Malware Analysis Report

2025-04-13 12:43

Sample ID 250320-d9ektssvet
Target 20032025_0342_17032025_HSBC_PAYMENT_ADVICE.zip
SHA256 77f10cc3bf2e9534ed7354b016c467e3affcebab83eb77508d7990e5b7be2cad
Tags azorult guloader discovery downloader infostealer trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256

77f10cc3bf2e9534ed7354b016c467e3affcebab83eb77508d7990e5b7be2cad

Threat Level: Known bad

The file 20032025_0342_17032025_HSBC_PAYMENT_ADVICE.zip was found to be: Known bad.

Malicious Activity Summary

azorult guloader discovery downloader infostealer trojan

Azorult family

Azorult

Guloader,Cloudeye

Guloader family

Loads dropped DLL

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Unsigned PE

Program crash

System Location Discovery: System Language Discovery

Modifies system certificate store

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-03-20 03:42

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-03-20 03:42

Reported

2025-03-20 03:47

Platform

win7-20250207-en

Max time kernel

118s

Max time network

167s

Command Line

"C:\Users\Admin\AppData\Local\Temp\HSBC_PAYMENT_ADVICE.exe"

Signatures

Azorult

trojan infostealer azorult

Azorult family

azorult

Guloader family

guloader

Guloader,Cloudeye

downloader guloader

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\HSBC_PAYMENT_ADVICE.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\HSBC_PAYMENT_ADVICE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HSBC_PAYMENT_ADVICE.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\HSBC_PAYMENT_ADVICE.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\HSBC_PAYMENT_ADVICE.exe N/A

Modifies system certificate store

defense_evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\HSBC_PAYMENT_ADVICE.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (DER-encoded ISRG Root X1 certificate; hex blob omitted) C:\Users\Admin\AppData\Local\Temp\HSBC_PAYMENT_ADVICE.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\HSBC_PAYMENT_ADVICE.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\HSBC_PAYMENT_ADVICE.exe

"C:\Users\Admin\AppData\Local\Temp\HSBC_PAYMENT_ADVICE.exe"

C:\Users\Admin\AppData\Local\Temp\HSBC_PAYMENT_ADVICE.exe

"C:\Users\Admin\AppData\Local\Temp\HSBC_PAYMENT_ADVICE.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 kenkyo.x24.eu udp
NL 5.255.110.9:443 kenkyo.x24.eu tcp
US 8.8.8.8:53 r10.o.lencr.org udp
GB 2.18.190.206:80 r10.o.lencr.org tcp
US 8.8.8.8:53 j4b2.icu udp
US 8.8.8.8:53 j4b2.icu udp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.19.117.22:80 crl.microsoft.com tcp

Files

\Users\Admin\AppData\Local\Temp\nsyC987.tmp\System.dll

MD5 0ff2d70cfdc8095ea99ca2dabbec3cd7
SHA1 10c51496d37cecd0e8a503a5a9bb2329d9b38116
SHA256 982c5fb7ada7d8c9bc3e419d1c35da6f05bc5dd845940c179af3a33d00a36a8b
SHA512 cb5fc0b3194f469b833c2c9abf493fcec5251e8609881b7f5e095b9bd09ed468168e95dda0ba415a7d8d6b7f0dee735467c0ed8e52b223eb5359986891ba6e2e

\Users\Admin\AppData\Local\Temp\nsyC987.tmp\LangDLL.dll

MD5 174708997758321cf926b69318c6c3f5
SHA1 645488089bf320f6864e0d0bc284c85216e56fbd
SHA256 f577b66492e97c7b8bf515398d8deb745abafd74f56fc03e67fce248ebbeb873
SHA512 214433597e04ca1ff9b4fe092d5d2997707a7c56f0f82c85d586088a200e4455028f3b9427d87b4f06f9252557d5be4b7a9138ea6a8d045df6209421fd8ca054

memory/2128-40-0x0000000003F50000-0x000000000541B000-memory.dmp

memory/2128-41-0x0000000077A21000-0x0000000077B22000-memory.dmp

memory/2128-42-0x0000000077A20000-0x0000000077BC9000-memory.dmp

memory/1384-43-0x00000000014E0000-0x00000000029AB000-memory.dmp

memory/1384-44-0x0000000077A20000-0x0000000077BC9000-memory.dmp

memory/1384-58-0x0000000000470000-0x00000000014D2000-memory.dmp

memory/1384-59-0x00000000014E0000-0x00000000029AB000-memory.dmp

memory/1384-60-0x0000000000470000-0x00000000014D2000-memory.dmp

memory/1384-61-0x0000000000470000-0x00000000014D2000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-03-20 03:42

