guloader | 56c0cea73bf798f06be6c3cd0c834c0c7446a65e26be683ca66ec0347818fb15 | Triage

Submit
Reports

Overview

overview

Static

static

1

Drejn255.vbe

windows7-x64

Drejn255.vbe

windows10-2004-x64

Sharing

General

Target

Drejn255.vbe
Size

89KB
Sample

230206-lfc4xadb57
MD5

8cf3e9eb785e9a3cefd64443a1f30bd2
SHA1

74583b42b8b8e1883bd2b055d5c560e18d3d71f0
SHA256

56c0cea73bf798f06be6c3cd0c834c0c7446a65e26be683ca66ec0347818fb15
SHA512

ae7f3558cae8640b66465a3f3c12ac672bfdacb3f2509bb619f75156f7569e289d67e3ef78b30331b24b58aa41d9d9c9e2fc1b30f712903f77c518d3b56bb4ec
SSDEEP

1536:VATmpA5OwzckQJVtIGMT8mTH/Wxfi0PS6aW1VHpWAFi:STiyDzKJE8mTH+xfi0PS6HVJli

Score

10^/10

guloader remcos remotehost collection downloader persistence rat

Static task

static1

Behavioral task

behavioral1

Sample

Drejn255.vbe

Resource

win7-20220812-en

guloader remcos remotehost collection downloader persistence rat

windows7-x64

19 signatures

150 seconds

Behavioral task

behavioral2

Sample

Drejn255.vbe

Resource

win10v2004-20221111-en

guloader remcos remotehost collection downloader persistence rat

windows10-2004-x64

20 signatures

150 seconds

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://drive.google.com/uc?export=download&id=14hXc2YnYQ5ZQ9yYI2eO9_NIGnUr-R83L

Extracted

Family

remcos

Botnet

RemoteHost

C2

185.236.76.65:50544

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-FBR71N
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  Drejn255.vbe
- Size
  
  89KB
- MD5
  
  8cf3e9eb785e9a3cefd64443a1f30bd2
- SHA1
  
  74583b42b8b8e1883bd2b055d5c560e18d3d71f0
- SHA256
  
  56c0cea73bf798f06be6c3cd0c834c0c7446a65e26be683ca66ec0347818fb15
- SHA512
  
  ae7f3558cae8640b66465a3f3c12ac672bfdacb3f2509bb619f75156f7569e289d67e3ef78b30331b24b58aa41d9d9c9e2fc1b30f712903f77c518d3b56bb4ec
- SSDEEP
  
  1536:VATmpA5OwzckQJVtIGMT8mTH/Wxfi0PS6aW1VHpWAFi:STiyDzKJE8mTH+xfi0PS6HVJli
Score

10^/10

guloader remcos remotehost collection downloader persistence rat
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Blocklisted process makes network request
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

guloaderremcosremotehostcollectiondownloaderpersistencerat

behavioral2

guloaderremcosremotehostcollectiondownloaderpersistencerat

© 2018-2024

Terms | Privacy