guloader | dcf86088586837cd7d690592bcd0a38c7bfd807b22b0a975da1a8773e551983a

Analysis

max time kernel
43s
max time network
45s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
14/02/2024, 09:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AWB-RO-202644066004734534543534534563456784576373.exe
Size

704KB
MD5

2bf4f7c342a2d3e07f3685b2334f4749
SHA1

ce2fc2a2899b4302ce2d55f732039240cc70529b
SHA256

dcf86088586837cd7d690592bcd0a38c7bfd807b22b0a975da1a8773e551983a
SHA512

b134b95882e7c67c636408fd874ab22f5c15e1965c525cf576df0bf45c56b0b7401c4e616e412682632174c0ac2ac51c3f73dd831e974181da548623ca311c82
SSDEEP

12288:PK5yuMYw7lskuR1fi+6wFF0JC2RTfuBZL+HlLwxOiMCyINCj:C5XMYwZluR10bJ4uHlLhlIkj

Score

10^/10

guloader remcos downloader persistence rat

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Loads dropped DLL 1 IoCs

pid	Process
4328	AWB-RO-202644066004734534543534534563456784576373.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Startup key = "C:\\Users\\Admin\\AppData\\Local\\Temp\\subfolder1\\Sheephead.exe"	wab.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\devastate.ini	AWB-RO-202644066004734534543534534563456784576373.exe

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

pid	Process
744	wab.exe
744	wab.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4328	AWB-RO-202644066004734534543534534563456784576373.exe
744	wab.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4328 set thread context of 744	4328	AWB-RO-202644066004734534543534534563456784576373.exe	93

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\hamus.ini	AWB-RO-202644066004734534543534534563456784576373.exe
File opened for modification	C:\Program Files (x86)\duodecimos.ini	AWB-RO-202644066004734534543534534563456784576373.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Forglemmes130\coatee.ini	AWB-RO-202644066004734534543534534563456784576373.exe
File opened for modification	C:\Windows\resources\0409\folders\Sequenser.ini	AWB-RO-202644066004734534543534534563456784576373.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4328	AWB-RO-202644066004734534543534534563456784576373.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
744	wab.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4328 wrote to memory of 744	4328	AWB-RO-202644066004734534543534534563456784576373.exe	93
PID 4328 wrote to memory of 744	4328	AWB-RO-202644066004734534543534534563456784576373.exe	93
PID 4328 wrote to memory of 744	4328	AWB-RO-202644066004734534543534534563456784576373.exe	93
PID 4328 wrote to memory of 744	4328	AWB-RO-202644066004734534543534534563456784576373.exe	93
PID 4328 wrote to memory of 744	4328	AWB-RO-202644066004734534543534534563456784576373.exe	93

C:\Users\Admin\AppData\Local\Temp\AWB-RO-202644066004734534543534534563456784576373.exe
"C:\Users\Admin\AppData\Local\Temp\AWB-RO-202644066004734534543534534563456784576373.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4328
- C:\Program Files (x86)\windows mail\wab.exe
  "C:\Users\Admin\AppData\Local\Temp\AWB-RO-202644066004734534543534534563456784576373.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetWindowsHookEx
  PID:744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nss41BD.tmp\System.dll

Filesize
11KB

MD5
9625d5b1754bc4ff29281d415d27a0fd

SHA1
80e85afc5cccd4c0a3775edbb90595a1a59f5ce0

SHA256
c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448

SHA512
dce52b640897c2e8dbfd0a1472d5377fa91fb9cf1aeff62604d014bccbe5b56af1378f173132abeb0edd18c225b9f8f5e3d3e72434aed946661e036c779f165b

Download Submit
C:\Users\Admin\AppData\Roaming\Smklaasens.lnk

Filesize
1024B

MD5
bb098c83f09f8dbd7f07634d8a700db2

SHA1
912a55c659ee7cdf28c182acb1d90493c3bb5cef

SHA256
5fb5de80d7f33455663456cd2ae1fe7630fa3068b3137932cfdc6fe9211fe392

SHA512
dd7e4a75c67777b01441403d48a91070d3fec29b536610aa779b1103eeeeb8875bf021e3ca9cecdecdd2e70981ec7207909b293347eda2258c8c367bfc835c07

Download Submit
memory/744-295-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/744-298-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/744-262-0x0000000002260000-0x000000000501D000-memory.dmp

Filesize
45.7MB

Download
memory/744-266-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/744-328-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/744-269-0x0000000002260000-0x000000000501D000-memory.dmp

Filesize
45.7MB

Download
memory/744-270-0x0000000077551000-0x0000000077671000-memory.dmp

Filesize
1.1MB

Download
memory/744-268-0x0000000002260000-0x000000000501D000-memory.dmp

Filesize
45.7MB

Download
memory/744-271-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/744-272-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/744-273-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/744-274-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/744-275-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/744-276-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/744-277-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/744-278-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/744-279-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/744-280-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/744-281-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/744-282-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/744-283-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/744-284-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/744-285-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/744-286-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/744-287-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/744-288-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/744-289-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/744-290-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/744-291-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/744-292-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/744-294-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/744-296-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/744-265-0x0000000077551000-0x0000000077671000-memory.dmp

Filesize
1.1MB

Download
memory/744-264-0x00000000775D8000-0x00000000775D9000-memory.dmp

Filesize
4KB

Download
memory/744-305-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/744-299-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/744-301-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/744-300-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/744-302-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/744-303-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/744-304-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/744-297-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/744-306-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/744-309-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/744-310-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/744-311-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/744-312-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/744-313-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/744-314-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/744-315-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/744-316-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/744-317-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/744-318-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/744-319-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/744-320-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/744-321-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/744-322-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/744-324-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/744-323-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/744-325-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/744-326-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/744-327-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/4328-259-0x00000000045F0000-0x00000000073AD000-memory.dmp

Filesize
45.7MB

Download
memory/4328-260-0x0000000077551000-0x0000000077671000-memory.dmp

Filesize
1.1MB

Download
memory/4328-261-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/4328-263-0x00000000045F0000-0x00000000073AD000-memory.dmp

Filesize
45.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads