guloader | 7dec684e4f8201ed9aa44dca7eed761a0e2c62f0df0d6a6d3bf70d2993bcaa31

General

Target

7dec684e4f8201ed9aa44dca7eed761a0e2c62f0df0d6a6d3bf70d2993bcaa31.exe
Size

901KB
MD5

aa36a03ebaad8cfa9fdc16312951ebba
SHA1

491f103af57cb5c365624231c6f4b4eefed43897
SHA256

7dec684e4f8201ed9aa44dca7eed761a0e2c62f0df0d6a6d3bf70d2993bcaa31
SHA512

2652c66c236563e48016927f7aaaa3bc507516d50cb9833094cd64fa2617c283306139da33694516359033d3fac835376da9c37f4bf7e65102dc53e385241096
SSDEEP

24576:us5A1RMX/MedFbsPfMg1MppWv5oQqGQIg:d+MX7bitM9z

Score

10^/10

guloader remcos remotehost downloader rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

51.161.212.232:2406

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-8UPGPC
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	7dec684e4f8201ed9aa44dca7eed761a0e2c62f0df0d6a6d3bf70d2993bcaa31.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	7dec684e4f8201ed9aa44dca7eed761a0e2c62f0df0d6a6d3bf70d2993bcaa31.exe

Loads dropped DLL 1 IoCs

pid	Process
4740	7dec684e4f8201ed9aa44dca7eed761a0e2c62f0df0d6a6d3bf70d2993bcaa31.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Footfalls\Nicolinas\Isthmistics.ini	7dec684e4f8201ed9aa44dca7eed761a0e2c62f0df0d6a6d3bf70d2993bcaa31.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
1200	7dec684e4f8201ed9aa44dca7eed761a0e2c62f0df0d6a6d3bf70d2993bcaa31.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4740	7dec684e4f8201ed9aa44dca7eed761a0e2c62f0df0d6a6d3bf70d2993bcaa31.exe
1200	7dec684e4f8201ed9aa44dca7eed761a0e2c62f0df0d6a6d3bf70d2993bcaa31.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4740 set thread context of 1200	4740	7dec684e4f8201ed9aa44dca7eed761a0e2c62f0df0d6a6d3bf70d2993bcaa31.exe	89

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4740	7dec684e4f8201ed9aa44dca7eed761a0e2c62f0df0d6a6d3bf70d2993bcaa31.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4740 wrote to memory of 1200	4740	7dec684e4f8201ed9aa44dca7eed761a0e2c62f0df0d6a6d3bf70d2993bcaa31.exe	89
PID 4740 wrote to memory of 1200	4740	7dec684e4f8201ed9aa44dca7eed761a0e2c62f0df0d6a6d3bf70d2993bcaa31.exe	89
PID 4740 wrote to memory of 1200	4740	7dec684e4f8201ed9aa44dca7eed761a0e2c62f0df0d6a6d3bf70d2993bcaa31.exe	89
PID 4740 wrote to memory of 1200	4740	7dec684e4f8201ed9aa44dca7eed761a0e2c62f0df0d6a6d3bf70d2993bcaa31.exe	89

C:\Users\Admin\AppData\Local\Temp\7dec684e4f8201ed9aa44dca7eed761a0e2c62f0df0d6a6d3bf70d2993bcaa31.exe
"C:\Users\Admin\AppData\Local\Temp\7dec684e4f8201ed9aa44dca7eed761a0e2c62f0df0d6a6d3bf70d2993bcaa31.exe"
1⤵
- Checks QEMU agent file
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4740
- C:\Users\Admin\AppData\Local\Temp\7dec684e4f8201ed9aa44dca7eed761a0e2c62f0df0d6a6d3bf70d2993bcaa31.exe
  "C:\Users\Admin\AppData\Local\Temp\7dec684e4f8201ed9aa44dca7eed761a0e2c62f0df0d6a6d3bf70d2993bcaa31.exe"
  2⤵
  - Checks QEMU agent file
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:1200

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

1

T1102

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsfBADB.tmp\System.dll

Filesize
11KB

MD5
e23600029d1b09bdb1d422fb4e46f5a6

SHA1
5d64a2f6a257a98a689a3db9a087a0fd5f180096

SHA256
7342b73593b3aa1b15e3731bfb1afd1961802a5c66343bac9a2c737ee94f4e38

SHA512
c971f513142633ce0e6ec6a04c754a286da8016563dab368c3fac83aef81fa3e9df1003c4b63d00a46351a9d18eaa7ae7645caef172e5e1d6e29123ab864e7ac

Download Submit
C:\Users\Admin\AppData\Roaming\DORME.ini

Filesize
31B

MD5
3000f7f0f12b7139ea28160c52098e25

SHA1
9d032395f38d341881019b996e591160d542054b

SHA256
467b09ff26622746d205628ae325ec9838461bc5fe741b3757bb39ddec87ecb1

SHA512
a76a2f1e3686e2ffd03388ec7dbcd4afa6ae53ccd3aa40c6fbbf0c994eee5e2685d0c412f15ec4506c1175f5a84712e1a8b7ae32e6a0327e1ba47321a59e0ee2

Download Submit
memory/1200-175-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/1200-179-0x0000000001660000-0x0000000002D27000-memory.dmp

Filesize
22.8MB

Download
memory/1200-159-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/1200-160-0x0000000001660000-0x0000000002D27000-memory.dmp

Filesize
22.8MB

Download
memory/1200-161-0x0000000001660000-0x0000000002D27000-memory.dmp

Filesize
22.8MB

Download
memory/1200-174-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/1200-187-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/1200-186-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/1200-180-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/1200-181-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/1200-182-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/1200-183-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/1200-184-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/1200-185-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/4740-158-0x0000000004B80000-0x0000000006247000-memory.dmp

Filesize
22.8MB

Download
memory/4740-157-0x0000000004B80000-0x0000000006247000-memory.dmp

Filesize
22.8MB

Download

Analysis

Sharing