guloader | 4ea7ab88b5127c37a343f3a7be7d184ce36b8086d0eede593418be394d2f0e06 | Triage

Submit
Reports

Overview

overview

Static

static

1

1a5e416c52...92.exe

windows7-x64

1a5e416c52...92.exe

windows10-2004-x64

Platymeria...ts.ps1

windows7-x64

8

Platymeria...ts.ps1

windows10-2004-x64

8

Scotches.app

macos-10.15-amd64

1

Sharing

General

Target

4ea7ab88b5127c37a343f3a7be7d184ce36b8086d0eede593418be394d2f0e06
Size

834KB
Sample

240417-rnc2rsda7z
MD5

dfa6b1c1db071523eab9c6d00907b52e
SHA1

5c1a3fe0d6345d97ba93a3d1519a6df6b20e047e
SHA256

4ea7ab88b5127c37a343f3a7be7d184ce36b8086d0eede593418be394d2f0e06
SHA512

66a7617ce6659698bd40ca5352e56f475f21ea42c93b3d8c3b143d06a6161fb67b8de7faf961d1c04e588d6e414f4d3e8226127e9a295f851bf3c6bb3805c211
SSDEEP

24576:V07yKmQ8wSwy0og7Rx6ifIDvEvZ9DLEUwp:y7yKYwvouxQvEvLLERp

Score

10^/10

guloader remcos bro collection downloader macos persistence rat

Static task

static1

Behavioral task

behavioral1

Sample

1a5e416c52c05aa813b4baaeddf2a13945fc20d667c13fbafe4e52d73ce17292.exe

Resource

win7-20240221-en

guloader remcos bro downloader persistence rat

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

1a5e416c52c05aa813b4baaeddf2a13945fc20d667c13fbafe4e52d73ce17292.exe

Resource

win10v2004-20240412-en

guloader remcos bro collection downloader persistence rat

windows10-2004-x64

21 signatures

150 seconds

Behavioral task

behavioral3

Sample

Platymeria/Udraabsordets.ps1

Resource

win7-20231129-en

windows7-x64

9 signatures

150 seconds

Behavioral task

behavioral4

Sample

Platymeria/Udraabsordets.ps1

Resource

win10v2004-20240412-en

windows10-2004-x64

10 signatures

150 seconds

Behavioral task

behavioral5

Sample

Scotches.app

Resource

macos-20240410-en

macos-10.15-amd64

0 signatures

150 seconds

Malware Config

Extracted

Family

remcos

Botnet

Bro

C2

trfsgysu28opask01.duckdns.org:9702

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
keylog_crypt
false
keylog_file
mziseotosg.dat
keylog_flag
false
keylog_path
%AppData%
mouse_option
false
mutex
mbvieortc-RKDCUR
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  1a5e416c52c05aa813b4baaeddf2a13945fc20d667c13fbafe4e52d73ce17292.exe
- Size
  
  951KB
- MD5
  
  01fe5e5c4b48be008eaa91ec7e6f2c5a
- SHA1
  
  d99ffa5535eb4d9399aa85fe5af77028cadaaa85
- SHA256
  
  1a5e416c52c05aa813b4baaeddf2a13945fc20d667c13fbafe4e52d73ce17292
- SHA512
  
  80872c8251ce2cfc1550a7bb272a2f8ef6976eb1b1615a14fc53b4748d62c3f0749f38fa99df3e2c8641ba3ef54567ca6cf867ee4714999f04c72089bb5d24f3
- SSDEEP
  
  24576:ycx2DOGnZwpLrYRJBDwbFZ+9ND/2oKRMiYaSHVDfZ:ycx3GerKfED+uoKR3YaMVDfZ
Score

10^/10

guloader remcos bro downloader persistence rat collection
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  Platymeria/Udraabsordets.Lia
- Size
  
  51KB
- MD5
  
  26cd7d4a866ed00259c14fd3b49db0ba
- SHA1
  
  e673f01ca0a7f868763efa179040855d624bf788
- SHA256
  
  ec23b8ccd7b12f810e9ebc31ae5bb5d6a1f5e4eea41405cb19e74dc099eea6bb
- SHA512
  
  a5379755573c631456aa6b15917673f026938cc0bab20d5486bb32543b54a79e69f64b70d9f8ab485f138561a024be41b7830def388c24a1fdbe745c46f544dc
- SSDEEP
  
  1536:4CpmfTVSL++Nq8rRPT8VwJWITjvHkAMLGu1FhOtq7R:bmxSL++NqQ17JWAvHMq0Ey
Score

8^/10

persistence
- Modifies Installed Components in the registry
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral3 behavioral4
- Target
  
  Scotches.App
- Size
  
  334KB
- MD5
  
  111510302e6d3db7a95aa3bbc22da619
- SHA1
  
  61ed4d0fb44c0219d3525efabbdc4fd1efa8d6f9
- SHA256
  
  8b1079d62c7307739df4f300d2eff507847bcb237c78f4143047074e716ae78f
- SHA512
  
  93a030d749968f2a9ba3f909b9d81d4490c4eaf958986d10bc6f5d9e29f47a55cdffe6c3e9fbbf7ea6244a2010315abbfd273b18d0cbd1f3eceac81acc455ffa
- SSDEEP
  
  6144:OTYGj0Lv88TxjUPpoHO2t9boR6+8Br4o7wn5t+XW7FUKEquZVmmYu83MTpy7f:h4WUCWPpoHjtVoI+8Bo5t+CWqDJBCyL
Score

1^/10
behavioral5

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Query Registry

Peripheral Device Discovery

Lateral Movement

Collection

Email Collection

Exfiltration

Command and Control

Web Service

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

guloaderremcosbrodownloaderpersistencerat

behavioral2

guloaderremcosbrocollectiondownloaderpersistencerat

behavioral3

behavioral4

behavioral5

© 2018-2024

Terms | Privacy