Malware Analysis Report

2025-08-10 19:27

Sample ID 230712-tp7zmsfa4x
Target tmp
SHA256 8c63c1e28683c7aa90cb40df346fe1d5dbc3b2bd994cd883cd7e551518486098
Tags
guloader discovery downloader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8c63c1e28683c7aa90cb40df346fe1d5dbc3b2bd994cd883cd7e551518486098

Threat Level: Known bad

The file tmp was found to be: Known bad.

Malicious Activity Summary

guloader discovery downloader

Guloader,Cloudeye

Checks QEMU agent file

Loads dropped DLL

Checks installed software on the system

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

NSIS installer

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-12 16:15

Signatures

NSIS installer

installer
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-12 16:15

Reported

2023-07-12 16:17

Platform

win7-20230712-en

Max time kernel

146s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

Signatures

Guloader,Cloudeye

downloader guloader

Checks QEMU agent file

Description | Indicator | Process | Target
File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A
File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A

Checks installed software on the system

discovery

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1260 set thread context of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | C:\Users\Admin\AppData\Local\Temp\tmp.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\Common Files\Metronomic\Telefonis\glitzier\nutters.ini | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Fonts\arklngdernes\Lowly\brunch\Brugerskrms.lnk | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A
File opened for modification | C:\Windows\Fonts\burning\Miniks64.ini | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A
File opened for modification | C:\Windows\resources\0409\denitrified\alleging\Lightheadedly.sko | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

Network

Country | Destination | Domain | Proto
US | 107.172.148.208:80 | 107.172.148.208 | tcp
US | 107.172.148.208:80 | 107.172.148.208 | tcp
US | 107.172.148.208:80 | 107.172.148.208 | tcp
US | 107.172.148.208:80 | 107.172.148.208 | tcp
US | 107.172.148.208:80 | 107.172.148.208 | tcp
US | 107.172.148.208:80 | 107.172.148.208 | tcp
US | 107.172.148.208:80 | 107.172.148.208 | tcp
US | 107.172.148.208:80 | 107.172.148.208 | tcp
US | 107.172.148.208:80 | 107.172.148.208 | tcp
US | 107.172.148.208:80 | 107.172.148.208 | tcp
US | 107.172.148.208:80 | 107.172.148.208 | tcp
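The signature and network rows above carry the three findings an analyst actually acts on: the anti-VM probe for the QEMU guest agent, the cross-process SetThreadContext (PID 1260 rewriting the context of 2704, the footprint of the hollowed second tmp.exe), and the repeated plain-HTTP contact with a raw IP and no resolved domain. The helpers below pull those out of rows in this report's column layout. This is an added example, not code from the report or the sandbox vendor; the sample rows are constructed from the behavioral1 tables, the pipe delimiter and helper names are assumptions, and the VM-agent file names other than qemu-ga.exe are the editor's additions.

```python
"""Triage helpers for flattened sandbox-report rows (added example)."""
import re
from collections import Counter

# Constructed from the behavioral1 tables of this report, one row per line,
# using the report's column order: Description | Indicator | Process | Target.
SIGNATURE_ROWS = [
    "File opened (read-only) | C:\\Program Files\\Qemu-ga\\qemu-ga.exe | C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp.exe | N/A",
    "PID 1260 set thread context of 2704 | N/A | C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp.exe | C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp.exe",
    "File created | C:\\Windows\\Fonts\\arklngdernes\\Lowly\\brunch\\Brugerskrms.lnk | C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp.exe | N/A",
]

# Constructed from the behavioral2 network table: Country | Destination | Domain | Proto.
# The in-addr.arpa entries are PTR (reverse) lookups, low-signal on their own.
NETWORK_ROWS = [
    "US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp",
    "US | 8.8.8.8:53 | 208.148.172.107.in-addr.arpa | udp",
    "US | 107.172.148.208:80 | 107.172.148.208 | tcp",
    "US | 107.172.148.208:80 | 107.172.148.208 | tcp",
    "US | 107.172.148.208:80 | 107.172.148.208 | tcp",
]

# Guest-agent binaries a loader may probe to detect a VM. qemu-ga.exe is the
# one this report shows; the other two are assumed additions by the editor.
VM_AGENT_FILES = {"qemu-ga.exe", "vboxservice.exe", "vmtoolsd.exe"}

INJECT_RE = re.compile(r"PID (\d+) set thread context of (\d+)")
RAW_IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def split_row(row):
    """Split one pipe-delimited report row into stripped cells."""
    return [cell.strip() for cell in row.split("|")]


def injection_pairs(rows):
    """(source_pid, target_pid) for every SetThreadContext into another process."""
    pairs = []
    for row in rows:
        match = INJECT_RE.search(split_row(row)[0])
        if match and match.group(1) != match.group(2):
            pairs.append((int(match.group(1)), int(match.group(2))))
    return pairs


def vm_agent_probes(rows):
    """Indicator paths whose file name is a known VM guest agent."""
    hits = []
    for row in rows:
        description, indicator, *_ = split_row(row)
        file_name = indicator.rsplit("\\", 1)[-1].lower()
        if description.startswith("File opened") and file_name in VM_AGENT_FILES:
            hits.append(indicator)
    return hits


def classify_network(rows):
    """Separate reverse-DNS lookups from raw-IP contacts and count the latter per endpoint."""
    reverse_lookups, contacts = [], Counter()
    for row in rows:
        _, destination, domain, proto = split_row(row)
        if proto == "udp" and destination.endswith(":53") and domain.endswith(".in-addr.arpa"):
            reverse_lookups.append(domain)
        elif RAW_IP_RE.match(domain):
            # No hostname was resolved: the sample carries the IP itself.
            contacts[destination] += 1
    return reverse_lookups, contacts


def triage(sig_rows, net_rows, min_contacts=3):
    """One summary dict: injection pairs, VM probes, PTR noise count, repeated raw-IP endpoints."""
    reverse_lookups, contacts = classify_network(net_rows)
    return {
        "injection": injection_pairs(sig_rows),
        "vm_probes": vm_agent_probes(sig_rows),
        "reverse_lookups": len(reverse_lookups),
        "c2_candidates": {dest: n for dest, n in contacts.items() if n >= min_contacts},
    }


if __name__ == "__main__":
    print(triage(SIGNATURE_ROWS, NETWORK_ROWS))
```

The `min_contacts` threshold is a guess at what separates a beacon from a one-off fetch; tune it against the full row count (eleven contacts with the same endpoint in each detonation here) rather than the three constructed rows.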

Files

\Users\Admin\AppData\Local\Temp\nsy7CBF.tmp\System.dll

MD5 2ae993a2ffec0c137eb51c8832691bcb
SHA1 98e0b37b7c14890f8a599f35678af5e9435906e1
SHA256 681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59
SHA512 2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9

memory/1260-65-0x0000000002D50000-0x0000000005452000-memory.dmp

memory/1260-66-0x0000000002D50000-0x0000000005452000-memory.dmp

memory/2704-67-0x0000000000400000-0x0000000001462000-memory.dmp

memory/2704-68-0x0000000001470000-0x0000000003B72000-memory.dmp

memory/2704-69-0x0000000000400000-0x0000000001462000-memory.dmp

memory/2704-70-0x0000000001470000-0x0000000003B72000-memory.dmp

memory/2704-71-0x0000000000400000-0x0000000001462000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-07-12 16:15

Reported

2023-07-12 16:17

Platform

win10v2004-20230703-en

Max time kernel

148s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

Signatures

Guloader,Cloudeye

downloader guloader

Checks QEMU agent file

Description | Indicator | Process | Target
File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A
File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A

Checks installed software on the system

discovery

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2144 set thread context of 4384 | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | C:\Users\Admin\AppData\Local\Temp\tmp.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\Common Files\Metronomic\Telefonis\glitzier\nutters.ini | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Fonts\arklngdernes\Lowly\brunch\Brugerskrms.lnk | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A
File opened for modification | C:\Windows\Fonts\burning\Miniks64.ini | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A
File opened for modification | C:\Windows\resources\0409\denitrified\alleging\Lightheadedly.sko | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 254.111.26.67.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 76.121.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 107.172.148.208:80 | 107.172.148.208 | tcp
US | 8.8.8.8:53 | 208.148.172.107.in-addr.arpa | udp
US | 107.172.148.208:80 | 107.172.148.208 | tcp
US | 107.172.148.208:80 | 107.172.148.208 | tcp
US | 107.172.148.208:80 | 107.172.148.208 | tcp
US | 107.172.148.208:80 | 107.172.148.208 | tcp
US | 8.8.8.8:53 | 64.13.109.52.in-addr.arpa | udp
US | 107.172.148.208:80 | 107.172.148.208 | tcp
US | 107.172.148.208:80 | 107.172.148.208 | tcp
US | 107.172.148.208:80 | 107.172.148.208 | tcp
US | 107.172.148.208:80 | 107.172.148.208 | tcp
US | 107.172.148.208:80 | 107.172.148.208 | tcp
US | 107.172.148.208:80 | 107.172.148.208 | tcp

Files

C:\Users\Admin\AppData\Local\Temp\nss7475.tmp\System.dll

MD5 2ae993a2ffec0c137eb51c8832691bcb
SHA1 98e0b37b7c14890f8a599f35678af5e9435906e1
SHA256 681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59
SHA512 2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9

memory/2144-143-0x0000000003360000-0x0000000005A62000-memory.dmp

memory/2144-144-0x0000000003360000-0x0000000005A62000-memory.dmp

memory/4384-145-0x0000000000400000-0x0000000001654000-memory.dmp

memory/4384-146-0x0000000001660000-0x0000000003D62000-memory.dmp

memory/4384-147-0x0000000001660000-0x0000000003D62000-memory.dmp

memory/4384-148-0x0000000000400000-0x0000000001654000-memory.dmp
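The memory dump names in both Files sections encode PID, dump index and the start and end address of the region that was captured. Reading them arithmetically tells an analyst more than the list does: in behavioral1 the parent (1260) has a private region at 0x2D50000-0x5452000 and the child (2704) a region at 0x1470000-0x3B72000 of exactly the same size (0x2702000 bytes), next to the child's image region at the default base 0x400000; behavioral2 shows the same pairing for 2144 and 4384. Together with the "PID 1260 set thread context of 2704" signature that is the footprint of a payload copied into a hollowed process. The parser below is an added example, not part of the report; the dump names are copied from the behavioral1 Files section, and the helper names and the equal-size heuristic are the editor's assumptions.

```python
"""Parse sandbox memory-dump names and relate regions across processes (added example)."""
import re
from collections import defaultdict

# The report's own naming pattern: memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

# Copied from the behavioral1 Files section of this report.
DUMPS_BEHAVIORAL1 = [
    "memory/1260-65-0x0000000002D50000-0x0000000005452000-memory.dmp",
    "memory/1260-66-0x0000000002D50000-0x0000000005452000-memory.dmp",
    "memory/2704-67-0x0000000000400000-0x0000000001462000-memory.dmp",
    "memory/2704-68-0x0000000001470000-0x0000000003B72000-memory.dmp",
    "memory/2704-69-0x0000000000400000-0x0000000001462000-memory.dmp",
    "memory/2704-70-0x0000000001470000-0x0000000003B72000-memory.dmp",
    "memory/2704-71-0x0000000000400000-0x0000000001462000-memory.dmp",
]


def parse_dump(name):
    """Return (pid, index, start, end, size) for a dump name, or None if it does not match."""
    match = DUMP_RE.match(name)
    if not match:
        return None
    pid, index = int(match.group(1)), int(match.group(2))
    start, end = int(match.group(3), 16), int(match.group(4), 16)
    if end <= start:
        raise ValueError(f"end address is not above start in {name}")
    return pid, index, start, end, end - start


def regions_by_pid(names):
    """Distinct (start, end) regions per PID; repeated dumps of one region collapse to one entry."""
    regions = defaultdict(set)
    for name in names:
        parsed = parse_dump(name)
        if parsed:
            pid, _, start, end, _ = parsed
            regions[pid].add((start, end))
    return {pid: sorted(found) for pid, found in regions.items()}


def shared_size_regions(names, parent_pid, child_pid):
    """Regions of identical size that appear in both parent and child.

    Heuristic (assumed, not a report field): a private region in the parent that
    reappears with the same size in the child whose thread context the parent
    rewrote is the usual trace of a payload copied into a hollowed process.
    """
    regions = regions_by_pid(names)
    by_size = defaultdict(list)
    for pid in (parent_pid, child_pid):
        for start, end in regions.get(pid, []):
            by_size[end - start].append((pid, start, end))
    matches = []
    for size, entries in sorted(by_size.items()):
        if {entry[0] for entry in entries} == {parent_pid, child_pid}:
            matches.append((size, sorted(entries)))
    return matches


def image_region(names, pid, image_base=0x400000):
    """The dumped region that starts at the default PE image base, if any."""
    for start, end in regions_by_pid(names).get(pid, []):
        if start == image_base:
            return start, end
    return None


if __name__ == "__main__":
    for size, entries in shared_size_regions(DUMPS_BEHAVIORAL1, 1260, 2704):
        print(f"shared region size 0x{size:X}:",
              [(pid, f"0x{s:X}-0x{e:X}") for pid, s, e in entries])
    print("child image region:", image_region(DUMPS_BEHAVIORAL1, 2704))
```

Run the same functions over the behavioral2 names with PIDs 2144 and 4384 to confirm the pairing holds on the Windows 10 detonation; the image region there spans 0x400000-0x1654000 rather than 0x400000-0x1462000, so compare region sizes across detonations rather than exact addresses.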