guloader | a833220123f1e042399406b33817c857fec4d4471f9332b02abc390e11dae2e4

General

Target

q.exe
Size

380KB
Sample

240429-ncr5rshc23
MD5

c1e9cae3895e47557c49da02e857331d
SHA1

cd606c216cdf514fd64b714037a75250007d90b7
SHA256

a833220123f1e042399406b33817c857fec4d4471f9332b02abc390e11dae2e4
SHA512

f4ede6b4caf0267888fe5cfaacfd808a4ef15c5b87f186211c57a75d77b3d4915e2851662e0528370deec6a4f974dce95ce1bd6df1a62c6675ce0d1bf717a486
SSDEEP

6144:HT4DtVpZI3UNm5XuEneTjst4l4hjVKLWWC4OZol37D3XmkL+VHjFz3+vaEfT:HTgUUEeTmzJKaYOGlXnoDdqlT

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

Top

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
keylog_crypt
false
keylog_file
mqerms.dat
keylog_flag
false
keylog_path
%AppData%
mouse_option
false
mutex
alpwovnb-G3F5OR
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  q.exe
- Size
  
  380KB
- MD5
  
  c1e9cae3895e47557c49da02e857331d
- SHA1
  
  cd606c216cdf514fd64b714037a75250007d90b7
- SHA256
  
  a833220123f1e042399406b33817c857fec4d4471f9332b02abc390e11dae2e4
- SHA512
  
  f4ede6b4caf0267888fe5cfaacfd808a4ef15c5b87f186211c57a75d77b3d4915e2851662e0528370deec6a4f974dce95ce1bd6df1a62c6675ce0d1bf717a486
- SSDEEP
  
  6144:HT4DtVpZI3UNm5XuEneTjst4l4hjVKLWWC4OZol37D3XmkL+VHjFz3+vaEfT:HTgUUEeTmzJKaYOGlXnoDdqlT
Score

10^/10

guloader remcos top downloader persistence rat
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Adds Run key to start application
  persistence
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  Pidginizing/Halvpunkt240/Forblack231/Otiatric/Ergs.Tha
- Size
  
  54KB
- MD5
  
  1c0b0b1677e6a0e8e41383703430a228
- SHA1
  
  3226cc511cb4ee3c4d8fc85f8309e769b588c59f
- SHA256
  
  056096bc668ccf068617f877b2d960d93fcc3f2bfcf6dc51e3e6ee1a5c83cdb8
- SHA512
  
  b8856417ec13d2be0b53d74ec4a3b22784b5fa6ae0b2fd5d3cb21863103d01526ab60de2432e0532fcb27c36bc39d69e8178b1a8cc08f05a95c6bf591b581902
- SSDEEP
  
  768:NVOb/moCyL71NiFKFbshVB/RKpgdNfg5o6hwWPbIQ4bGkr1iDoxSP8Wej0aQ0wJ+:NVGmoCyH1LbQB/R45Wa/9D+lIJPgj
Score

8^/10

persistence
- Modifies Installed Components in the registry
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral3 behavioral4