guloader | 7efed1829051f94d9c430e22e88f59f64350397a1b0d355fd65951aee34d0f13

General

Target

HAWB eHAWB 1 Copy516328125292121001.exe
Size

663KB
Sample

230918-a7g2dsde6s
MD5

350558346cfe1dd301a21470193072db
SHA1

967ba98bbc9db9e98a31b5687cfd2fed6567022d
SHA256

7efed1829051f94d9c430e22e88f59f64350397a1b0d355fd65951aee34d0f13
SHA512

1e1156773d19217f27cc15c3f42c07de19d5a7399c8c40fd11ac1bfca931c1b5bc762ad6b51184f558e99c8e2792b023b1dd7a07b4138262e1df30b63de5cd0e
SSDEEP

12288:wbntTHA1OjiQRmIZ1sCLq3LVI4D1wGFP8vyvQTXCTRDer3yv:wbn83yZVLe7hweEy4Tykr3yv

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

Crypted

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
keylog_crypt
false
keylog_file
alsoetitgs.dat
keylog_flag
false
keylog_path
%AppData%
mouse_option
false
mutex
lksoetiug-30FBYC
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  HAWB eHAWB 1 Copy516328125292121001.exe
- Size
  
  663KB
- MD5
  
  350558346cfe1dd301a21470193072db
- SHA1
  
  967ba98bbc9db9e98a31b5687cfd2fed6567022d
- SHA256
  
  7efed1829051f94d9c430e22e88f59f64350397a1b0d355fd65951aee34d0f13
- SHA512
  
  1e1156773d19217f27cc15c3f42c07de19d5a7399c8c40fd11ac1bfca931c1b5bc762ad6b51184f558e99c8e2792b023b1dd7a07b4138262e1df30b63de5cd0e
- SSDEEP
  
  12288:wbntTHA1OjiQRmIZ1sCLq3LVI4D1wGFP8vyvQTXCTRDer3yv:wbn83yZVLe7hweEy4Tykr3yv
Score

10^/10

guloader remcos crypted discovery downloader rat hawkeye keylogger spyware stealer trojan
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- HawkEye
  HawkEye is a malware kit that has seen continuous development since at least 2013.
  keylogger trojan stealer spyware hawkeye
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Guloader,Cloudeye

HawkEye

Remcos

Checks QEMU agent file

Checks computer location settings

Loads dropped DLL

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2