guloader | 66cf6cd88bdf354015bf6fe3873cbb92e738177442c6d58bdfa92479e99b5ee5

General

Target

bf86a2ca1461479a33c704c80cef8a6b.bin
Size

435KB
Sample

240426-b5tsvaha7v
MD5

7202be6113c7ba2b532907bea7021ddf
SHA1

81fd90bcc2114ff484ec0bf20393057185cc783d
SHA256

66cf6cd88bdf354015bf6fe3873cbb92e738177442c6d58bdfa92479e99b5ee5
SHA512

dc7c9dc773df8ab102adc08fbbeea4cd17a41279b6c2b0db80a4b08e709c1b2e15359e91b19029aba30fe3a2bef2e78b469e217947a18d24f7faa2fd62e9429d
SSDEEP

6144:TNILT3CfhR6mVLyvhrb4Ck4kd0vgOCaqBErhfZbArh94Rb9i2BrBwfx2blG6xiem:ZILrCOiLKrb1+0dC1I9wKb9imieIBh

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

Top

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
keylog_crypt
false
keylog_file
mqerms.dat
keylog_flag
false
keylog_path
%AppData%
mouse_option
false
mutex
alpwovnb-G3F5OR
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  efa6ac55f8dbc8d81f1d82226090b0e7c84fac9a53bf597cbaa6623aff49310d.exe
- Size
  
  690KB
- MD5
  
  bf86a2ca1461479a33c704c80cef8a6b
- SHA1
  
  d1e328e1870c5c8b4cf9bf3af2188150c155a637
- SHA256
  
  efa6ac55f8dbc8d81f1d82226090b0e7c84fac9a53bf597cbaa6623aff49310d
- SHA512
  
  ab4ad977917361feb92122bff68d0bb3a2c8852a6afa78abded5353b2dc59deb8958738420af84e5f0e8630ea6d046e32ba089d25614373a263d173affed05cf
- SSDEEP
  
  12288:60oU0UEneHuDY7nCkEPaT24WxsTI8okD70a2ybmDIj8+uu3M6Je0:mxneHuDYukEPAWxsTILkDB247uu39d
Score

10^/10

guloader downloader persistence remcos top collection rat
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  Scrubbiest.Chy
- Size
  
  57KB
- MD5
  
  36f3eda8b46d735a96cb9165b92d06d3
- SHA1
  
  5b1a49b1eb273416216d37b658609bbef7476a7f
- SHA256
  
  2b3fd293b418e5a6e53a9236a84e66b61e5d2831b19a0618b1fb3333ed8122fa
- SHA512
  
  e280860d5d76bd7ebf97f02c4fb539d7349d616ac94dd2f6e3697a96a89afae4a904cca982863655d63fd8057c16201bc977b8f2929623a5940166b5e7180139
- SSDEEP
  
  1536:orx2kV6Y42Fd/rMDrp0Odx8xKg376Kb3RMNx2yqQRGgD:orlx67C137pjmNx2HQRL
Score

8^/10

persistence
- Modifies Installed Components in the registry
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral3 behavioral4