guloader | cae72040b23f41152097cdd9ca3500fb0b82f6c64479d125472edd7b2d0f37c6

General

Target

PO-1812-BNS0023.exe
Size

261KB
MD5

0c666f4fa1b26d33fab8f9f36fa3ae90
SHA1

974326eec40369e3c0a894340d9fda2547e4553c
SHA256

cae72040b23f41152097cdd9ca3500fb0b82f6c64479d125472edd7b2d0f37c6
SHA512

bc1b0464af1ba79ece544991e66425d741003f6d650f2446e4056ed0eb7ab78e8812f9850b67c67dd0fb7472ab97a5860d6274953dc5d07d47e2880e5defc6c4
SSDEEP

6144:UR0+Ik/yw+H0/GcsBUOQPzt3ge4N5vwfegJf3Ih/:/u+USqOQPB3z4N5ofxI/

Score

10^/10

guloader remcos remotehost discovery downloader rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

185.255.113.251:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-KP2QJQ
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	PO-1812-BNS0023.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	PO-1812-BNS0023.exe

Loads dropped DLL 1 IoCs

pid	Process
1228	PO-1812-BNS0023.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
776	PO-1812-BNS0023.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1228	PO-1812-BNS0023.exe
776	PO-1812-BNS0023.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1228 set thread context of 776	1228	PO-1812-BNS0023.exe	27

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\forestillingskraft\Whencever\Diagrammatiske\Chattel.Kom	PO-1812-BNS0023.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1228	PO-1812-BNS0023.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
776	PO-1812-BNS0023.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1228 wrote to memory of 776	1228	PO-1812-BNS0023.exe	27
PID 1228 wrote to memory of 776	1228	PO-1812-BNS0023.exe	27
PID 1228 wrote to memory of 776	1228	PO-1812-BNS0023.exe	27
PID 1228 wrote to memory of 776	1228	PO-1812-BNS0023.exe	27
PID 1228 wrote to memory of 776	1228	PO-1812-BNS0023.exe	27

C:\Users\Admin\AppData\Local\Temp\PO-1812-BNS0023.exe
"C:\Users\Admin\AppData\Local\Temp\PO-1812-BNS0023.exe"
1⤵
- Checks QEMU agent file
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Users\Admin\AppData\Local\Temp\PO-1812-BNS0023.exe
  "C:\Users\Admin\AppData\Local\Temp\PO-1812-BNS0023.exe"
  2⤵
  - Checks QEMU agent file
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetWindowsHookEx
  PID:776

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
168B

MD5
537c61d788866a17feb8908188cfe619

SHA1
ddaa6365081e9703337f4c55443a59bf4b417495

SHA256
67bfaf6a6888584febaf9df1f14e675ea8536a7a8116551699139089e65f4056

SHA512
2b63df76f6fc23e031fc1a94ca1079e0875a6ac57cefcda8c9464217af0affc0922798c5246475818b00ff4b9668d1355d5fa23fb9375d87c4bbd8a2043dc747

Download Submit
\Users\Admin\AppData\Local\Temp\nsd41E3.tmp\System.dll

Filesize
11KB

MD5
6ad39193ed20078aa1b23c33a1e48859

SHA1
95e70e4f47aa1689cc08afbdaef3ec323b5342fa

SHA256
b9631423a50c666faf2cc6901c5a8d6eb2fecd306fdd2524256b7e2e37b251c2

SHA512
78c89bb8c86f3b68e5314467eca4e8e922d143335081fa66b01d756303e1aec68ed01f4be7098dbe06a789ca32a0f31102f5ba408bc5ab28e61251611bb4f62b

Download Submit
memory/776-85-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/776-89-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/776-116-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/776-72-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/776-74-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/776-78-0x0000000001470000-0x0000000002454000-memory.dmp

Filesize
15.9MB

Download
memory/776-80-0x0000000001470000-0x0000000002454000-memory.dmp

Filesize
15.9MB

Download
memory/776-81-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/776-69-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/776-70-0x0000000001470000-0x0000000002454000-memory.dmp

Filesize
15.9MB

Download
memory/776-113-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/776-93-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/776-97-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/776-100-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/776-104-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/776-108-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/776-112-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/1228-68-0x0000000003860000-0x0000000004844000-memory.dmp

Filesize
15.9MB

Download
memory/1228-71-0x0000000003860000-0x0000000004844000-memory.dmp

Filesize
15.9MB

Download

Analysis

Sharing