{
	"id": "3b668c59-24be-4bf3-825c-d5353f05a209",
	"created_at": "2026-04-24T02:19:58.319483Z",
	"updated_at": "2026-04-25T02:18:11.455654Z",
	"deleted_at": null,
	"sha1_hash": "6d51828b1e4ab577dcd127934e36b2547ed3e2a5",
	"title": "The Emergence of the New Azorult 3.3",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 64584,
	"plain_text": "The Emergence of the New Azorult 3.3\r\nBy deugenio\r\nPublished: 2018-10-17 · Archived: 2026-04-24 02:08:24 UTC\r\nResearch by: Israel Gubi\r\nDuring the past week, Check Point Research spotted a new version of Azorult in the wild being delivered through the RIG exploit kit, as well as through other sources. Azorult is a long-known information stealer and malware downloader; this particular version has been advertised on an underground forum since October 4. The version number given to it by its authors is 3.3.\r\nThere are quite a few changes in this newly witnessed variant, the most prominent being a new encryption method for the embedded C\u0026C domain string, a new connection method to the C\u0026C, and improvements to the cryptocurrency wallet stealer and the loader.\r\nThe timing of this update to the malware is not surprising, mainly in light of the major leaks of the previous versions 3.1 and 3.2, in which the panel source code and binary builders were released for the public to use for free. Check Point shared those leaks with the research community for further investigation last month. Moreover, we have witnessed and written about another project related to Azorult, dubbed ‘Gazorp’ – a dark web binary builder that allows anyone to craft the malware’s binaries for free. Having this in mind, it is plausible that Azorult’s author would like to introduce new features to the malware and make it worthy as a product in the underground market.\r\nThe Forum Advertisement\r\nOn October 4, the following update to Azorult was advertised on the exploit.in underground forum by the user CrydBrox. 
The updated version number 3.3 is shown below.\r\nFigure 1: Advertisement of Azorult v3.3\r\nThe advertisement states the following improvements and features:\r\n[+] Added support for stealing the following wallet credentials: BitcoinGold, electrumG, btcprivate (electrum-btcp), bitcore, Exodus Eden\r\n[+] Cryptocurrency wallet’s stealer component has been improved.\r\n[+] The loader component was fixed and improved, allowing bat files to be loaded and executed with no errors\r\n[+] Lowered AV detection rate, increased successful installation rate\r\n[+] Slight improvement in admin panel’s performance\r\nComparison to previous versions\r\nIn version 3.2, the C\u0026C domain name was XORed with a hardcoded key and then encoded with base64. Version 3.3 uses a new encryption method to obfuscate the domain name. The script for decrypting the domain string can be found in the Appendix below.\r\nEvery version of Azorult has a unique XOR key for its connection method to the C\u0026C. In version 3.3 the connection key is: [0x3, 0x55, 0xae]. Moreover, every version’s connection message contains a prefix (‘getcfg=’ in version 3.1 and ‘G’ in version 3.2) prepended to the id hash before XORing with the connection key. The prefix in version 3.3 is the connection key itself, which means the connection message sent to the C\u0026C starts with 3 zero bytes.\r\nFigure 2: adding connection key as prefix.\r\nAzorult’s C\u0026C server response is divided into 3 parts separated by tags:\r\n\u003cc\u003e\u003c/c\u003e – the configuration part, encoded with base64\r\n\u003cn\u003e\u003c/n\u003e – DLLs that Azorult copies to a new directory it creates under the %TEMP% folder. The name of the new directory is unique for every version of Azorult (‘1M0’ in version 3.1 and ‘2fda’ in version 3.2). 
In the new version, the name of the directory is generated from the id hash of the victim’s computer, so the directory name is different for every victim.\r\nThe algorithm for generating the directory name is as follows:\r\nId_hash = hash_func(guid)-hash_func(product_name)-hash_func(user_name)-hash_func(computer_name)-hash_func(guid+product_name+user_name+computer_name)\r\nDirectory_name = hash_func(hash_func(Id_hash))\r\nThe particular implementation of the hash_func method is outlined in a script, which appears in the Appendix below.\r\n\u003cd\u003e\u003c/d\u003e – names of application paths that Azorult harvests data from. In version 3.3, the following application paths are added:\r\n%appdata%\\ElectrumG\\wallets\\\r\n\\ElectrumG\r\n%appdata%\\Electrum-btcp\\wallets\\\r\n\\Electrum-btcp\r\nBitcoinGold\\BitcoinGold-Qt\r\nBitCore\\BitCore-Qt\r\nBitcoinABC\\BitcoinABC-Qt\r\n%APPDATA%\\Exodus Eden\\\r\nThe authors of Azorult fixed a bug in the loader functionality that didn’t allow the malware to load bat files and execute them successfully. The bug was caused by wrongly comparing the extension of the loaded file, so that every file was launched with the CreateProcessW API as an executable instead of with ShellExecuteExW. In the new version, the authors fixed the comparison to avoid this bug.\r\nFigure 3: loader extension comparison in versions 3.2 and 3.3. 
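The following Python is added here as an illustration; it is neither Check Point's code nor the malware author's. It re-implements the v3.3 mechanics described in this section so they can be exercised on a sample: the hash_func from the Appendix, the Id_hash and %TEMP% directory name, the check-in message whose XOR key [0x3, 0x55, 0xae] doubles as its prefix, and, as the inverse of the Appendix decryption script, the C&C domain encoding. The machine-identity strings and the domain 'example.com' are constructed sample inputs; the greedy weight decomposition in encrypt_domain is an assumption (the post does not state which decomposition the builder emits, but any sequence whose weights sum to the character code decrypts correctly).

```python
# Added illustration, not Check Point's or the malware author's code. Reproduces
# the Azorult 3.3 mechanics described in this post: the Appendix hash_func,
# the Id_hash and %TEMP% directory name, the check-in message whose XOR key is
# also its prefix, and the C&C domain encoding (inverse of the Appendix script).
# Machine-identity strings and the domain below are constructed sample inputs.

CONNECTION_KEY = bytes([0x03, 0x55, 0xAE])   # v3.3 connection key (from the post)
DOMAIN_KEY = [0x1E, 0x15, 0x34, 0x49, 0x5E, 0x37, 0x24, 0x2F, 0x58, 0x27, 0x6E,
              0xD3, 0xD4, 0x71, 0xD6, 0x73, 0xD8]
DOMAIN_WEIGHTS = [100, 90, 80, 70, 60, 50, 40, 30, 20, 10, 8, 6, 5, 4, 2, 1]
CHAR_END = DOMAIN_KEY[16]                     # 0xD8 closes one plaintext character


def hash_func(value: str) -> str:
    # Appendix routine: add (byte XOR 0x6521458a) to a 32-bit running total,
    # then subtract the total rotated left by 13 bits; emit 8 upper-case hex digits.
    h = 0
    for ch in value.encode('latin-1'):
        h = (h + (ch ^ 0x6521458A)) & 0xFFFFFFFF
        rol13 = ((h << 13) | (h >> 19)) & 0xFFFFFFFF
        h = (h - rol13) & 0xFFFFFFFF
    return '{:08X}'.format(h)


def victim_id(guid: str, product: str, user: str, computer: str) -> str:
    # Id_hash = h(guid)-h(product)-h(user)-h(computer)-h(guid+product+user+computer)
    parts = [guid, product, user, computer, guid + product + user + computer]
    return '-'.join(hash_func(p) for p in parts)


def temp_dir_name(id_hash: str) -> str:
    # v3.3 names the per-victim %TEMP% sub-directory hash_func(hash_func(Id_hash)).
    return hash_func(hash_func(id_hash))


def xor_key(data: bytes, key: bytes = CONNECTION_KEY) -> bytes:
    # Repeating-key XOR, as used for the check-in message.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_check_in(id_hash: str) -> bytes:
    # The prefix is the key itself, so after the XOR the first three bytes are NUL.
    return xor_key(CONNECTION_KEY + id_hash.encode('ascii'))


def parse_check_in(message: bytes):
    # Detection-side inverse: require the three leading NULs, then XOR with the
    # key and drop the prefix to recover Id_hash. Returns None for anything else.
    if len(message) < 3 or message[:3] != bytes(3):
        return None
    return xor_key(message)[3:].decode('ascii')


def decrypt_domain(blob: bytes) -> str:
    # Each key byte adds its weight to a running total; 0xD8 emits chr(total).
    # A NUL byte ends the string; bytes outside the table are skipped, as in the
    # Appendix script.
    out, total = [], 0
    for b in blob:
        if b == 0:
            break
        if b == CHAR_END:
            out.append(chr(total))
            total = 0
        elif b in DOMAIN_KEY:
            total += DOMAIN_WEIGHTS[DOMAIN_KEY.index(b)]
    return ''.join(out)


def encrypt_domain(domain: str) -> bytes:
    # Inverse of the decryptor. Assumption: a greedy largest-weight-first
    # decomposition (repeats allowed); the post does not say which decomposition
    # the real builder emits, but any one whose weights sum to ord(ch) decrypts.
    blob = bytearray()
    for ch in domain:
        rest = ord(ch)
        for key_byte, weight in zip(DOMAIN_KEY, DOMAIN_WEIGHTS):
            while rest >= weight:
                blob.append(key_byte)
                rest -= weight
        blob.append(CHAR_END)
    blob.append(0)
    return bytes(blob)


if __name__ == '__main__':
    vid = victim_id('SAMPLEGUID', 'Windows 10 Pro', 'user', 'DESKTOP01')  # constructed
    msg = build_check_in(vid)
    print(vid, temp_dir_name(vid), msg[:3].hex(), parse_check_in(msg) == vid)
    enc = encrypt_domain('example.com')  # constructed sample, not an Azorult C&C
    print(enc.hex(), decrypt_domain(enc))
```

For a network detection the part to keep is parse_check_in: a request body that starts with three NUL bytes and, after XOR with the per-version key, yields an ASCII string of five 8-digit hex groups separated by dashes has the v3.3 check-in shape described above. hash_func here uses a mask-and-rotate form of the Appendix arithmetic and always prints exactly eight upper-case hex digits, which is what the Id_hash and directory name need.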
The version 3.2 comparison is the one that introduces the bug.\r\nAppendix\r\nC\u0026C domain name decryption Python code:\r\ndef decrypt_domain_method_v3_3(encrypted_domain):\r\n    # encrypted_domain: the raw encrypted byte string taken from the binary (bytes in Python 3)\r\n    decrypted_domain_array = []\r\n    key_buffer = [0x1e, 0x15, 0x34, 0x49, 0x5e, 0x37, 0x24, 0x2f, 0x58, 0x27, 0x6e, 0xd3, 0xd4, 0x71, 0xd6, 0x73, 0xd8]\r\n    index = 0\r\n    sum = 0\r\n    while index \u003c len(encrypted_domain):\r\n        cur_byte = encrypted_domain[index]\r\n        # each key byte adds a fixed amount to the running sum; key_buffer[16] emits one character\r\n        if cur_byte == key_buffer[0]:\r\n            sum += 0x64\r\n        elif cur_byte == key_buffer[1]:\r\n            sum += 0x5a\r\n        elif cur_byte == key_buffer[2]:\r\n            sum += 0x50\r\n        elif cur_byte == key_buffer[3]:\r\n            sum += 0x46\r\n        elif cur_byte == key_buffer[4]:\r\n            sum += 0x3c\r\n        elif cur_byte == key_buffer[5]:\r\n            sum += 0x32\r\n        elif cur_byte == key_buffer[6]:\r\n            sum += 0x28\r\n        elif cur_byte == key_buffer[7]:\r\n            sum += 0x1e\r\n        elif cur_byte == key_buffer[8]:\r\n            sum += 0x14\r\n        elif cur_byte == key_buffer[9]:\r\n            sum += 0x0a\r\n        elif cur_byte == key_buffer[10]:\r\n            sum += 0x8\r\n        elif cur_byte == key_buffer[11]:\r\n            sum += 0x6\r\n        elif cur_byte == key_buffer[12]:\r\n            sum += 0x5\r\n        elif cur_byte == key_buffer[13]:\r\n            sum += 0x4\r\n        elif cur_byte == key_buffer[14]:\r\n            sum += 0x2\r\n        elif cur_byte == key_buffer[15]:\r\n            sum += 0x1\r\n        elif cur_byte == key_buffer[16]:\r\n            decrypted_domain_array.append(chr(sum))\r\n            sum = 0\r\n        elif cur_byte == 0:\r\n            break\r\n        index += 1\r\n    decrypted_domain = ''.join(decrypted_domain_array)\r\n    return decrypted_domain\r\nhash_func method for calculating the 
generated directory name.\r\ndef hash_func(value):\r\n    # value: a str (guid, product name, user name, computer name, or a previous Id_hash)\r\n    xor_key = 0x6521458a\r\n    hash_output = 0\r\n    for index in range(len(value)):\r\n        cur_byte = ord(value[index])\r\n        xor_value = cur_byte ^ xor_key\r\n        hash_output = (hash_output + xor_value) % (2**32)\r\n        # rotate the running total left by 13 bits and subtract it\r\n        right_value = (hash_output \u003c\u003c 0xd) % (2**32)\r\n        left_value = (hash_output \u003e\u003e 0x13) % (2**32)\r\n        diff_value = (right_value | left_value) % (2**32)\r\n        hash_output = (hash_output - diff_value) % (2**32)\r\n    # render as exactly 8 upper-case hex digits; the original hex(...)[2:-1] slice drops the last digit on Python 3 (and on 64-bit Python 2)\r\n    output_string = '%08X' % hash_output\r\n    return output_string\r\nIOCs\r\nMD5:\r\n11147fd9ac12eec66d35b4d483aae71f\r\nd893d8347ecad1a3d85064d2f5bded4f\r\na8d3e403995132f9af33e4557be301a0\r\nC\u0026C:\r\nhttp://infolocalip.com/index.php\r\nhttp://tohertgopening.com/index.php\r\nhttp://certipin.top/index.php\r\nTE signature: InfoStealer.Win.AZORult.C\r\nSource: https://research.checkpoint.com/the-emergence-of-the-new-azorult-3-3/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://research.checkpoint.com/the-emergence-of-the-new-azorult-3-3/"
	],
	"report_names": [
		"the-emergence-of-the-new-azorult-3-3"
	],
	"threat_actors": [
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-25T02:00:02.834568Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"Quedagh",
				"IRIDIUM",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"VOODOO BEAR",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots",
				"Blue Echidna",
				"FROZENBARENTS"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-25T02:00:04.537109Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-25T02:00:03.345977Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-25T02:00:04.059321Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1776997198,
	"ts_updated_at": 1777083491,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6d51828b1e4ab577dcd127934e36b2547ed3e2a5.pdf",
		"text": "https://archive.orkl.eu/6d51828b1e4ab577dcd127934e36b2547ed3e2a5.txt",
		"img": "https://archive.orkl.eu/6d51828b1e4ab577dcd127934e36b2547ed3e2a5.jpg"
	}
}