guloader | d3257f22e55152e6f6814a0d273d4113f802e9cf39a4841622a7b82cf38bd6af

General

Target

578b5b7120dd9e637a2fd145190e7157.exe
Size

84KB
MD5

578b5b7120dd9e637a2fd145190e7157
SHA1

66b765c634843c74e2f29a96f157156176490a46
SHA256

d3257f22e55152e6f6814a0d273d4113f802e9cf39a4841622a7b82cf38bd6af
SHA512

347715e6911acf2ac76a515416b548d472198788c76e1a4ab7f4d9e9c039ccc78e6d8aabd3d666467c2417ae9a49e92a81dbc65c5ac1d1f303b49955cf56bb44

Score

10^/10

guloader remcos remotehost downloader rat

Malware Config

Extracted

Family

remcos

Version

3.1.5 Pro

Botnet

RemoteHost

C2

wavesvc32.duckdns.org:1144

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-Y7MVCF
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

Processes:

578b5b7120dd9e637a2fd145190e7157.exeieinstal.exe

description	ioc	process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	578b5b7120dd9e637a2fd145190e7157.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	ieinstal.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

578b5b7120dd9e637a2fd145190e7157.exeieinstal.exe

pid process

532 578b5b7120dd9e637a2fd145190e7157.exe
3776 ieinstal.exe
3776 ieinstal.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

578b5b7120dd9e637a2fd145190e7157.exe

description pid process target process

PID 532 set thread context of 3776 532 578b5b7120dd9e637a2fd145190e7157.exe ieinstal.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

578b5b7120dd9e637a2fd145190e7157.exe

pid process

532 578b5b7120dd9e637a2fd145190e7157.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

578b5b7120dd9e637a2fd145190e7157.exe

pid process

532 578b5b7120dd9e637a2fd145190e7157.exe

pid	process
532	578b5b7120dd9e637a2fd145190e7157.exe
3776	ieinstal.exe
3776	ieinstal.exe

description	pid	process	target process
PID 532 set thread context of 3776	532	578b5b7120dd9e637a2fd145190e7157.exe	ieinstal.exe

pid	process
532	578b5b7120dd9e637a2fd145190e7157.exe

pid	process
532	578b5b7120dd9e637a2fd145190e7157.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

578b5b7120dd9e637a2fd145190e7157.exe

description	pid	process	target process
PID 532 wrote to memory of 3776	532	578b5b7120dd9e637a2fd145190e7157.exe	ieinstal.exe
PID 532 wrote to memory of 3776	532	578b5b7120dd9e637a2fd145190e7157.exe	ieinstal.exe
PID 532 wrote to memory of 3776	532	578b5b7120dd9e637a2fd145190e7157.exe	ieinstal.exe
PID 532 wrote to memory of 3776	532	578b5b7120dd9e637a2fd145190e7157.exe	ieinstal.exe

C:\Users\Admin\AppData\Local\Temp\578b5b7120dd9e637a2fd145190e7157.exe
"C:\Users\Admin\AppData\Local\Temp\578b5b7120dd9e637a2fd145190e7157.exe"
1⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:532

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Users\Admin\AppData\Local\Temp\578b5b7120dd9e637a2fd145190e7157.exe"
2⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3776

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/532-116-0x0000000002200000-0x0000000002210000-memory.dmp

Filesize
64KB

Download
memory/532-120-0x0000000077CE0000-0x0000000077E6E000-memory.dmp

Filesize
1.6MB

Download
memory/532-119-0x00007FFB6BC10000-0x00007FFB6BDEB000-memory.dmp

Filesize
1.9MB

Download
memory/532-121-0x0000000077CE0000-0x0000000077E6E000-memory.dmp

Filesize
1.6MB

Download
memory/3776-117-0x0000000002E00000-0x0000000002F00000-memory.dmp

Filesize
1024KB

Download
memory/3776-118-0x0000000002E00000-mapping.dmp

Download
memory/3776-123-0x0000000077CE0000-0x0000000077E6E000-memory.dmp

Filesize
1.6MB

Download
memory/3776-122-0x00007FFB6BC10000-0x00007FFB6BDEB000-memory.dmp

Filesize
1.9MB

Download
memory/3776-125-0x000000001E710000-0x000000001E711000-memory.dmp

Filesize
4KB

Download
memory/3776-126-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing