AZORult is one of the best-known families of malware in the Stealer category. It is usually sold on Russian forums for prices ranging up to $100. This malware has been used by a large number of important threat actors, including some dedicated to crime such as FIN11 or TA505 (GracefulSpider), and others operating under a state-sponsored model such as GorgonGroup from Pakistan.

This malware usually starts from an initial entry point such as documents delivered via Spear-Phishing or compromised web pages. It is characterized by performing several file drops that are later executed and check connectivity to the C&C; after this, it steals information and creates persistence or a backdoor so that, before exfiltrating the data, it has opportunities to persist on the system. This lets the actor keep obtaining information from the environment the affected computer belongs to and sometimes pivot.

_Technical Analysis

As mentioned above, this malware is most commonly found after Spear-Phishing or a compromised web site. After this, its main objective is to obtain data from elements such as search engines, FTP clients or email.

An example of what its steps would be is as follows:


Once we have a general understanding of what this malware is and what its steps are, we look at how several samples execute in order to have the widest possible context: since it is a malware that several groups use and that can be bought, we find different versions of AZORult coexisting.

After reviewing dozens of samples, the most common pattern is an execution whose first phase launches several cmd.exe processes to support itself while dropping other files into temporary paths, or uses sleeps via PowerShell to outlast the sandbox analysis timeout or simply delay execution.


During this phase, different files are dropped in the background in folders such as:


Here we will see different files among which, depending on the version, we can find scripts and other binaries that support the execution, or the next-stage file, which will be AZORult itself.

Before the execution of the Stealer, depending on the version, it performs different actions such as:

Create tasks to create persistence:

schtasks /create /tn /tr "<FilePath>" /sc minute /mo 1 /F

Modifying Office settings: we can see changes to the Resiliency and the File MRU (recent files) entries, which mean that open Office files will not be recoverable and the Office history will disappear. In this case it was performed on Word, which suggests the malware is covering its tracks, as one of the samples arrived via Spear-Phishing.


Killing other processes:

Taskkill /F /IM winword.exe

Or running AZORult itself, which is the final objective of this initial "Dropper" stage. It is worth noting that the AZORult samples seen were mostly either .NET obfuscated with SmartAssembly, AutoIT (the most common) or NullSoft; I also found some in C++.


Once the stealer is deployed, it performs its actions in one way or another since, as I said, several versions usually coexist at the same time. We can see how they usually include obfuscation and/or anti-analysis techniques.


We can see anti-debugging checks, where it looks for any thread with the debug flag set or inspects the HEAP flags; in short, I have seen different ways of preventing us from analysing it at a low level.

Subsequently, we can see how it tries to avoid reinfection with a Mutex, although not all samples used one.


During the rest of the execution, I notice how it actually checks at several points which processes are running on the system. This is usually also linked to anti-analysis, since it lets the malware see whether any application it does not want running is present.


Later it looks up the permissions it has at runtime via its Token, in order to execute code in a different thread with the context from which it has obtained all the information related to the credentials of the main process.


In other words, it checks whether the running process (thread) has enough privileges to take the thread context and execute whatever it wants in that thread with the same privileges, or with the privileges of another user :)

I also find quite interesting the ability to control the device by remotely shutting it down or suspending it using the Suspend + Force flag.



Meanwhile, we are forgetting the most important part here, which is the information theft: across different samples we can see that it obtains information from elements such as:

  • Mail information
  • Wallets
  • FTP
  • Browsers information (Cookies, History…)
  • SSH (Putty|WinSCP)


Once it has obtained everything it wanted, it makes requests to the C&C with all the collected data. It is worth noting that most of the AZORult samples I have found, before running most of their functions, had a check on whether the C2 was reachable; if it was not, execution stopped automatically. This is quite common because, if analysts rely on a sandbox and the C2 goes down, the content of what comes next cannot be analysed, and it adds an extra layer of protection since analysts sometimes analyse malware without internet traffic.


I have found myself analysing quite a few samples whose C2 was no longer up, and have had to bypass the checks or directly understand the disassembly using the context from the rest of the samples since, as you know, C&Cs come and go and usually fall relatively quickly thanks to the great work done by the community and the companies reporting them.

Finally, I usually check in VT how the samples I am analysing relate to each other, to see whether they lead me to heavily reported IPs/domains, to find more samples and therefore different versions, to see whether there is any collection where I can get more context from the intelligence side, and so on.


_Summary of behaviour


Dropper > Infection > C2 communication > Information theft > Persistence and backdoor creation > Encryption > Data exfiltration

Office Manipulation:

(PrntPrc) Winword|Excel | TempFile > (ChildPrc) cmd.exe | powershell.exe > (cmd contains) \Resiliency /f
(PrntPrc) Winword|Excel | TempFile > (ChildPrc) cmd.exe | powershell.exe > (cmd contains) \File MRU /v

Scheduled task persistence:

(Cmd) schtasks /create /tn /tr "<FilePath>" /sc minute /mo 1 /F

Timeout | Ping abuse to auto-delete:

(Cmd) cmd.exe /c C:\Windows\system32\timeout.exe 3 & del "<FilePath>"
(Cmd) cmd.exe /c ping && del "C:\Users\admin\AppData\Local\Temp\<FolderPath>\<FileName>.exe" >> NUL

Suspicious file reading sensitive information:

(Path Temp|Roaming|ProgramData)Prc > ReadFile > (Path contains) \Wallet\ | \Wallets\ | \Recentservers.xml | \accounts.xml
(Path Temp|Roaming|ProgramData)Prc > QueryReg > (Reg contains) \monero | \Bitcoin | \BitCore | \LiteCoin | \WinSCP | \Url History
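The behaviour summary above can be turned into host-level detection logic. The following is an added example, not code from the original post: a Python script that encodes those process, file and registry patterns as rules and runs them over constructed sample telemetry. The event field names, rule names and the sample command lines, paths and registry keys are assumptions made for illustration.

```python
import re

# Constructed sample telemetry (not real logs): process, file-read and
# registry-query events in the shape an EDR/Sysmon pipeline might emit.
EVENTS = [
    {"type": "proc", "parent": "WINWORD.EXE", "image": "cmd.exe",
     "cmd": r"cmd.exe /c reg delete HKCU\Software\Microsoft\Office\16.0\Word\Resiliency /f"},
    {"type": "proc", "parent": "explorer.exe", "image": "cmd.exe",
     "cmd": r'schtasks /create /tn upd /tr "C:\Users\admin\AppData\Roaming\x.exe" /sc minute /mo 1 /F'},
    {"type": "proc", "parent": "x.exe", "image": "cmd.exe",
     "cmd": r'cmd.exe /c ping 127.0.0.1 && del "C:\Users\admin\AppData\Local\Temp\abc\x.exe" >> NUL'},
    {"type": "file", "image": r"C:\Users\admin\AppData\Roaming\x.exe",
     "path": r"C:\Users\admin\AppData\Roaming\Electrum\wallets\default_wallet"},
    {"type": "reg", "image": r"C:\ProgramData\svc.exe",
     "key": r"HKCU\Software\monero-project\monero-core"},
    {"type": "proc", "parent": "explorer.exe", "image": "cmd.exe", "cmd": "cmd.exe /c dir"},  # benign
]

OFFICE_PARENT = re.compile(r"^(winword|excel)\.exe$", re.I)
SHELL = re.compile(r"^(cmd|powershell)\.exe$", re.I)
STAGING_DIR = re.compile(r"\\(Temp|Roaming|ProgramData)\\", re.I)  # where dropped files live
SENSITIVE_PATH = re.compile(r"\\Wallets?\\|\\Recentservers\.xml|\\accounts\.xml", re.I)
SENSITIVE_KEY = re.compile(r"\\(monero|Bitcoin|BitCore|LiteCoin|WinSCP|Url History)", re.I)

def check_event(ev):
    """Return the names of the behaviour rules this single event triggers ([] = clean)."""
    hits = []
    if ev["type"] == "proc":
        cmd = ev["cmd"]
        # Office parent spawning a shell that wipes Resiliency / File MRU (recovery + history)
        if OFFICE_PARENT.match(ev["parent"]) and SHELL.match(ev["image"]) \
                and re.search(r"\\Resiliency /f|\\File MRU /v", cmd, re.I):
            hits.append("office_recovery_tamper")
        # Scheduled task re-launching a payload every minute
        if re.search(r"schtasks\s+/create.*?/sc\s+minute\s+/mo\s+1\s+/F", cmd, re.I):
            hits.append("minute_persistence_task")
        # timeout/ping used as a sleep before the dropper deletes itself
        if re.search(r"\b(timeout(\.exe)?\s+\d+|ping\b).*?&&?\s*del\s+", cmd, re.I):
            hits.append("delayed_self_delete")
        if re.search(r"taskkill\s+/F\s+/IM\s+winword\.exe", cmd, re.I):
            hits.append("kill_office")
    elif ev["type"] == "file" and STAGING_DIR.search(ev["image"]) and SENSITIVE_PATH.search(ev["path"]):
        hits.append("staged_binary_reads_credentials")
    elif ev["type"] == "reg" and STAGING_DIR.search(ev["image"]) and SENSITIVE_KEY.search(ev["key"]):
        hits.append("staged_binary_queries_wallet_keys")
    return hits

def scan(events):
    """Map event index -> triggered rules, keeping only events that fired something."""
    return {i: h for i, ev in enumerate(events) if (h := check_event(ev))}

if __name__ == "__main__":
    for i, rules in scan(EVENTS).items():
        print(i, EVENTS[i]["type"], rules)
```

A single hit is only a lead; correlating several of these rules on the same host within a short window (Office child shell, then a minute-interval task, then wallet/credential reads from a Temp or Roaming binary) is what separates this chain from ordinary admin noise.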