Parsing System Info:
After unpacking the actual code of this malware, the first subroutine it executes resolves all the APIs it needs dynamically. It then gathers the information it needs to generate its unique mutex name: it reads the Machine GUID, Product Name, User Name and Computer Name of the infected machine and converts each of them to an ANSI string with the Delphi runtime routine LStrFromWStr.
figure 1 - the machine information parsed by Azorult
Hashing and Encrypting the Strings:
With those four system values in ANSI form, it hashes each one with the simple hashing algorithm shown in figure 3.
figure 2 - hashing the system info.
figure 3 - hashing algorithm
It then concatenates the four ANSI strings into one long string and hashes that to compute a fifth hash value.
figure 4 - concatenation of the system info. string
The five hash values are joined with a '-' (dash) delimiter, and the resulting string is used as the name in the call to CreateMutex.
figure 5 - adding delimiter for each hash value
figure 6 - create mutex
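The derivation above, reimplemented in Python as an added example (this is not code from the original post or from the Azorult sample). The per-string hash is modelled on the instruction sequence matched by the $code1 bytes in the YARA rule below (xor ecx, 6521458Ah; add ebx, ecx; ebx -= rol(ebx, 13); inc edx; dec eax). Everything the pattern does not show is an assumption and is labelled as such in the code: that ecx holds the current input byte before the xor, that the running state starts at zero, that each 32-bit hash is rendered as eight upper-case hex digits before the '-' join, and that the Machine GUID and Product Name come from their standard registry locations.

```python
"""Reconstruction of the Azorult mutex-name derivation described above.

Added example, not code from the original post or from the sample.
The per-string hash is modelled on the instruction sequence matched by
$code1 in the YARA rule:

    xor ecx, 6521458Ah      ; 81 F1 8A 45 21 65
    add ebx, ecx            ; 03 D9
    mov ecx, ebx / shl ecx, 13 / mov esi, ebx / shr esi, 19 / or ecx, esi
    sub ebx, ecx            ; ebx -= rol(ebx, 13)
    inc edx / dec eax       ; next byte, remaining count

ASSUMPTIONS (not shown on the page): ecx holds the current input byte
before the xor, the running state ebx starts at 0, and each 32-bit hash
is rendered as 8 upper-case hex digits before the '-' join.
"""
import os
import sys
from typing import List, Sequence, Tuple

MASK32 = 0xFFFFFFFF
XOR_CONST = 0x6521458A  # immediate operand from the $code1 byte pattern


def _rol32(value: int, count: int) -> int:
    """32-bit rotate left (the shl 13 | shr 19 pair in the sample's loop)."""
    return ((value << count) | (value >> (32 - count))) & MASK32


def simple_hash(data: bytes, seed: int = 0) -> int:
    """One pass of the reconstructed hash loop over `data`."""
    state = seed  # ebx; ASSUMPTION: starts at 0
    for byte in data:  # ASSUMPTION: ecx is loaded with the current byte
        state = (state + (byte ^ XOR_CONST)) & MASK32   # xor ecx,imm ; add ebx,ecx
        state = (state - _rol32(state, 13)) & MASK32    # sub ebx, rol(ebx,13)
    return state


def to_ansi(text: str) -> bytes:
    """Mimic LStrFromWStr: wide string -> ANSI (system code page) bytes.

    'mbcs' exists only on Windows; cp1252 is used elsewhere so the example
    runs offline on any platform.
    """
    try:
        return text.encode("mbcs")
    except LookupError:
        return text.encode("cp1252", errors="replace")


def hash_fields(fields: Sequence[bytes]) -> List[int]:
    """Per-field hashes followed by a fifth hash over their concatenation."""
    hashes = [simple_hash(f) for f in fields]
    hashes.append(simple_hash(b"".join(fields)))
    return hashes


def mutex_name(machine_guid: str, product_name: str,
               user_name: str, computer_name: str) -> str:
    """Build the candidate mutex name: five hashes joined by '-'."""
    fields = [to_ansi(v) for v in (machine_guid, product_name,
                                   user_name, computer_name)]
    return "-".join(f"{h:08X}" for h in hash_fields(fields))  # ASSUMPTION: hex


def collect_host_fields() -> Tuple[str, str, str, str]:
    """Read the four values from the local Windows host.

    ASSUMPTION: the standard registry locations of MachineGuid and
    ProductName are used; the post does not say how the sample reads them.
    """
    if sys.platform != "win32":
        raise OSError("host collection needs Windows")
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SOFTWARE\Microsoft\Cryptography") as key:
        machine_guid, _ = winreg.QueryValueEx(key, "MachineGuid")
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SOFTWARE\Microsoft\Windows NT\CurrentVersion") as key:
        product_name, _ = winreg.QueryValueEx(key, "ProductName")
    return (machine_guid, product_name,
            os.environ.get("USERNAME", ""), os.environ.get("COMPUTERNAME", ""))


# Constructed sample values (not from a real infection) for the offline run.
SAMPLE_FIELDS = ("4c4c4544-0035-4a10-8057-b1c04f4e3232",
                 "Windows 10 Pro", "user", "DESKTOP-LAB01")

if __name__ == "__main__":
    fields = collect_host_fields() if sys.platform == "win32" else SAMPLE_FIELDS
    print(mutex_name(*fields))
```

Run it on a Windows host to get the candidate name for that machine, or off-host with the constructed values. Because the byte load, the initial state and the output rendering are reconstructed rather than read from the page, compare the output with the mutex the sample actually creates in a sandbox (figure 6) before using the value in a hunt query.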
Simplified Process:
SHA1: 35aedeadde9f2ca077b0e4093d72334a57531a9a
MD5: b3bc031fef0d0c41fd26b308c8cbc620
SHA256: 3a65b5735981f636fbaf9cff05e78f933d10b5191209eb077d4a29210c23e739
https://www.virustotal.com/#/file/3a65b5735981f636fbaf9cff05e78f933d10b5191209eb077d4a29210c23e739/detection
Yara Rule:
import "pe"

rule azorult_win32_unpack {
    meta:
        author = "tccontre"
        description = "detecting azorult malware"
        date = "2019-01-23"
        sha256 = "ae75cd28bc2309f085f79bc8bd480e797b5e42f852c40a8cc733e1a51a7c5fa9"
    strings:
        $mz = { 4d 5a }
        $s1 = "FROM moz_places, moz_historyvisits WHERE" fullword
        $c0 = "\\accounts.xml" fullword wide
        $c1 = "PortNumber" fullword wide
        $c2 = "\\places.sqlite" fullword wide
        $code1 = { 81 F1 8A 45 21 65 03 D9 8B CB C1 E1 0D 8B F3 C1 EE 13 0B CE 2B D9 42 48 }
    condition:
        ($mz at 0) and all of ($s*) and 2 of ($c*) and all of ($code*)
}