guloader | c4a1a8af4c1336e8e69e1914959cbf3bc4bfe5221639a163244d19fd60e8af19

General

Target

OFFER REQUEST.exe
Size

348KB
MD5

12f1f8b544a44c9e417a7265a4c02a4c
SHA1

20b172d83dcdb9974b8e222f14ea1e48eeccbfbe
SHA256

c4a1a8af4c1336e8e69e1914959cbf3bc4bfe5221639a163244d19fd60e8af19
SHA512

a462d5c3828d6fc6a40ff0dcb166abc6116008add3e8eb92be9b04ccd923c0b2abcc489eeb8b19c0805607063e76660948c9b5c985f0fff599080c94149c8acf
SSDEEP

6144:tIw3EwpCED/b1Myi5LQyUXme7HkSv7QFkMaTfKSzRm9C42+krMwUuDP:Aob1MyaQLmesdhgRmIdgyz

Score

10^/10

guloader remcos babynwahost downloader persistence rat

Malware Config

Extracted

Family

remcos

Botnet

babynwaHost

C2

callito2024.sytes.net:2097

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
ssc.exe
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_path
%AppData%
mouse_option
false
mutex
Rmc-JLXQ0I
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

Processes:

OFFER REQUEST.exeOFFER REQUEST.exe

description	ioc	process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	OFFER REQUEST.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	OFFER REQUEST.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

OFFER REQUEST.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	OFFER REQUEST.exe

Executes dropped EXE 1 IoCs

Processes:

ssc.exe

pid process

3524 ssc.exe
Loads dropped DLL 2 IoCs

Processes:

OFFER REQUEST.exe

pid process

1908 OFFER REQUEST.exe
1908 OFFER REQUEST.exe

pid	process
3524	ssc.exe

pid	process
1908	OFFER REQUEST.exe
1908	OFFER REQUEST.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

OFFER REQUEST.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows\CurrentVersion\Run\	OFFER REQUEST.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-JLXQ0I = "\"C:\\Users\\Admin\\AppData\\Roaming\\ssc.exe\""	OFFER REQUEST.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	OFFER REQUEST.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-JLXQ0I = "\"C:\\Users\\Admin\\AppData\\Roaming\\ssc.exe\""	OFFER REQUEST.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

OFFER REQUEST.exe

pid process

2468 OFFER REQUEST.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

OFFER REQUEST.exeOFFER REQUEST.exe

pid process

1908 OFFER REQUEST.exe
2468 OFFER REQUEST.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

OFFER REQUEST.exe

description pid process target process

PID 1908 set thread context of 2468 1908 OFFER REQUEST.exe OFFER REQUEST.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

OFFER REQUEST.exe

pid process

1908 OFFER REQUEST.exe

pid	process
2468	OFFER REQUEST.exe

pid	process
1908	OFFER REQUEST.exe
2468	OFFER REQUEST.exe

description	pid	process	target process
PID 1908 set thread context of 2468	1908	OFFER REQUEST.exe	OFFER REQUEST.exe

pid	process
1908	OFFER REQUEST.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

OFFER REQUEST.exeOFFER REQUEST.exe

description	pid	process	target process
PID 1908 wrote to memory of 2468	1908	OFFER REQUEST.exe	OFFER REQUEST.exe
PID 1908 wrote to memory of 2468	1908	OFFER REQUEST.exe	OFFER REQUEST.exe
PID 1908 wrote to memory of 2468	1908	OFFER REQUEST.exe	OFFER REQUEST.exe
PID 1908 wrote to memory of 2468	1908	OFFER REQUEST.exe	OFFER REQUEST.exe
PID 2468 wrote to memory of 3524	2468	OFFER REQUEST.exe	ssc.exe
PID 2468 wrote to memory of 3524	2468	OFFER REQUEST.exe	ssc.exe
PID 2468 wrote to memory of 3524	2468	OFFER REQUEST.exe	ssc.exe

C:\Users\Admin\AppData\Local\Temp\OFFER REQUEST.exe
"C:\Users\Admin\AppData\Local\Temp\OFFER REQUEST.exe"
1⤵
- Checks QEMU agent file
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1908

C:\Users\Admin\AppData\Local\Temp\OFFER REQUEST.exe
"C:\Users\Admin\AppData\Local\Temp\OFFER REQUEST.exe"
2⤵
- Checks QEMU agent file
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:2468

C:\Users\Admin\AppData\Roaming\ssc.exe
"C:\Users\Admin\AppData\Roaming\ssc.exe"
3⤵
- Executes dropped EXE
PID:3524

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsr72E5.tmp\System.dll
Filesize
11KB

