| Technique | Sub-technique | Use |
|---|---|---|
| Access Token Manipulation | Create Process with Token | Azorult can call WTSQueryUserToken and CreateProcessAsUser to start a new process with local system privileges. |
| Credentials from Password Stores | Credentials from Web Browsers | Azorult can steal credentials from the victim’s browser. |
| Deobfuscate/Decode Files or Information | | Azorult uses an XOR key to decrypt content and uses Base64 to decode the C2 address. |
| | | Azorult can encrypt C2 traffic using XOR. |
| File and Directory Discovery | | Azorult can recursively search for files in folders and collect files with certain extensions from the desktop. |
| | | Azorult can delete files from victim machines. |
| Ingress Tool Transfer | | Azorult can download and execute additional files. Azorult has also downloaded a ransomware payload called Hermes. |
| | | Azorult can collect a list of running processes by calling CreateToolhelp32Snapshot. |
| | | Azorult can decrypt the payload into memory, create a new suspended process of itself, inject the decrypted payload into the new process, and then resume execution of the new process. |
| | | Azorult can check for installed software on the system under the Registry key |
| | | Azorult can capture screenshots of the victim’s machines. |
| System Information Discovery | | Azorult can collect the machine information, system architecture, the OS version, computer name, Windows product name, the number of CPU cores, video card information, and the system language. |
| System Network Configuration Discovery | | Azorult can collect host IP information from the victim’s machine. |
| System Owner/User Discovery | | Azorult can collect the username from the victim’s machine. |
| System Time Discovery | | Azorult can collect the time zone information from the system. |
| | Credentials In Files | Azorult can steal credentials in files belonging to common software such as Skype, Telegram, and Steam. |