{
	"id": "194bfbde-73aa-4ee2-94ae-a0675ba85ee4",
	"created_at": "2026-04-06T00:08:20.539605Z",
	"updated_at": "2026-04-10T13:11:33.181429Z",
	"deleted_at": null,
	"sha1_hash": "e9fed1810d863c8e8dc15945245375d11c62b113",
	"title": "AZORult++: Rewriting history",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 243533,
	"plain_text": "AZORult++: Rewriting history\r\nBy Alexander Eremin\r\nPublished: 2019-03-22 · Archived: 2026-04-05 14:06:38 UTC\r\nThe AZORult Trojan is one of the most commonly bought and sold stealers in Russian forums. Despite the\r\nrelatively high price tag ($100), buyers like AZORult for its broad functionality (for example, the use of .bit\r\ndomains as C\u0026C servers to ensure owner anonymity and to make it difficult to block the C\u0026C server), as well as\r\nits high performance. Many comment leavers recommend it.\r\nBut at the back end of 2018, the main seller, known under the handle CrydBrox, stopped selling the malware:\r\n“All software has a shelf life. It’s run out for AZORult.\r\nIt is with joy and sadness that I announce that sales are closed forever.”\r\nSome attribute the move to AZORult 3.2 having become too widely available, likewise the source code of the\r\nbotnet control panel. This version of the malware spread to other forums where even users without special skills\r\ncan download and configure it for their own purposes. So the imminent demise of AZORult was apparently down\r\nto a lack of regular updates and its overly wide distribution. Yet the story of AZORult does not end there.\r\nIn a nutshell\r\nAZORult is a Trojan stealer that collects various data on infected computers and sends it to the C\u0026C server,\r\nincluding browser history, login credentials, cookies, files from folders as specified by the C\u0026C server (for\r\nexample, all TXT files from the Desktop folder), cryptowallet files, etc.; the malware can also be used as a loader\r\nto download other malware. Kaspersky Lab products detect the stealer as Trojan-PSW.Win32.Azorult. 
Our\r\nstatistics show that since the start of 2019, users in Russia and India are the most targeted.\r\nhttps://securelist.com/azorult-analysis-history/89922/\r\nPage 1 of 5\n\nGeography of users attacked by Trojan-PSW.Win32.Azorult, 01.01.2019 — 03.18.2019\r\nFrom Delphi to C++\r\nIn early March 2019, a number of malicious files detected by our products caught the eye. Although similar to\r\nAZORult already known to us, unlike the original malware, they were written not in Delphi, but in C++. A clear\r\nhint at the link between them comes from a section of code left by the developer.\r\nIt appears that the acolytes of CrydBrox, the very one who pulled the plug on AZORult, decided to rewrite it in\r\nC++; this version we call AZORult++. The presence of lines containing a path to debugging files likely indicates\r\nthat the malware is still in development, since developers usually try to remove such code as soon as feasible.\r\nAZORult++ starts out by checking the language ID through a call to the GetUserDefaultLangID() function. If\r\nAZORult++ is running on a system where the language is identified as Russian, Armenian, Azerbaijani,\r\nBelarusian, Georgian, Kazakh, Tajik, Turkmen, or Uzbek, the malware stops executing.\r\nA more detailed analysis reveals that the C++ version is deficient compared to AZORult 3.3, the last iteration to be\r\nsold. In particular, there is no loader functionality and no support for stealing saved passwords from many of the\r\nbrowsers supported by AZORult 3.3. 
At the same time, many signature features of the Delphi-based version 3.3\r\nare present in AZORult++, including the algorithm for communication with the C\u0026C server, the command format,\r\nthe structure and method of storing harvested data, and encryption keys.\r\nLike AZORult 3.3, AZORult++ uses an XOR operation with a 3-byte key to encrypt data sent to the C\u0026C server.\r\nWhat’s more, this key we had already encountered in various modifications of version 3.3.\r\nExamples of different versions of AZORult in operation (data encrypted using XOR)\r\nThe malware collects stolen data in RAM and does not write to the hard drive to keep its actions hidden. A\r\ncomparison of the data sent in the first packet (the ID of the infected device) shows that AZORult++ uses a shorter\r\nstring than AZORult 3.3 for identification:\r\nThe server response also contains far less data. In version 3.3, the response contained a command in the form\r\n“++++-+–+-“, specifying the bot configuration and a link for downloading additional malware, plus several binary\r\nfiles needed for the stealer to work. The string “++++-+–+-” is parsed by the Trojan character-by-character; “+” in\r\na specific position signifies a command to execute certain actions (for example, harvesting of cryptowallet files).\r\nThe current version of AZORult++ employs a shorter, yet similar command:\r\nIt is worth mentioning separately that the resulting configuration string is not processed correctly; the code\r\nexecution does not depend on the value “+” or “-” in the string, since the characters are checked against \\x00 for a\r\nmatch. In other words, the resulting command does not affect the stealer’s behavior:\r\nThis seems to be an error on the part of the developer, which suggests again that the project is in the very early\r\nstages of development. 
Going forward, these bugs are expected to be eliminated and the functionality of\r\nAZORult++ expanded.\r\n++ up the sleeve\r\nFor all its flaws, AZORult++ could actually be more dangerous than its predecessor due to its ability to establish a\r\nremote connection to the desktop. To do so, AZORult++ creates a user account using the NetUserAdd() function\r\n(username and password are specified in the AZORult++ code), before adding this account to the Administrators\r\ngroup:\r\nNext, AZORult++ hides the newly created account by setting the value of the Software\\Microsoft\\Windows\r\nNT\\CurrentVersion\\Winlogon\\SpecialAccounts\\Userlist registry key to 0. Likewise, through setting registry key\r\nvalues, a Remote Desktop Protocol (RDP) connection is allowed:\r\nThe malicious cherry on the cake is a call to ShellExecuteW() to open a port to establish a remote connection to\r\nthe desktop:\r\nAfter that, the infected computer is ready to accept the incoming RDP connection, which allows the cybercriminal\r\n— armed with the victim’s IP address and account information — to connect to the infected computer and seize\r\ncomplete control of it.\r\nConclusion\r\nDuring development, AZORult underwent several changes related to the expansion of its functionality. Moreover,\r\ndespite its many flaws, the C++ version is already more threatening than its predecessor due to the ability to\r\nestablish a remote connection to the desktop. 
Because AZORult++ is likely still in development, we should expect\r\nits functionality to expand and bugs to be eliminated, not to mention attempts to distribute it widely under a name\r\nthat buyers will recognize.\r\nIoC\r\nC\u0026C servers\r\nhttp://ravor.ac[.]ug\r\nhttp://daticho.ac[.]ug\r\nMD5\r\n08EB8F2E441C26443EB9ABE5A93CD942\r\n5B26880F80A00397BC379CAF5CADC564\r\nB0EC3E594D20B9D38CC8591BAFF0148B\r\nFE8938F0BAAF90516A90610F6E210484\r\nSource: https://securelist.com/azorult-analysis-history/89922/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/azorult-analysis-history/89922/"
	],
	"report_names": [
		"89922"
	],
	"threat_actors": [],
	"ts_created_at": 1775434100,
	"ts_updated_at": 1775826693,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e9fed1810d863c8e8dc15945245375d11c62b113.pdf",
		"text": "https://archive.orkl.eu/e9fed1810d863c8e8dc15945245375d11c62b113.txt",
		"img": "https://archive.orkl.eu/e9fed1810d863c8e8dc15945245375d11c62b113.jpg"
	}
}