guloader | 6f40097d34750d8d94cb3131e4c6643d47ea6541997ae4f18e01ef14189a988c

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
27-03-2023 12:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

INVOICE.exe
Size

294KB
MD5

f5da0115ae4a3eb7b325a8756b1013f7
SHA1

7832e5c3f52a4227e49b77968b2e316a4f575363
SHA256

198c4b09ed4b8a46cfca9fd672797c0bb6f6d9a84016fd4f699ec65be9b9de3d
SHA512

7389875afb1896958043c451bf1b0f354a8052041baa595f6765ca33a35eed693d3df88eaca55ac537039aca7380a2a17dbf4829b39b7ee406012416d8a50f4b
SSDEEP

6144:GT4DtMmNNsXLWs9baMwEyGnTaaZOMnUivg5FLJTQhli0xk74/S:GT9XLWszTa9Mdvg5FxQXi0xx/S

Score

10^/10

guloader remcos remotehost downloader persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

darren2023.sytes.net:2115

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
scs.exe
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_path
%AppData%
mouse_option
false
mutex
Rmc-3YNKQ0
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Checks QEMU agent file 2 TTPs 4 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

Processes:

INVOICE.exeINVOICE.exescs.exescs.exe

description	ioc	process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	INVOICE.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	INVOICE.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	scs.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	scs.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

INVOICE.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	INVOICE.exe

Executes dropped EXE 1 IoCs

Processes:

scs.exe

pid process

3344 scs.exe
Loads dropped DLL 3 IoCs

Processes:

INVOICE.exescs.exescs.exe

pid process

1168 INVOICE.exe
3344 scs.exe
1936 scs.exe

pid	process
3344	scs.exe

pid	process
1168	INVOICE.exe
3344	scs.exe
1936	scs.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

INVOICE.exescs.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	INVOICE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\scs.exe\""	INVOICE.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows\CurrentVersion\Run\	scs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\scs.exe\""	scs.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	scs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\scs.exe\""	scs.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows\CurrentVersion\Run\	INVOICE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\scs.exe\""	INVOICE.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

Processes:

INVOICE.exescs.exe

pid process

2076 INVOICE.exe
1936 scs.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

INVOICE.exeINVOICE.exescs.exescs.exe

pid process

1168 INVOICE.exe
2076 INVOICE.exe
3344 scs.exe
1936 scs.exe

pid	process
2076	INVOICE.exe
1936	scs.exe

pid	process
1168	INVOICE.exe
2076	INVOICE.exe
3344	scs.exe
1936	scs.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

INVOICE.exescs.exe

description	pid	process	target process
PID 1168 set thread context of 2076	1168	INVOICE.exe	INVOICE.exe
PID 3344 set thread context of 1936	3344	scs.exe	scs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

INVOICE.exescs.exe

pid process

1168 INVOICE.exe
3344 scs.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

scs.exe

pid process

1936 scs.exe

pid	process
1168	INVOICE.exe
3344	scs.exe

pid	process
1936	scs.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

INVOICE.exeINVOICE.exescs.exe

description	pid	process	target process
PID 1168 wrote to memory of 2076	1168	INVOICE.exe	INVOICE.exe
PID 1168 wrote to memory of 2076	1168	INVOICE.exe	INVOICE.exe
PID 1168 wrote to memory of 2076	1168	INVOICE.exe	INVOICE.exe
PID 1168 wrote to memory of 2076	1168	INVOICE.exe	INVOICE.exe
PID 2076 wrote to memory of 3344	2076	INVOICE.exe	scs.exe
PID 2076 wrote to memory of 3344	2076	INVOICE.exe	scs.exe
PID 2076 wrote to memory of 3344	2076	INVOICE.exe	scs.exe
PID 3344 wrote to memory of 1936	3344	scs.exe	scs.exe
PID 3344 wrote to memory of 1936	3344	scs.exe	scs.exe
PID 3344 wrote to memory of 1936	3344	scs.exe	scs.exe
PID 3344 wrote to memory of 1936	3344	scs.exe	scs.exe

C:\Users\Admin\AppData\Local\Temp\INVOICE.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICE.exe"
1⤵
- Checks QEMU agent file
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1168

C:\Users\Admin\AppData\Local\Temp\INVOICE.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICE.exe"
2⤵
- Checks QEMU agent file
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:2076

C:\Users\Admin\AppData\Roaming\scs.exe
"C:\Users\Admin\AppData\Roaming\scs.exe"
3⤵
- Checks QEMU agent file
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3344

C:\Users\Admin\AppData\Roaming\scs.exe
"C:\Users\Admin\AppData\Roaming\scs.exe"
4⤵
- Checks QEMU agent file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:1936

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
1fcc10720c843f6603490145bb6369ae

SHA1
bcdccd807446f061a9a6aed47fcb687668a3ffd7

SHA256
bf8d204e51e5e78aca46a7de2a16083977bd562e123b78c00972516158b02529

SHA512
794e90bd7732729ebb83828e26b3f84be39c5b8ea5849fa3bef6b53973d03fb817a4dd932d6a3d6e1a0a250c7cea47107a9c433b3326023b67fac65ec0e489ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_5654EC63294C39DE7CC060CB799182CF
Filesize
471B

MD5
474a5d47cc23e28fea70e3d32fe95427

SHA1
db4e4a58803bea6ecdaf992a4fc73d90ddd4c375

SHA256
831b3e8febf102b90cf79251960c1ea2f436e39dd5d5ca71facde10f67a19dd7

SHA512
960dadceb3dc32f947ca8f25912020869b8c123601a6b5f4a07960eb87e25aa6e13686425f0975e7bb6f21ab2a88df030729d12350dfc95e9056eaacebf0dede

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
Filesize
724B

MD5
f569e1d183b84e8078dc456192127536

SHA1
30c537463eed902925300dd07a87d820a713753f

SHA256
287bc80237497eb8681dbf136a56cc3870dd5bd12d48051525a280ae62aab413

SHA512
49553b65a8e3fc0bf98c1bc02bae5b22188618d8edf8e88e4e25932105796956ae8301c63c487e0afe368ea39a4a2af07935a808f5fb53287ef9287bc73e1012

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_A40DDA23AC660EBD6C048B34D97187FB
Filesize
471B

MD5
aee967595d5b11fc508d102c6c93dd93

SHA1
1b51ae5b5f9a4b7e3c51bb4307c9eacd4ea2a85e

SHA256
3cbc3af47f5b1e142bb6cb5fed8154476b773f1b9a95623b5bb5ba94957ff309

SHA512
56638d9f7e75c56e3ff0ac24ed6a44355787803c60958640cbf9137dfcd886c0efbbdc53f893d89014a4431492f9c84d49080f344e04358f51c4a30108541db9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
46b3c366fbb3d590146be14c20aac2e3

SHA1
78f589a3b1d5ea9d0a7acbddc80cb11c548a9d12

SHA256
f1cb30699c4b148b678b56cf6f73069814858c6c67dd3a1ed1fdd2ba1bf4865d

SHA512
0c70ddeaa7e5d5f4bca4c032d27466043aa913b415ab5cfc81c693c578196c793cf4cdb2499db4d93e7e5524c1f29cdfb4bc00e2c8b161502f0850df3a191af4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_5654EC63294C39DE7CC060CB799182CF
Filesize
406B

MD5
6cd7c961b07af433e925a79ea5fe0c02

SHA1
f0f5827b21146f69e48fd931098353478b452b6a

SHA256
2199f56182fe9e14084cee56f3049c646d375fa29d48c2e0328639a897d82d23

SHA512
2faeff81907adeb18679bf4c41515d50b17611bffb87eadfbcad3f60bac36031658823977ef26a226d8fd8c014ef28b7da06d384924a47cde13058c22e8ddc6d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
Filesize
392B

MD5
04b6e81dffcd85715472b768923442fd

SHA1
d058f3074e5c8e2e3848bd02ae77365c504cde62

SHA256
225ac586fb54cd3e8e3ddce44f592ff16a67a6d158fd4c468a05068cc8ddc3ef

SHA512
b2a8e3382bec12eda2a5832d025ac364d71afd0635eb507841aec7bc8e8da769ffbf96138d6a055fc540da13d279f09cf90bf9e543b3e50a05992f1f21562aa8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_A40DDA23AC660EBD6C048B34D97187FB
Filesize
406B

MD5
10cc2e2fffa0d6d6475e1dd972288a02

SHA1
edc1bf6e56c9923b244aa92c93b27376246959eb

SHA256
ff3dc83aabb79ec40bbef1e359112571d825a54435610fe1991bed7df8a4558e

SHA512
4e63e407236ecfeed5908eb68848026051fe2abd9a279fadb7cc90d9953959cab736e6946398ceaf51b8b5ea03b12087aa78b58881cc11cd691cb23bd8267d79

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu6C09.tmp\System.dll
Filesize
12KB

MD5
564bb0373067e1785cba7e4c24aab4bf

SHA1
7c9416a01d821b10b2eef97b80899d24014d6fc1

SHA256
7a9ddee34562cd3703f1502b5c70e99cd5bba15de2b6845a3555033d7f6cb2a5

SHA512
22c61a323cb9293d7ec5c7e7e60674d0e2f7b29d55be25eb3c128ea2cd7440a1400cee17c43896b996278007c0d247f331a9b8964e3a40a0eb1404a9596c4472

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu6C09.tmp\System.dll
Filesize
12KB

MD5
564bb0373067e1785cba7e4c24aab4bf

SHA1
7c9416a01d821b10b2eef97b80899d24014d6fc1

SHA256
7a9ddee34562cd3703f1502b5c70e99cd5bba15de2b6845a3555033d7f6cb2a5

SHA512
22c61a323cb9293d7ec5c7e7e60674d0e2f7b29d55be25eb3c128ea2cd7440a1400cee17c43896b996278007c0d247f331a9b8964e3a40a0eb1404a9596c4472

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx8ED8.tmp\System.dll
Filesize
12KB

MD5
564bb0373067e1785cba7e4c24aab4bf

SHA1
7c9416a01d821b10b2eef97b80899d24014d6fc1

SHA256
7a9ddee34562cd3703f1502b5c70e99cd5bba15de2b6845a3555033d7f6cb2a5

SHA512
22c61a323cb9293d7ec5c7e7e60674d0e2f7b29d55be25eb3c128ea2cd7440a1400cee17c43896b996278007c0d247f331a9b8964e3a40a0eb1404a9596c4472

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Detachably\Valrappen\Folkboat\D248\Photopolymerisation\Polyvirulent\Nondisputatious\taphaners.Suk
Filesize
101KB

MD5
90c93001b331654e0a76b3144fd6f742

SHA1
6478ad6bc23175e2f5ebbbffc1ac36520bc247c7

SHA256
e775321e2e41bc4a886d1ca80bb25f19751d427ca9615ea9e79c7ac36ea4c7c5

SHA512
60193a84d61b33f6d99b88660f9bfd26fba1f4ef033d5df7c3311fc15e552ef40fbf266b359cce94d3a62b68fc4d7d841734161dac42fee53fbc9560d68a400a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Detachably\Valrappen\Folkboat\Unluckiness\subentitle\Unnimbed\Hallowmas.Blo
Filesize
244KB

MD5
ad9e7ae8ca3b7e776a04e3cfe1f2a4d6

SHA1
a9078da2ddf2c2d30ba231a2fce357965f7b1e01

SHA256
aa6585275558bf692a3fcb8857dda6d2e33932d0c0b46a838e321e83b5a4983c

SHA512
74247fcf01f5b8bd5f73efb481f8e24961704d832ef89e5bdd61e64104f75ead5021429a1f6595070eb02711b4f0bf5d9ec1ce033e70204f34e6c152d27307fd

Download Submit
C:\Users\Admin\AppData\Roaming\scs.exe
Filesize
294KB

MD5
f5da0115ae4a3eb7b325a8756b1013f7

SHA1
7832e5c3f52a4227e49b77968b2e316a4f575363

SHA256
198c4b09ed4b8a46cfca9fd672797c0bb6f6d9a84016fd4f699ec65be9b9de3d

SHA512
7389875afb1896958043c451bf1b0f354a8052041baa595f6765ca33a35eed693d3df88eaca55ac537039aca7380a2a17dbf4829b39b7ee406012416d8a50f4b

Download Submit
C:\Users\Admin\AppData\Roaming\scs.exe
Filesize
294KB

MD5
f5da0115ae4a3eb7b325a8756b1013f7

SHA1
7832e5c3f52a4227e49b77968b2e316a4f575363

SHA256
198c4b09ed4b8a46cfca9fd672797c0bb6f6d9a84016fd4f699ec65be9b9de3d

SHA512
7389875afb1896958043c451bf1b0f354a8052041baa595f6765ca33a35eed693d3df88eaca55ac537039aca7380a2a17dbf4829b39b7ee406012416d8a50f4b

Download Submit
C:\Users\Admin\AppData\Roaming\scs.exe
Filesize
294KB

MD5
f5da0115ae4a3eb7b325a8756b1013f7

SHA1
7832e5c3f52a4227e49b77968b2e316a4f575363

SHA256
198c4b09ed4b8a46cfca9fd672797c0bb6f6d9a84016fd4f699ec65be9b9de3d

SHA512
7389875afb1896958043c451bf1b0f354a8052041baa595f6765ca33a35eed693d3df88eaca55ac537039aca7380a2a17dbf4829b39b7ee406012416d8a50f4b

Download Submit
C:\Users\Admin\AppData\Roaming\scs.exe
Filesize
294KB

MD5
f5da0115ae4a3eb7b325a8756b1013f7

SHA1
7832e5c3f52a4227e49b77968b2e316a4f575363

SHA256
198c4b09ed4b8a46cfca9fd672797c0bb6f6d9a84016fd4f699ec65be9b9de3d

SHA512
7389875afb1896958043c451bf1b0f354a8052041baa595f6765ca33a35eed693d3df88eaca55ac537039aca7380a2a17dbf4829b39b7ee406012416d8a50f4b

Download Submit
memory/1168-141-0x00000000049D0000-0x0000000005BFD000-memory.dmp

Filesize
18.2MB

Download
memory/1168-140-0x00000000049D0000-0x0000000005BFD000-memory.dmp

Filesize
18.2MB

Download
memory/1936-206-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/1936-205-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/1936-204-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/1936-186-0x0000000001660000-0x000000000288D000-memory.dmp

Filesize
18.2MB

Download
memory/1936-203-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/1936-201-0x0000000001660000-0x000000000288D000-memory.dmp

Filesize
18.2MB

Download
memory/1936-199-0x0000000001660000-0x000000000288D000-memory.dmp

Filesize
18.2MB

Download
memory/1936-195-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/2076-148-0x0000000001660000-0x000000000288D000-memory.dmp

Filesize
18.2MB

Download
memory/2076-142-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/2076-143-0x0000000001660000-0x000000000288D000-memory.dmp

Filesize
18.2MB

Download
memory/2076-144-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/2076-175-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/2076-158-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/2076-162-0x0000000001660000-0x000000000288D000-memory.dmp

Filesize
18.2MB

Download
memory/2076-173-0x0000000001660000-0x000000000288D000-memory.dmp

Filesize
18.2MB

Download
memory/3344-183-0x0000000004890000-0x0000000005ABD000-memory.dmp

Filesize
18.2MB

Download
memory/3344-182-0x0000000004890000-0x0000000005ABD000-memory.dmp

Filesize
18.2MB

Download