Malware Analysis Report

2025-08-05 14:07

Sample ID: 230806-lztk1agh97
Target: 7da5b2207cf789cf6807b6cc3373048cbc951d7fd09ca8fb858693cfa5f5edbaexe_JC.exe
SHA256: 7da5b2207cf789cf6807b6cc3373048cbc951d7fd09ca8fb858693cfa5f5edba
Tags: guloader, downloader
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: 7da5b2207cf789cf6807b6cc3373048cbc951d7fd09ca8fb858693cfa5f5edba
Threat Level: Known bad

The file 7da5b2207cf789cf6807b6cc3373048cbc951d7fd09ca8fb858693cfa5f5edbaexe_JC.exe was found to be: Known bad.

Malicious Activity Summary

Tags: guloader, downloader

- Guloader,Cloudeye
- Checks QEMU agent file
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Enumerates physical storage devices
- NSIS installer
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-08-06 09:58

Signatures

NSIS installer (tag: installer)

Analysis: behavioral1

Detonation Overview

Submitted: 2023-08-06 09:58
Reported: 2023-08-06 10:01
Platform: win7-20230712-en
Max time kernel: 147s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7da5b2207cf789cf6807b6cc3373048cbc951d7fd09ca8fb858693cfa5f5edbaexe_JC.exe"

Signatures

Guloader,Cloudeye (tags: downloader, guloader)

Checks QEMU agent file

Description | Indicator | Process | Target
File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | C:\Users\Admin\AppData\Local\Temp\7da5b2207cf789cf6807b6cc3373048cbc951d7fd09ca8fb858693cfa5f5edbaexe_JC.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\resources\0409\alfaquins.ini | C:\Users\Admin\AppData\Local\Temp\7da5b2207cf789cf6807b6cc3373048cbc951d7fd09ca8fb858693cfa5f5edbaexe_JC.exe | N/A

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7da5b2207cf789cf6807b6cc3373048cbc951d7fd09ca8fb858693cfa5f5edbaexe_JC.exe | N/A

Processes

Process: C:\Users\Admin\AppData\Local\Temp\7da5b2207cf789cf6807b6cc3373048cbc951d7fd09ca8fb858693cfa5f5edbaexe_JC.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\7da5b2207cf789cf6807b6cc3373048cbc951d7fd09ca8fb858693cfa5f5edbaexe_JC.exe"

Process: C:\Users\Admin\AppData\Local\Temp\7da5b2207cf789cf6807b6cc3373048cbc951d7fd09ca8fb858693cfa5f5edbaexe_JC.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\7da5b2207cf789cf6807b6cc3373048cbc951d7fd09ca8fb858693cfa5f5edbaexe_JC.exe"

Network

Country | Destination | Domain | Proto
NL | 194.59.218.151:80 | 194.59.218.151 | tcp

Files

\Users\Admin\AppData\Local\Temp\nsoE0C0.tmp\System.dll
    MD5: 0063d48afe5a0cdc02833145667b6641
    SHA1: e7eb614805d183ecb1127c62decb1a6be1b4f7a8
    SHA256: ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7
    SHA512: 71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0

C:\Windows\Resources\0409\alfaquins.ini
    MD5: 0f9aaea120fd9352cf55694c9500e138
    SHA1: bc89504eadbd05cd616470145910a1d5b66c631e
    SHA256: 24966d03a28e75c5f10be3d0a75a6a2469d88a82cb32c9c8272657f096a89244
    SHA512: 1f21aa429773c03679d3593c5c3983ac3e4c57c8041a9e6b320bfff4330ac2bcff7bf246481c0a05e27966d24e410eaa3555041eb35036c9bb0ed120831811b6

Memory dumps:
memory/952-274-0x00000000036C0000-0x0000000004FD0000-memory.dmp
memory/952-275-0x00000000036C0000-0x0000000004FD0000-memory.dmp
memory/952-276-0x0000000077B00000-0x0000000077CA9000-memory.dmp
memory/952-277-0x0000000077CF0000-0x0000000077DC6000-memory.dmp
memory/952-278-0x0000000075020000-0x0000000075026000-memory.dmp
memory/2172-279-0x0000000000400000-0x0000000001462000-memory.dmp
memory/2172-280-0x0000000001470000-0x0000000002D80000-memory.dmp
memory/2172-281-0x0000000077B00000-0x0000000077CA9000-memory.dmp
memory/2172-282-0x0000000000400000-0x0000000001462000-memory.dmp
memory/2172-283-0x0000000001470000-0x0000000002D80000-memory.dmp
memory/2172-284-0x0000000000400000-0x0000000001462000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2023-08-06 09:58
Reported: 2023-08-06 10:01
Platform: win10v2004-20230703-en
Max time kernel: 143s
Max time network: 157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7da5b2207cf789cf6807b6cc3373048cbc951d7fd09ca8fb858693cfa5f5edbaexe_JC.exe"

Signatures

Guloader,Cloudeye (tags: downloader, guloader)

Checks QEMU agent file

Description | Indicator | Process | Target
File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | C:\Users\Admin\AppData\Local\Temp\7da5b2207cf789cf6807b6cc3373048cbc951d7fd09ca8fb858693cfa5f5edbaexe_JC.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\resources\0409\alfaquins.ini | C:\Users\Admin\AppData\Local\Temp\7da5b2207cf789cf6807b6cc3373048cbc951d7fd09ca8fb858693cfa5f5edbaexe_JC.exe | N/A

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7da5b2207cf789cf6807b6cc3373048cbc951d7fd09ca8fb858693cfa5f5edbaexe_JC.exe | N/A

Processes

Process: C:\Users\Admin\AppData\Local\Temp\7da5b2207cf789cf6807b6cc3373048cbc951d7fd09ca8fb858693cfa5f5edbaexe_JC.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\7da5b2207cf789cf6807b6cc3373048cbc951d7fd09ca8fb858693cfa5f5edbaexe_JC.exe"

Process: C:\Users\Admin\AppData\Local\Temp\7da5b2207cf789cf6807b6cc3373048cbc951d7fd09ca8fb858693cfa5f5edbaexe_JC.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\7da5b2207cf789cf6807b6cc3373048cbc951d7fd09ca8fb858693cfa5f5edbaexe_JC.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 254.23.238.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
NL | 194.59.218.151:80 | 194.59.218.151 | tcp
US | 8.8.8.8:53 | 151.218.59.194.in-addr.arpa | udp
US | 8.8.8.8:53 | 63.13.109.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 253.15.104.51.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\nso8F90.tmp\System.dll
    MD5: 0063d48afe5a0cdc02833145667b6641
    SHA1: e7eb614805d183ecb1127c62decb1a6be1b4f7a8
    SHA256: ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7
    SHA512: 71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0

C:\Windows\Resources\0409\alfaquins.ini
    MD5: 0f9aaea120fd9352cf55694c9500e138
    SHA1: bc89504eadbd05cd616470145910a1d5b66c631e
    SHA256: 24966d03a28e75c5f10be3d0a75a6a2469d88a82cb32c9c8272657f096a89244
    SHA512: 1f21aa429773c03679d3593c5c3983ac3e4c57c8041a9e6b320bfff4330ac2bcff7bf246481c0a05e27966d24e410eaa3555041eb35036c9bb0ed120831811b6

Memory dumps:
memory/4956-353-0x00000000052E0000-0x0000000006BF0000-memory.dmp
memory/4956-354-0x00000000052E0000-0x0000000006BF0000-memory.dmp
memory/4956-355-0x0000000077DA1000-0x0000000077EC1000-memory.dmp
memory/4956-356-0x0000000074C00000-0x0000000074C06000-memory.dmp
memory/4512-357-0x0000000000400000-0x0000000001654000-memory.dmp
memory/4512-358-0x0000000001660000-0x0000000002F70000-memory.dmp
memory/4512-359-0x0000000001660000-0x0000000002F70000-memory.dmp
memory/4512-360-0x0000000077E28000-0x0000000077E29000-memory.dmp
memory/4512-361-0x0000000000400000-0x0000000001654000-memory.dmp
memory/4512-362-0x0000000077DA1000-0x0000000077EC1000-memory.dmp