Malware Analysis Report

2025-04-13 20:36

Sample ID 230915-lw4xkacf98
Target Order List.z
SHA256 3f1294d96f6ceba7b51519f49a7bbd4a22cef0b4b34ffeb114cf017c9b64d28d
Tags
azorult guloader collection discovery downloader infostealer spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3f1294d96f6ceba7b51519f49a7bbd4a22cef0b4b34ffeb114cf017c9b64d28d

Threat Level: Known bad

The file Order List.z was found to be: Known bad.

Malicious Activity Summary

azorult guloader collection discovery downloader infostealer spyware stealer trojan

Guloader,Cloudeye

Azorult

Reads data files stored by FTP clients

Reads local data of messenger clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Checks QEMU agent file

Loads dropped DLL

Accesses cryptocurrency files/wallets, possible credential harvesting

Legitimate hosting services abused for malware hosting/C2

Accesses Microsoft Outlook profiles

Checks installed software on the system

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of NtCreateThreadExHideFromDebugger

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of WriteProcessMemory

outlook_win_path

Checks processor information in registry

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

outlook_office_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-15 09:53

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-15 09:53

Reported

2023-09-15 09:56

Platform

win7-20230831-en

Max time kernel

122s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Order List.exe"

Signatures

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\resources\0409\eviler.sst C:\Users\Admin\AppData\Local\Temp\Order List.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Order List.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Order List.exe

"C:\Users\Admin\AppData\Local\Temp\Order List.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2812 -s 552

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nso38DE.tmp\System.dll

MD5 6e55a6e7c3fdbd244042eb15cb1ec739
SHA1 070ea80e2192abc42f358d47b276990b5fa285a9
SHA256 acf90ab6f4edc687e94aaf604d05e16e6cfb5e35873783b50c66f307a35c6506
SHA512 2d504b74da38edc967e3859733a2a9cacd885db82f0ca69bfb66872e882707314c54238344d45945dc98bae85772aceef71a741787922d640627d3c8ae8f1c35

\Users\Admin\AppData\Local\Temp\nso38DE.tmp\nsExec.dll

MD5 ec9c99216ef11cdd85965e78bc797d2c
SHA1 1d5f93fbf4f8aab8164b109e9e1768e7b80ad88c
SHA256 c1b7c3ef8b77a5bb335dc9ec9c3546b249014dde43aa2a9ed719b4d5933741df
SHA512 35ff522c4efb3875fce0d6dce438f5225e5f27b414e7c16df88031e90b528c057fe10b4bbf755445c0500c3521e0797f562690aa7209f588169164bbfaceaba1

C:\Users\Admin\AppData\Local\Temp\nso38DE.tmp\System.dll

MD5 6e55a6e7c3fdbd244042eb15cb1ec739
SHA1 070ea80e2192abc42f358d47b276990b5fa285a9
SHA256 acf90ab6f4edc687e94aaf604d05e16e6cfb5e35873783b50c66f307a35c6506
SHA512 2d504b74da38edc967e3859733a2a9cacd885db82f0ca69bfb66872e882707314c54238344d45945dc98bae85772aceef71a741787922d640627d3c8ae8f1c35

\Users\Admin\AppData\Local\Temp\nso38DE.tmp\System.dll

MD5 6e55a6e7c3fdbd244042eb15cb1ec739
SHA1 070ea80e2192abc42f358d47b276990b5fa285a9
SHA256 acf90ab6f4edc687e94aaf604d05e16e6cfb5e35873783b50c66f307a35c6506
SHA512 2d504b74da38edc967e3859733a2a9cacd885db82f0ca69bfb66872e882707314c54238344d45945dc98bae85772aceef71a741787922d640627d3c8ae8f1c35

C:\Users\Admin\AppData\Local\Temp\nso38DE.tmp\nsExec.dll

MD5 ec9c99216ef11cdd85965e78bc797d2c
SHA1 1d5f93fbf4f8aab8164b109e9e1768e7b80ad88c
SHA256 c1b7c3ef8b77a5bb335dc9ec9c3546b249014dde43aa2a9ed719b4d5933741df
SHA512 35ff522c4efb3875fce0d6dce438f5225e5f27b414e7c16df88031e90b528c057fe10b4bbf755445c0500c3521e0797f562690aa7209f588169164bbfaceaba1

\Users\Admin\AppData\Local\Temp\nso38DE.tmp\nsExec.dll

MD5 ec9c99216ef11cdd85965e78bc797d2c
SHA1 1d5f93fbf4f8aab8164b109e9e1768e7b80ad88c
SHA256 c1b7c3ef8b77a5bb335dc9ec9c3546b249014dde43aa2a9ed719b4d5933741df
SHA512 35ff522c4efb3875fce0d6dce438f5225e5f27b414e7c16df88031e90b528c057fe10b4bbf755445c0500c3521e0797f562690aa7209f588169164bbfaceaba1

\Users\Admin\AppData\Local\Temp\nso38DE.tmp\nsExec.dll

MD5 ec9c99216ef11cdd85965e78bc797d2c
SHA1 1d5f93fbf4f8aab8164b109e9e1768e7b80ad88c
SHA256 c1b7c3ef8b77a5bb335dc9ec9c3546b249014dde43aa2a9ed719b4d5933741df
SHA512 35ff522c4efb3875fce0d6dce438f5225e5f27b414e7c16df88031e90b528c057fe10b4bbf755445c0500c3521e0797f562690aa7209f588169164bbfaceaba1

\Users\Admin\AppData\Local\Temp\nso38DE.tmp\nsExec.dll

MD5 ec9c99216ef11cdd85965e78bc797d2c
SHA1 1d5f93fbf4f8aab8164b109e9e1768e7b80ad88c
SHA256 c1b7c3ef8b77a5bb335dc9ec9c3546b249014dde43aa2a9ed719b4d5933741df
SHA512 35ff522c4efb3875fce0d6dce438f5225e5f27b414e7c16df88031e90b528c057fe10b4bbf755445c0500c3521e0797f562690aa7209f588169164bbfaceaba1

\Users\Admin\AppData\Local\Temp\nso38DE.tmp\nsExec.dll

MD5 ec9c99216ef11cdd85965e78bc797d2c
SHA1 1d5f93fbf4f8aab8164b109e9e1768e7b80ad88c
SHA256 c1b7c3ef8b77a5bb335dc9ec9c3546b249014dde43aa2a9ed719b4d5933741df
SHA512 35ff522c4efb3875fce0d6dce438f5225e5f27b414e7c16df88031e90b528c057fe10b4bbf755445c0500c3521e0797f562690aa7209f588169164bbfaceaba1

\Users\Admin\AppData\Local\Temp\nso38DE.tmp\nsExec.dll

MD5 ec9c99216ef11cdd85965e78bc797d2c
SHA1 1d5f93fbf4f8aab8164b109e9e1768e7b80ad88c
SHA256 c1b7c3ef8b77a5bb335dc9ec9c3546b249014dde43aa2a9ed719b4d5933741df
SHA512 35ff522c4efb3875fce0d6dce438f5225e5f27b414e7c16df88031e90b528c057fe10b4bbf755445c0500c3521e0797f562690aa7209f588169164bbfaceaba1

memory/2812-38-0x0000000003850000-0x00000000056FF000-memory.dmp

memory/2812-39-0x0000000003850000-0x00000000056FF000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-15 09:53

Reported

2023-09-15 09:56

Platform

win10v2004-20230915-en

Max time kernel

142s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Order List.exe"

Signatures

Azorult

trojan infostealer azorult

Guloader,Cloudeye

downloader guloader

Checks QEMU agent file

Description Indicator Process Target
File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe C:\Users\Admin\AppData\Local\Temp\Order List.exe N/A
File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe C:\Users\Admin\AppData\Local\Temp\Order List.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads local data of messenger clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Order List.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Order List.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Order List.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Order List.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Order List.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Order List.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4396 set thread context of 4420 N/A C:\Users\Admin\AppData\Local\Temp\Order List.exe C:\Users\Admin\AppData\Local\Temp\Order List.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\resources\0409\eviler.sst C:\Users\Admin\AppData\Local\Temp\Order List.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\Order List.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\Order List.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Order List.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Order List.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Order List.exe N/A

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Order List.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Order List.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Order List.exe

"C:\Users\Admin\AppData\Local\Temp\Order List.exe"

C:\Users\Admin\AppData\Local\Temp\Order List.exe

"C:\Users\Admin\AppData\Local\Temp\Order List.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 drive.google.com udp
NL 142.251.36.46:443 drive.google.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 46.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 35.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 doc-10-8g-docs.googleusercontent.com udp
NL 142.251.36.1:443 doc-10-8g-docs.googleusercontent.com tcp
US 8.8.8.8:53 1.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 lrvsd.shop udp
US 188.114.97.0:80 lrvsd.shop tcp
US 8.8.8.8:53 0.97.114.188.in-addr.arpa udp
US 188.114.97.0:80 lrvsd.shop tcp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 233.141.123.20.in-addr.arpa udp
US 8.8.8.8:53 126.178.238.8.in-addr.arpa udp
US 8.8.8.8:53 67.112.168.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsu9E36.tmp\System.dll

