guloader | eb1183f6f4fa252c4f3b66ae4424bc7785eaf3089ba89dafc86e5a8393ff6c01 | Triage

Sharing

General

Target

SIGN_O0305538279_pdf.zip
Size

332KB
Sample

240412-cwajaafg2v
MD5

41ce071356f16846742bf93e004be202
SHA1

723e7a6087653fdb6405c43ab233ae53070d41a2
SHA256

eb1183f6f4fa252c4f3b66ae4424bc7785eaf3089ba89dafc86e5a8393ff6c01
SHA512

7be22157fbfe0a9bdb321f64aeccf014ca17b2c521e7763bcac373df7701c765c6d4ba91dffaffe24bf1021b2ae8769d43395f4179580f1196e835707d339d4b
SSDEEP

6144:wmnARJy5JBaK5o0eZ9VtzBi0PJZ7IbFUe7LAB/Oujh5DUUck3LO49hlSwHRq:JAw5o0Y7zXPIc/7jhFJck3hSN

Score

10^/10

guloader remcos remotehost downloader persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

a458386d9.duckdns.org:3256

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
true
hide_keylog_file
false
install_flag
true
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-KQ00DZ
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  SIGN_O0305538279·pdf.vbs
- Size
  
  674KB
- MD5
  
  ee18a12f0c79b4ac228025b83ec43938
- SHA1
  
  f29ad3e06b23e7aacca219fd747fde72f9d5162a
- SHA256
  
  22a2cfbda9c7a790c6d1c3771c5a93cabc30abacb83670c73f3844fc49b23416
- SHA512
  
  cbeecf8447415a4050f9e79304287d8eab0000f7a2a4afee5b4c350ef76dae228d4fcf7dc2ba0563ba2723a8596c6b08c11bca77b95dde0b14270ab0bb0baea6
- SSDEEP
  
  12288:3c/6T75JYBpvoalqV9PjpfgtQY+yveJ0Psg/:3c65uBpD0bPjpfZMeyz
Score

10^/10

guloader remcos remotehost downloader persistence rat
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

guloaderremcosremotehostdownloaderpersistencerat

behavioral2