Malware Analysis Report

2025-08-05 14:06

Sample ID 230804-vj4wgaea5w
Target 617edc0de1e77f1822ef3e93986f705758ba7ee38b59725d01cf6cabd5d98ef1exe_JC.exe
SHA256 617edc0de1e77f1822ef3e93986f705758ba7ee38b59725d01cf6cabd5d98ef1
Tags
guloader downloader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

617edc0de1e77f1822ef3e93986f705758ba7ee38b59725d01cf6cabd5d98ef1

Threat Level: Known bad

The file 617edc0de1e77f1822ef3e93986f705758ba7ee38b59725d01cf6cabd5d98ef1exe_JC.exe was found to be: Known bad.

Malicious Activity Summary

guloader downloader

Guloader,Cloudeye

Checks QEMU agent file

Loads dropped DLL

Enumerates physical storage devices

Program crash

NSIS installer

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-08-04 17:02

Signatures

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-04 17:02

Reported

2023-08-04 17:04

Platform

win7-20230712-en

Max time kernel

122s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\617edc0de1e77f1822ef3e93986f705758ba7ee38b59725d01cf6cabd5d98ef1exe_JC.exe"

Signatures

Guloader,Cloudeye

downloader guloader

Checks QEMU agent file

Description Indicator Process Target
File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe C:\Users\Admin\AppData\Local\Temp\617edc0de1e77f1822ef3e93986f705758ba7ee38b59725d01cf6cabd5d98ef1exe_JC.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\617edc0de1e77f1822ef3e93986f705758ba7ee38b59725d01cf6cabd5d98ef1exe_JC.exe

"C:\Users\Admin\AppData\Local\Temp\617edc0de1e77f1822ef3e93986f705758ba7ee38b59725d01cf6cabd5d98ef1exe_JC.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nst8576.tmp\System.dll

MD5 3f176d1ee13b0d7d6bd92e1c7a0b9bae
SHA1 fe582246792774c2c9dd15639ffa0aca90d6fd0b
SHA256 fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e
SHA512 0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6

memory/2412-62-0x0000000003840000-0x00000000042B7000-memory.dmp

memory/2412-63-0x0000000003840000-0x00000000042B7000-memory.dmp

memory/2412-64-0x0000000077030000-0x00000000771D9000-memory.dmp

memory/2412-65-0x0000000003840000-0x00000000042B7000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-08-04 17:02

Reported

2023-08-04 17:04

Platform

win10v2004-20230703-en

Max time kernel

143s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\617edc0de1e77f1822ef3e93986f705758ba7ee38b59725d01cf6cabd5d98ef1exe_JC.exe"

Signatures

Guloader,Cloudeye

downloader guloader

Checks QEMU agent file

Description Indicator Process Target
File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe C:\Users\Admin\AppData\Local\Temp\617edc0de1e77f1822ef3e93986f705758ba7ee38b59725d01cf6cabd5d98ef1exe_JC.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\617edc0de1e77f1822ef3e93986f705758ba7ee38b59725d01cf6cabd5d98ef1exe_JC.exe

"C:\Users\Admin\AppData\Local\Temp\617edc0de1e77f1822ef3e93986f705758ba7ee38b59725d01cf6cabd5d98ef1exe_JC.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3444 -ip 3444

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3444 -s 1052

Network

Country Destination Domain Proto
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 9.175.53.84.in-addr.arpa udp
US 8.8.8.8:53 6.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsm15B7.tmp\System.dll

MD5 3f176d1ee13b0d7d6bd92e1c7a0b9bae
SHA1 fe582246792774c2c9dd15639ffa0aca90d6fd0b
SHA256 fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e
SHA512 0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6

memory/3444-140-0x00000000049E0000-0x0000000005457000-memory.dmp

memory/3444-141-0x00000000049E0000-0x0000000005457000-memory.dmp

memory/3444-142-0x00000000049E0000-0x0000000005457000-memory.dmp