{
	"id": "d1ff68f4-e60a-498b-a920-2657b03fb5e7",
	"created_at": "2026-04-06T01:31:10.900797Z",
	"updated_at": "2026-04-10T13:11:30.802643Z",
	"deleted_at": null,
	"sha1_hash": "daac2aa38b0972f8f89afea3a3435243a08fc567",
	"title": "AZORult Malware: Technical Analysis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 102267,
	"plain_text": "AZORult Malware: Technical Analysis\r\nBy Mostafa ElSheimy\r\nPublished: 2024-09-04 · Archived: 2026-04-06 00:35:26 UTC\r\nEditor’s note: The current article is authored by Mostafa ElSheimy, a malware reverse engineer and threat\r\nintelligence analyst. You can find Mostafa on X and LinkedIn.\r\nIn this malware analysis report, we conduct an in-depth examination of AZORult, a sophisticated credential and\r\npayment card information stealer.\r\nOur walk-through covers the malware’s evolution, including its transition from Delphi to C++ and the\r\nintroduction of .bit domain support. We will examine a sample of AZORult to uncover its behavior, evasion\r\ntechniques, and operational tactics. This analysis aims to enhance understanding of AZORult’s functionality and\r\ninform effective countermeasures. \r\nOverview \r\nAZORult is a sophisticated credential and payment card information stealer that can also act as a downloader for\r\nvarious malware families. Notably, version 2 introduced support for .bit domains, enhancing its capabilities.\r\nAZORult has been observed operating alongside Chthonic and has been deployed by Ramnit. Originally\r\ndeveloped in Delphi, the malware was ported to C++ in 2019, which shows its evolution and increased\r\ncomplexity. \r\nBasic Analysis \r\nLet’s begin our analysis of a sample. 
Here are its key details:\r\nSample Hash 90a82defe606e51d2826265a43737130682b738241700782d7e41188475b7fb7\r\nCreation Time 2013-12-25 05:01:38 UTC\r\nIt’s important to note that the creation time has been edited by the author.\r\nThe sample was allegedly created on December 25, 2013\r\nhttps://any.run/cybersecurity-blog/azorult-malware-analysis/\r\nPage 1 of 16\n\nFirst we run the sample in the ANY.RUN sandbox to observe its behavior in a real-time and fully interactive\r\nvirtual environment.\r\nView the analysis session.\r\nThe initial sample analyzed in the ANY.RUN sandbox\r\nThe sample initiates two critical processes: \r\nExecutes a PowerShell command \r\nDrops a file belonging to the AZORult malware family \r\nThe PowerShell command launches a script in a hidden window:\r\n\"powershell.exe\" -windowstyle hidden \"$Nummmeret=Get-Content 'C:\\Users\\admin\\AppData\\Local\\Temp\\forgrovelse\\kon\r\nThis command performs the following: \r\nReads the contents of a file located at\r\nC:\\Users\\admin\\AppData\\Local\\Temp\\forgrovelse\\konstituerendes\\Printermanualens.Ear and stores it in\r\nthe variable $Nummmeret. \r\nExtracts a substring from $Nummmeret, starting at index 42833 with a length of 3 characters, and stores\r\nthis substring in the variable $Trojanerens. 
\r\nAttempts to execute the content of $Trojanerens as a command or script, passing $Nummmeret as an\r\nargument to this command.\r\nIt also drops a file named Declinometer235.exe, the main AZORult payload.\r\nANY.RUN displays the SHA-256 hash of the malicious payload file\r\nThe malware tries to contact thirteen IP addresses and one malicious domain.\r\nANY.RUN provides IOCs for malware and phishing samples\r\nAn analysis of the sample using UnpacMe suggested that it was likely not packed.\r\nThe sample has no packer\r\nLet’s see the imports.\r\nAZORult malware actively modifies the Windows registry and attempts to delete data\r\nThe malware queries, deletes, and modifies some registry keys, and it uses an anti-debugging technique. \r\nThe certificate is issued by Pretermit Brunbejdsedes\r\nThe sample has a digital certificate. \r\nAdvanced Analysis\r\nLet’s now open the sample in IDA to take a closer look at its code.\r\nCode of the load_SHGetFolderPathW function\r\nWe can see that it loads SHGetFolderPathW.\r\nThe malware loads SHGetFolderPathW\r\nIt gets the TEMP path and sets an environment variable containing this path. \r\nThe GetTempPathW API is used to retrieve the temporary directory path\r\nIt uses the GetTickCount API to detect whether it is being debugged.\r\nThe malware is equipped with anti-debugging capabilities\r\nDebugging often slows down the execution of a program. 
By checking the time taken between certain operations,\r\nthe malware can detect anomalies.\r\nGetTickCount retrieves the current system time in milliseconds\r\nIf the time taken is unusually long, it might indicate the presence of a debugger.\r\nThe malware also creates, writes to, and reads a new file.\r\nThe CreateFileW function creates or opens a file\r\nWriteFile writes data to a specified file, while ReadFile reads data from a specified file\r\nIt returns the value of these functions to Buffer.\r\nThe value of the functions is returned to Buffer\r\nIt queries the value under the key HKEY_CURRENT_USER\\Control Panel\\Desktop\\ResourceLocale.\r\nThe malware tries to identify the language ID of the UI\r\nThis code attempts to gain shutdown privileges by using SeShutdownPrivilege, either to disrupt the system by\r\nforcing a shutdown or restart, or to ensure changes take effect after a restart. \r\nThe malware uses SeShutdownPrivilege to reboot the system\r\nThe function interacts with the clipboard, which could be used to steal or manipulate data. 
\r\nThe malware manipulates the clipboard\r\nAfter looking at the strings section, we found the following: \r\nAZORult uses several system functions\r\noff_40940C contains these strings in the .data section:\r\n\"GetDiskFreeSpaceExW\"\r\n\"MoveFileExW\"\r\n\"RegDeleteKeyExW\"\r\n\"OpenProcessToken\"\r\n\"LookupPrivilegeValueW\"\r\n\"AdjustTokenPrivileges\"\r\n\"GetUserDefaultUILanguage\"\r\n\"SHAutoComplete\"\r\n\"SHFOLDER\"\r\n\"SHGetFolderPathW\"\r\nLet’s see the xrefs of off_40940C.\r\nGetProcAddress is used to resolve the APIs\r\nIt uses LoadLibraryA and GetProcAddress to resolve these APIs.\r\nThe malware uses GetDiskFreeSpaceExW to check if there is enough disk space available before attempting to\r\ninstall or execute.\r\nIf the disk is nearly full, the malware might avoid installation to prevent detection or impact. \r\nLookupPrivilegeValueW / AdjustTokenPrivileges \r\nMalware uses LookupPrivilegeValueW to get the LUID for a privilege like SE_DEBUG_NAME or\r\nSE_SYSTEM_ENVIRONMENT_NAME, which allow it to perform actions like debugging other processes or\r\nmodifying system settings. \r\nIt uses AdjustTokenPrivileges to: \r\nModify Privileges: By adjusting token privileges, malware can avoid detection by security software or\r\nmake modifications to the system that are not typically allowed under normal user privileges. \r\nAccess Sensitive Operations: Malware might need elevated privileges to modify system settings, access\r\nprotected files, or inject code into other processes. \r\nGetUserDefaultUILanguage \r\nThis API provides the language used for the user interface of Windows. 
\r\nIt is used to tailor the malware’s behavior or appearance based on the language of the system to avoid detection or\r\nappear more localized. \r\nConclusion \r\nThe AZORult malware represents a highly adaptable and sophisticated threat, evolving significantly since its\r\ninitial development. As observed, AZORult employs various techniques to evade detection and maximize its\r\nimpact, such as anti-debugging measures, use of environment variables, and privilege escalation. \r\nThe malware’s ability to operate in hidden modes, drop additional malicious files, and interact with multiple IP\r\naddresses and domains underscores its potential for widespread damage.\r\nThe use of specific Windows API calls for tasks like checking disk space, adjusting token privileges, and\r\nmanipulating system settings reflects a well-designed strategy to ensure persistence and effectiveness. The\r\npresence of digital certificates and obfuscation techniques further complicates detection and analysis.\r\nAbout ANY.RUN  \r\nANY.RUN helps more than 400,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies\r\nmalware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI\r\nLookup, YARA Search and Feeds, help you find IOCs or files to learn more about the threats and respond to\r\nincidents faster.  \r\nWith ANY.RUN you can: \r\nDetect malware in seconds. \r\nInteract with samples in real time. \r\nSave time and money on sandbox setup and maintenance \r\nRecord and study all aspects of malware behavior. \r\nCollaborate with your team \r\nScale as you need. 
\r\nIOCs\r\nMD5 Hash\r\n0824428fdccf3c63fc1ca19a1dd7ef74\r\nDNS requests \r\nehzwq[.]shop\r\nfp-afd-nocache-ccp.azureedge[.]net\r\nr10.o.lencr[.]org\r\na-ring-fallback[.]msedge[.]net\r\nt-ring-fdv2[.]msedge[.]net\r\nreap.skyestates[.]com[.]mt\r\nIP connections\r\n108.167.181.251\r\n20.166.126.56\r\n52.168.117.175\r\n20.223.35.26\r\n2.23.209.130\r\n2.23.209.158\r\n2.23.209.140\r\n13.107.246.45\r\n131.253.33.254\r\n20.99.185.48\r\nRegistry keys\r\nHKEY_USERS\\S-1-5-21-575823232-3065301323-1442773979-1000\\fordjelsesbesvret\\Uninstall\\Spidsfindigeres22\\luftrr\r\nHKEY_CURRENT_USER\\fordjelsesbesvret\\Uninstall\\Spidsfindigeres22\\luftrr\r\nHKEY_CURRENT_USER\\fordjelsesbesvret\\Uninstall\\Spidsfindigeres22luftrr\r\nSpidsfindigeres22\\luftrr\r\nfordjelsesbesvret\\Uninstall\\Spidsfindigeres22\\luftrr\r\nHKEY_CURRENT_USER\\fordjelsesbesvret\r\nHKEY_CURRENT_USER\\fordjelsesbesvret\\Uninstall\r\nHKEY_CURRENT_USER\\fordjelsesbesvret\\Uninstall\\Spidsfindigeres22\r\nMutexes \r\nGlobal\\6b9d2ecb-1948-49c6-b61f-9cc3ad1d78d1\r\nGlobal\\AmiProviderMutex_InventoryApplicationFile\r\nGlobal\\OneSettingQueryMutex+compat+encapsulation\r\nLocal\\WERReportingForProcess1284\r\nMITRE ATT\u0026CK TTPs \r\nTACTIC TECHNIQUE MITRE ATT\u0026CK ID \r\nExecution \r\nWindows Management Instrumentation  T1047 \r\nCommand and Scripting Interpreter  T1059 \r\nPowerShell  T1059.001 \r\nScripting  T1064 (deprecated) \r\nNative API  T1106 \r\nShared Modules  T1129 \r\nPersistence \r\nBoot or Logon Autostart Execution  T1547 \r\nShortcut Modification  T1547.009 \r\nHijack Execution Flow  T1574 \r\nDLL Side-Loading  T1574.002 \r\nPrivilege Escalation \r\nProcess Injection  T1055 \r\nBoot or Logon Autostart Execution  T1547 \r\nShortcut Modification  T1547.009 \r\nHijack Execution Flow  T1574 \r\nDLL Side-Loading  T1574.002 \r\nDefense Evasion \r\nObfuscated Files or Information  T1027 \r\nSoftware Packing  T1027.002 \r\nEmbedded Payloads  T1027.009 \r\nMasquerading  T1036 \r\nProcess Injection  T1055 \r\nScripting  T1064 (deprecated) \r\nIndicator Removal  T1070 \r\nTimestomp  T1070.006 \r\nModify Registry  T1112 \r\nDeobfuscate/Decode Files or Information  T1140 \r\nFile and Directory Permissions Modification  T1222 \r\nVirtualization/Sandbox Evasion  T1497 \r\nHide Artifacts  T1564 \r\nHidden Window  T1564.003 \r\nHijack Execution Flow  T1574 \r\nDLL Side-Loading  T1574.002 \r\nCredential Access \r\nOS Credential Dumping  T1003 \r\nUnsecured Credentials  T1552 \r\nCredentials In Files  T1552.001 \r\nCredentials in Registry  T1552.002 \r\nDiscovery \r\nApplication Window Discovery  T1010 \r\nQuery Registry  T1012 \r\nRemote System Discovery  T1018 \r\nProcess Discovery  T1057 \r\nSystem Information Discovery  T1082 \r\nFile and Directory Discovery  T1083 \r\nVirtualization/Sandbox Evasion  T1497 \r\nSoftware Discovery  T1518 \r\nSecurity Software Discovery  T1518.001 \r\nCollection \r\nData from Local System  T1005 \r\nEmail Collection  T1114 \r\nClipboard Data  T1115 \r\nVideo Capture  T1125 \r\nCommand and Control \r\nApplication Layer Protocol  T1071 \r\nNon-Application Layer Protocol  T1095 \r\nEncrypted Channel  T1573 \r\nImpact \r\nSystem Shutdown/Reboot  T1529 \r\nMostafa ElSheimy\r\nMalware Analyst\r\nMostafa ElSheimy is a malware reverse engineer and threat intelligence analyst, specializing in analyzing TTPs\r\n(Tactics, Techniques, and Procedures) and crafting YARA rules to detect and counter cyber threats. Mostafa's work\r\nfocuses on dissecting malware to uncover hidden dangers and protect organizations from emerging threats.\r\nFind him on X and LinkedIn.\r\nSource: https://any.run/cybersecurity-blog/azorult-malware-analysis/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://any.run/cybersecurity-blog/azorult-malware-analysis/"
	],
	"report_names": [
		"azorult-malware-analysis"
	],
	"threat_actors": [],
	"ts_created_at": 1775439070,
	"ts_updated_at": 1775826690,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/daac2aa38b0972f8f89afea3a3435243a08fc567.pdf",
		"text": "https://archive.orkl.eu/daac2aa38b0972f8f89afea3a3435243a08fc567.txt",
		"img": "https://archive.orkl.eu/daac2aa38b0972f8f89afea3a3435243a08fc567.jpg"
	}
}