{
	"id": "1afa9ed6-50fd-43fa-b091-bbc4e53febc6",
	"created_at": "2026-04-06T00:15:36.06157Z",
	"updated_at": "2026-04-10T13:12:43.367969Z",
	"deleted_at": null,
	"sha1_hash": "5087cc215424d90a068117761049cbbbc8a7c3d5",
	"title": "Recent AZORult activity - SANS Internet Storm Center",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4463953,
	"plain_text": "Recent AZORult activity - SANS Internet Storm Center\r\nBy SANS Internet Storm Center\r\nArchived: 2026-04-05 21:35:36 UTC\r\nI found a tweet from @ps66uk on Monday morning 2019-07-10 about an open directory used in malspam to push an information stealer called AZORult. The open directory is hosted on sfoodfeedf[.]org at www.sfoodfeedf[.]org/wp-includes/Requests/Cookie/\r\nShown above: The open directory at sfoodfeedf[.]org.\r\n@ps66uk had already mentioned a file named purchase order.iso, an ISO file containing an executable for AZORult. However, I found another one in the same directory named 201907060947039062.iso. Further analysis showed it was also AZORult, like the other ISO file.\r\nhttps://isc.sans.edu/diary/25120\r\nPage 1 of 7\r\nShown above: Getting the other ISO file.\r\nShown above: Extracting the EXE file from the ISO on a Windows 7 host.\r\nIn previous AZORult infections in my lab, the malware usually deleted itself after an initial exfiltration of data. This one repeatedly generated callback traffic, and a .vbs file was made persistent on my infected Windows host during the infection. This is apparently a more recent variant of AZORult dubbed AZORult++, as described by Kaspersky Labs and followed up by BleepingComputer. It's called AZORult++ because it's now compiled in C++ after formerly being compiled in Delphi.\r\nShown above: Traffic from the infection filtered in Wireshark.\r\nShown above: TCP conversations from my infected Windows host.\r\nShown above: An example of the AZORult callback traffic.\r\nShown above: This AZORult EXE was compiled with C++, a characteristic of AZORult++.\r\nShown above: VBS file made persistent on my infected Windows host.\r\nMalware indicators\r\nSHA256 hash: ed7c0a248904a026a0e3cabded2aa55607626b8c6cfc8ba76811feed157ecea8\r\nFile size: 1,232,384 bytes\r\nFile description: AZORult EXE\r\nAny.Run analysis\r\nCAPE sandbox analysis\r\nReverse.it analysis\r\nFinal words\r\nEarlier this month on 2019-07-01, I saw an AZORult sample (also compiled in C++) which did the expected two HTTP POST requests to exfiltrate data, then deleted itself from my infected host. Today's example proves there can be some variation in AZORult infection activity.\r\n---\r\nBrad Duncan\r\nbrad [at] malware-traffic-analysis.net\r\nSource: https://isc.sans.edu/diary/25120",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://isc.sans.edu/diary/25120"
	],
	"report_names": [
		"25120"
	],
	"threat_actors": [],
	"ts_created_at": 1775434536,
	"ts_updated_at": 1775826763,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5087cc215424d90a068117761049cbbbc8a7c3d5.pdf",
		"text": "https://archive.orkl.eu/5087cc215424d90a068117761049cbbbc8a7c3d5.txt",
		"img": "https://archive.orkl.eu/5087cc215424d90a068117761049cbbbc8a7c3d5.jpg"
	}
}