Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now
Webinar
February 26
Better SOC with Interactive Sandbox Practical Use Cases
Register now
26
Global rank
51 infographic chevron month
Month rank
27 infographic chevron week
Week rank
0
IOCs

AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat.

Stealer
Type
ex-USSR
Origin
1 January, 2016
First seen
25 March, 2025
Last seen
Also known as
PuffStealer
Rultazo

How to analyze Azorult with ANY.RUN

Type
ex-USSR
Origin
1 January, 2016
First seen
25 March, 2025
Last seen

IOCs

IP addresses
172.67.152.15
162.240.230.249
23.229.191.64
192.119.110.244
104.171.121.51
104.152.185.198
178.216.50.18
209.61.195.213
149.56.173.78
5.188.231.99
37.72.175.157
185.29.11.60
46.183.220.70
185.29.10.12
94.156.65.101
46.183.223.7
51.15.208.114
185.28.39.18
185.43.220.19
185.178.45.193
Domains
myhostiger.ug
diamotrix.world
anastaf4.beget.tech
anakonda.site
work.wrklantc.in
karahook.000webhostapp.com
patatas.ac.ug
tralapum.tk
dbxq1.shop
poatiti.ug
dbxo.shop
parcelinn.com
gqc4.shop
logt0.shop
b2i1.shop
darkmago.ac.ug
dbxk.shop
taliz-group.shop
podologie-werne.de
m9re1.shop
URLs
http://j4b2.icu/TL341/index.php
http://broadwayanimalhospital.ca/wp-blog/index.php
http://gd53.cfd/TL341/index.php
http://5gw4d.xyz/PL341/index.php
http://k1d5.icu/TP341/index.php
http://87.106.100.210:6001/index.php
http://0x21.in:8000/_az/
http://zmxzm.com/index.php
http://176.10.119.115/7yhnm434/panel/admin.php
http://parcelinn.com/wp-content/images/index.php
http://parcelinn.com/cgi-sys/suspendedpage.cgi
http://kb1u.icu/GI341/index.php
http://stug.xyz/index.php
http://ls14.icu/HK341/index.php
http://51.15.142.235/1/3D890117-1CEB-4558-BA94-0C64E21A9504/index.php
http://51.15.241.168/AED77D05-A028-477C-B013-04F33F1385C3/index.php
http://upqx.ru/1210776429.php
http://upqx.ru/favicon.ico
http://195.245.112.115/index.php
http://savacons.com/wp-az/index.php
Last Seen at

Recent blog posts

post image
TI Lookup Named Best Threat Intelligence Serv...
watchers 387
comments 0
post image
Decoding a Malware Analyst: Essential Skills...
watchers 447
comments 0
post image
Expose Android Malware in Seconds: ANY.RUN Sa...
watchers 3026
comments 0

What is AZORult malware?

AZORult is an information stealer malware that is targeted at stealing credentials and accounts. Updated multiple times over the years, AZORult continues to be an active concern for the users, stealing information such as banking passwords, credit card details, browser histories, and even cryptocurrency.

AZORult stealer was discovered, analyzed, and documented for the first time on July 26, 2016, by Proofpoint researchers. At the time, the virus was distributed together with another trojan called Chthonic. However, subsequent spam email campaigns started distributing AZORult as the main payload while Hermes and Aurora ransomware were added as additional payloads. A new strain of the stealer Trojan was documented In July 2018. The analysis revealed that it brought several upgrades to the functions of both the stealer and the loader of the virus, additionally allowing to distribute AZORult with the RIG exploit kit. The latest recorded version of the malware is v3.3. This strain was first documented in October 2018. Most notably, this strain updated a way of encrypting the C&C domain string and improved crypto-stealing function.

General description of AZORult malware

A trojan type malware originated in one of the ex-USSR countries. AZORult spyware searches for useful information on the affected computer and sends it to the C2 server to potentially steal the victim’s bank account data. AZORult can steal cookies, browser autofill information, desktop files, chat history, and more.

Interestingly, to get into a machine, the virus, in some cases, requires secondary malware like HawkEye or Seamless. Notably, after every bit of useful data is obtained in campaigns with Hermes and Aurora, user files are encrypted, and a ransom is requested to restore the lost data.

One of the interesting features of AZORult is that after execution, the malware is removed from the system due to the lack of a persistence mechanism.

Malware analysis of AZORult

ANY.RUN displays the execution process of AZORult in an interactive virtual environment. As shown by the sandbox simulation, the virus launches the following process during its execution:

  • Firstly, a Microsoft Office file opened, and WINWORD.EXE with enable macros is executed;
  • The malware runs EQNEDT32.EXE and downloads a malicious executable through the exploitation of the CVE-2017-11882 Microsoft Office Equation Editor vulnerability;
  • A kendriknk8523.exe file is then launched, which after a sleep create child process with same name;
  • A child process then proceeds to steal the personal data and connect to the CnC server.

The execution process of AZORult can be viewed in more detail in the video provided by ANY.RUN sandbox.

azorult execution process tree

Figure 1: Illustrates the life cycle of malware. Process tree generated by ANY.RUN

How to avoid infection by AZORult?

AZORult is distributed mainly using spam email campaigns or via the RIG exploit kit. Notably, a major AZORult distribution campaign was observed on July 18, 2018, targeting North America.

Spam emails that the attackers sent carried largely employment-related subjects and included an infected and password-protected resume file that triggered the download of the virus.

AZORult malware execution process

text report of the azorult malware analysis

Figure 2: A text report generated by ANY.RUN

AZORult stealer uses a clever technique to trick various antivirus engines. Particularly, the version of the stealer Trojan distributed in the July 2018 spam campaign was activated after unlocking a password-protected document. Since a password protected the document that was attached to the email, antiviruses had not been able to scan it and determine whether it was malicious or not. For the virus to become active, the victim had to unlock and enable macros for the document. In this particular campaign, the malware was distributed with two payloads embedded in the main binary. Both payloads were dropped to the disk and executed, with the first executable payload being the information gatherer – AZORult itself and then the secondary ransomware.

It should be noted that in aforecited ANY.RUN simulation AZORult uses an exploit when a Microsoft Office file is opened, allowing to embed several malicious OLE objects into a document and executes arbitrary code on a machine, and even download any file from a remote server and execute it.

How to share your AZORult malware analysis with others?

If you want to share your virus analysis with others, you can create a text report and send it to anyone you want. Just click the "Text report" button. You can save it by using a printer icon in the upper-right corner of the report, or using your browser function by clicking the "Save page as..." or "Print..." buttons. You can also download or share other malware investigations, for example Adwind or Remcos. Note that you can choose that information section in your report you want to print or save into a file using the "Print..." button by clicking in the checkbox "Add for printing" on the right side of the sections. On the illustration below, the second section won't be included in the report.

text report for azorult Figure 3: Text report

Conclusion

AZORult remains to be a hazardous trojan. The stealer Trojan has been upgraded throughout its lifespan and currently poses even more dangers than during the first days of its lifespan. Particularly, most recent versions of AZORult are distributed in bundles with ransomware and can steal cryptocurrency from the victims.

AZORult's distribution in clever email campaigns makes becoming a victim of the stealer Trojan by accident relatively easy. The interactive sandbox analysis provided by services like ANY.RUN is a great way to learn more about the threat and greatly increase cybersecurity.

HAVE A LOOK AT

Balada Injector screenshot
Balada Injector is a long-running malware campaign that targets WordPress websites by exploiting vulnerabilities in plugins and themes. The attackers inject malicious code into compromised sites, leading to unauthorized redirects, data theft, and the creation of [backdoors](https://any.run/malware-trends/backdoor) for persistent access. The campaign operates in waves, with spikes in activity observed every few weeks, continually adapting to exploit newly discovered vulnerabilities.
Read More
Arechclient2 screenshot
Arechclient2
arechclient2
The Arechclient2 malware is a sophisticated .NET-based Remote Access Trojan (RAT) that collects sensitive information, such as browser credentials, from infected computers. It employs various stealth techniques, including Base64 encoding to obscure its code and the ability to pause activities to evade automated security tools. The malware also can adjust Windows Defender settings and uses code injection to manipulate legitimate processes.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Ransomware screenshot
Ransomware
ransomware
Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.
Read More
Quasar RAT screenshot
Quasar RAT
quasar trojan rat
Quasar is a very popular RAT in the world thanks to its code being available in open-source. This malware can be used to control the victim’s computer remotely.
Read More
Remcos screenshot
Remcos
remcos trojan rat stealer
Remcos is a RAT type malware that attackers use to perform actions on infected machines remotely. This malware is extremely actively caped up to date with updates coming out almost every single month.
Read More