S0344 Azorult

Azorult is a commercial Trojan that is used to steal information from compromised hosts. Azorult has been observed in the wild as early as 2016. In July 2018, Azorult was seen used in a spearphishing campaign against targets in North America. Azorult has been seen used for cryptocurrency theft. [2][1]

| Item | Value |
|---|---|
| ID | S0344 |
| Associated Names | |
| Version | 1.3 |
| Created | 30 January 2019 |
| Last Modified | 13 October 2022 |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1134 | Access Token Manipulation | - |
| enterprise | T1134.002 | Create Process with Token | Azorult can call WTSQueryUserToken and CreateProcessAsUser to start a new process with local system privileges. [2] |
| enterprise | T1555 | Credentials from Password Stores | - |
| enterprise | T1555.003 | Credentials from Web Browsers | Azorult can steal credentials from the victim's browser. [2] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | Azorult uses an XOR key to decrypt content and uses Base64 to decode the C2 address. [2][1] |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.001 | Symmetric Cryptography | Azorult can encrypt C2 traffic using XOR. [2][1] |
| enterprise | T1083 | File and Directory Discovery | Azorult can recursively search for files in folders and collect files with certain extensions from the desktop. [2] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | Azorult can delete files from victim machines. [2] |
| enterprise | T1105 | Ingress Tool Transfer | Azorult can download and execute additional files. Azorult has also downloaded a ransomware payload called Hermes. [2][1] |
| enterprise | T1057 | Process Discovery | Azorult can collect a list of running processes by calling CreateToolhelp32Snapshot. [2][1] |
| enterprise | T1055 | Process Injection | - |
| enterprise | T1055.012 | Process Hollowing | Azorult can decrypt the payload into memory, create a new suspended process of itself, inject the decrypted payload into the new process, and then resume execution of the new process. [2] |
| enterprise | T1012 | Query Registry | Azorult can check for installed software on the system under the Registry key Software\Microsoft\Windows\CurrentVersion\Uninstall. [2] |
| enterprise | T1113 | Screen Capture | Azorult can capture screenshots of the victim's machine. [2] |
| enterprise | T1082 | System Information Discovery | Azorult can collect machine information: the system architecture, the OS version, computer name, Windows product name, the number of CPU cores, video card information, and the system language. [2][1] |
| enterprise | T1016 | System Network Configuration Discovery | Azorult can collect host IP information from the victim's machine. [2] |
| enterprise | T1033 | System Owner/User Discovery | Azorult can collect the username from the victim's machine. [2] |
| enterprise | T1124 | System Time Discovery | Azorult can collect the time zone information from the system. [2][1] |
| enterprise | T1552 | Unsecured Credentials | - |
| enterprise | T1552.001 | Credentials In Files | Azorult can steal credentials from files belonging to common software such as Skype, Telegram, and Steam. [2] |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0092 | TA505 | [3] |