guloader | 86501b9b040efe6e4e14f4cc59f5a3de7f271a1843067c5f88b28732506e5871

General

Target

86501b9b040efe6e4e14f4cc59f5a3de7f271a1843067c5f88b28732506e5871
Size

228KB
Sample

240417-saqldaee7x
MD5

fdd5e4a6cfb853cd2151cfc7da171204
SHA1

4f9a2b364901bd1532d341e4fec81fe4e2b7e39a
SHA256

86501b9b040efe6e4e14f4cc59f5a3de7f271a1843067c5f88b28732506e5871
SHA512

5b22bcb559e9cc57475d767360fd3a99f80363ac08c67afdc033d0dfb133c7915d8545be405bce0f8c2b2ac934a3a4d351c01ef73df5d33186f8450e3658ff87
SSDEEP

6144:M5miD9g8k7l+Z+RBxXDy1GHjo0PIx9Odj5:shql+ZEBxXDy1ujt49Odj5

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

194.147.140.205:4040

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-RJDWXW
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe
- Size
  
  242KB
- MD5
  
  4e4bc21a1c1a34037e44db52a50086d5
- SHA1
  
  1419003d268ef43d3128c11f92e9533793b07320
- SHA256
  
  59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4
- SHA512
  
  2ee099ce340f23a535726a4310d0e40fabd23e3e4ded625fe4fc18ea2cda3c6346d28a14f91c73f01161d572e30090de124ca32e05265ce387dc737869db27a0
- SSDEEP
  
  6144:jmGIhq8Q9AiAaK1Ga4my15stpehMPoCYRZ5oXuc81/L:qu8xpQm/abCMZcuc81T
Score

10^/10

guloader remcos remotehost downloader persistence rat
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  12KB
- MD5
  
  0d7ad4f45dc6f5aa87f606d0331c6901
- SHA1
  
  48df0911f0484cbe2a8cdd5362140b63c41ee457
- SHA256
  
  3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
- SHA512
  
  c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9
- SSDEEP
  
  192:1enY0LWelt70elWjvfstJcVtwtYbjnIOg5AaDnbC7ypXhtIj:18PJlt70esj0Mt9vn6ay6
Score

3^/10
behavioral3 behavioral4
- Target
  
  $PLUGINSDIR/nsExec.dll
- Size
  
  6KB
- MD5
  
  ec0504e6b8a11d5aad43b296beeb84b2
- SHA1
  
  91b5ce085130c8c7194d66b2439ec9e1c206497c
- SHA256
  
  5d9ceb1ce5f35aea5f9e5a0c0edeeec04dfefe0c77890c80c70e98209b58b962
- SHA512
  
  3f918f1b47e8a919cbe51eb17dc30acc8cfc18e743a1bae5b787d0db7d26038dc1210be98bf5ba3be8d6ed896dbbd7ac3d13e66454a98b2a38c7e69dad30bb57
- SSDEEP
  
  96:YjHFiKaoggCtJzTlKXb0tbo68qD853Ns7GgmkNq3m+s:JbogRtJzTlNR8qD85uGgmkNr
Score

3^/10
behavioral5 behavioral6