guloader | f99f95fa5cd8015a84c6aef4ce0444b5e26e8c6bff54c13335a4d1a92201418c

General

Target

f99f95fa5cd8015a84c6aef4ce0444b5e26e8c6bff54c13335a4d1a92201418c.exe
Size

2.4MB
Sample

240207-1kqm5abef2
MD5

1414d0efbbb09adb1ba13bf4425674e2
SHA1

6baa8796c4b669fbdcb6bcbdae2a54c83ddee8cc
SHA256

f99f95fa5cd8015a84c6aef4ce0444b5e26e8c6bff54c13335a4d1a92201418c
SHA512

73bb2737f9ef75661a038eac9c5921cd2e5260b4af032a0aa6950b322114181df541b6cb606490bc81bab152f43b5dc5104a7be142f0121da24f951f9fc2c776
SSDEEP

49152:vgzFgXJBY8OQ7HnUjp3i1JNQvjJO0amGSNTgj8tff0JtvViqfKHv1uBERCZju:YzIjr7Hnspy1JNkKJSNTgaXOVGv1uSR5

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

2024

C2

72.11.158.94:1604

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
vexplorers.exe
copy_folder
vexplorers
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-800RNZ
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  f99f95fa5cd8015a84c6aef4ce0444b5e26e8c6bff54c13335a4d1a92201418c.exe
- Size
  
  2.4MB
- MD5
  
  1414d0efbbb09adb1ba13bf4425674e2
- SHA1
  
  6baa8796c4b669fbdcb6bcbdae2a54c83ddee8cc
- SHA256
  
  f99f95fa5cd8015a84c6aef4ce0444b5e26e8c6bff54c13335a4d1a92201418c
- SHA512
  
  73bb2737f9ef75661a038eac9c5921cd2e5260b4af032a0aa6950b322114181df541b6cb606490bc81bab152f43b5dc5104a7be142f0121da24f951f9fc2c776
- SSDEEP
  
  49152:vgzFgXJBY8OQ7HnUjp3i1JNQvjJO0amGSNTgj8tff0JtvViqfKHv1uBERCZju:YzIjr7Hnspy1JNkKJSNTgaXOVGv1uSR5
Score

10^/10

guloader remcos 2024 collection downloader persistence rat spyware stealer
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
- Detects executables built or packed with MPress PE compressor
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
- Detects executables referencing many email and collaboration clients. Observed in information stealers
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  12KB
- MD5
  
  564bb0373067e1785cba7e4c24aab4bf
- SHA1
  
  7c9416a01d821b10b2eef97b80899d24014d6fc1
- SHA256
  
  7a9ddee34562cd3703f1502b5c70e99cd5bba15de2b6845a3555033d7f6cb2a5
- SHA512
  
  22c61a323cb9293d7ec5c7e7e60674d0e2f7b29d55be25eb3c128ea2cd7440a1400cee17c43896b996278007c0d247f331a9b8964e3a40a0eb1404a9596c4472
- SSDEEP
  
  192:nenY0qWTlt70IAj/lQ0sEWc/wtYbBH2aDybC7y+XBDIwL:n8+Qlt70Fj/lQRY/9VjjfL
Score

3^/10
behavioral3 behavioral4