{
	"id": "86579fa3-40a7-4008-8133-64b55b0d6bf9",
	"created_at": "2026-04-06T01:30:18.37024Z",
	"updated_at": "2026-04-10T13:13:04.945544Z",
	"deleted_at": null,
	"sha1_hash": "7b05fc1433a685543434e57e506ae9b26691e725",
	"title": "Infostealer Malware Azorult Being Distributed Through Spam Mails",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1017402,
	"plain_text": "Infostealer Malware Azorult Being Distributed Through Spam\r\nMails\r\nBy ATCP\r\nPublished: 2020-11-08 · Archived: 2026-04-06 00:11:01 UTC\r\nThe ASEC analysis team recently discovered that Azorult malware is being distributed through spam mails.\r\nAzorult is an infostealer that accesses a C\u0026C server to receive DLL files and commands used to leak\r\ninformation, and steals information such as user data files and account information and leaks it to the server. Besides\r\naccount information of web browsers and email clients, screenshots, cryptocurrency information, and files\r\ndesignated by the attacker by path and extension can be collected as well.\r\nBecause the downloaded commands include a feature to download additional malware, Azorult can also act as a\r\ndownloader. Once all these processes are done, it deletes itself after leaking information and acting as a\r\ndownloader, which makes it different from other types of malware. It does not support persistence after\r\nreboot, such as registering a Run key. This means that the malware is deleted after simply leaking information\r\ninstead of staying hidden and performing additional behaviors by receiving commands from the attacker. Of\r\ncourse, since it can download additional malware, it can act as a medium for other types of malware.\r\nAs shown in Figure 1, Azorult is mainly distributed as an attachment of spam mails. Since AhnLab once\r\nreceived a compressed file named “Estimate Request_Construction Floor Plan.7z,” we can see that Korean\r\nusers are also targets of the attack.\r\n1. Reset\r\nAzorult creates a mutex when it is executed. The string used is created with the following process. First, the\r\nmalware checks the privilege level of the current process. The attached file is usually double-clicked, so it is executed as\r\na child process of explorer.exe and belongs to the user group. 
If it is run with administrator privileges, it belongs\r\nto the Administrators group. In some cases it may even run with SYSTEM privileges. The function shown below returns S, A, U, or G\r\nfor each of these cases.\r\nhttps://asec.ahnlab.com/en/26517/\r\nPage 1 of 21\n\nAlso, for MachineGuid, ProductName, UserName, and ComputerName, as well as a string concatenated from the\r\npreviously mentioned 4 strings, the malware uses a different algorithm for each string to create a string in the form shown\r\nbelow. This function is used again later, for example when sending packets.\r\n[Machine Guid-based]-[Product Name-based]-[User Name-based]-[Computer Name-based]-[4\r\nStrings-based]\r\nEx) 112xxx26-86C3DFC7-8EBxxx77-DBxxxA24-C539B8C2\r\nThe privilege character found before (one of S|A|U|G) followed by the unique string shown\r\nabove is the string used for creating the mutex. The malware then decodes the encrypted C\u0026C server URL. Lastly, it\r\nbuilds the data to be sent when requesting the C\u0026C server.\r\nThis data combines 0x0355AE, which is the 3-byte XOR key, and the URL-encoded unique string created before.\r\nBefore requesting the C\u0026C server, Azorult sends the data encoded with this key to the\r\nserver. The XOR key is also sent because the C\u0026C server needs to decode what it has received. It may also be that\r\nthe key is sent to allow the server to encode the data it will send back.\r\n2. Downloading Commands and DLL Files\r\n2.1. Decoding\r\nThe sample analyzed here received about 4,369KB of encoded data (0x444340 bytes) from the C\u0026C\r\nserver. The data includes commands from the C\u0026C server, multiple DLL files to be used for leaking information,\r\nand the string data that the malware will use.\r\nThe encoding method is XOR: a 3-byte XOR key is used for the C\u0026C request, and an additional 4-byte XOR key is used for\r\ndecoding the response. 
As you can see below, the first 0x80000 bytes of the encoded data are decoded with the hard-coded key\r\nvalue 0x0355AE. This is the same process used earlier for the C\u0026C request. As\r\na result, the entire C\u0026C command located at the very front (between the tags \u003cc\u003e and \u003c/c\u003e), as well as part\r\nof the DLL data, is decoded. The decoded result is a Base64-encoded string.\r\nNext, the DLL data that was partially decoded (the 0x80000 bytes starting from the tag \u003cn\u003e) and the DLL data that was\r\nnot yet decoded (up to the tag \u003c/n\u003e) are decoded with the 4-byte XOR key. The key used in this process is\r\n0xC8653001. Lastly, there is the string data between the tags \u003cd\u003e and \u003c/d\u003e. Unlike the C\u0026C\r\ncommand, it is not XOR-encoded and exists only as a Base64-encoded string.\r\n2.2. Decoded data\r\na. Command\r\nThe command from the C\u0026C server is located between the tags \u003cc\u003e and \u003c/c\u003e. The XOR decoding result is a string\r\nencoded with Base64. Decoding this command with Base64 yields the following commands.\r\nThe sample analyzed here, Azorult 6a4824ab00e63c2f1bbf29a24d78b2a4, receives a short command as you can\r\nsee above, but another Azorult sample (c0e0a9d259bbf9faab7fd5049bf6b662) receives a command as shown\r\nbelow.\r\nThe 10 + and - characters in the first string are a list of flags that determine whether each of the various\r\ninformation-stealing features of Azorult is enabled. + means enabled, while - means disabled. The flags will be\r\ndiscussed in detail in the information leak part.\r\nNext, each line starting with F, I, or L is a command. The F command designates target paths and\r\nextensions to additionally leak user data. The I command looks up the user’s IP address. 
Finally, the L command\r\nacts as a downloader, downloading additional malware. Each command will be discussed in detail in the C\u0026C\r\ncommand part.\r\nb. DLL files with the information leak feature\r\nDLL files are included between the tags \u003cn\u003e and \u003c/n\u003e and encoded with the XOR key. Once decoded with the\r\nXOR process mentioned above, the files exist in the form [DLL name]:[DLL binary]\u003cseparator\u003e[DLL name]…. Let’s look\r\nat the example below. The DLL following the DLL separator “|||\u003c[{99C3}]\u003e|||” has the name “api-ms-win-core-datetime-l1-1-0.dll.” After the “:” comes the actual DLL binary.\r\nThere are 48 decoded DLL files in the form shown above, which are dropped in the path \\AppData\\Temp\\\r\n[Unique]\\. These files are loaded before the information theft and then used. See below for the list.\r\napi-ms-win-core-console-l1-1-0.dll\r\napi-ms-win-core-datetime-l1-1-0.dll\r\napi-ms-win-core-debug-l1-1-0.dll\r\napi-ms-win-core-errorhandling-l1-1-0.dll\r\napi-ms-win-core-file-l1-1-0.dll\r\napi-ms-win-core-file-l1-2-0.dll\r\napi-ms-win-core-file-l2-1-0.dll\r\napi-ms-win-core-handle-l1-1-0.dll\r\napi-ms-win-core-heap-l1-1-0.dll\r\napi-ms-win-core-interlocked-l1-1-0.dll\r\napi-ms-win-core-libraryloader-l1-1-0.dll\r\napi-ms-win-core-localization-l1-2-0.dll\r\napi-ms-win-core-memory-l1-1-0.dll\r\napi-ms-win-core-namedpipe-l1-1-0.dll\r\napi-ms-win-core-processenvironment-l1-1-0.dll\r\napi-ms-win-core-processthreads-l1-1-0.dll\r\napi-ms-win-core-processthreads-l1-1-1.dll\r\napi-ms-win-core-profile-l1-1-0.dll\r\napi-ms-win-core-rtlsupport-l1-1-0.dll\r\napi-ms-win-core-string-l1-1-0.dll\r\napi-ms-win-core-synch-l1-1-0.dll\r\napi-ms-win-core-synch-l1-2-0.dll\r\napi-ms-win-core-sysinfo-l1-1-0.dll\r\napi-ms-win-core-timezone-l1-1-0.dll\r\napi-ms-win-core-util-l1-1-0.dll\r\napi-ms-win-crt-conio-l1-1-0.dll\r\napi-ms-win-crt-convert-l1-1-0.dll\r\napi-ms-win-crt-environment-l1-1-0.dll\r\napi-ms-win-crt-filesystem-l1-1-0.dll\r\napi-ms-win-crt-heap-l1-1-0.dll\r\napi-ms-win-crt-locale-l1-1-0.dll\r\napi-ms-win-crt-math-l1-1-0.dll\r\napi-ms-win-crt-multibyte-l1-1-0.dll\r\napi-ms-win-crt-private-l1-1-0.dll\r\napi-ms-win-crt-process-l1-1-0.dll\r\napi-ms-win-crt-runtime-l1-1-0.dll\r\napi-ms-win-crt-stdio-l1-1-0.dll\r\napi-ms-win-crt-string-l1-1-0.dll\r\napi-ms-win-crt-time-l1-1-0.dll\r\napi-ms-win-crt-utility-l1-1-0.dll\r\nfreebl3.dll\r\nmozglue.dll\r\nmsvcp140.dll\r\nnss3.dll\r\nnssdbm3.dll\r\nsoftokn3.dll\r\nucrtbase.dll\r\nvcruntime140.dll\r\nc. String data\r\nFor programs to perform certain features, they need data such as strings and code. The same goes for malware. If\r\nthe strings are present unmodified in the data area of the malware, it becomes easier to figure out its\r\nfeatures. So most types of malware have their strings encoded and decode them during\r\nexecution before use.\r\nAzorult is unique in that most of the strings used in its malicious behaviors are not in the binary but\r\nare received from the C\u0026C server: strings naming information theft targets such as “GoogleChrome” and\r\n“firefox,” API name strings used for information theft such as “sqlite3_open” and “sqlite3_prepare_v2,” and SQL\r\nqueries.\r\nThe string data is not encoded with the XOR key and exists as a Base64 string between the tags \u003cd\u003e and \u003c/d\u003e. If\r\nyou decode the Base64 string, you can see 208 strings as shown below.\r\n3. Stealing Information\r\nAzorult decodes the DLL files used to leak information. It then drops and loads them and resolves the addresses of the APIs that will\r\nbe used for the theft. Afterward, it steals information according to the information-theft flags received from\r\nthe C\u0026C server as you can see below. There are 10 flags in total. 
Each enables or disables a certain feature.\r\nFlag: ++++++++-+\r\nOrder Features\r\n0 Unconfirmed\r\n1 Information of various application accounts\r\n2 Web browser Cookie and AutoComplete\r\n3 Coin\r\n4 Skype History\r\n5 Telegram\r\n6 Steam\r\n7 Screenshots\r\n8 Auto-delete\r\n9 Web browser History\r\nTable 1. Flags for enabling information leakage feature\r\nThe collected files are saved as a ZIP-format compressed file in memory. It is not dropped as a file and exists only\r\nin memory. Yet upon extracting the .zip from memory before it is sent to the C\u0026C server, you can find the\r\nfollowing list of collected information.\r\n\\\r\n…. \\Browsers\\\r\n…….. \\Browsers\\Cookies\\\r\n…….. \\Browsers\\AutoComplete\r\n…….. \\Browsers\\History\\\r\n…. \\Skype\\\r\n…. \\Telegram\\\r\n…. \\Steam\\\r\n…….. \\Steam\\Config\\\r\n…. \\Files\\\r\n…….. \\Files\\User designated directory\\Data to be leaked\r\n…. PasswordsList.txt\r\n…. CookieList.txt\r\n…. Scr.jpg\r\n…. ip.txt\r\n…. System.txt\r\n3.1. ACCOUNT INFORMATION\r\n– zip file save path: \\PasswordsList.txt\r\nAzorult steals account information from various programs. The following list shows the programs that are targeted.\r\nNote that properties discussed in the web browser parts, such as Cookies and History, are the same for the Chromium-based\r\nand Mozilla-based web browsers shown below.\r\na. 
Web Browser\r\n– Targeted programs: Internet Explorer, Vault (including the latest version of IE and past versions of Edge),\r\nChromium-based web browsers (GoogleChrome, GoogleChrome64, InternetMailRu, YandexBrowser,\r\nComodoDragon, Amigo, Orbitum, Bromium, Chromium, Nichrome, RockMelt, 360Browser, Vivaldi, Opera,\r\nGoBrowser, Sputnik, Kometa, Uran, QIPSurf, Epic, Brave, CocCoc, CentBrowser, 7Star, ElementsBrowser,\r\nTorBro, Suhba, SaferBrowser, Mustang, Superbird, Chedot, and Torch), and Mozilla-based web browsers\r\n(MozillaFireFox, Waterfox, IceDragon, Cyberfox, and PaleMoon)\r\nIn past versions of Internet Explorer (7 and 8), AutoComplete passwords were saved in the registry key\r\nHKCU\\Software\\Microsoft\\Internet Explorer\\IntelliForms\\Storage2. The key’s value names are hashes of the\r\nwebsite URLs that the account information corresponds to, and the value data is the account information itself.\r\nThe data is encrypted with DPAPI. To decrypt it, one must know which website URL corresponds to each value.\r\nTo find this out, Azorult uses the CUrlHistory COM object as shown below to read the IE History.\r\n– CUrlHistory CLSID: 3C374A40-BAE4-11CF-BF7D-00AA006946EE\r\n– IUrlHistoryStg2 IID: AFA0DC11-C313-11d0-831A-00C04FD5AE38\r\nIt obtains the user account information saved in IE by using the URLs found in the IE History to decrypt\r\nthe values saved in \\IntelliForms\\Storage2 with the CryptUnprotectData() API. It then steals the account information\r\nof the Edge web browser saved in Windows Vault.\r\nLet’s take Google Chrome as an example of a Chromium-based web browser. The malware extracts the\r\naccount information from the \\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data file with the\r\nfollowing SQL query.\r\n\u003e SELECT origin_url, username_value, password_value FROM logins\r\nLet’s take Mozilla Firefox as an example of a Mozilla-based web browser. 
The malware reads the logins.json\r\nfile in paths such as \\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\wz0irceq.default-release. The file is in a\r\ntext format, and the malware parses it for items such as hostname, encryptedUsername, and encryptedPassword.\r\nencryptedUsername and encryptedPassword are Base64-encoded strings. Their decoded results\r\ncan be decrypted with functions of nss3.dll such as PK11_GetInternalKeySlot(), PK11_Authenticate(), and\r\nPK11SDR_Decrypt() to recover the original account information.\r\nb. Email Client\r\n– Targeted programs: Outlook and Thunderbird\r\nAs Thunderbird is Mozilla-based, the same method described for Firefox above is used. For Outlook, the\r\nmalware extracts values such as EMAIL, POP3, IMAP, SMTP, and HTTP from the registry keys shown below.\r\nc. Others\r\n– Targeted instant messaging programs: Psi+ and Pidgin\r\n– Targeted FTP client programs: FileZilla and WinSCP\r\n3.2. Web Browser Cookie\r\n– zip file save path: \\CookieList.txt and \\Browsers\\Cookies\\[file that will be leaked].txt\r\nIf the Cookie and AutoFill flag is enabled, the malware steals the Cookie files of IE, Edge, Chromium-based web\r\nbrowsers, and Mozilla-based web browsers. For IE and Edge, it steals *.txt files and *.cookie files from the\r\nfollowing paths.\r\n\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\\r\n\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\\r\n\\AppData\\Local\\Microsoft\\Windows\\INetCache\\\r\n\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\INetCookies\\\r\n\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC#!001\\MicrosoftEdge\\Cookies\\\r\n\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC#!002\\MicrosoftEdge\\Cookies\\\r\n\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\Cookies\\\r\nLet’s take Google Chrome as an example of a Chromium-based web browser. 
The malware extracts\r\ninformation from the \\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies file with one of the following 2\r\nSQL queries.\r\n\u003e SELECT host_key, name, encrypted_value, value, path, secure, (expires_utc/1000000)-11644473600 FROM\r\ncookies\r\n\u003e SELECT host_key, name, name, value, path, secure, expires_utc FROM cookies\r\nLet’s take Mozilla Firefox as an example of a Mozilla-based web browser. The malware extracts information\r\nfrom the cookies.sqlite file in paths such as\r\n\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\wz0irceq.default-release with the following SQL query.\r\n\u003e SELECT host, path, isSecure, expiry, name, value FROM moz_cookies\r\n3.3. Web Browser AutoComplete\r\n– zip file save path: \\Browsers\\AutoComplete\\[file that will be leaked].txt\r\nIf the Cookie and AutoFill flag is enabled, the malware steals AutoFill records of Chromium-based and Mozilla-based web browsers. Let’s take Google Chrome as an example of a Chromium-based web browser. The\r\nmalware extracts information from the \\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data file with the\r\nfollowing SQL query.\r\n\u003e SELECT name, value FROM autofill\r\nIn Chromium-based web browsers, credit card information is also a target. Following the same\r\nprocess, the malware extracts information from the \\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data\r\nfile with the following SQL query.\r\n\u003e SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted value FROM credit_cards\r\nLet’s take Mozilla Firefox as an example of a Mozilla-based web browser. 
The malware extracts information\r\nfrom the formhistory.sqlite file in paths such as\r\n\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\wz0irceq.default-release with the following SQL query.\r\n\u003e SELECT fieldname, value FROM moz_formhistory\r\n3.4. Web Browser History\r\n– zip file save path: \\Browsers\\History\\[file that will be leaked].txt\r\nIf the History flag is enabled, the malware steals History records of Chromium-based and Mozilla-based web\r\nbrowsers. Let’s take Google Chrome as an example of a Chromium-based web browser. The malware extracts\r\ninformation from the \\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History file with the following SQL\r\nquery.\r\n\u003e SELECT DATETIME( ((visits.visit_time/1000000)-11644473600),\\”unixepoch\\”) , urls.title , urls.url FROM\r\nurls, visits WHERE urls.id = visits.url ORDER By visits.visit_time DESC LIMIT 0, 10000\r\nLet’s take Mozilla Firefox as an example of a Mozilla-based web browser. The malware extracts information\r\nfrom the places.sqlite file in paths such as \\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\wz0irceq.default-release with the following SQL query.\r\n\u003e SELECT DATETIME(moz_historyvisits.visit_date/1000000, \\”unixepoch\\”,\r\n\\”localtime\\”),moz_places.title,moz_places.url FROM moz_places, moz_historyvisits WHERE moz_places.id =\r\nmoz_historyvisits.place_id ORDER By moz_historyvisits.visit_date DESC LIMIT 0, 10000\r\n3.5. Coin Wallet\r\n– zip file save path: \\Coins\\autoscan\\ and \\Coins\\Monero\\\r\nIf the Coin flag is enabled, the malware steals wallet files for various types of cryptocurrency. 
First, the files saved\r\nin the \\Coins\\autoscan\\ folder are those found by the malware searching the paths under the\r\n\\AppData\\Roaming\\ folder that match the following names.\r\n– “.wallet,” “wallets\\.wallet,” “wallet.dat,” “wallets\\wallet.dat,” “electrum.dat,” and “wallets\\electrum.dat”\r\nNext, the files saved in the \\Coins\\Monero\\ folder are those whose paths the malware obtains by referencing\r\nthe wallet_path data of the HKCU\\Software\\monero-project\\monero-core key, the files with .address.txt\r\nappended to those names, and the files with .keys appended to those names. Afterward, the malware also steals\r\nwallet.dat and \\wallets\\wallet.dat files from the paths obtained by referencing the strDataDir data of the\r\nfollowing registry keys.\r\nHKCU\\Software\\Bitcoin\\Bitcoin-Qt\r\nHKCU\\Software\\BitcoinGold\\BitcoinGold-Qt\r\nHKCU\\Software\\BitCore\\BitCore-Qt\r\nHKCU\\Software\\Liteoin\\Litecoin-Qt\r\nHKCU\\Software\\BitcoinABC\\BitcoinABC-Qt\r\nLastly, it steals the following cryptocurrency wallet files from paths under \\AppData\\Roaming\\ such as\r\n\\AppData\\Roaming\\Electrum\\wallets\\.\r\n– Electrum, Electrum-LTC, ElectrumG, Electrum-btcp, Ethereum, Exodus, Exodus Eden, Jaxx, and MultiBitHD\r\n3.6. Skype\r\n– zip file save path: \\Skype\\\r\nIf the Skype flag is enabled, the malware steals the main.db file from the \\AppData\\Roaming\\Skype\\ path. When\r\nusers use Skype, the logs are saved in the main.db file. Certain tools can be used to restore the Skype records from\r\nthe file. This means that when the attacker steals the file, Skype-related information such as chat history\r\ncan be leaked.\r\n3.7. Telegram\r\n– zip file save path: \\Telegram\\\r\nIf the Telegram flag is enabled, the malware steals files starting with “D877F783D5” and “map” in the\r\n\\AppData\\Roaming\\Telegram Desktop\\tdata\\ path. 
These files are settings files related to sessions in the\r\nTelegram desktop version and can be exploited by the attacker for stealing sessions.\r\n3.8. Steam\r\n– zip file save path: \\Steam\\Config\\[*.vdf], \\Steam\\[ssfn*]\r\nIf the Steam flag is enabled, the malware obtains the Steam path by referencing the SteamPath value of the\r\nHKCU\\Software\\Valve\\Steam key and steals the “ssfn*” files in that path and the “*.vdf” files in the\r\nConfig subfolder. These files hold session and settings information of the Steam client. The attacker\r\ncan exploit these files to access the user’s Steam account.\r\n3.9. Screenshots\r\n– zip file save path: \\scr.jpg\r\nIf the screenshot flag is enabled, the malware takes a screenshot of the current screen and saves it in the\r\ncompressed file with the name scr.jpg.\r\n3.10. System Info\r\n– zip file save path: \\System.txt\r\nAzorult obtains various types of system info and leaks them by default, regardless of C\u0026C commands. The\r\nfollowing shows the types of information that are leaked.\r\nMachineID, Malware path, Windows version, Computer name, Resolution, Language, Time, Time\r\nZone, CPU model, Number of CPUs, RAM size, Video card information, List of currently running\r\nprocesses, and List of installed programs\r\n4. C\u0026C Command\r\n4.1. Command – F\r\n– zip file save path: \\Files\\[user designated path name]\\[file that will be leaked].txt\r\nThe F command collects files from the user PC and receives settings for the path and extensions. 
The following\r\nshows 2 examples among the F commands received from the C\u0026C server.\r\nThe format is as follows:\r\n[ F \\t \u003cname of the compressed file\u003e \\t \u003cpath\u003e \\t \u003cextension\u003e \\t \u003cmax size\u003e \\t \u003csubfolder\u003e \\t \u003cshortcut\u003e \\t\r\n\u003cexception path\u003e ]\r\nThe files collected by the F command are located at the Files\\ path inside the compressed file and saved in the\r\nfolder with the name of the compressed file designated by the command. For instance, the first command has its\r\ndata saved in the DOC TXT folder. For paths, environment variables such as %USERPROFILE% and drive\r\npaths starting with “DSK_” are supported. By passing the root path to the GetDriveTypeA()\r\nfunction, the command obtains the type of the drive. 2 means removable storage devices such as USB, 3\r\nmeans normal (fixed) drives, and 5 means CD-ROM drives. So in the example above, %DSK_23% means that the\r\ncommand will target normal hard drives and USB drives to leak files.\r\nThe third part is the extensions of the files that will be collected, and the fourth part is the max size of the collected\r\nfiles in KB. Next are 2 +|- flags. The first decides whether files within subdirectories will be collected\r\nor not, and the second decides whether shortcut files (.lnk files) will be collected or not. The keywords in the\r\nlast part are the names of folder paths that will be excluded from collection.\r\n4.2. Command – L\r\nThe other Azorult sample mentioned above received the L command shown below.\r\nThe L command has the form \u003cL\u003e \\t \u003cURL\u003e \\t \u003c+|-\u003e \\t \u003c*|URL\u003e. The +|- flag of the third part decides\r\nwhether the SW_HIDE flag is set when the downloaded files are executed. 
