AzorULT 3.4.1 Cracked ANALYZE ME

New AZORult 3.4.1 has hit the public. The author is unknown, but it feels more stable than grunt 3.3, and the builder will be smaller.

It can be seen that the author has not abandoned the work begun. In this builder, you can already hide the admin area deeper in the site's folders and, for example, place a dummy site at the root of the site.
Also, the URL to the admin panel is now encrypted and cannot be read in a hex editor.


With the previous version, there were questions about it in some cases reaching out to a third-party address.
Probably customers complained, and in this version everything is fixed:

The build reports exclusively to your admin area.
According to tests, this is so far the best AZORult exe builder I have managed to see in the public.
As always, it seems that no bundled payloads were found, but to sleep peacefully we run the software in a virtual machine.

What the changes to the admin panel were is not known for certain, but to avoid misunderstandings it is recommended to use the admin panel that comes with the kit.

DO NOT DOWNLOAD THIS UNLESS YOU INTEND TO DO MALWARE ANALYSIS ON IT. - https://mega.nz/#!9UIBVabT!wWGZh7sq9COOUqD1Fv-eWuMYrJySwzmpvFhY894GuNU
Pass: AzorULT

According to rumors, this is not the latest version; there is another, 3.4.2, which has already added the function of building the stealer in the form of a DLL. But so far no one has posted it in public.

@MoNsTeR Are such things allowed here at this forum?

PUT THIS IN A SANDBOX AND ANALYZE IT- https://mega.nz/#!QN4niZhK!KqDjBl7vM4M7CxGIjU0DLg9BgLFyaS82Kn_OOFZdMnE

Can't make a build since the file refused to open. I turned off all of Windows Defender on Windows 10 and also tried in a VM. What's wrong there?

Suspicious payload :thinking:

That is not a builder, it's a payload, which is why it melts into the system.

NOTE: This builder does NOT create payloads but is a payload!

1 Like

I HAVE MOVED THIS THREAD TO THE MALWARE ANALYSIS SECTION DUE TO ITS CONTENT AND INTENT.

First one to get the ip address of the command server gets the flag.

Challenge Completed Successfully

HTTP REQUESTS:

Method: POST
URL: http://f0401710.xsph.ru/api/check.get
URL: http://f0401710.xsph.ru/api/gate.get?p1=2&p2=5&p3=0&p4=2&p5=0&p6=0&p7=0&p8=0&p9=2&p10=gKi64JYnGDhmC4wPPWy3zZJgs9aUUkeUoF1s
IP Address: 141.8.192.151
Origin: Russia
ProcessName: dllhost.exe
Hosting: Sprinthost.ru

What Happens After Execution:

(1) Replicates itself to the Temp directory,
i.e. C:\Users\USERNAME\AppData\Local\Temp\cl_setup.exe

(2) cl_setup.exe starts a new exe, i.e. dllhost.exe

What this dllhost.exe is doing:

(1) Uploads the Firefox & Chrome cookies database files to the remote server
Firefox DB Path: C:\Users\USERNAME\AppData\Roaming\Mozilla\Firefox\Profiles\q1dyz51w.default\cookies.sqlite

Chrome DB Path: C:\Users\USERNAME\AppData\Local\Google\Chrome\User Data\Default\Cookies

(2) Reads Internet Cache Settings
RegistryPath: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Maybe it is using this to create a unique ID for the victim, which is uploaded to the server to identify the victim.

(3) Gives the attacker full command-line access to the victim machine
After execution, it deletes the cl_setup.exe file.
Executes this command: "C:\Windows\System32\cmd.exe" /c TimeOut 1 & Del /F "C:\Users\admin\AppData\Local\Temp\cl_setup.exe"

These are a few images:

1 Like

Conclusion: Yes, it is a malicious file.

Advice: Always trust open source projects; even premium/paid RATs also contain malware! So beware!!

1 Like
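Added detection example, not from the thread or from any of its posters: a Python script that runs two checks over constructed sample logs, the POST to /api/gate.get carrying the p1..p10 parameter set seen in the report's HTTP requests, and the delayed cmd.exe self-delete of cl_setup.exe. The proxy and process-event log formats are assumed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed proxy log lines (not from the original post): <ts> <client_ip> <method> <url> <status>
PROXY_LOG = """\
2020-02-24T11:05:01Z 10.0.0.5 POST http://f0401710.xsph.ru/api/check.get 200
2020-02-24T11:05:02Z 10.0.0.5 POST http://f0401710.xsph.ru/api/gate.get?p1=2&p2=5&p3=0&p4=2&p5=0&p6=0&p7=0&p8=0&p9=2&p10=gKi64JYnGDhmC4wPPWy3zZJgs9aUUkeUoF1s 200
2020-02-24T11:05:03Z 10.0.0.7 GET http://example.com/api/gate.get?p1=1 200
2020-02-24T11:05:04Z 10.0.0.9 POST http://intranet.example.com/api/login 302
"""

# Constructed process-creation events (Sysmon EventID 1 style, assumed format): <ts> <image>|<command line>
PROC_LOG = """\
2020-02-24T11:05:05Z C:\\Windows\\System32\\cmd.exe|"C:\\Windows\\System32\\cmd.exe" /c TimeOut 1 & Del /F "C:\\Users\\admin\\AppData\\Local\\Temp\\cl_setup.exe"
2020-02-24T11:05:06Z C:\\Windows\\System32\\cmd.exe|"C:\\Windows\\System32\\cmd.exe" /c dir
"""

GATE_PARAMS = {f"p{i}" for i in range(1, 11)}  # exactly p1..p10, as in the observed gate.get request


def gate_beacons(log):
    """Return proxy entries that look like the observed check-in: POST to /api/gate.get with p1..p10."""
    hits = []
    for line in log.splitlines():
        ts, client_ip, method, url, status = line.split(" ", 4)
        parts = urlsplit(url)
        if method != "POST" or not parts.path.endswith("/api/gate.get"):
            continue
        query = parse_qs(parts.query)
        if set(query) != GATE_PARAMS:  # a generic /api/gate.get hit with other params is not flagged
            continue
        hits.append({"ts": ts, "client_ip": client_ip, "host": parts.hostname, "p10": query["p10"][0]})
    return hits


# cmd.exe /c TimeOut <n> & Del /F "<path>": the delayed self-delete idiom from the report
SELF_DELETE_RE = re.compile(r'(?i)/c\s+timeout\s+\d+\s*&\s*del\s+/f\s+"([^"]+)"')


def self_delete_cmds(log):
    """Return (ts, deleted_path) for cmd.exe events matching the delayed self-delete pattern."""
    hits = []
    for line in log.splitlines():
        ts, rest = line.split(" ", 1)
        image, cmdline = rest.split("|", 1)
        m = SELF_DELETE_RE.search(cmdline)
        if m and image.lower().endswith("\\cmd.exe"):
            hits.append((ts, m.group(1)))
    return hits
```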

WE HAVE MANY PROFESSIONALS ON THIS SITE WHO WILL EXPOSE MALICIOUS USERS THAT SCREW WITH OUR COMMUNITY.

Great work!!! @MrRobot Very thorough report. Hopefully users with malicious intent will think twice before trying to infect our community after reading MrRobot's report.

After a little more digging I found that the IP address 141.8.192.151 now belongs to vilir.from.sh as a shared host, I believe. I found that vilir.from.sh and f0401710.xsph.ru have very close registration dates, which leads me to believe that the attacker is still using sprinthost.ru hosting with the IP 141.8.192.151.

Digging more, I found that xsph.ru has been seen around f0270405.xsph.ru, f0278019.xsph.ru, f0282314.xsph.ru, f0312640.xsph.ru and f0325563.xsph.ru. So I dug some more and found some interesting logins to the command center.

http://f0403892.xsph.ru/panel/admin.php
http://f0401354.xsph.ru/black/admin.php
http://f0401036.xsph.ru/panel/admin.php
http://f0400620.xsph.ru/dashboard/admin.php
http://f0386817.xsph.ru/32cd6120/login.php

I guess you could imagine what I was thinking. Yep, xsph.ru is hosting a criminal network with multiple HTTP botnets. After finding the logins I was intrigued, so I dug around and "BOOM", found out that xsph.ru is already on a watch list, which confirmed my suspicion of a cybercrime network with multiple actors.

I have contacted both domain controllers, 101domain and REGTIME-RU, along with the hosting company sprinthost.ru. So if the attacker is reading this, YOU JUST GOT YOUR ASS BUSTED!! Happy Hunting!!!

Domain: from.sh
Registrar: 101domain GRS Ltd
Registered On: 2008-07-24
Expires On: 2020-07-24
Updated On: 2019-07-01
Status: clientTransferProhibited
Name Servers: ns1.sprinthost.ru ns2.sprinthost.ru
Reverse DNS: 151.192.8.141.in-addr.arpa
Hostname: vilir.from.sh

Domain: xsph.ru
Registrar: REGTIME-RU
Registered On: 2008-07-30
Expires On: 2020-07-30
Status: REGISTERED, DELEGATED, VERIFIED
Name Servers: ns1.sprinthost.ru. ns2.sprinthost.ru. ns3.sprinthost.net. ns4.sprinthost.net.

Service scan

FTP - 21 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 3 of 50 allowed.
220-Local time is now 14:06. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 5 minutes of inactivity.
220 Logout.

SMTP - 25 220 vilir.from.sh
421 vilir.from.sh lost input connection

HTTP - 80 HTTP/1.1 404 Not Found
Server: openresty
Date: Mon, 24 Feb 2020 11:06:14 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Vary: Accept-Encoding
Vary: Accept-Encoding

POP3 - 110 +OK Dovecot ready.

IMAP - 143 * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN] Dovecot ready.

Excellent analysis, @MoNsTeR @MrRobot. I will also look into this.