guloader | d17564de48674471080c2872ecf291979d81c640a964f1be000dc4bdb73d3a9d

General

Target

d17564de48674471080c2872ecf291979d81c640a964f1be000dc4bdb73d3a9d.exe
Size

112KB
MD5

a0a43077ce1076346b76d810b37b3452
SHA1

beaea5e9c198eb914542c567d6aa2ac405291bbe
SHA256

d17564de48674471080c2872ecf291979d81c640a964f1be000dc4bdb73d3a9d
SHA512

f27723630567b84d0e7db9af7a6e354223d3f477d69254c47ee018a2e43ebcea63da830144c0b9c0cc1292cd41c26e0ac0d630e6ed1b482e2250a8db9fae8ea6
SSDEEP

1536:czITVdWJBDPHidw5C8i1PsVrg/+3DGCHyIk0AWj9ehGE:hTkxZbDGvIk0w

Score

10^/10

guloader remcos downloader persistence rat

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d17564de48674471080c2872ecf291979d81c640a964f1be000dc4bdb73d3a9d.exeielowutil.exe

description	ioc	process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	d17564de48674471080c2872ecf291979d81c640a964f1be000dc4bdb73d3a9d.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	ielowutil.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ielowutil.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	ielowutil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wharrowspleenens5 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Arsenolitepretex9\\Blaasure.exe"	ielowutil.exe

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

Processes:

ielowutil.exe

pid process

2360 ielowutil.exe
2360 ielowutil.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

d17564de48674471080c2872ecf291979d81c640a964f1be000dc4bdb73d3a9d.exeielowutil.exe

pid process

5004 d17564de48674471080c2872ecf291979d81c640a964f1be000dc4bdb73d3a9d.exe
2360 ielowutil.exe

pid	process
2360	ielowutil.exe
2360	ielowutil.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

d17564de48674471080c2872ecf291979d81c640a964f1be000dc4bdb73d3a9d.exe

description	pid	process	target process
PID 5004 set thread context of 2360	5004	d17564de48674471080c2872ecf291979d81c640a964f1be000dc4bdb73d3a9d.exe	ielowutil.exe

Suspicious behavior: MapViewOfSection 12 IoCs

Processes:

d17564de48674471080c2872ecf291979d81c640a964f1be000dc4bdb73d3a9d.exe

pid	process
5004	d17564de48674471080c2872ecf291979d81c640a964f1be000dc4bdb73d3a9d.exe
5004	d17564de48674471080c2872ecf291979d81c640a964f1be000dc4bdb73d3a9d.exe
5004	d17564de48674471080c2872ecf291979d81c640a964f1be000dc4bdb73d3a9d.exe
5004	d17564de48674471080c2872ecf291979d81c640a964f1be000dc4bdb73d3a9d.exe
5004	d17564de48674471080c2872ecf291979d81c640a964f1be000dc4bdb73d3a9d.exe
5004	d17564de48674471080c2872ecf291979d81c640a964f1be000dc4bdb73d3a9d.exe
5004	d17564de48674471080c2872ecf291979d81c640a964f1be000dc4bdb73d3a9d.exe
5004	d17564de48674471080c2872ecf291979d81c640a964f1be000dc4bdb73d3a9d.exe
5004	d17564de48674471080c2872ecf291979d81c640a964f1be000dc4bdb73d3a9d.exe
5004	d17564de48674471080c2872ecf291979d81c640a964f1be000dc4bdb73d3a9d.exe
5004	d17564de48674471080c2872ecf291979d81c640a964f1be000dc4bdb73d3a9d.exe
5004	d17564de48674471080c2872ecf291979d81c640a964f1be000dc4bdb73d3a9d.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

d17564de48674471080c2872ecf291979d81c640a964f1be000dc4bdb73d3a9d.exeielowutil.exe

pid process

5004 d17564de48674471080c2872ecf291979d81c640a964f1be000dc4bdb73d3a9d.exe
2360 ielowutil.exe

