# SANS ISC: InfoSec Handlers Diary Blog

**isc.sans.edu/diary/25120**

## Recent AZORult activity

**Published:** 2019-07-11
**Last Updated:** 2019-07-11 09:12:59 UTC
**by** [Brad Duncan (Version: 1)](https://isc.sans.edu/handler_list.html#brad-duncan)
[1 comment(s)](https://isc.sans.edu/forums/diary/Recent+AZORult+activity/25120/#comments)

I found [a tweet from @ps66uk on Monday morning 2019-07-10 about an open directory](https://twitter.com/ps66uk/status/1148876604296368129) used in malspam to push an information stealer called AZORult. The open directory is hosted on sfoodfeedf[.]org at www.sfoodfeedf[.]org/wp-includes/Requests/Cookie/

_Shown above: The open directory at sfoodfeedf[.]org._

[@ps66uk had already mentioned a file named purchase order.iso, an ISO file containing an executable for AZORult.](https://app.any.run/tasks/efc05239-00c1-4d7f-91be-bf1daa0f777a/) However, I found another one in the same directory named 201907060947039062.iso. Further analysis showed it was also AZORult, like the other ISO file.

_Shown above: Getting the other ISO file._

_Shown above: Extracting the EXE file from the ISO on a Windows 7 host._

In previous AZORult infections in my lab, the malware usually deleted itself after an initial exfiltration of data. This one repeatedly generated callback traffic, and a .vbs file was made persistent on my infected Windows host during the infection. This is apparently a more [recent variant of AZORult dubbed AZORult++, as described by Kaspersky Labs](https://securelist.com/azorult-analysis-history/89922/) and followed up by [BleepingComputer](https://www.bleepingcomputer.com/news/security/the-azorult-legacy-lives-on-hello-azorult-/). It is called AZORult++ because it is now compiled in C++ after formerly being compiled in Delphi.

_Shown above: Traffic from the infection filtered in Wireshark._

_Shown above: TCP conversations from my infected Windows host._

_Shown above: An example of the AZORult callback traffic._

_Shown above: This AZORult EXE was compiled with C++, a characteristic of AZORult++._

_Shown above: VBS file made persistent on my infected Windows host._

**_Malware indicators_**

- SHA256 hash: ed7c0a248904a026a0e3cabded2aa55607626b8c6cfc8ba76811feed157ecea8
- File size: 1,232,384 bytes
- File description: AZORult EXE
- [Any.Run analysis](https://app.any.run/tasks/ff16f2b1-62a0-4fc2-9c86-5f3c39168314)
- [CAPE sandbox analysis](https://cape.contextis.com/analysis/85125/)
- [Reverse.it analysis](https://www.reverse.it/sample/ed7c0a248904a026a0e3cabded2aa55607626b8c6cfc8ba76811feed157ecea8)

**_Final words_**

[Earlier this month, on 2019-07-01, I saw an AZORult sample (also compiled in C++)](https://app.any.run/tasks/3d8c2ef8-7aa9-462d-bf17-930f066fc274/) which did the expected two HTTP POST requests to exfiltrate data, then deleted itself from my infected host. Today's example proves there can be some variation in AZORult infection activity.

--Brad Duncan
brad [at] malware-traffic-analysis.net
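The diary contrasts two behaviours: the sample from 2019-07-01 sent two HTTP POST requests and deleted itself, while today's sample kept generating callback traffic and persisted via a .vbs file. The following script is an added example (not code from the diary or from Brad Duncan) showing how a defender can act on both observations: it compares a file's SHA256 and size against the indicators published above, and it counts HTTP POST callbacks per (source, host) pair so that a host beaconing repeatedly stands out from the two-POST pattern. The log format and all log lines are constructed for this example; the hostnames and IP addresses in them are placeholders, not indicators from the diary.

```python
import hashlib
import re
import sys
from collections import Counter

# Indicators published in the diary for the AZORult EXE.
KNOWN_SHA256 = "ed7c0a248904a026a0e3cabded2aa55607626b8c6cfc8ba76811feed157ecea8"
KNOWN_SIZE = 1_232_384  # bytes


def match_file_indicator(data: bytes) -> dict:
    """Hash file contents and compare hash and size against the published indicator."""
    digest = hashlib.sha256(data).hexdigest()
    return {
        "sha256": digest,
        "size": len(data),
        "hash_match": digest == KNOWN_SHA256,
        "size_match": len(data) == KNOWN_SIZE,
    }


# Constructed proxy-style HTTP log (NOT traffic from the diary).
# Fields: <time> <src_ip> <method> <host> <uri> <bytes_out>
SAMPLE_LOG = """\
09:01:02 10.0.0.5 GET  cdn.example.test /site.js 0
09:01:10 10.0.0.5 POST c2.example.test /index.php 4122
09:01:11 10.0.0.5 POST c2.example.test /index.php 65310
09:02:10 10.0.0.5 POST c2.example.test /index.php 4120
09:03:10 10.0.0.5 POST c2.example.test /index.php 4118
09:04:11 10.0.0.5 POST c2.example.test /index.php 4121
09:05:00 10.0.0.7 POST api.example.test /login 512
09:06:00 10.0.0.7 POST api.example.test /login 530
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(GET|POST)\s+(\S+)\s+(\S+)\s+(\d+)$")


def count_post_callbacks(log_text: str) -> Counter:
    """Return a Counter of {(src_ip, host): number of POST requests}."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(3) != "POST":
            continue  # skip malformed lines and non-POST requests
        _time, src, _method, host, _uri, _size = m.groups()
        counts[(src, host)] += 1
    return counts


def flag_repeated_callbacks(log_text: str, threshold: int = 3) -> list:
    """Flag (src_ip, host) pairs with at least `threshold` POSTs.

    The diary's earlier sample made exactly two POSTs and then deleted itself,
    so a threshold of three separates that pattern from a persistent beacon.
    """
    counts = count_post_callbacks(log_text)
    return sorted(pair for pair, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    # Usage: python azorult_check.py [file_to_hash]
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(match_file_indicator(fh.read()))
    for src, host in flag_repeated_callbacks(SAMPLE_LOG):
        print(f"repeated POST callbacks: {src} -> {host}")
```

Counting POSTs per destination is deliberately simple; in a real deployment you would pair it with the inter-request timing visible in the Wireshark view (a near-fixed interval is a stronger beacon signal than a raw count) and with the hash check applied to any EXE extracted from an ISO attachment.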