MD5 6e55a6e7c3fdbd244042eb15cb1ec739
SHA1 070ea80e2192abc42f358d47b276990b5fa285a9
SHA256 acf90ab6f4edc687e94aaf604d05e16e6cfb5e35873783b50c66f307a35c6506
SHA512 2d504b74da38edc967e3859733a2a9cacd885db82f0ca69bfb66872e882707314c54238344d45945dc98bae85772aceef71a741787922d640627d3c8ae8f1c35

C:\Users\Admin\AppData\Local\Temp\nsu9E36.tmp\nsExec.dll

MD5 ec9c99216ef11cdd85965e78bc797d2c
SHA1 1d5f93fbf4f8aab8164b109e9e1768e7b80ad88c
SHA256 c1b7c3ef8b77a5bb335dc9ec9c3546b249014dde43aa2a9ed719b4d5933741df
SHA512 35ff522c4efb3875fce0d6dce438f5225e5f27b414e7c16df88031e90b528c057fe10b4bbf755445c0500c3521e0797f562690aa7209f588169164bbfaceaba1

C:\Users\Admin\AppData\Local\Temp\nsu9E36.tmp\System.dll

MD5 6e55a6e7c3fdbd244042eb15cb1ec739
SHA1 070ea80e2192abc42f358d47b276990b5fa285a9
SHA256 acf90ab6f4edc687e94aaf604d05e16e6cfb5e35873783b50c66f307a35c6506
SHA512 2d504b74da38edc967e3859733a2a9cacd885db82f0ca69bfb66872e882707314c54238344d45945dc98bae85772aceef71a741787922d640627d3c8ae8f1c35

C:\Users\Admin\AppData\Local\Temp\nsu9E36.tmp\System.dll

MD5 6e55a6e7c3fdbd244042eb15cb1ec739
SHA1 070ea80e2192abc42f358d47b276990b5fa285a9
SHA256 acf90ab6f4edc687e94aaf604d05e16e6cfb5e35873783b50c66f307a35c6506
SHA512 2d504b74da38edc967e3859733a2a9cacd885db82f0ca69bfb66872e882707314c54238344d45945dc98bae85772aceef71a741787922d640627d3c8ae8f1c35

C:\Users\Admin\AppData\Local\Temp\nsu9E36.tmp\nsExec.dll

MD5 ec9c99216ef11cdd85965e78bc797d2c
SHA1 1d5f93fbf4f8aab8164b109e9e1768e7b80ad88c
SHA256 c1b7c3ef8b77a5bb335dc9ec9c3546b249014dde43aa2a9ed719b4d5933741df
SHA512 35ff522c4efb3875fce0d6dce438f5225e5f27b414e7c16df88031e90b528c057fe10b4bbf755445c0500c3521e0797f562690aa7209f588169164bbfaceaba1

C:\Users\Admin\AppData\Local\Temp\nsu9E36.tmp\nsExec.dll

MD5 ec9c99216ef11cdd85965e78bc797d2c
SHA1 1d5f93fbf4f8aab8164b109e9e1768e7b80ad88c
SHA256 c1b7c3ef8b77a5bb335dc9ec9c3546b249014dde43aa2a9ed719b4d5933741df
SHA512 35ff522c4efb3875fce0d6dce438f5225e5f27b414e7c16df88031e90b528c057fe10b4bbf755445c0500c3521e0797f562690aa7209f588169164bbfaceaba1

C:\Users\Admin\AppData\Local\Temp\nsu9E36.tmp\nsExec.dll

MD5 ec9c99216ef11cdd85965e78bc797d2c
SHA1 1d5f93fbf4f8aab8164b109e9e1768e7b80ad88c
SHA256 c1b7c3ef8b77a5bb335dc9ec9c3546b249014dde43aa2a9ed719b4d5933741df
SHA512 35ff522c4efb3875fce0d6dce438f5225e5f27b414e7c16df88031e90b528c057fe10b4bbf755445c0500c3521e0797f562690aa7209f588169164bbfaceaba1

