URL: https://file-proxy.imoulife.com/easy4ip-oms-sg/file_transfer/dubhe/473aaa73083d4a6c88cc7f76a48b2644/6173d76f8.exe

Full analysis: https://app.any.run/tasks/239f2878-3e1e-4f22-a400-d693ff207ad9
Verdict: Malicious activity
Threats:

GuLoader is an advanced downloader written in shellcode. It’s used by criminals to distribute other malware, notably trojans, on a large scale. It’s infamous for using anti-detection and anti-analysis capabilities.

Analysis date: April 09, 2024, 01:29:33
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: guloader
Indicators:
MD5: 1537DCA860C128FE18CA8E321D7EA0FE
SHA1: E1FB85BFB83A5B2032F20CE5A37FBBD749F5E4F7
SHA256: 223DD2F7A37C4BADC007FD931F21B72BA3C1B4AEBD5E31CBAC4626FA00A83C64
SSDEEP: 3:N8oXKeLEMGKwUHKaRULWDnKRgPYwKKOTQjRyxmdA:2ofGXu9/P5X8a44A

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as-is for the user's information. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops the executable file immediately after the start
      • 6173d76f8.exe (PID: 840)
    • GULOADER PACKER has been detected (YARA)
      • 6173d76f8.exe (PID: 840)
  • SUSPICIOUS
    • Malware-specific behavior (creating "System.dll" in Temp)
      • 6173d76f8.exe (PID: 840)
    • The process creates files with name similar to system file names
      • 6173d76f8.exe (PID: 840)
    • Executable content was dropped or overwritten
      • 6173d76f8.exe (PID: 840)
  • INFO
    • Modifies the phishing filter of IE
      • iexplore.exe (PID: 1836)
    • Executable content was dropped or overwritten
      • iexplore.exe (PID: 4000)
    • Application launched itself
      • iexplore.exe (PID: 1836)
    • Drops the executable file immediately after the start
      • iexplore.exe (PID: 4000)
    • Checks supported languages
      • 6173d76f8.exe (PID: 840)
    • Reads the computer name
      • 6173d76f8.exe (PID: 840)
    • The process uses the downloaded file
      • iexplore.exe (PID: 1836)
    • Create files in a temporary directory
      • 6173d76f8.exe (PID: 840)
Find more information about signature artifacts and mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 43
Monitored processes: 4
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start > iexplore.exe > iexplore.exe > 6173d76f8.exe (no specs); 6173d76f8.exe (#GULOADER PACKER)

Process information

PID: 840
CMD: "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\6173d76f8.exe"
Path: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\6173d76f8.exe
Parent process: iexplore.exe
User: admin
Company: 杭州华橙网络科技有限公司
Integrity Level: HIGH
Description: 乐橙 client installer
Version: 2.8.3
Modules (images):
c:\users\admin\appdata\local\microsoft\windows\temporary internet files\content.ie5\b6qgx7lp\6173d76f8.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
PID: 1836
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" "https://file-proxy.imoulife.com/easy4ip-oms-sg/file_transfer/dubhe/473aaa73083d4a6c88cc7f76a48b2644/6173d76f8.exe"
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
PID: 2320
CMD: "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\6173d76f8.exe"
Path: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\6173d76f8.exe
Parent process: iexplore.exe
User: admin
Company: 杭州华橙网络科技有限公司
Integrity Level: MEDIUM
Description: 乐橙 client installer
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Version: 2.8.3
Modules (images):
c:\users\admin\appdata\local\microsoft\windows\temporary internet files\content.ie5\b6qgx7lp\6173d76f8.exe
c:\windows\system32\ntdll.dll
PID: 4000
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1836 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Exit code: 0
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
Total events: 22 853
Read events: 22 703
Write events: 98
Delete events: 52

Modification events

(1836) iexplore.exe; Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing; Operation: write; Name: NTPDaysSinceLastAutoMigration; Value: 1
(1836) iexplore.exe; Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing; Operation: write; Name: NTPLastLaunchLowDateTime; Value:
(1836) iexplore.exe; Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing; Operation: write; Name: NTPLastLaunchHighDateTime; Value: 31099421
(1836) iexplore.exe; Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager; Operation: write; Name: NextCheckForUpdateLowDateTime; Value:
(1836) iexplore.exe; Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager; Operation: write; Name: NextCheckForUpdateHighDateTime; Value: 31099421
(1836) iexplore.exe; Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content; Operation: write; Name: CachePrefix; Value:
(1836) iexplore.exe; Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies; Operation: write; Name: CachePrefix; Value: Cookie:
(1836) iexplore.exe; Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History; Operation: write; Name: CachePrefix; Value: Visited:
(1836) iexplore.exe; Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main; Operation: write; Name: CompatibilityFlags; Value: 0
(1836) iexplore.exe; Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap; Operation: write; Name: ProxyBypass; Value: 1
Executable files: 2
Suspicious files: 14
Text files: 14
Unknown types: 4

Dropped files

PID  Process  Filename  Type
4000  iexplore.exe  C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157  binary
4000  iexplore.exe  C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FA0A17BC17FF10008872A7205D0D43E2_608DEF97DFACECDA8E97C6F270153A4F  binary
4000  iexplore.exe  C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FA0A17BC17FF10008872A7205D0D43E2_608DEF97DFACECDA8E97C6F270153A4F  binary
4000  iexplore.exe  C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8F8712BCE78D28F9C5E3E950CD93EADA_F75A4E03C33D1A838193AA032A2D6CDE  binary
4000  iexplore.exe  C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8F8712BCE78D28F9C5E3E950CD93EADA_F75A4E03C33D1A838193AA032A2D6CDE  binary
4000  iexplore.exe  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\6173d76f8[1].exe  executable
1836  iexplore.exe  C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776  der
1836  iexplore.exe  C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776  binary
1836  iexplore.exe  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\urlblockindex[1].bin  binary
1836  iexplore.exe  C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver9AA5.tmp  xml
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 12
TCP/UDP connections: 23
DNS requests: 13
Threats: 0

HTTP requests

PID  Process  Method  HTTP Code  IP  URL  CN  Type  Size  Reputation
4000  iexplore.exe  GET  304  199.232.214.172:80  http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?545e1839169dd0e6  unknown  unknown
4000  iexplore.exe  GET  304  199.232.210.172:80  http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?f78d505714a595e3  unknown  unknown
4000  iexplore.exe  GET  200  163.181.56.214:80  http://ocsp.dcocsp.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAoEcNCWvIoSyJCm34Ju7Es%3D  unknown  unknown
1836  iexplore.exe  GET  304  93.184.221.240:80  http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?b0be6f4ad90be2e5  unknown  unknown
4000  iexplore.exe  GET  200  163.181.56.214:80  http://ocsp.dcocsp.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSmVYFXwi%2FRq9wx3PKhB8lC%2FFYUyAQUkZ9eMRWuEJ%2BtYMH3wcyqSDQvDCYCEAKDZeFxxtd0nnHalj9ed2c%3D  unknown  unknown
1836  iexplore.exe  GET  304  93.184.221.240:80  http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?70d85e3b0e586cab  unknown  unknown
1836  iexplore.exe  GET  304  93.184.221.240:80  http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?e55f0cb727843010  unknown  unknown
1836  iexplore.exe  GET  200  192.229.221.95:80  http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D  unknown  unknown
1080  svchost.exe  GET  200  93.184.221.240:80  http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?0754c686571bd23f  unknown  unknown
1836  iexplore.exe  GET  200  192.229.221.95:80  http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D  unknown  unknown

Connections

PID  Process  IP  Domain  ASN  CN  Reputation
4  System  192.168.100.255:138  whitelisted
4  System  192.168.100.255:137  whitelisted
1080  svchost.exe  224.0.0.252:5355  unknown
4000  iexplore.exe  47.254.141.37:443  file-proxy.imoulife.com  Alibaba US Technology Co., Ltd.  DE  unknown
4000  iexplore.exe  199.232.210.172:80  ctldl.windowsupdate.com  FASTLY  US  unknown
4000  iexplore.exe  199.232.214.172:80  ctldl.windowsupdate.com  FASTLY  US  unknown
4000  iexplore.exe  163.181.56.214:80  ocsp.dcocsp.cn  Zhejiang Taobao Network Co.,Ltd  DE  unknown
1836  iexplore.exe  152.199.19.161:443  r20swj13mr.microsoft.com  EDGECAST  US  whitelisted
1836  iexplore.exe  93.184.221.240:80  ctldl.windowsupdate.com  EDGECAST  GB  whitelisted
1836  iexplore.exe  192.229.221.95:80  ocsp.digicert.com  EDGECAST  US  whitelisted

DNS requests

Domain
IP
Reputation
file-proxy.imoulife.com
  • 47.254.141.37
unknown
ctldl.windowsupdate.com
  • 199.232.214.172
  • 199.232.210.172
  • 93.184.221.240
whitelisted
ocsp.dcocsp.cn
  • 163.181.56.214
  • 163.181.56.211
  • 163.181.56.209
  • 163.181.56.212
  • 163.181.56.210
  • 163.181.56.213
  • 163.181.56.216
  • 163.181.56.215
whitelisted
r20swj13mr.microsoft.com
  • 152.199.19.161
whitelisted
iecvlist.microsoft.com
  • 152.199.19.161
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
ieonline.microsoft.com
  • 204.79.197.200
whitelisted
go.microsoft.com
  • 184.30.17.189
whitelisted
www.msn.com
  • 204.79.197.203
whitelisted

Threats

No threats detected
No debug info