{
	"id": "35848ef7-3c87-43ba-b773-c53ae8c748a6",
	"created_at": "2026-04-06T00:17:34.163428Z",
	"updated_at": "2026-04-10T03:21:42.066098Z",
	"deleted_at": null,
	"sha1_hash": "5f13bac99b7397f733929ff1b506438b3d134aeb",
	"title": "Decrypting AzoRult traffic for fun and profit",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 553588,
	"plain_text": "Decrypting AzoRult traffic for fun and profit\r\nBy NexusFuzzy\r\nPublished: 2021-02-06 · Archived: 2026-04-05 22:54:21 UTC\r\nThere will be times in your career when you will be presented with a traffic capture and get the task to determine what happened and if any data was stolen.\r\nIn this post, I will show you how you can squeeze all that juicy information out of a PCAP traffic capture from an AzoRult infection.\r\nAt the end, you will be able to answer which data has been stolen so you can act accordingly. Let’s start!\r\nGetting sample data\r\nHead over to https://any.run and search for “Azorult” in public submissions, or use the PCAP you already have.\r\nMost likely you will find a lot of samples.\r\nYou will find a lot of samples without actual network traffic since the command and control server was already offline when any.run analyzed the sample. Have a look at samples which show POST requests.\r\nYou might need some patience.\r\nNow comes the fun part! As you might have noticed, the POST request data is encrypted in some way. Turns out, it is just XORed with a 3-byte key which unfortunately is not the same for all variants. What now? Make “some” educated guesses?\r\nFear not, I created a tool which first tries to decrypt it with keys I found in the wild and, if this is not successful, starts to brute force the key. This is possible with the help of a known plaintext attack since I learned through manually reversing AzoRult that the plaintext stolen data contains strings like “\u003cinfo” which we can look for after every decryption try.\r\nYou can get it here: https://GitHub.com/hariomenkel/AzoBrute\r\nOnce downloaded, let it run against the extracted POST request and hopefully you’ll receive the key.\r\nPlease consider creating an issue at the AzoBrute GitHub repository with your key so I can add it to the list of keys which are tried before brute forcing. Sharing is caring!\r\nOnce you have the key, copy it; you will need it for another tool.\r\nSource: https://mariohenkel.medium.com/decrypting-azorult-traffic-for-fun-and-profit-9f28d8638b05",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://mariohenkel.medium.com/decrypting-azorult-traffic-for-fun-and-profit-9f28d8638b05"
	],
	"report_names": [
		"decrypting-azorult-traffic-for-fun-and-profit-9f28d8638b05"
	],
	"threat_actors": [],
	"ts_created_at": 1775434654,
	"ts_updated_at": 1775791302,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5f13bac99b7397f733929ff1b506438b3d134aeb.pdf",
		"text": "https://archive.orkl.eu/5f13bac99b7397f733929ff1b506438b3d134aeb.txt",
		"img": "https://archive.orkl.eu/5f13bac99b7397f733929ff1b506438b3d134aeb.jpg"
	}
}
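The key-recovery step the archived post describes (a 3-byte repeating XOR on the POST body, confirmed by finding the known plaintext "<info" after each decryption attempt), as an added example that is not code from the original post or from AzoBrute. It extracts the body from a raw HTTP POST, tries a list of candidate keys first, and then, instead of trying all 2^24 keys blindly, derives the key directly from the marker at every possible offset and confirms it with a full decrypt; that derivation goes beyond the post's plain brute force. The sample request, the key, the plaintext and the KNOWN_KEYS list are constructed for the demo, and the function names are the example's own.

```python
"""Recover the repeating 3-byte XOR key of an AzoRult-style C2 POST body.

Added example, not code from the original post or from AzoBrute.  Everything
below that looks like a key, a request or stolen data is constructed for the
demo; the only fact taken from the post is that the decrypted stolen data
contains the string "<info".
"""
from typing import Iterator, List, Optional

MARKER = b"<info"   # known plaintext present in the decrypted data (from the post)
KEY_LEN = 3         # AzoRult uses a 3-byte repeating XOR key (from the post)

# Placeholder standing in for keys collected in the wild (constructed values).
KNOWN_KEYS: List[bytes] = [b"\x01\x02\x03", b"\xaa\xbb\xcc"]


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def http_post_body(raw: bytes) -> bytes:
    """Return the body of a raw HTTP request, honouring Content-Length."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no header/body separator found")
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            body = body[: int(value.strip())]
    return body


def derive_keys(blob: bytes, marker: bytes = MARKER,
                key_len: int = KEY_LEN) -> Iterator[bytes]:
    """Known-plaintext attack.

    Assume the marker starts at offset `off`; then for every j,
    key[(off + j) % key_len] == blob[off + j] ^ marker[j].  Because the
    marker is longer than the key, the wrapped-around positions must agree
    with the earlier ones, which discards almost every wrong offset without a
    full decrypt.  Yields each consistent candidate key once.
    """
    seen = set()
    for off in range(len(blob) - len(marker) + 1):
        key: List[Optional[int]] = [None] * key_len
        consistent = True
        for j, m in enumerate(marker):
            k = blob[off + j] ^ m
            slot = (off + j) % key_len
            if key[slot] is None:
                key[slot] = k
            elif key[slot] != k:
                consistent = False
                break
        if not consistent or any(k is None for k in key):
            continue
        candidate = bytes(key)  # type: ignore[arg-type]
        if candidate not in seen:
            seen.add(candidate)
            yield candidate


def recover_key(blob: bytes, known_keys: List[bytes] = KNOWN_KEYS) -> Optional[bytes]:
    """Try known keys first, then fall back to the known-plaintext derivation."""
    for key in known_keys:
        if MARKER in xor_repeating(blob, key):
            return key
    for key in derive_keys(blob):
        if MARKER in xor_repeating(blob, key):  # confirm on the full decrypt
            return key
    return None


# Constructed demo data: fake stolen-data payload, fake key, fake POST request.
DEMO_KEY = b"\x5a\x33\xc7"
DEMO_PLAINTEXT = (b"<info>ip:10.0.0.5|user:victim</info>"
                  b"<passwords>example.test:alice:hunter2</passwords>")
DEMO_BODY = xor_repeating(DEMO_PLAINTEXT, DEMO_KEY)
DEMO_REQUEST = (b"POST /index.php HTTP/1.1\r\nHost: c2.example\r\n"
                b"Content-Type: application/octet-stream\r\n"
                + b"Content-Length: %d\r\n\r\n" % len(DEMO_BODY) + DEMO_BODY)

if __name__ == "__main__":
    body = http_post_body(DEMO_REQUEST)
    key = recover_key(body)
    print("key:", key.hex() if key else None)
    if key:
        print(xor_repeating(body, key).decode("latin-1"))
```

On a real capture, feed `recover_key` the bytes of one POST body exported from the PCAP (for example via Wireshark's Follow TCP Stream or File > Export Objects > HTTP); a returned key is only trusted once the full decrypt actually contains the marker, which is why `recover_key` re-checks every candidate that `derive_keys` produces.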