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

d17564de48674471080c2872ecf291979d81c640a964f1be000dc4bdb73d3a9d.exe

description	pid	process	target process
PID 5004 wrote to memory of 388	5004	d17564de48674471080c2872ecf291979d81c640a964f1be000dc4bdb73d3a9d.exe	ieinstal.exe
PID 5004 wrote to memory of 388	5004	d17564de48674471080c2872ecf291979d81c640a964f1be000dc4bdb73d3a9d.exe	ieinstal.exe
PID 5004 wrote to memory of 388	5004	d17564de48674471080c2872ecf291979d81c640a964f1be000dc4bdb73d3a9d.exe	ieinstal.exe
PID 5004 wrote to memory of 5012	5004	d17564de48674471080c2872ecf291979d81c640a964f1be000dc4bdb73d3a9d.exe	ieinstal.exe
PID 5004 wrote to memory of 5012	5004	d17564de48674471080c2872ecf291979d81c640a964f1be000dc4bdb73d3a9d.exe	ieinstal.exe
PID 5004 wrote to memory of 5012	5004	d17564de48674471080c2872ecf291979d81c640a964f1be000dc4bdb73d3a9d.exe	ieinstal.exe
PID 5004 wrote to memory of 2652	5004	d17564de48674471080c2872ecf291979d81c640a964f1be000dc4bdb73d3a9d.exe	ieinstal.exe
PID 5004 wrote to memory of 2652	5004	d17564de48674471080c2872ecf291979d81c640a964f1be000dc4bdb73d3a9d.exe	ieinstal.exe
PID 5004 wrote to memory of 2652	5004	d17564de48674471080c2872ecf291979d81c640a964f1be000dc4bdb73d3a9d.exe	ieinstal.exe
PID 5004 wrote to memory of 2140	5004	d17564de48674471080c2872ecf291979d81c640a964f1be000dc4bdb73d3a9d.exe	ieinstal.exe
PID 5004 wrote to memory of 2140	5004	d17564de48674471080c2872ecf291979d81c640a964f1be000dc4bdb73d3a9d.exe	ieinstal.exe
PID 5004 wrote to memory of 2140	5004	d17564de48674471080c2872ecf291979d81c640a964f1be000dc4bdb73d3a9d.exe	ieinstal.exe
PID 5004 wrote to memory of 3088	5004	d17564de48674471080c2872ecf291979d81c640a964f1be000dc4bdb73d3a9d.exe	ieinstal.exe
PID 5004 wrote to memory of 3088	5004	d17564de48674471080c2872ecf291979d81c640a964f1be000dc4bdb73d3a9d.exe	ieinstal.exe
PID 5004 wrote to memory of 3088	5004	d17564de48674471080c2872ecf291979d81c640a964f1be000dc4bdb73d3a9d.exe	ieinstal.exe
PID 5004 wrote to memory of 1572	5004	d17564de48674471080c2872ecf291979d81c640a964f1be000dc4bdb73d3a9d.exe	ieinstal.exe
PID 5004 wrote to memory of 1572	5004	d17564de48674471080c2872ecf291979d81c640a964f1be000dc4bdb73d3a9d.exe	ieinstal.exe
PID 5004 wrote to memory of 1572	5004	d17564de48674471080c2872ecf291979d81c640a964f1be000dc4bdb73d3a9d.exe	ieinstal.exe
PID 5004 wrote to memory of 3684	5004	d17564de48674471080c2872ecf291979d81c640a964f1be000dc4bdb73d3a9d.exe	ieinstal.exe
PID 5004 wrote to memory of 3684	5004	d17564de48674471080c2872ecf291979d81c640a964f1be000dc4bdb73d3a9d.exe	ieinstal.exe
PID 5004 wrote to memory of 3684	5004	d17564de48674471080c2872ecf291979d81c640a964f1be000dc4bdb73d3a9d.exe	ieinstal.exe
PID 5004 wrote to memory of 1740	5004	d17564de48674471080c2872ecf291979d81c640a964f1be000dc4bdb73d3a9d.exe	ieinstal.exe
PID 5004 wrote to memory of 1740	5004	d17564de48674471080c2872ecf291979d81c640a964f1be000dc4bdb73d3a9d.exe	ieinstal.exe
PID 5004 wrote to memory of 1740	5004	d17564de48674471080c2872ecf291979d81c640a964f1be000dc4bdb73d3a9d.exe	ieinstal.exe
PID 5004 wrote to memory of 4032	5004	d17564de48674471080c2872ecf291979d81c640a964f1be000dc4bdb73d3a9d.exe	ieinstal.exe
PID 5004 wrote to memory of 4032	5004	d17564de48674471080c2872ecf291979d81c640a964f1be000dc4bdb73d3a9d.exe	ieinstal.exe
PID 5004 wrote to memory of 4032	5004	d17564de48674471080c2872ecf291979d81c640a964f1be000dc4bdb73d3a9d.exe	ieinstal.exe
PID 5004 wrote to memory of 4116	5004	d17564de48674471080c2872ecf291979d81c640a964f1be000dc4bdb73d3a9d.exe	ieinstal.exe
PID 5004 wrote to memory of 4116	5004	d17564de48674471080c2872ecf291979d81c640a964f1be000dc4bdb73d3a9d.exe	ieinstal.exe
PID 5004 wrote to memory of 4116	5004	d17564de48674471080c2872ecf291979d81c640a964f1be000dc4bdb73d3a9d.exe	ieinstal.exe
PID 5004 wrote to memory of 1052	5004	d17564de48674471080c2872ecf291979d81c640a964f1be000dc4bdb73d3a9d.exe	ieinstal.exe
PID 5004 wrote to memory of 1052	5004	d17564de48674471080c2872ecf291979d81c640a964f1be000dc4bdb73d3a9d.exe	ieinstal.exe
PID 5004 wrote to memory of 1052	5004	d17564de48674471080c2872ecf291979d81c640a964f1be000dc4bdb73d3a9d.exe	ieinstal.exe
PID 5004 wrote to memory of 2360	5004	d17564de48674471080c2872ecf291979d81c640a964f1be000dc4bdb73d3a9d.exe	ielowutil.exe
PID 5004 wrote to memory of 2360	5004	d17564de48674471080c2872ecf291979d81c640a964f1be000dc4bdb73d3a9d.exe	ielowutil.exe
PID 5004 wrote to memory of 2360	5004	d17564de48674471080c2872ecf291979d81c640a964f1be000dc4bdb73d3a9d.exe	ielowutil.exe
PID 5004 wrote to memory of 2360	5004	d17564de48674471080c2872ecf291979d81c640a964f1be000dc4bdb73d3a9d.exe	ielowutil.exe

