guloader | 2222cfde2a4fb474984f2dec6e7819fc722889ede5bb9b6bad905e273c52db80

Resubmissions

11-10-2023 08:53

231011-ktqfqace3x 10

11-10-2023 08:40

231011-kk87gabh4w 10

11-10-2023 08:23

231011-kaf3yada69 10

Analysis

max time kernel
411s
max time network
419s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2023 08:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CMR CA4653XT -10-10-2023-7.exe
Size

807KB
MD5

6f7d51ec00fe651601b179d7af7be2cf
SHA1

e199b506d0ac0a5c61af8224f69da19a3940a0dc
SHA256

bc1401e81ad110669077ad7e3f0c57fb80b04b06397e5a4d384c7bb80dec4361
SHA512

97f719f94373e7ed2f38e2915b926176909c9da87cc1d579ee5fd21c347f7b56ae2c614a8ed8ed13872d40ff84f081949915ca74eec2cb348ba8a75c27f046bf
SSDEEP

12288:qYoVFrdkb10/dREKj9g6VdKCRTU9aYTd+PGZb8OQEW+G2DsebUk8s:qYoVHkb6TEiW6VdlTtYTd7p8x/7kF

Score

10^/10

guloader remcos crypted downloader persistence rat

Malware Config

Extracted

Family

remcos

Botnet

Crypted

ourt2949aslumes9.duckdns.org:2401

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
keylog_crypt
false
keylog_file
paqlgkfs.dat
keylog_flag
false
keylog_path
%AppData%
mouse_option
false
mutex
ourvbpld-RBN2WW
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
take_screenshot_option
false
take_screenshot_time
5

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Loads dropped DLL 2 IoCs

Processes:

CMR CA4653XT -10-10-2023-7.exe

pid process

1032 CMR CA4653XT -10-10-2023-7.exe
1032 CMR CA4653XT -10-10-2023-7.exe

pid	process
1032	CMR CA4653XT -10-10-2023-7.exe
1032	CMR CA4653XT -10-10-2023-7.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

wab.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Forretningsomraadets = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Mllernes35\\Fnugfri.exe"	wab.exe

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

Processes:

wab.exe

pid process

2396 wab.exe
2396 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

CMR CA4653XT -10-10-2023-7.exewab.exe

pid process

1032 CMR CA4653XT -10-10-2023-7.exe
2396 wab.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

CMR CA4653XT -10-10-2023-7.exe

description pid process target process

PID 1032 set thread context of 2396 1032 CMR CA4653XT -10-10-2023-7.exe wab.exe
Drops file in Program Files directory 1 IoCs

Processes:

CMR CA4653XT -10-10-2023-7.exe

description ioc process

File opened for modification C:\Program Files (x86)\Shashlick\communicated.for CMR CA4653XT -10-10-2023-7.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1140 2396 WerFault.exe wab.exe
3816 2396 WerFault.exe wab.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

CMR CA4653XT -10-10-2023-7.exe

pid process

1032 CMR CA4653XT -10-10-2023-7.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

wab.exe

pid process

2396 wab.exe

pid	process
2396	wab.exe
2396	wab.exe

pid	process
1032	CMR CA4653XT -10-10-2023-7.exe
2396	wab.exe

description	pid	process	target process
PID 1032 set thread context of 2396	1032	CMR CA4653XT -10-10-2023-7.exe	wab.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Shashlick\communicated.for	CMR CA4653XT -10-10-2023-7.exe

pid	pid_target	process	target process
1140	2396	WerFault.exe	wab.exe
3816	2396	WerFault.exe	wab.exe

pid	process
1032	CMR CA4653XT -10-10-2023-7.exe

pid	process
2396	wab.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

CMR CA4653XT -10-10-2023-7.exewab.exe

description	pid	process	target process
PID 1032 wrote to memory of 2396	1032	CMR CA4653XT -10-10-2023-7.exe	wab.exe
PID 1032 wrote to memory of 2396	1032	CMR CA4653XT -10-10-2023-7.exe	wab.exe
PID 1032 wrote to memory of 2396	1032	CMR CA4653XT -10-10-2023-7.exe	wab.exe
PID 1032 wrote to memory of 2396	1032	CMR CA4653XT -10-10-2023-7.exe	wab.exe
PID 1032 wrote to memory of 2396	1032	CMR CA4653XT -10-10-2023-7.exe	wab.exe
PID 2396 wrote to memory of 1140	2396	wab.exe	WerFault.exe
PID 2396 wrote to memory of 1140	2396	wab.exe	WerFault.exe
PID 2396 wrote to memory of 1140	2396	wab.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\CMR CA4653XT -10-10-2023-7.exe
"C:\Users\Admin\AppData\Local\Temp\CMR CA4653XT -10-10-2023-7.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1032

C:\Program Files (x86)\windows mail\wab.exe
"C:\Users\Admin\AppData\Local\Temp\CMR CA4653XT -10-10-2023-7.exe"
2⤵
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 1248
3⤵
- Program crash
PID:1140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 1248
3⤵
- Program crash
PID:3816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 2396 -ip 2396
1⤵
PID:4636

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsuB61E.tmp\System.dll
Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuB61E.tmp\System.dll
Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuB61E.tmp\System.dll
Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
memory/1032-24-0x0000000003290000-0x0000000005467000-memory.dmp

Filesize
33.8MB

Download
memory/1032-25-0x0000000003290000-0x0000000005467000-memory.dmp

Filesize
33.8MB

Download
memory/1032-26-0x0000000077101000-0x0000000077221000-memory.dmp

Filesize
1.1MB

Download
memory/1032-27-0x0000000077101000-0x0000000077221000-memory.dmp

Filesize
1.1MB

Download
memory/1032-28-0x0000000073DF0000-0x0000000073DF7000-memory.dmp

Filesize
28KB

Download
memory/2396-29-0x0000000000A00000-0x0000000002BD7000-memory.dmp

Filesize
33.8MB

Download
memory/2396-30-0x0000000000A00000-0x0000000002BD7000-memory.dmp

Filesize
33.8MB

Download
memory/2396-31-0x0000000077188000-0x0000000077189000-memory.dmp

Filesize
4KB

Download
memory/2396-32-0x0000000077101000-0x0000000077221000-memory.dmp

Filesize
1.1MB

Download
memory/2396-34-0x0000000072B90000-0x0000000073DE4000-memory.dmp

Filesize
18.3MB

Download
memory/2396-35-0x0000000072B90000-0x0000000073DE4000-memory.dmp

Filesize
18.3MB

Download
memory/2396-36-0x0000000000A00000-0x0000000002BD7000-memory.dmp

Filesize
33.8MB

Download
memory/2396-38-0x0000000072B90000-0x0000000073DE4000-memory.dmp

Filesize
18.3MB

Download
memory/2396-37-0x0000000000A00000-0x0000000002BD7000-memory.dmp

Filesize
33.8MB

Download
memory/2396-39-0x0000000072B90000-0x0000000073DE4000-memory.dmp

Filesize
18.3MB

Download
memory/2396-40-0x0000000072B90000-0x0000000073DE4000-memory.dmp

Filesize
18.3MB

Download
memory/2396-41-0x0000000072B90000-0x0000000073DE4000-memory.dmp

Filesize
18.3MB

Download
memory/2396-42-0x0000000072B90000-0x0000000073DE4000-memory.dmp

Filesize
18.3MB

Download
memory/2396-43-0x0000000072B90000-0x0000000073DE4000-memory.dmp

Filesize
18.3MB

Download
memory/2396-44-0x0000000072B90000-0x0000000073DE4000-memory.dmp

Filesize
18.3MB

Download
memory/2396-45-0x0000000072B90000-0x0000000073DE4000-memory.dmp

Filesize
18.3MB

Download
memory/2396-46-0x0000000072B90000-0x0000000073DE4000-memory.dmp

Filesize
18.3MB

Download
memory/2396-47-0x0000000072B90000-0x0000000073DE4000-memory.dmp

Filesize
18.3MB

Download
memory/2396-48-0x0000000072B90000-0x0000000073DE4000-memory.dmp

Filesize
18.3MB

Download
memory/2396-49-0x0000000072B90000-0x0000000073DE4000-memory.dmp

Filesize
18.3MB

Download
memory/2396-50-0x0000000072B90000-0x0000000073DE4000-memory.dmp

Filesize
18.3MB

Download
memory/2396-51-0x0000000072B90000-0x0000000073DE4000-memory.dmp

Filesize
18.3MB

Download
memory/2396-52-0x0000000072B90000-0x0000000073DE4000-memory.dmp

Filesize
18.3MB

Download
memory/2396-53-0x0000000072B90000-0x0000000073DE4000-memory.dmp

Filesize
18.3MB

Download
memory/2396-54-0x0000000072B90000-0x0000000073DE4000-memory.dmp

Filesize
18.3MB

Download
memory/2396-57-0x0000000072B90000-0x0000000073DE4000-memory.dmp

Filesize
18.3MB

Download
memory/2396-58-0x0000000072B90000-0x0000000073DE4000-memory.dmp

Filesize
18.3MB

Download
memory/2396-59-0x0000000072B90000-0x0000000073DE4000-memory.dmp

Filesize
18.3MB

Download
memory/2396-60-0x0000000072B90000-0x0000000073DE4000-memory.dmp

Filesize
18.3MB

Download
memory/2396-61-0x0000000072B90000-0x0000000073DE4000-memory.dmp

Filesize
18.3MB

Download
memory/2396-62-0x0000000072B90000-0x0000000073DE4000-memory.dmp

Filesize
18.3MB

Download
memory/2396-63-0x0000000072B90000-0x0000000073DE4000-memory.dmp

Filesize
18.3MB

Download
memory/2396-64-0x0000000072B90000-0x0000000073DE4000-memory.dmp

Filesize
18.3MB

Download
memory/2396-65-0x0000000072B90000-0x0000000073DE4000-memory.dmp

Filesize
18.3MB

Download
memory/2396-66-0x0000000072B90000-0x0000000073DE4000-memory.dmp

Filesize
18.3MB

Download
memory/2396-68-0x0000000072B90000-0x0000000073DE4000-memory.dmp

Filesize
18.3MB

Download
memory/2396-69-0x0000000072B90000-0x0000000073DE4000-memory.dmp

Filesize
18.3MB

Download
memory/2396-70-0x0000000072B90000-0x0000000073DE4000-memory.dmp

Filesize
18.3MB

Download
memory/2396-71-0x0000000072B90000-0x0000000073DE4000-memory.dmp

Filesize
18.3MB

Download
memory/2396-72-0x0000000072B90000-0x0000000073DE4000-memory.dmp

Filesize
18.3MB

Download
memory/2396-73-0x0000000072B90000-0x0000000073DE4000-memory.dmp

Filesize
18.3MB

Download
memory/2396-74-0x0000000072B90000-0x0000000073DE4000-memory.dmp

Filesize
18.3MB

Download
memory/2396-75-0x0000000072B90000-0x0000000073DE4000-memory.dmp

Filesize
18.3MB

Download
memory/2396-76-0x0000000072B90000-0x0000000073DE4000-memory.dmp

Filesize
18.3MB

Download
memory/2396-77-0x0000000072B90000-0x0000000073DE4000-memory.dmp

Filesize
18.3MB

Download
memory/2396-78-0x0000000072B90000-0x0000000073DE4000-memory.dmp

Filesize
18.3MB

Download
memory/2396-79-0x0000000072B90000-0x0000000073DE4000-memory.dmp

Filesize
18.3MB

Download
memory/2396-80-0x0000000072B90000-0x0000000073DE4000-memory.dmp

Filesize
18.3MB

Download
memory/2396-81-0x0000000072B90000-0x0000000073DE4000-memory.dmp

Filesize
18.3MB

Download
memory/2396-82-0x0000000072B90000-0x0000000073DE4000-memory.dmp

Filesize
18.3MB

Download
memory/2396-83-0x0000000072B90000-0x0000000073DE4000-memory.dmp

Filesize
18.3MB

Download
memory/2396-85-0x0000000072B90000-0x0000000073DE4000-memory.dmp

Filesize
18.3MB

Download
memory/2396-86-0x0000000072B90000-0x0000000073DE4000-memory.dmp

Filesize
18.3MB

Download
memory/2396-87-0x0000000072B90000-0x0000000073DE4000-memory.dmp

Filesize
18.3MB

Download
memory/2396-88-0x0000000072B90000-0x0000000073DE4000-memory.dmp

Filesize
18.3MB

Download
memory/2396-90-0x0000000072B90000-0x0000000073DE4000-memory.dmp

Filesize
18.3MB

Download
memory/2396-91-0x0000000072B90000-0x0000000073DE4000-memory.dmp

Filesize
18.3MB

Download
memory/2396-92-0x0000000072B90000-0x0000000073DE4000-memory.dmp

Filesize
18.3MB

Download
memory/2396-93-0x0000000072B90000-0x0000000073DE4000-memory.dmp

Filesize
18.3MB

Download
memory/2396-94-0x0000000072B90000-0x0000000073DE4000-memory.dmp

Filesize
18.3MB

Download
memory/2396-95-0x0000000072B90000-0x0000000073DE4000-memory.dmp

Filesize
18.3MB

Download
memory/2396-96-0x0000000072B90000-0x0000000073DE4000-memory.dmp

Filesize
18.3MB

Download
memory/2396-97-0x0000000072B90000-0x0000000073DE4000-memory.dmp

Filesize
18.3MB

Download
memory/2396-513-0x0000000000A00000-0x0000000002BD7000-memory.dmp

Filesize
33.8MB

Download