Details
I started tracking this activity when I observed the encoded payload (f9ee2a922e43f7e080d14019a42d983004313499d2cb1fd3619d0d6eba417be1) that translates to the empty script, similar to the one in the Unit42 blog about the Aggah campaign (https://unit42.paloaltonetworks.com/aggah-campaign-bit-ly-blogspot-and-pastebin-used-for-c2-in-large-scale-campaign/).
It was interesting to see the detections for this script.
I observed that the Pastebin account belonged to HAGGA.
I began tracking the related URLs in VT and observed that a new script, 6415b77dd8ef17f29b7758994b8c3dec5bcfb096ebe9e59ec7e32ebcfc734ed5 (JS with encoded VBS), had been uploaded to some of the related links which previously hosted the self.close script.
I decoded 6415b.., debugged the VBS and observed that obfuscated PowerShell code gets executed.
After further debugging, we get the PowerShell script below.
This script checks for an internet connection by pinging Google and only runs if the ping succeeds.
The payloads downloaded from the two links below are obfuscated data that gets converted to PE files on the endpoint.
1) hxxps://pastebin[.]com/raw/f5P3Krsk
91b594c4bb8b47756b7b2456b7d567b4bede30e1f0258f674af42f1394f04c9a is downloaded, which deobfuscates to a DLL file:
e22d550423f05eb685ad060a71d58b306e31c473d2d0cacf5794ec424fd3f393
Import table hash: dae02f32a21e03ce65412f6e56942daa
This DLL is obfuscated with ConfuserEx v1.0.0 and is a code injector.
2) hxxps://pastebin[.]com/raw/Sh9rS6sy
ec623b38162bba0b68d307f2b8c7f5b11bddc40d5d12f76049afbb8de5aa01fb is downloaded, which decodes to e5094102e9c84fe312bd252fb618fba77a9b9aafc924f5462774b1dd915ecb88; this is Azorult.
Import table hash: 6d1f2b41411eacafcf447fc002d8cb00
This sample is written in Borland Delphi, and its information-stealing capability is visible upon analysis. The sample tries to steal data associated with multiple cryptocurrency wallets, browser information, Steam, Telegram, Skype, etc.
Upon analysis we can see that the sample initiates a C2 connection by sending a POST request to hxxp://216[.]170[.]126[.]146/done/index[.]php
The sample also creates the directory %AppData%\Local\Temp\2fda and dumps multiple DLLs (from the C2) there. It also tries to determine the country of the infected machine by connecting to hxxp://ip-api[.]com. The sample deletes itself after infecting.
I'm not going into the details of the analysis of this sample here.
Note: Azorult was observed during the 4th week of September 2019; this link is down now.
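As an added example (not code from the original post), a small Python detector that correlates the network behaviour described above over constructed proxy log lines: a Pastebin raw fetch followed shortly by an ip-api.com lookup, or a POST to the C2 path. The log format, client IPs and the 10-minute window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed proxy log lines (not from the original post): "<ts> <client> <method> <url>"
SAMPLE_LOG = """\
2019-09-24T10:01:02Z 10.0.0.5 GET https://pastebin.com/raw/f5P3Krsk
2019-09-24T10:01:09Z 10.0.0.5 GET http://ip-api.com/json
2019-09-24T10:01:10Z 10.0.0.5 POST http://216.170.126.146/done/index.php
2019-09-24T10:05:00Z 10.0.0.7 GET https://pastebin.com/raw/someotherpaste
2019-09-24T11:00:00Z 10.0.0.9 GET https://pastebin.com/raw/b6n6bvkq
2019-09-24T11:30:00Z 10.0.0.9 GET http://ip-api.com/json
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+)$")

# Stages of the chain described above: staged payload fetch, geolocation lookup, C2 check-in.
STAGES = [
    ("pastebin_raw", "GET",  re.compile(r"^https?://pastebin\.com/raw/", re.I)),
    ("geo_lookup",   "GET",  re.compile(r"^https?://ip-api\.com/", re.I)),
    ("c2_post",      "POST", re.compile(r"^http://216\.170\.126\.146/done/index\.php$")),
]

def parse_log(text):
    """Yield (timestamp, client, stage) for lines matching a known stage; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip rather than crash
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        for name, method, pat in STAGES:
            if m.group(3) == method and pat.search(m.group(4)):
                yield ts, m.group(2), name
                break

def detect_chain(text, window=timedelta(minutes=10)):
    """high: any POST to the known C2 URL; medium: pastebin raw fetch then ip-api lookup within window."""
    hits = {}
    for ts, client, stage in parse_log(text):
        hits.setdefault(client, []).append((ts, stage))
    alerts = {}
    for client, events in hits.items():
        events.sort()
        stages = [s for _, s in events]
        if "c2_post" in stages:
            alerts[client] = ("high", stages)
            continue
        fetches = [t for t, s in events if s == "pastebin_raw"]
        lookups = [t for t, s in events if s == "geo_lookup"]
        if any(timedelta(0) <= g - f <= window for f in fetches for g in lookups):
            alerts[client] = ("medium", stages)
    return alerts
```

A lone Pastebin raw fetch (10.0.0.7) is not alerted on, and the 10.0.0.9 pair falls outside the default window; tune the window to your environment.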
IOCs
Hashes:
6415b77dd8ef17f29b7758994b8c3dec5bcfb096ebe9e59ec7e32ebcfc734ed5 (Script)
e22d550423f05eb685ad060a71d58b306e31c473d2d0cacf5794ec424fd3f393 (DLL)
e5094102e9c84fe312bd252fb618fba77a9b9aafc924f5462774b1dd915ecb88 (PE)