C:\Users\Admin\AppData\Local\Temp\d17564de48674471080c2872ecf291979d81c640a964f1be000dc4bdb73d3a9d.exe
"C:\Users\Admin\AppData\Local\Temp\d17564de48674471080c2872ecf291979d81c640a964f1be000dc4bdb73d3a9d.exe"
1⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5004

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Users\Admin\AppData\Local\Temp\d17564de48674471080c2872ecf291979d81c640a964f1be000dc4bdb73d3a9d.exe"
2⤵
PID:388

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Users\Admin\AppData\Local\Temp\d17564de48674471080c2872ecf291979d81c640a964f1be000dc4bdb73d3a9d.exe"
2⤵
PID:5012

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Users\Admin\AppData\Local\Temp\d17564de48674471080c2872ecf291979d81c640a964f1be000dc4bdb73d3a9d.exe"
2⤵
PID:2652

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Users\Admin\AppData\Local\Temp\d17564de48674471080c2872ecf291979d81c640a964f1be000dc4bdb73d3a9d.exe"
2⤵
PID:2140

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Users\Admin\AppData\Local\Temp\d17564de48674471080c2872ecf291979d81c640a964f1be000dc4bdb73d3a9d.exe"
2⤵
PID:3088

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Users\Admin\AppData\Local\Temp\d17564de48674471080c2872ecf291979d81c640a964f1be000dc4bdb73d3a9d.exe"
2⤵
PID:1572

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Users\Admin\AppData\Local\Temp\d17564de48674471080c2872ecf291979d81c640a964f1be000dc4bdb73d3a9d.exe"
2⤵
PID:3684

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Users\Admin\AppData\Local\Temp\d17564de48674471080c2872ecf291979d81c640a964f1be000dc4bdb73d3a9d.exe"
2⤵
PID:1740

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Users\Admin\AppData\Local\Temp\d17564de48674471080c2872ecf291979d81c640a964f1be000dc4bdb73d3a9d.exe"
2⤵
PID:4032

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Users\Admin\AppData\Local\Temp\d17564de48674471080c2872ecf291979d81c640a964f1be000dc4bdb73d3a9d.exe"
2⤵
PID:4116

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Users\Admin\AppData\Local\Temp\d17564de48674471080c2872ecf291979d81c640a964f1be000dc4bdb73d3a9d.exe"
2⤵
PID:1052

C:\Program Files (x86)\internet explorer\ielowutil.exe
"C:\Users\Admin\AppData\Local\Temp\d17564de48674471080c2872ecf291979d81c640a964f1be000dc4bdb73d3a9d.exe"
2⤵
- Checks QEMU agent file
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:2360

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2360-143-0x0000000077030000-0x00000000771D3000-memory.dmp

Filesize
1.6MB

Download
memory/2360-144-0x00000000006C0000-0x00000000007C0000-memory.dmp

Filesize
1024KB

Download
memory/2360-146-0x0000000077030000-0x00000000771D3000-memory.dmp

Filesize
1.6MB

Download
memory/2360-145-0x0000000077030000-0x00000000771D3000-memory.dmp

Filesize
1.6MB

Download
memory/2360-140-0x00000000006C0000-0x00000000007C0000-memory.dmp

Filesize
1024KB

Download
memory/2360-139-0x0000000000000000-mapping.dmp

Download
memory/2360-142-0x00007FFC3B6B0000-0x00007FFC3B8A5000-memory.dmp

Filesize
2.0MB

Download
memory/5004-135-0x00007FFC3B6B0000-0x00007FFC3B8A5000-memory.dmp

Filesize
2.0MB

Download
memory/5004-138-0x0000000077030000-0x00000000771D3000-memory.dmp

Filesize
1.6MB

Download
memory/5004-134-0x0000000002250000-0x0000000002265000-memory.dmp

Filesize
84KB

Download
memory/5004-141-0x0000000077030000-0x00000000771D3000-memory.dmp

Filesize
1.6MB

Download
memory/5004-137-0x0000000002250000-0x0000000002265000-memory.dmp

Filesize
84KB

Download
memory/5004-136-0x0000000077030000-0x00000000771D3000-memory.dmp

Filesize
1.6MB

Download
memory/5004-147-0x0000000002250000-0x0000000002265000-memory.dmp

Filesize
84KB

Download
memory/5004-148-0x0000000077030000-0x00000000771D3000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads