollows it out and injects its own code into it (process hollowing) to evade detection. It then sends system data to a C2 server before monitoring any installed web browsers for banking and cookie information. Newer variants of AZORult also attempt to obtain Bitcoin wallet addresses, FTP or XMPP credentials and desktop files.

The malware searches for the following information and sends it to its C2 server:

  • Saved passwords, such as those from browsers, email and FTP servers;
  • Cookies from browsers and forms, including autofill;
  • wallet.dat files from popular bitcoin clients;
  • Skype message history;
  • Files from chat history;
  • Desktop files;
  • Files with specified extensions from Desktop and files in folders;
  • List of installed programs;
  • List of running processes; and
  • Username, computer name, and operating system type.

[Figure: Most Infected Countries or Regions – 18th July 2018]

Indicators of Compromise / C&C URLs To Block

    MD5 File Hashes

    • 5829b77898d5acff0b0fbd87deb6b9cb
    • 48a801a908d44f1770d19f5569663f98
    • 305c699a84ad3fe04ca083ad499d32b3
    • 05763c6632fcaaad57ba632788aa5a34

    File Names

    • au3_exe.exe
    • cartwheels.dll
    • chrom.exe
    • FWLosDEdtZ.exe

    Affected Platforms

      • Microsoft Windows – All versions
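The hashes and file names above are only useful if they are actually checked against hosts. The following is an added example, not code from the original post or from any vendor tool, of a small defender-side sweep that walks a directory tree, flags files whose names match the listed indicators and files whose MD5 digest matches the listed hashes. The root directory to scan is an assumed input; the indicator values are taken verbatim from the lists above.

```python
"""Sweep a directory tree for the AZORult indicators listed on this page."""
import hashlib
import os
from dataclasses import dataclass
from typing import List, Set

# MD5 hashes taken from the page's IOC list.
AZORULT_MD5 = frozenset({
    "5829b77898d5acff0b0fbd87deb6b9cb",
    "48a801a908d44f1770d19f5569663f98",
    "305c699a84ad3fe04ca083ad499d32b3",
    "05763c6632fcaaad57ba632788aa5a34",
})

# File names taken from the page's IOC list (matched case-insensitively,
# since Windows file systems are case-insensitive).
AZORULT_FILENAMES = frozenset({
    "au3_exe.exe",
    "cartwheels.dll",
    "chrom.exe",
    "fwlosdedtz.exe",
})


@dataclass(frozen=True)
class Match:
    path: str
    reason: str  # "filename" or "md5"
    value: str   # the indicator that matched


def md5_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_for_iocs(root: str,
                  md5_iocs: Set[str] = AZORULT_MD5,
                  name_iocs: Set[str] = AZORULT_FILENAMES) -> List[Match]:
    """Return every file under `root` that matches a name or hash indicator.

    `root` is an assumed argument (e.g. a user's profile or %TEMP%); the
    indicator sets default to the values published on this page.
    """
    md5_iocs = {h.lower() for h in md5_iocs}
    name_iocs = {n.lower() for n in name_iocs}
    matches: List[Match] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() in name_iocs:
                matches.append(Match(path, "filename", name))
            try:
                digest = md5_of_file(path)
            except OSError:
                # Locked or unreadable file: record nothing, keep sweeping.
                continue
            if digest in md5_iocs:
                matches.append(Match(path, "md5", digest))
    return sorted(matches, key=lambda m: (m.path, m.reason))


if __name__ == "__main__":
    import sys
    for m in scan_for_iocs(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{m.reason:8} {m.value}  {m.path}")
```

A name match is a weak signal on its own (a file called chrom.exe is suspicious but not proof), whereas a hash match is exact but brittle: a rebuilt or repacked sample will have a different MD5, so hash sweeps confirm known samples rather than rule the family out.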

Duncan Newell

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
