Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now
Webinar
February 26
Better SOC with Interactive Sandbox Practical Use Cases
Register now
29
Global rank
92 infographic chevron month
Month rank
99 infographic chevron week
Week rank
0
IOCs

AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat.

Stealer
Type
ex-USSR
Origin
1 January, 2016
First seen
24 September, 2025
Last seen
Also known as
PuffStealer
Rultazo

How to analyze Azorult with ANY.RUN

Type
ex-USSR
Origin
1 January, 2016
First seen
24 September, 2025
Last seen

IOCs

IP addresses
172.67.152.15
23.229.191.64
192.119.110.244
38.68.47.61
194.147.142.232
139.162.75.17
70.35.200.77
194.5.177.120
188.68.208.172
203.159.80.91
51.68.178.28
45.76.167.250
107.189.10.150
18.197.52.125
13.127.215.254
23.83.134.109
193.247.144.166
51.75.30.200
66.151.174.10
23.106.124.196
Hashes
90c467200110d06bb87d305adc23811c4a311ac7eef97a6fda38bf77d8e55cc4
552694bf4ba6757a70bceab4e4e446c6b6fdd26fac5aaa45390a08e72d1f45f6
5d396ddb65bcde0d5c45425d327ab1608b2b7579ac38b3fb4b0e4d14bfa66430
ce739d824f1d6ab398bd7e84c2a23a986ac02f9aea35b15bf9bed16bc05c44dd
4f635247e7b91b2ab53fee1a679785175ee709424deb1e10595aa74410c9a72b
ee0f914953c77d22365c0ae6a02e93eb5bfc55c5bee13149aa50a2acb2a2095d
07649626c93f7f802fcd37139a96212ffe2c2bea78cfb1f896bf94f859d800da
0591dc9e9530e44635a75ee9988b8745418c98a10a765220e38d45bda53103aa
a7644aba8dc0bfdc49829b77b36cf30ea9be628272982efd6026427e92e28f08
bd295e39fce548cdccce3b3d07e5a339f5cdc4f873474977e1c6abf8b828d5d9
dd214f63941c26a9adb4bc43cbb4af27fca9554fe68459ac4a7d95e7676493e3
fe1b4c61d1b55965a4110b896daec0051ebca266c20c8f75d839e42b03587ec4
f464971f202fb14a882785e5452565e43a661e082cf346118d3964b41519d1ed
b73019268d92907ce1ec54cdbe2c67fdf4d0418360bf5dfcbce64ec3a9777751
fe7923ae96944495438303d84d1c084b199ff6c2c512955383c44fbbece7106a
c518f28c30dff3dc82484cb3af71285c4ae95a29416ea54213d6f2096cfc3b72
a8f02fc25974d1419bdb502b80804d2cd7c5d2af2ac05660f2ec3ae01fc52bd4
4b596d782915d44deed5882f59ebd83d0a72743006fc05ce02efe0c77e980b83
94c1905055fcdaf75b65e98667ceb58e8c629aaeddda9e0bb6522d351bf4576f
fe2a8feb0ecd163115d28be80cf4212321de4bd03c7f88e611fbdf8a6551ba2f
Domains
xvcvxcxf.ru
marsksfdgdf.ug
otsosukadzima.com
workerjob.ru
onegreatsaver.com
sslserv.duckdns.org
newsofday1.site
babillonngloball.xyz
sendi118.hostlife.link
netmansoft.com
anastaf4.beget.tech
anakonda.site
work.wrklantc.in
karahook.000webhostapp.com
patatas.ac.ug
tralapum.tk
dbxq1.shop
poatiti.ug
dbxo.shop
parcelinn.com
URLs
http://pretorian.ug/msvcp140.dll
http://sergui.ac.ug/ghjk.exe
http://pretorian.ug/softokn3.dll
http://pretorian.ug/nss3.dll
http://pretorian.ug/vcruntime140.dll
http://underdohag.ac.ug/index.php
http://pretorian.ug/main.php
http://pretorian.ug/sqlite3.dll
http://pretorian.ug/freebl3.dll
http://hubvera.ac.ug/ghjk.exe
http://mastitisa.ac.ug/ghjkl.exe
http://pretorian.ug/mozglue.dll
http://pretorian.ug/
http://kode.ac.ug/ghjk.exe
http://prepepe.ac.ug/softokn3.dll
http://prepepe.ac.ug/msvcp140.dll
http://prepepe.ac.ug/sqlite3.dll
http://prepepe.ac.ug/mozglue.dll
http://pretorian.ac.ug/index.php
http://prepepe.ac.ug/vcruntime140.dll
Last Seen at
Last Seen at

Recent blog posts

post image
ANY.RUN Sandbox & Microsoft Sentinel: Les...
watchers 411
comments 0
post image
Fighting Telecom Cyberattacks: Investigating...
watchers 1808
comments 0
post image
Efficient SOC: How to Detect and Solve Incide...
watchers 912
comments 0

What is AZORult malware?

AZORult is an information stealer malware that is targeted at stealing credentials and accounts. Updated multiple times over the years, AZORult continues to be an active concern for the users, stealing information such as banking passwords, credit card details, browser histories, and even cryptocurrency.

AZORult stealer was discovered, analyzed, and documented for the first time on July 26, 2016, by Proofpoint researchers. At the time, the virus was distributed together with another trojan called Chthonic. However, subsequent spam email campaigns started distributing AZORult as the main payload while Hermes and Aurora ransomware were added as additional payloads. A new strain of the stealer Trojan was documented In July 2018. The analysis revealed that it brought several upgrades to the functions of both the stealer and the loader of the virus, additionally allowing to distribute AZORult with the RIG exploit kit. The latest recorded version of the malware is v3.3. This strain was first documented in October 2018. Most notably, this strain updated a way of encrypting the C&C domain string and improved crypto-stealing function.