Reported

2025-03-20 03:47

Platform

win10v2004-20250314-en

Max time kernel

105s

Max time network

215s

Command Line

"C:\Users\Admin\AppData\Local\Temp\HSBC_PAYMENT_ADVICE.exe"

Signatures

Azorult

trojan infostealer azorult

Azorult family

azorult

Guloader family

guloader

Guloader,Cloudeye

downloader guloader

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\HSBC_PAYMENT_ADVICE.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\HSBC_PAYMENT_ADVICE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HSBC_PAYMENT_ADVICE.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\HSBC_PAYMENT_ADVICE.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\HSBC_PAYMENT_ADVICE.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\HSBC_PAYMENT_ADVICE.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\HSBC_PAYMENT_ADVICE.exe

"C:\Users\Admin\AppData\Local\Temp\HSBC_PAYMENT_ADVICE.exe"

C:\Users\Admin\AppData\Local\Temp\HSBC_PAYMENT_ADVICE.exe

"C:\Users\Admin\AppData\Local\Temp\HSBC_PAYMENT_ADVICE.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 kenkyo.x24.eu udp
NL 5.255.110.9:443 kenkyo.x24.eu tcp
US 8.8.8.8:53 r10.o.lencr.org udp
GB 2.18.190.198:80 r10.o.lencr.org tcp
US 8.8.8.8:53 j4b2.icu udp
US 8.8.8.8:53 j4b2.icu udp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

C:\Users\Admin\AppData\Local\Temp\nsm591D.tmp\System.dll

MD5 0ff2d70cfdc8095ea99ca2dabbec3cd7
SHA1 10c51496d37cecd0e8a503a5a9bb2329d9b38116
SHA256 982c5fb7ada7d8c9bc3e419d1c35da6f05bc5dd845940c179af3a33d00a36a8b
SHA512 cb5fc0b3194f469b833c2c9abf493fcec5251e8609881b7f5e095b9bd09ed468168e95dda0ba415a7d8d6b7f0dee735467c0ed8e52b223eb5359986891ba6e2e

C:\Users\Admin\AppData\Local\Temp\nsm591D.tmp\LangDLL.dll

MD5 174708997758321cf926b69318c6c3f5
SHA1 645488089bf320f6864e0d0bc284c85216e56fbd
SHA256 f577b66492e97c7b8bf515398d8deb745abafd74f56fc03e67fce248ebbeb873
SHA512 214433597e04ca1ff9b4fe092d5d2997707a7c56f0f82c85d586088a200e4455028f3b9427d87b4f06f9252557d5be4b7a9138ea6a8d045df6209421fd8ca054

memory/1572-43-0x00000000049D0000-0x0000000005E9B000-memory.dmp

memory/1572-44-0x0000000077761000-0x0000000077881000-memory.dmp

memory/1572-45-0x0000000010004000-0x0000000010005000-memory.dmp

memory/1572-47-0x00000000049D0000-0x0000000005E9B000-memory.dmp

memory/2240-48-0x00000000016D0000-0x0000000002B9B000-memory.dmp

memory/2240-49-0x00000000777E8000-0x00000000777E9000-memory.dmp

memory/2240-50-0x0000000077805000-0x0000000077806000-memory.dmp

memory/2240-59-0x0000000002BA0000-0x0000000002BC7000-memory.dmp

memory/2240-57-0x0000000000470000-0x00000000016C4000-memory.dmp

memory/2240-58-0x00000000016D0000-0x0000000002B9B000-memory.dmp

memory/2240-61-0x0000000077761000-0x0000000077881000-memory.dmp

memory/2240-60-0x0000000000470000-0x00000000016C4000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2025-03-20 03:42

Reported

2025-03-20 03:47

Platform

win7-20240903-en

Max time kernel

121s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 224

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2025-03-20 03:42

Reported

2025-03-20 03:47

Platform

win10v2004-20250314-en

Max time kernel

161s

Max time network

287s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2508 wrote to memory of 6048 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2508 wrote to memory of 6048 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2508 wrote to memory of 6048 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 6048 -ip 6048

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6048 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2025-03-20 03:42

Reported

2025-03-20 03:47

Platform

win7-20241010-en

Max time kernel

238s

Max time network

244s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2580 -s 228

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2025-03-20 03:42

Reported

2025-03-20 03:47

Platform

win10v2004-20250314-en

Max time kernel

102s

Max time network

215s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3824 wrote to memory of 4764 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3824 wrote to memory of 4764 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3824 wrote to memory of 4764 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4764 -ip 4764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

N/A