guloader | edb595193fc312592db36cf49e9e32757868f4a10419c4ce9a89f63478bf1b1d

General

Target

07264199.exe
Size

363KB
MD5

dee45488657ddf8345c2e3b06d7bd97a
SHA1

c732e1f57bbd4df5eb074adf0ade814ba0b2ecff
SHA256

edb595193fc312592db36cf49e9e32757868f4a10419c4ce9a89f63478bf1b1d
SHA512

e6ed07d586b79f034b6e1af1779e17766cd155d6a01c97947f5a094c4d01636fd4a47122cb6c14a70c17c14448b27f2869b3e74ffb0b5fc3918404410f257d66
SSDEEP

6144:XIw3EwpCUJ3ATRD/opXz3ekXEV7vQ8z7M4+NSMT2DTpGu47G:2UJQ5Gz/UV7I8z7za2Xpr

Score

10^/10

guloader remcos sowetohost downloader rat

Malware Config

Extracted

Family

remcos

Botnet

SowetoHost

C2

soweto24.sytes.net:2098

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
scs.exe
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_path
%AppData%
mouse_option
false
mutex
Rmc-3QH5OR
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

Processes:

07264199.exe07264199.exe

description	ioc	process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	07264199.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	07264199.exe

Loads dropped DLL 2 IoCs

Processes:

07264199.exe

pid process

2120 07264199.exe
2120 07264199.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

07264199.exe

pid process

3416 07264199.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

07264199.exe07264199.exe

pid process

2120 07264199.exe
3416 07264199.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

07264199.exe

description pid process target process

PID 2120 set thread context of 3416 2120 07264199.exe 07264199.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3748 3416 WerFault.exe 07264199.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

07264199.exe

pid process

2120 07264199.exe

pid	process
2120	07264199.exe
2120	07264199.exe

pid	process
3416	07264199.exe

pid	process
2120	07264199.exe
3416	07264199.exe

description	pid	process	target process
PID 2120 set thread context of 3416	2120	07264199.exe	07264199.exe

pid	pid_target	process	target process
3748	3416	WerFault.exe	07264199.exe

pid	process
2120	07264199.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

07264199.exe

description	pid	process	target process
PID 2120 wrote to memory of 3416	2120	07264199.exe	07264199.exe
PID 2120 wrote to memory of 3416	2120	07264199.exe	07264199.exe
PID 2120 wrote to memory of 3416	2120	07264199.exe	07264199.exe
PID 2120 wrote to memory of 3416	2120	07264199.exe	07264199.exe

C:\Users\Admin\AppData\Local\Temp\07264199.exe
"C:\Users\Admin\AppData\Local\Temp\07264199.exe"
1⤵
- Checks QEMU agent file
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2120

C:\Users\Admin\AppData\Local\Temp\07264199.exe
"C:\Users\Admin\AppData\Local\Temp\07264199.exe"
2⤵
- Checks QEMU agent file
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 1792
3⤵
- Program crash
PID:3748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3416 -ip 3416
1⤵
PID:4928

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nse793E.tmp\System.dll
Filesize
11KB

MD5
8b3830b9dbf87f84ddd3b26645fed3a0

SHA1
223bef1f19e644a610a0877d01eadc9e28299509

SHA256
f004c568d305cd95edbd704166fcd2849d395b595dff814bcc2012693527ac37

SHA512
d13cfd98db5ca8dc9c15723eee0e7454975078a776bce26247228be4603a0217e166058ebadc68090afe988862b7514cb8cb84de13b3de35737412a6f0a8ac03

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse793E.tmp\System.dll
Filesize
11KB

MD5
8b3830b9dbf87f84ddd3b26645fed3a0

SHA1
223bef1f19e644a610a0877d01eadc9e28299509

SHA256
f004c568d305cd95edbd704166fcd2849d395b595dff814bcc2012693527ac37

SHA512
d13cfd98db5ca8dc9c15723eee0e7454975078a776bce26247228be4603a0217e166058ebadc68090afe988862b7514cb8cb84de13b3de35737412a6f0a8ac03

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse793E.tmp\System.dll
Filesize
11KB

MD5
8b3830b9dbf87f84ddd3b26645fed3a0

SHA1
223bef1f19e644a610a0877d01eadc9e28299509

SHA256
f004c568d305cd95edbd704166fcd2849d395b595dff814bcc2012693527ac37

SHA512
d13cfd98db5ca8dc9c15723eee0e7454975078a776bce26247228be4603a0217e166058ebadc68090afe988862b7514cb8cb84de13b3de35737412a6f0a8ac03

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Imidazolyl.ini
Filesize
37B

MD5
2e6676d90bd2ad7fc51ad7aa5d517779

SHA1
b29f0d8b7a05e60821fd3947597a51c2958de40b

SHA256
19c6bfa0180b3b10165d73c608ede7ae408840ce09edbcf77b23626e452f2106

SHA512
10eed25590e731b492f0cb875dd7bbad1ffb46726398abc3121b573d9d56c03e643abb049ff8f83319422a39edf0577ea68f31ce2f6e31fdca398e5e6ae9b10b

Download Submit
memory/2120-149-0x0000000003330000-0x0000000004604000-memory.dmp

Filesize
18.8MB

Download
memory/2120-150-0x0000000003330000-0x0000000004604000-memory.dmp

Filesize
18.8MB

Download
memory/3416-151-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/3416-152-0x0000000001660000-0x0000000002934000-memory.dmp

Filesize
18.8MB

Download
memory/3416-153-0x0000000001660000-0x0000000002934000-memory.dmp

Filesize
18.8MB

Download
memory/3416-166-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/3416-170-0x0000000001660000-0x0000000002934000-memory.dmp

Filesize
18.8MB

Download
memory/3416-171-0x0000000001660000-0x0000000002934000-memory.dmp

Filesize
18.8MB

Download

Analysis

Sharing