C:\Users\Admin\AppData\Local\Temp\nsu9E36.tmp\nsExec.dll

MD5 ec9c99216ef11cdd85965e78bc797d2c
SHA1 1d5f93fbf4f8aab8164b109e9e1768e7b80ad88c
SHA256 c1b7c3ef8b77a5bb335dc9ec9c3546b249014dde43aa2a9ed719b4d5933741df
SHA512 35ff522c4efb3875fce0d6dce438f5225e5f27b414e7c16df88031e90b528c057fe10b4bbf755445c0500c3521e0797f562690aa7209f588169164bbfaceaba1

C:\Users\Admin\AppData\Local\Temp\nsu9E36.tmp\nsExec.dll

MD5 ec9c99216ef11cdd85965e78bc797d2c
SHA1 1d5f93fbf4f8aab8164b109e9e1768e7b80ad88c
SHA256 c1b7c3ef8b77a5bb335dc9ec9c3546b249014dde43aa2a9ed719b4d5933741df
SHA512 35ff522c4efb3875fce0d6dce438f5225e5f27b414e7c16df88031e90b528c057fe10b4bbf755445c0500c3521e0797f562690aa7209f588169164bbfaceaba1

C:\Users\Admin\AppData\Local\Temp\nsu9E36.tmp\nsExec.dll

MD5 ec9c99216ef11cdd85965e78bc797d2c
SHA1 1d5f93fbf4f8aab8164b109e9e1768e7b80ad88c
SHA256 c1b7c3ef8b77a5bb335dc9ec9c3546b249014dde43aa2a9ed719b4d5933741df
SHA512 35ff522c4efb3875fce0d6dce438f5225e5f27b414e7c16df88031e90b528c057fe10b4bbf755445c0500c3521e0797f562690aa7209f588169164bbfaceaba1

memory/4396-30-0x0000000004A70000-0x000000000691F000-memory.dmp

memory/4396-31-0x00000000771E1000-0x0000000077301000-memory.dmp

memory/4396-32-0x0000000004A70000-0x000000000691F000-memory.dmp

memory/4420-33-0x00000000004A0000-0x000000000234F000-memory.dmp

memory/4396-34-0x0000000073E30000-0x0000000073E37000-memory.dmp

memory/4420-35-0x00000000004A0000-0x000000000234F000-memory.dmp

memory/4420-36-0x0000000077268000-0x0000000077269000-memory.dmp

memory/4420-37-0x0000000077285000-0x0000000077286000-memory.dmp

memory/4420-50-0x0000000072930000-0x0000000073B84000-memory.dmp

memory/4420-51-0x00000000004A0000-0x000000000234F000-memory.dmp

memory/4420-52-0x0000000000060000-0x0000000000087000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A7579D4E\nss3.dll

MD5 556ea09421a0f74d31c4c0a89a70dc23
SHA1 f739ba9b548ee64b13eb434a3130406d23f836e3
SHA256 f0e6210d4a0d48c7908d8d1c270449c91eb4523e312a61256833bfeaf699abfb
SHA512 2481fc80dffa8922569552c3c3ebaef8d0341b80427447a14b291ec39ea62ab9c05a75e85eef5ea7f857488cab1463c18586f9b076e2958c5a314e459045ede2

C:\Users\Admin\AppData\Local\Temp\A7579D4E\mozglue.dll

MD5 9e682f1eb98a9d41468fc3e50f907635
SHA1 85e0ceca36f657ddf6547aa0744f0855a27527ee
SHA256 830533bb569594ec2f7c07896b90225006b90a9af108f49d6fb6bebd02428b2d
SHA512 230230722d61ac1089fabf3f2decfa04f9296498f8e2a2a49b1527797dca67b5a11ab8656f04087acadf873fa8976400d57c77c404eba4aff89d92b9986f32ed

C:\Users\Admin\AppData\Local\Temp\A7579D4E\msvcp140.dll

MD5 109f0f02fd37c84bfc7508d4227d7ed5
SHA1 ef7420141bb15ac334d3964082361a460bfdb975
SHA256 334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4
SHA512 46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

C:\Users\Admin\AppData\Local\Temp\A7579D4E\vcruntime140.dll

MD5 7587bf9cb4147022cd5681b015183046
SHA1 f2106306a8f6f0da5afb7fc765cfa0757ad5a628
SHA256 c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d
SHA512 0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

memory/4420-112-0x00000000771E1000-0x0000000077301000-memory.dmp

memory/4420-113-0x0000000072930000-0x0000000073B84000-memory.dmp

memory/4420-163-0x00000000004A0000-0x000000000234F000-memory.dmp

memory/4420-164-0x0000000072930000-0x0000000073B84000-memory.dmp