guloader | 7dec684e4f8201ed9aa44dca7eed761a0e2c62f0df0d6a6d3bf70d2993bcaa31

General

Target

7dec684e4f8201ed9aa44dca7eed761a0e2c62f0df0d6a6d3bf70d2993bcaa31
Size

901KB
Sample

230509-pmrseshg2s
MD5

aa36a03ebaad8cfa9fdc16312951ebba
SHA1

491f103af57cb5c365624231c6f4b4eefed43897
SHA256

7dec684e4f8201ed9aa44dca7eed761a0e2c62f0df0d6a6d3bf70d2993bcaa31
SHA512

2652c66c236563e48016927f7aaaa3bc507516d50cb9833094cd64fa2617c283306139da33694516359033d3fac835376da9c37f4bf7e65102dc53e385241096
SSDEEP

24576:us5A1RMX/MedFbsPfMg1MppWv5oQqGQIg:d+MX7bitM9z

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

51.161.212.232:2406

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-8UPGPC
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  7dec684e4f8201ed9aa44dca7eed761a0e2c62f0df0d6a6d3bf70d2993bcaa31
- Size
  
  901KB
- MD5
  
  aa36a03ebaad8cfa9fdc16312951ebba
- SHA1
  
  491f103af57cb5c365624231c6f4b4eefed43897
- SHA256
  
  7dec684e4f8201ed9aa44dca7eed761a0e2c62f0df0d6a6d3bf70d2993bcaa31
- SHA512
  
  2652c66c236563e48016927f7aaaa3bc507516d50cb9833094cd64fa2617c283306139da33694516359033d3fac835376da9c37f4bf7e65102dc53e385241096
- SSDEEP
  
  24576:us5A1RMX/MedFbsPfMg1MppWv5oQqGQIg:d+MX7bitM9z
Score

10^/10

guloader remcos remotehost downloader rat
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

1

T1102

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Guloader,Cloudeye

Remcos

Checks QEMU agent file

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2