guloader | 158aae7be7b74ab461bb3afcb61d9385f7122ae86c89a32b33312be7d7ce3ec3

General

Target

PO 00759411.exe
Size

717KB
MD5

8b95bfa95fe71502a5aa0f4a2c8a4057
SHA1

cd162d754540a4a6083c3ab9ed1876749c7d87a3
SHA256

158aae7be7b74ab461bb3afcb61d9385f7122ae86c89a32b33312be7d7ce3ec3
SHA512

7ca8363fba2a01b23dd9ea669582ef7d9b04b9b6f7a2fe3fb09d4277cb435ea473473501be8ad7f41bd76264a861f0375d026a3327e3b051cccaca22a699359b
SSDEEP

12288:bzt8QKGxDs2ePvIrxWOgSYJSFj4/uceTCEd1Gx7giPn8Ybtd58nnfy8sMYVM/a:bzKQRxA2kIrZPYJCYm1GhFf8YbtQnKVN

Score

10^/10

guloader remcos remotehost discovery downloader rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

155.94.185.15:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-FUG8H1
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	PO 00759411.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	PO 00759411.exe

Loads dropped DLL 1 IoCs

pid	Process
1340	PO 00759411.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
1656	PO 00759411.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1340	PO 00759411.exe
1656	PO 00759411.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1340 set thread context of 1656	1340	PO 00759411.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1340	PO 00759411.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1656	PO 00759411.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1340 wrote to memory of 1656	1340	PO 00759411.exe	28
PID 1340 wrote to memory of 1656	1340	PO 00759411.exe	28
PID 1340 wrote to memory of 1656	1340	PO 00759411.exe	28
PID 1340 wrote to memory of 1656	1340	PO 00759411.exe	28
PID 1340 wrote to memory of 1656	1340	PO 00759411.exe	28

C:\Users\Admin\AppData\Local\Temp\PO 00759411.exe
"C:\Users\Admin\AppData\Local\Temp\PO 00759411.exe"
1⤵
- Checks QEMU agent file
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1340
- C:\Users\Admin\AppData\Local\Temp\PO 00759411.exe
  "C:\Users\Admin\AppData\Local\Temp\PO 00759411.exe"
  2⤵
  - Checks QEMU agent file
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetWindowsHookEx
  PID:1656

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

1

T1102

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
c78221c3c33614e03bd26856de65ad0a

SHA1
bc5beb2d7da4c63cd857c761bf0d063b50d7e5fa

SHA256
b4ba9d88fa1233d520a5cd96be702bd03528deeff6376611c5e0971af6819859

SHA512
da026552c10de8134edbfc9f7dd3bc60502ab2ddbed3eda3f57d8b33ec703232a80113498c6827a58dd5d8e47df3f028430091baacf63cf3b59c40cdbdbc37c9

Download Submit
\Users\Admin\AppData\Local\Temp\nsoC82.tmp\System.dll

Filesize
11KB

MD5
c9473cb90d79a374b2ba6040ca16e45c

SHA1
ab95b54f12796dce57210d65f05124a6ed81234a

SHA256
b80a5cba69d1853ed5979b0ca0352437bf368a5cfb86cb4528edadd410e11352

SHA512
eafe7d5894622bc21f663bca4dd594392ee0f5b29270b6b56b0187093d6a3a103545464ff6398ad32d2cf15dab79b1f133218ba9ba337ddc01330b5ada804d7b

Download Submit
memory/1340-65-0x0000000003650000-0x0000000004507000-memory.dmp

Filesize
14.7MB

Download
memory/1340-67-0x0000000003650000-0x0000000004507000-memory.dmp

Filesize
14.7MB

Download
memory/1656-102-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/1656-66-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/1656-71-0x0000000001470000-0x0000000002327000-memory.dmp

Filesize
14.7MB

Download
memory/1656-95-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/1656-99-0x0000000001470000-0x0000000002327000-memory.dmp

Filesize
14.7MB

Download
memory/1656-101-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/1656-68-0x0000000001470000-0x0000000002327000-memory.dmp

Filesize
14.7MB

Download
memory/1656-105-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/1656-109-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/1656-69-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/1656-113-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/1656-116-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/1656-120-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/1656-124-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/1656-125-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/1656-128-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/1656-132-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download

Analysis

Sharing