OP 25 November, 2019 - 05:56 AM
(This post was last modified: 30 November, 2019 - 04:10 AM by agcash6. Edit Reason: updated download link)
Azorult 3.3 & Cracked (PERSONAL USE ONLY)
Azorult v3.3
The above states the following improvements and features:
[+] Added support for stealing the following wallet credentials: BitcoinGold, electrumG, btcprivate (electrum-btcp), bitcore, Exodus Eden
[+] Cryptocurrency wallet’s stealer component has been improved.
[+] The loader component was fixed and improved, allowing bat files to be loaded and executed with no errors
[+] Lowered AV detection rate, increased successful installation rate
[+] Slight improvement in admin panel’s performance
Comparison to previous versions
In version 3.2, the C&C domain name was xored with a hardcoded key and then encoded with base64. The current version 3.3 shows a new encryption method to obfuscate the domain name. The script for decryption of the domain’s string can be found in the Appendix below.
Every version of Azorult has a unique xor key for its connection method to the C&C. In version 3.3 the connection key is: [0x3, 0x55, 0xae]. Moreover, every version's connection message contains a prefix (‘getcfg=’ in version 3.1 and ‘G’ in version 3.2) prepended to the id hash before xoring with the connection key. The prefix in version 3.3 is the connection key, which makes the connection message sent to the C&C start with 3 zero bytes.
Figure 2: adding connection key as prefix.
Azorult’s C&C server response is divided into 3 parts separated by tags:
<c></c> – the configuration part, encoded with base64
<n></n> – DLLs that Azorult copies to a new directory it creates under the %TEMP% folder. The name of the new directory is unique for every version of Azorult (‘1M0’ in version 3.1 and ‘2fda’ in version 3.2). In the new version, the name of the directory is generated based on the id hash of the victim’s computer. Therefore, the name of the directory will be different for every victim.
The algorithm for generating the directory name is as follows:
Id_hash = hash_func(guid)-hash_func(product_name)-hash_func(user_name)-hash_func(computer_name)-hash_func(guid+product_name+user_name+computer_name)
Directory_name = hash_func(hash_func(Id_hash))
The particular implementation of the hash_func method is outlined in a script, which appears in the Appendix below.
<d></d> – names of application paths that Azorult harvests data from. In version 3.3,
Please leave feedback
If it is determined that anything posted is used for malicious purposes, all threads will be deleted and future ones will stop.
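A detection-side sketch of the version 3.3 check-in layout described above, added here as an example and not part of the original post or of any vendor's tooling. It assumes the connection key is applied as a repeating XOR and that the dashes in Id_hash are literal separators between five hash strings; the sample id hash and request bodies are constructed.

```python
CONNECTION_KEY = bytes([0x03, 0x55, 0xAE])  # v3.3 connection key quoted in the post


def xor_cycle(data: bytes, key: bytes = CONNECTION_KEY) -> bytes:
    """Repeating-key XOR (assumption: the key is applied cyclically)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def classify_checkin(body: bytes) -> dict:
    """Inspect a captured HTTP POST body for the v3.3 check-in layout."""
    result = {"zero_prefix": False, "id_hash": None, "match": False}
    klen = len(CONNECTION_KEY)
    # The key XORed with itself yields the 3 leading zero bytes the post mentions.
    if len(body) <= klen or body[:klen] != bytes(klen):
        return result
    result["zero_prefix"] = True
    plain = xor_cycle(body)
    try:
        id_hash = plain[klen:].decode("ascii")
    except UnicodeDecodeError:
        return result  # decoded payload is not text, so not an id hash
    fields = id_hash.split("-")
    # Assumption: Id_hash is five non-empty hash strings joined by literal dashes.
    if len(fields) == 5 and all(f.isalnum() for f in fields):
        result["id_hash"] = id_hash
        result["match"] = True
    return result


# Constructed samples (not captured traffic).
SAMPLE_ID = "1A2B3C4D-5E6F7A8B-9C0D1E2F-3A4B5C6D-7E8F9A0B"
SAMPLE_CHECKIN = xor_cycle(CONNECTION_KEY + SAMPLE_ID.encode("ascii"))
BENIGN_BODY = b"user=alice&lang=en"
ZEROS_ONLY = bytes(8)  # zero prefix present, but payload is not an id hash

if __name__ == "__main__":
    for name, body in [("checkin", SAMPLE_CHECKIN),
                       ("benign", BENIGN_BODY),
                       ("zeros", ZEROS_ONLY)]:
        print(name, classify_checkin(body))
```

The zero-prefix test alone is a weak signal; requiring the decoded five-field id hash as well keeps bodies that merely begin with null bytes from matching.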