guloader | 3197738de2658c3532a95a03d2ab9505e0008b8d09f047756927601415feff15 | Triage

Submit
Reports

Overview

overview

Static

static

3

#2023-04-0...ON.pdf

windows7-x64

1

#2023-04-0...ON.pdf

windows10-2004-x64

Sharing

General

Target

#2023-04-04 NORTHMASON.pdf
Size

134KB
Sample

230404-rkq48ahd5z
MD5

3849b10c3fc8b2cbc838e9fdf007df59
SHA1

6eb5ca689e20e1b338bebc386755d17a426e523a
SHA256

3197738de2658c3532a95a03d2ab9505e0008b8d09f047756927601415feff15
SHA512

31196d8ecdd10ec55abac514190ac5f588f5ec6b59e180a27d1c1d6becb7fffa34cec245704910778224de919079464120b170ba24a6f66de0d0b88aafa65ddd
SSDEEP

3072:98Rh3Afi+h4P/gsNzvXxjsjNlr+7KX7XjwMR4dy:9YqfiUTOXxjsjjrwKX7XjwMR4dy

Score

10^/10

guloader remcos adobepdf downloader link pdf persistence rat

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

#2023-04-04 NORTHMASON.pdf

Resource

win7-20230220-en

windows7-x64

1 signatures

300 seconds

Behavioral task

behavioral2

Sample

#2023-04-04 NORTHMASON.pdf

Resource

win10v2004-20230221-en

guloader remcos adobepdf downloader persistence rat

windows10-2004-x64

26 signatures

300 seconds

Malware Config

Extracted

Family

remcos

Botnet

AdobePDF

C2

apdfhost.online:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-X1WV4F
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  #2023-04-04 NORTHMASON.pdf
- Size
  
  134KB
- MD5
  
  3849b10c3fc8b2cbc838e9fdf007df59
- SHA1
  
  6eb5ca689e20e1b338bebc386755d17a426e523a
- SHA256
  
  3197738de2658c3532a95a03d2ab9505e0008b8d09f047756927601415feff15
- SHA512
  
  31196d8ecdd10ec55abac514190ac5f588f5ec6b59e180a27d1c1d6becb7fffa34cec245704910778224de919079464120b170ba24a6f66de0d0b88aafa65ddd
- SSDEEP
  
  3072:98Rh3Afi+h4P/gsNzvXxjsjNlr+7KX7XjwMR4dy:9YqfiUTOXxjsjjrwKX7XjwMR4dy
Score

10^/10

guloader remcos adobepdf downloader persistence rat
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Blocklisted process makes network request
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

guloaderremcosadobepdfdownloaderpersistencerat

© 2018-2024

Terms | Privacy