MD5
8b3830b9dbf87f84ddd3b26645fed3a0

SHA1
223bef1f19e644a610a0877d01eadc9e28299509

SHA256
f004c568d305cd95edbd704166fcd2849d395b595dff814bcc2012693527ac37

SHA512
d13cfd98db5ca8dc9c15723eee0e7454975078a776bce26247228be4603a0217e166058ebadc68090afe988862b7514cb8cb84de13b3de35737412a6f0a8ac03

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr72E5.tmp\System.dll
Filesize
11KB

MD5
8b3830b9dbf87f84ddd3b26645fed3a0

SHA1
223bef1f19e644a610a0877d01eadc9e28299509

SHA256
f004c568d305cd95edbd704166fcd2849d395b595dff814bcc2012693527ac37

SHA512
d13cfd98db5ca8dc9c15723eee0e7454975078a776bce26247228be4603a0217e166058ebadc68090afe988862b7514cb8cb84de13b3de35737412a6f0a8ac03

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr72E5.tmp\System.dll
Filesize
11KB

MD5
8b3830b9dbf87f84ddd3b26645fed3a0

SHA1
223bef1f19e644a610a0877d01eadc9e28299509

SHA256
f004c568d305cd95edbd704166fcd2849d395b595dff814bcc2012693527ac37

SHA512
d13cfd98db5ca8dc9c15723eee0e7454975078a776bce26247228be4603a0217e166058ebadc68090afe988862b7514cb8cb84de13b3de35737412a6f0a8ac03

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Imidazolyl.ini
Filesize
37B

MD5
2e6676d90bd2ad7fc51ad7aa5d517779

SHA1
b29f0d8b7a05e60821fd3947597a51c2958de40b

SHA256
19c6bfa0180b3b10165d73c608ede7ae408840ce09edbcf77b23626e452f2106

SHA512
10eed25590e731b492f0cb875dd7bbad1ffb46726398abc3121b573d9d56c03e643abb049ff8f83319422a39edf0577ea68f31ce2f6e31fdca398e5e6ae9b10b

Download Submit
C:\Users\Admin\AppData\Roaming\ssc.exe
Filesize
348KB

MD5
12f1f8b544a44c9e417a7265a4c02a4c

SHA1
20b172d83dcdb9974b8e222f14ea1e48eeccbfbe

SHA256
c4a1a8af4c1336e8e69e1914959cbf3bc4bfe5221639a163244d19fd60e8af19

SHA512
a462d5c3828d6fc6a40ff0dcb166abc6116008add3e8eb92be9b04ccd923c0b2abcc489eeb8b19c0805607063e76660948c9b5c985f0fff599080c94149c8acf

Download Submit
C:\Users\Admin\AppData\Roaming\ssc.exe
Filesize
348KB

MD5
12f1f8b544a44c9e417a7265a4c02a4c

SHA1
20b172d83dcdb9974b8e222f14ea1e48eeccbfbe

SHA256
c4a1a8af4c1336e8e69e1914959cbf3bc4bfe5221639a163244d19fd60e8af19

SHA512
a462d5c3828d6fc6a40ff0dcb166abc6116008add3e8eb92be9b04ccd923c0b2abcc489eeb8b19c0805607063e76660948c9b5c985f0fff599080c94149c8acf

Download Submit
C:\Users\Admin\AppData\Roaming\ssc.exe
Filesize
348KB

MD5
12f1f8b544a44c9e417a7265a4c02a4c

SHA1
20b172d83dcdb9974b8e222f14ea1e48eeccbfbe

SHA256
c4a1a8af4c1336e8e69e1914959cbf3bc4bfe5221639a163244d19fd60e8af19

SHA512
a462d5c3828d6fc6a40ff0dcb166abc6116008add3e8eb92be9b04ccd923c0b2abcc489eeb8b19c0805607063e76660948c9b5c985f0fff599080c94149c8acf

Download Submit
memory/1908-149-0x0000000003210000-0x00000000049D6000-memory.dmp

Filesize
23.8MB

Download
memory/1908-150-0x0000000003210000-0x00000000049D6000-memory.dmp

Filesize
23.8MB

Download
memory/2468-153-0x0000000001660000-0x0000000002E26000-memory.dmp

Filesize
23.8MB

Download
memory/2468-154-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/2468-167-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/2468-171-0x0000000001660000-0x0000000002E26000-memory.dmp

Filesize
23.8MB

Download
memory/2468-152-0x0000000001660000-0x0000000002E26000-memory.dmp

Filesize
23.8MB

Download
memory/2468-151-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/2468-182-0x0000000001660000-0x0000000002E26000-memory.dmp

Filesize
23.8MB

Download
memory/2468-184-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads