guloader | 7dec684e4f8201ed9aa44dca7eed761a0e2c62f0df0d6a6d3bf70d2993bcaa31

General

Target

7dec684e4f8201ed9aa44dca7eed761a0e2c62f0df0d6a6d3bf70d2993bcaa31.exe
Size

901KB
MD5

aa36a03ebaad8cfa9fdc16312951ebba
SHA1

491f103af57cb5c365624231c6f4b4eefed43897
SHA256

7dec684e4f8201ed9aa44dca7eed761a0e2c62f0df0d6a6d3bf70d2993bcaa31
SHA512

2652c66c236563e48016927f7aaaa3bc507516d50cb9833094cd64fa2617c283306139da33694516359033d3fac835376da9c37f4bf7e65102dc53e385241096
SSDEEP

24576:us5A1RMX/MedFbsPfMg1MppWv5oQqGQIg:d+MX7bitM9z

Score

10^/10

guloader remcos remotehost downloader rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

51.161.212.232:2406

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-8UPGPC
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	7dec684e4f8201ed9aa44dca7eed761a0e2c62f0df0d6a6d3bf70d2993bcaa31.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	7dec684e4f8201ed9aa44dca7eed761a0e2c62f0df0d6a6d3bf70d2993bcaa31.exe

Loads dropped DLL 1 IoCs

pid	Process
888	7dec684e4f8201ed9aa44dca7eed761a0e2c62f0df0d6a6d3bf70d2993bcaa31.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Footfalls\Nicolinas\Isthmistics.ini	7dec684e4f8201ed9aa44dca7eed761a0e2c62f0df0d6a6d3bf70d2993bcaa31.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
1120	7dec684e4f8201ed9aa44dca7eed761a0e2c62f0df0d6a6d3bf70d2993bcaa31.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
888	7dec684e4f8201ed9aa44dca7eed761a0e2c62f0df0d6a6d3bf70d2993bcaa31.exe
1120	7dec684e4f8201ed9aa44dca7eed761a0e2c62f0df0d6a6d3bf70d2993bcaa31.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 888 set thread context of 1120	888	7dec684e4f8201ed9aa44dca7eed761a0e2c62f0df0d6a6d3bf70d2993bcaa31.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
888	7dec684e4f8201ed9aa44dca7eed761a0e2c62f0df0d6a6d3bf70d2993bcaa31.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 888 wrote to memory of 1120	888	7dec684e4f8201ed9aa44dca7eed761a0e2c62f0df0d6a6d3bf70d2993bcaa31.exe	28
PID 888 wrote to memory of 1120	888	7dec684e4f8201ed9aa44dca7eed761a0e2c62f0df0d6a6d3bf70d2993bcaa31.exe	28
PID 888 wrote to memory of 1120	888	7dec684e4f8201ed9aa44dca7eed761a0e2c62f0df0d6a6d3bf70d2993bcaa31.exe	28
PID 888 wrote to memory of 1120	888	7dec684e4f8201ed9aa44dca7eed761a0e2c62f0df0d6a6d3bf70d2993bcaa31.exe	28
PID 888 wrote to memory of 1120	888	7dec684e4f8201ed9aa44dca7eed761a0e2c62f0df0d6a6d3bf70d2993bcaa31.exe	28

C:\Users\Admin\AppData\Local\Temp\7dec684e4f8201ed9aa44dca7eed761a0e2c62f0df0d6a6d3bf70d2993bcaa31.exe
"C:\Users\Admin\AppData\Local\Temp\7dec684e4f8201ed9aa44dca7eed761a0e2c62f0df0d6a6d3bf70d2993bcaa31.exe"
1⤵
- Checks QEMU agent file
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:888
- C:\Users\Admin\AppData\Local\Temp\7dec684e4f8201ed9aa44dca7eed761a0e2c62f0df0d6a6d3bf70d2993bcaa31.exe
  "C:\Users\Admin\AppData\Local\Temp\7dec684e4f8201ed9aa44dca7eed761a0e2c62f0df0d6a6d3bf70d2993bcaa31.exe"
  2⤵
  - Checks QEMU agent file
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:1120

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

1

T1102

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\DORME.ini

Filesize
31B

MD5
3000f7f0f12b7139ea28160c52098e25

SHA1
9d032395f38d341881019b996e591160d542054b

SHA256
467b09ff26622746d205628ae325ec9838461bc5fe741b3757bb39ddec87ecb1

SHA512
a76a2f1e3686e2ffd03388ec7dbcd4afa6ae53ccd3aa40c6fbbf0c994eee5e2685d0c412f15ec4506c1175f5a84712e1a8b7ae32e6a0327e1ba47321a59e0ee2

Download Submit
\Users\Admin\AppData\Local\Temp\nsd11BF.tmp\System.dll

Filesize
11KB

MD5
e23600029d1b09bdb1d422fb4e46f5a6

SHA1
5d64a2f6a257a98a689a3db9a087a0fd5f180096

SHA256
7342b73593b3aa1b15e3731bfb1afd1961802a5c66343bac9a2c737ee94f4e38

SHA512
c971f513142633ce0e6ec6a04c754a286da8016563dab368c3fac83aef81fa3e9df1003c4b63d00a46351a9d18eaa7ae7645caef172e5e1d6e29123ab864e7ac

Download Submit
memory/888-76-0x00000000037D0000-0x0000000004E97000-memory.dmp

Filesize
22.8MB

Download
memory/888-77-0x00000000037D0000-0x0000000004E97000-memory.dmp

Filesize
22.8MB

Download
memory/1120-110-0x0000000001470000-0x0000000002B37000-memory.dmp

Filesize
22.8MB

Download
memory/1120-114-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/1120-80-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/1120-103-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/1120-107-0x0000000001470000-0x0000000002B37000-memory.dmp

Filesize
22.8MB

Download
memory/1120-108-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/1120-78-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/1120-111-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/1120-113-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/1120-79-0x0000000001470000-0x0000000002B37000-memory.dmp

Filesize
22.8MB

Download
memory/1120-115-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/1120-117-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/1120-119-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/1120-121-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/1120-123-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/1120-125-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/1120-127-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/1120-129-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download

Analysis

Sharing