General description of AZORult malware

A trojan type malware originated in one of the ex-USSR countries. AZORult spyware searches for useful information on the affected computer and sends it to the C2 server to potentially steal the victim’s bank account data. AZORult can steal cookies, browser autofill information, desktop files, chat history, and more.

Interestingly, to get into a machine, the virus, in some cases, requires secondary malware like HawkEye or Seamless. Notably, after every bit of useful data is obtained in campaigns with Hermes and Aurora, user files are encrypted, and a ransom is requested to restore the lost data.

One of the interesting features of AZORult is that after execution, the malware is removed from the system due to the lack of a persistence mechanism.

Malware analysis of AZORult

ANY.RUN displays the execution process of AZORult in an interactive virtual environment. As shown by the sandbox simulation, the virus launches the following process during its execution:

  • Firstly, a Microsoft Office file opened, and WINWORD.EXE with enable macros is executed;
  • The malware runs EQNEDT32.EXE and downloads a malicious executable through the exploitation of the CVE-2017-11882 Microsoft Office Equation Editor vulnerability;
  • A kendriknk8523.exe file is then launched, which after a sleep create child process with same name;
  • A child process then proceeds to steal the personal data and connect to the CnC server.

The execution process of AZORult can be viewed in more detail in the video provided by ANY.RUN sandbox.

azorult execution process tree

Figure 1: Illustrates the life cycle of malware. Process tree generated by ANY.RUN

How to avoid infection by AZORult?

AZORult is distributed mainly using spam email campaigns or via the RIG exploit kit. Notably, a major AZORult distribution campaign was observed on July 18, 2018, targeting North America.

Spam emails that the attackers sent carried largely employment-related subjects and included an infected and password-protected resume file that triggered the download of the virus.

AZORult malware execution process

text report of the azorult malware analysis

Figure 2: A text report generated by ANY.RUN

AZORult stealer uses a clever technique to trick various antivirus engines. Particularly, the version of the stealer Trojan distributed in the July 2018 spam campaign was activated after unlocking a password-protected document. Since a password protected the document that was attached to the email, antiviruses had not been able to scan it and determine whether it was malicious or not. For the virus to become active, the victim had to unlock and enable macros for the document. In this particular campaign, the malware was distributed with two payloads embedded in the main binary. Both payloads were dropped to the disk and executed, with the first executable payload being the information gatherer – AZORult itself and then the secondary ransomware.

It should be noted that in aforecited ANY.RUN simulation AZORult uses an exploit when a Microsoft Office file is opened, allowing to embed several malicious OLE objects into a document and executes arbitrary code on a machine, and even download any file from a remote server and execute it.

How to share your AZORult malware analysis with others?

If you want to share your virus analysis with others, you can create a text report and send it to anyone you want. Just click the "Text report" button. You can save it by using a printer icon in the upper-right corner of the report, or using your browser function by clicking the "Save page as..." or "Print..." buttons. You can also download or share other malware investigations, for example Adwind or Remcos. Note that you can choose that information section in your report you want to print or save into a file using the "Print..." button by clicking in the checkbox "Add for printing" on the right side of the sections. On the illustration below, the second section won't be included in the report.

text report for azorult Figure 3: Text report

Conclusion

AZORult remains to be a hazardous trojan. The stealer Trojan has been upgraded throughout its lifespan and currently poses even more dangers than during the first days of its lifespan. Particularly, most recent versions of AZORult are distributed in bundles with ransomware and can steal cryptocurrency from the victims.

AZORult's distribution in clever email campaigns makes becoming a victim of the stealer Trojan by accident relatively easy. The interactive sandbox analysis provided by services like ANY.RUN is a great way to learn more about the threat and greatly increase cybersecurity.

HAVE A LOOK AT

GuLoader screenshot
GuLoader
guloader
GuLoader is an advanced downloader written in shellcode. It’s used by criminals to distribute other malware, notably trojans, on a large scale. It’s infamous for using anti-detection and anti-analysis capabilities.
Read More
Cactus Ransomware screenshot
Cactus ransomware-as-a-service (RaaS) was first caught in March 2023 targeting corporate networks. It became known for its self-encrypting payload and double extortion tactics. Cactus primarily targets large enterprises across industries in finance, manufacturing, IT, and healthcare. It is known for using custom encryption techniques, remote access tools, and penetration testing frameworks to maximize damage.
Read More
WannaCry screenshot
WannaCry
wannacry ransomware
WannaCry is a famous Ransomware that utilizes the EternalBlue exploit. This malware is known for infecting at least 200,000 computers worldwide and it continues to be an active and dangerous threat.
Read More
Loader screenshot
Loader
loader downloader
A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.
Read More
Spynote screenshot
Spynote
spynote
SpyNote, also known as SpyMax and CypherRat, is a powerful Android malware family designed primarily for surveillance and data theft, often categorized as a Remote Access Trojan (RAT). Originally emerged in 2016, SpyNote has evolved significantly, with new variants continuing to appear as recently as 2023–2025.
Read More
GootLoader screenshot
GootLoader
gootloader
GootLoader is an initial-access-as-a-service malware that operates by delivering the GootKit banking trojan and other malicious payloads. It utilizes techniques such as fileless execution and process injection to avoid detection. The malware is often distributed through SEO poisoning and compromised websites, deceiving users into downloading infected files.
Read More