Recent AZORult activity - SANS Internet Storm Center
By SANS Internet Storm Center
Archived: 2026-04-05 21:35:36 UTC

I found a tweet from @ps66uk on Monday morning 2019-07-10 about an open directory used in malspam to push an information stealer called AZORult. The open directory is hosted on sfoodfeedf[.]org at www.sfoodfeedf[.]org/wp-includes/Requests/Cookie/

Shown above: The open directory at sfoodfeedf[.]org.

@ps66uk already mentioned a file named purchase order.iso, which is an ISO file containing an executable file for AZORult. However, I found another one in the same directory named 201907060947039062.iso. Further analysis showed it was also AZORult, like the other ISO file.

Shown above: Getting the other ISO file.

Shown above: Extracting the EXE file from the ISO on a Windows 7 host.

In previous AZORult infections in my lab, the malware usually deleted itself after an initial exfiltration of data. This one repeatedly did callback traffic, and there was a .vbs file made persistent on my infected Windows host during the infection. This is apparently a more recent variant of AZORult dubbed AZORult++, as described by Kaspersky Labs and followed up by BleepingComputer. It's called AZORult++ because it's now compiled in C++ after formerly being compiled in Delphi.

Shown above: Traffic from the infection filtered in Wireshark.

Shown above: TCP conversations from my infected Windows host.

Shown above: An example of the AZORult callback traffic.

Shown above: This AZORult EXE was compiled with C++, a characteristic of AZORult++.

Shown above: VBS file made persistent on my infected Windows host.
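The difference between this sample's repeated callbacks and the earlier exfiltrate-then-delete behaviour is what a per-conversation summary of the HTTP POSTs makes visible. The script below is an added example, not code from this diary or from any sandbox report: it parses constructed log lines (the timestamps, IP addresses and URIs are invented and are not indicators from this infection), groups POSTs by source, destination and URI, and labels each conversation as repeated beaconing or a short one-shot exchange.

```python
"""Summarize HTTP POST conversations to separate repeated callbacks
from short one-shot exfiltration. Added example with constructed data."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not from the diary's pcap), one per
# HTTP request: "<ISO-8601 timestamp> <src_ip> <dst_ip> <method> <uri>".
SAMPLE_LOG = """\
2019-07-10T13:02:11 10.7.10.101 192.0.2.10 POST /callback.php
2019-07-10T13:02:14 10.7.10.101 192.0.2.10 POST /callback.php
2019-07-10T13:03:11 10.7.10.101 192.0.2.10 POST /callback.php
2019-07-10T13:04:12 10.7.10.101 192.0.2.10 POST /callback.php
2019-07-10T13:05:10 10.7.10.101 192.0.2.10 POST /callback.php
2019-07-10T13:02:30 10.7.10.101 198.51.100.5 GET /news/index.html
2019-07-10T13:02:45 10.7.10.102 203.0.113.7 POST /upload
2019-07-10T13:02:50 10.7.10.102 203.0.113.7 POST /upload
"""


def parse_lines(text):
    """Parse the constructed log format into (time, src, dst, method, uri)."""
    events = []
    for line in text.strip().splitlines():
        ts, src, dst, method, uri = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, method, uri))
    return events


def summarize_posts(text, repeat_threshold=3):
    """Group POSTs by (src, dst, uri) and label each conversation.

    'repeated' : at least repeat_threshold POSTs (persistent callback pattern)
    'one-shot' : fewer POSTs, e.g. two exfil POSTs followed by silence
    """
    convs = defaultdict(list)
    for ts, src, dst, method, uri in parse_lines(text):
        if method == "POST":
            convs[(src, dst, uri)].append(ts)
    summary = {}
    for key, times in convs.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        summary[key] = {
            "count": len(times),
            "span_s": (times[-1] - times[0]).total_seconds(),
            "mean_gap_s": sum(gaps) / len(gaps) if gaps else 0.0,
            "label": "repeated" if len(times) >= repeat_threshold else "one-shot",
        }
    return summary


if __name__ == "__main__":
    for key, info in summarize_posts(SAMPLE_LOG).items():
        print(key, info)
```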
Malware indicators

SHA256 hash: ed7c0a248904a026a0e3cabded2aa55607626b8c6cfc8ba76811feed157ecea8
File size: 1,232,384 bytes
File description: AZORult EXE
Any.Run analysis
CAPE sandbox analysis
Reverse.it analysis

Final words

Earlier this month on 2019-07-01, I saw an AZORult sample (also compiled in C++) which did the expected two HTTP POST requests to exfiltrate data, then deleted itself from my infected host. Today's example proves there can be some variation in AZORult infection activity.

---
Brad Duncan
brad [at] malware-traffic-analysis.net

Source: https://isc.sans.edu/diary/25120