If the flag is + (SW_HIDE), the files are run\r\nwith their window hidden.\r\nFor the fourth part, both samples received * in the command, but a particular URL can be specified instead. In that case the malware only\r\ndownloads the additional malware if the collected list of Cookies includes that keyword. With *, as in the current command, it\r\ndownloads the files regardless of Cookies. Suppose the command received the keyword “AHNLAB.” The following\r\nshows the routine that checks for the keyword in the list of Cookies.\r\nThe downloaded files are saved under the name of the URL in the Temp path. If a file with the same name already exists,\r\nthe file is downloaded to the ProgramData path instead. If the extension of the downloaded file is .exe, the\r\ncommand runs it using the CreateProcessW() function. If not, the file is run using the ShellExecuteExW()\r\nfunction. The process is repeated for each L command.\r\n4.3. Command – I\r\n– zip file save path: \\ip.txt\r\nThe I command received from the current C\u0026C server contained the IP address and country code of the infected PC. In\r\nthis case, the received information is simply saved as the ip.txt file.\r\nI xxx.xxx.xx7.166:KR\r\nIf the I command contains no IP and country code information for the infected PC (i.e., it receives “?”), the command\r\nobtains the information by querying http://ip-api.com/json and parses the result to save it as the ip.txt\r\nfile.\r\n5. Leaking Collected Information\r\nAfter obtaining all types of information, Azorult creates a packet to be sent to the C\u0026C server as shown below.\r\nThe structure of the packet is as follows. The strings attached before the zip file are all URL-encoded. 
The\r\nseparator is the string “2C5A87CB-758C-7293-47BC-475C65D699A584C5-7DC6-DC45-12A47C7DB587-\r\nF89F-78CD-96CA-FD478543C7F4” which is hard-coded in the binary.\r\n\u003csystem info\u003e [separator][separator] \u003cstolen account information\u003e [separator][separator] \u003cstolen Cookies\r\ninformation\u003e [separator][separator] \u003ccompressed file\u003e\r\nThe first 0x80000 bytes are XOR-encoded with the 3-byte key, just as the C\u0026C command was decoded.\r\nThe key used here is also 0x0355AE. After sending the XOR-encoded data to the server, the malware uses the L\r\ncommand that it received before to perform the downloader behavior.\r\n6. Conclusion\r\nAzorult malware is distributed through spam mails. Therefore, when there is a suspicious-looking email in the\r\ninbox, users must refrain from opening the attachment files within the email. Also, V3 should be updated to the\r\nlatest version so that malware infection can be prevented.\r\n[File Detection]\r\n– Trojan/Win32.Kryptik.C4217978\r\n– Malware/Win32.RL_Generic.R354530\r\n[Behavior Detection]\r\n– Malware/MDP.Behavior.M3108\r\nMD5\r\n6a4824ab00e63c2f1bbf29a24d78b2a4\r\nc0e0a9d259bbf9faab7fd5049bf6b662\r\nAdditional IOCs are available on AhnLab TIP.\r\nURL\r\nhttp[:]//ciuj[.]ir/masab/index[.]php\r\nhttp[:]//jamesrlongacre[.]ug/index[.]php\r\nSource: https://asec.ahnlab.com/en/26517/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://asec.ahnlab.com/en/26517/"
	],
	"report_names": [
		"26517"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775439018,
	"ts_updated_at": 1775826784,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7b05fc1433a685543434e57e506ae9b26691e725.pdf",
		"text": "https://archive.orkl.eu/7b05fc1433a685543434e57e506ae9b26691e725.txt",
		"img": "https://archive.orkl.eu/7b05fc1433a685543434e57e506ae9b26691e725.jpg"
	}
}