{
	"id": "cfd3d83c-a6f1-4e73-82c6-e51b1c7d3dc4",
	"created_at": "2026-04-06T00:22:32.655062Z",
	"updated_at": "2026-04-10T03:21:57.497241Z",
	"deleted_at": null,
	"sha1_hash": "20f75badaa04bcac0c13ed2d0cbcb1e7bd305acf",
	"title": "AZORult Trojan Serving Aurora Ransomware by MalActor Oktropys",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3170505,
	"plain_text": "AZORult Trojan Serving Aurora Ransomware by MalActor Oktropys\r\nBy Vishal Thakur\r\nPublished: 2018-08-18 · Archived: 2026-04-05 15:16:07 UTC\r\nThis is a guest post from Vishal Thakur, a Security Incident Handler, APAC CSIRT for Salesforce. In this article Thakur takes a deep dive into the technical aspects of a new AZORult variant that was found globally targeting computers. Those infected would have the Aurora Ransomware installed as well as an information-stealing Trojan.\r\nFor those who are interested in a step-by-step look at the reverse engineering of a malware sample, you will find this post very interesting.\r\nTowards the end of July 2018, we saw a new version of the AZORult trojan being used in malware campaigns targeting computers globally. In this article, we will dive into the malware and analyze its execution flow and payloads.\r\nThe initial infection vector is a phishing email that comes with a downloader malware attached. On execution, it downloads and executes the main malware.\r\nThis version of the malware comes with two payloads. These are embedded in the main binary and are simply dropped on to the disk and executed. The first payload to be executed is an information stealer that targets local accounts, browsers, saved credentials etc. (this is the AZORult part). The second payload is the Aurora ransomware.\r\nhttps://www.bleepingcomputer.com/news/security/azorult-trojan-serving-aurora-ransomware-by-malactor-oktropys/\r\nPage 1 of 17\r\nWe also identified the MalActor “Oktropys” running the Aurora ransomware campaign in this case.\r\nThe main goal of this article is to analyze the malware from an incident response/threat neutralization point of view. 
We will try to understand the code structure and see if we are able to extract some useful IOCs from the binaries.\r\nAnalyzing the dropper\r\nLet’s start the analysis by looking at the main binary. As stated earlier, this binary comes with the payloads embedded. You can simply extract these payloads by un-archiving the PE.\r\nTo unarchive the binary, we use the 7-Zip program as shown below.\r\nAs you can see, we were able to dump the archived data into a folder. Step into the folder two levels and you’ll find the extracted folders:\r\nStep into the folder $1\r\nNow we step into the folder 1337 and find the embedded payloads:\r\nNow, instead of getting to the payloads directly, we’ll follow the malware execution and see how it is using these embedded payloads.\r\nLet’s start by taking a look at the main dropper. On execution, it loads a number of modules that you can see in the image below.\r\nA complete list of all modules loaded on execution\r\nNow we’ll have a look at the interesting modules and their functions that are called on by the malware.\r\nAs pointed out earlier, the malware drops two payloads. The first one to be dropped on execution is AU3_EXE_2018-07-18_23-01.exe.\r\nAs you can see in the image below, the function CreateFileA is used to create the file before the process is launched.\r\nThe next step is to create the process:\r\nOnce the process is ready, it’s time to launch it by execution:\r\nAs you can see in the image below, the process has now been launched.\r\nThe next step for the malware is to move on to the next payload. 
It follows a similar flow to create and launch the second payload.\r\nIt calls on the function CreateProcess:\r\nNext, it calls CreateProcessInternal, which will launch the process:\r\nAnd in the image below you can see the second payload has now been launched.\r\nBoth malicious processes launched\r\nNow that we know how the main binary loads and executes these payloads, it’s time to get into the payloads and analyze them separately.\r\nPayload #1: AZORult Stealer\r\nIn this section, we’ll take a look at the first payload, which is the AZORult Stealer. Let’s start by listing the modules that are loaded by the malware and then picking the ones that are of interest to us.\r\nA complete list of modules loaded by the malware on successful execution\r\nNote that the above list of modules is the complete list and is only available after the process has loaded completely. As we start the analysis, this list should be considerably shorter.\r\nThe malware extracts some important information about the victim's computer. This information is then sent to the malware's C2.\r\nHere’s an example of the function GetUserName:\r\nAmong other things, the malware also tries to steal browser login data. The images below show you the function call and stack values. We’ll look at some other information that is targeted later in the article.\r\nIn order to connect to the C2, the process will now call on the function InternetConnectURL and we should be able to see the URL value being passed on to the stack. 
We can capture this IOC at this point:\r\nThe next step is to canonicalize the URL so that it can be used over the wire for establishing a connection to the C2:\r\nThe next step is to call the proxy functions before the connection call is made. InternetInitializeAutoProxyDll refreshes the internal state of proxy configuration information from the registry.\r\nNow let’s take a quick look into the crypto functions that are called to encrypt the data before it is sent back to the C2.\r\nThe malware uses a couple of Crypto functions, but the code seems to be incomplete as some major functions are not called/executed. No hash is generated/duplicated, the actual CryptEncrypt function is not called, the key is not destroyed in the end and the context is not released. The crypto functions can still be executed the way they have been implemented in the code but cannot be re-used without problems. It’ll be interesting to see if the authors are trying to move towards full AES encryption for future releases as we saw in the case of Emotet.\r\nCryptAcquireContext\r\nThis function is called on to get the cryptographic service provider (CSP).\r\nThe provider is returned and passed on to the stack as a variable:\r\nThe returned value is dumped into the memory space:\r\nCryptGenRandom\r\nNow, the next function, CryptGenRandom, is called so that a random key can be generated.\r\nThe networking information is now passed on to the stack and then dumped into the memory space. 
Please note that the data is in the little-endian format.\r\nLittle Endian\r\nThe malware also reads through the cookies that are available on the disk:\r\nLocation where the cookies are stored\r\nExample of the bing.com cookie being accessed:\r\nThe malware now tries to send data back to the C2 using a POST request. This is how that request is constructed:\r\nThe values are passed into memory, step by step, using the ‘memcpy’ function:\r\nAnd here’s the final request:\r\nThe C2 responds with a base64-encoded string that outlines the information that the malware tries to steal (Browsers, filePaths, fileNames etc.).\r\nRemarks\r\nThe malware comes with loads of DLLs that are dumped in the directory:\r\nC:\\Users\\Administrator\\AppData\\Local\\Temp\\2fda\r\nAfter successful execution, the process spawns a cmd.exe, which in turn spawns a timeout.exe. Both of these processes are benign.\r\nProcess flow after initial execution\r\nPayload #2: Aurora Ransomware\r\nThe second payload dropped by the malware dropper is the Aurora ransomware. Upon successful execution, it encrypts data on the victim’s computer and directs the victim to pay $150 using bitcoins.\r\nThe malware is a very basic ransomware and for that reason, we’ll only analyze the networking functions and try to get the IOC from them.\r\nWhen executed, here is a list of modules loaded by this malware:\r\nThis ransomware is geo-targeted, or at least it has that functionality built into it. To perform geolocation it attempts to connect to a geo-location site and get the location of the victim computer. 
Here’s the call that is made for this purpose:\r\nAnd the script that runs on the server:\r\nThis script reaches out to MaxMind in the background and gets the geo-location of the victim computer. Here’s how that actually works:\r\nAt this time it looks like the MalActor is avoiding infections in Russia based on the geo-result from the above functionality.\r\nAnd here’s the C2 information for the Aurora Ransomware:\r\nConnection Initiation\r\nC2 Connection\r\nNow let’s take a quick look at the connections that are made to the C2 and how the information is passed in both directions.\r\nThe server uses a PHP script to generate a one-time public key, which is then used to encrypt the files on the disk. This key is created based on a computer ID that is generated from the local information extracted from the computer.\r\nThis malware uses ws2_32.dll for all networking operations. Look at the image below to see how the connection is constructed:\r\nFirst the event is created:\r\nThe next step is to load it in memory:\r\nIP passed on to the stack\r\nC2 IP loaded into the memory, ready to be passed into the registers\r\nNow, the request is ready to be sent to the C2:\r\nAnd here’s the result with the generated key:\r\nNext, let’s take a look at the actual encryption process. As you can see in the image below, the data is loaded into memory, then written to the files (over-written) to encrypt them:\r\nBelow is an example of a file in the process of being encrypted. 
This was achieved by inserting interrupts on the function “memcpy” and then executing the process:\r\nAnd finally, this is the ransom note being written to the disk as a txt file:\r\nThe ransom being asked by this MalActor is $150. Here’s the ransom note:\r\nAurora Ransom Note\r\nWe were able to get to the admin panel of the campaign, which is the back-end for the Aurora ransomware. In this campaign, we can see that the MalActor running the campaign is someone called \"Oktropys\", who has been seen running ransomware campaigns in the past and has been quoted as ‘Oktropys ransomware’ in some publications, which is not completely accurate.\r\nAt this time there have been two transactions on the associated wallet.\r\nConclusion\r\nThe AZORult trojan has been around for quite some time and has been successfully used by criminals to steal critical personal information from their victims. The stolen passwords have been used widely to gain unauthorized access to bank accounts, email accounts and other online applications.\r\nThis new version is another example of malware authors bundling in different payloads to maximize the returns. 
In this case, they have included a ransomware and are asking for $150 for the decryption key, which is being managed by MalActor Oktropys.\r\nThe initial vector for this infection is an email campaign that comes with a downloader (macro-based) that, on execution, downloads the malicious binary, which in turn drops two malware payloads and infects the victim computers.\r\nIOC\r\nNetwork Traffic:\r\nhxxp://5.8.88[.]25/info.php - ransomware\r\nhxxp://lulaaura[.]top/index.php - stealer\r\nHASHES\r\nMain Dropper: 09ffaa1523fbdceb7c0e6fa2be7221c161b5499dd45fc5dd4c210425fb333427\r\nStealer: 5151d9245858f3e28fa45f696421a49307436808d3ec18ff9e36f7876b0696d3\r\nRansomware: 41d35a960b3f28b1a729cdae920573de3ccefef7fdd3bbdb9d3ce729b6aa5277\r\nSource: https://www.bleepingcomputer.com/news/security/azorult-trojan-serving-aurora-ransomware-by-malactor-oktropys/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/azorult-trojan-serving-aurora-ransomware-by-malactor-oktropys/"
	],
	"report_names": [
		"azorult-trojan-serving-aurora-ransomware-by-malactor-oktropys"
	],
	"threat_actors": [],
	"ts_created_at": 1775434952,
	"ts_updated_at": 1775791317,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/20f75badaa04bcac0c13ed2d0cbcb1e7bd305acf.pdf",
		"text": "https://archive.orkl.eu/20f75badaa04bcac0c13ed2d0cbcb1e7bd305acf.txt",
		"img": "https://archive.orkl.eu/20f75badaa04bcac0c13ed2d0cbcb1e7bd305acf.jpg"
	}
}