guloader | a833220123f1e042399406b33817c857fec4d4471f9332b02abc390e11dae2e4

General

Target

q.exe
Size

380KB
MD5

c1e9cae3895e47557c49da02e857331d
SHA1

cd606c216cdf514fd64b714037a75250007d90b7
SHA256

a833220123f1e042399406b33817c857fec4d4471f9332b02abc390e11dae2e4
SHA512

f4ede6b4caf0267888fe5cfaacfd808a4ef15c5b87f186211c57a75d77b3d4915e2851662e0528370deec6a4f974dce95ce1bd6df1a62c6675ce0d1bf717a486
SSDEEP

6144:HT4DtVpZI3UNm5XuEneTjst4l4hjVKLWWC4OZol37D3XmkL+VHjFz3+vaEfT:HTgUUEeTmzJKaYOGlXnoDdqlT

Score

10^/10

guloader remcos top downloader persistence rat

Malware Config

Extracted

Family

remcos

Botnet

Top

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
keylog_crypt
false
keylog_file
mqerms.dat
keylog_flag
false
keylog_path
%AppData%
mouse_option
false
mutex
alpwovnb-G3F5OR
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Startup key = "%Mesoderms% -windowstyle minimized $Priorized82=(Get-ItemProperty -Path 'HKCU:\\runos\\').Exsolved;%Mesoderms% ($Priorized82)"	reg.exe

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

Processes:

wab.exe

pid process

3048 wab.exe
3048 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exewab.exe

pid process

2820 powershell.exe
3048 wab.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 2820 set thread context of 3048 2820 powershell.exe wab.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2008 reg.exe

pid	process
3048	wab.exe
3048	wab.exe

description	pid	process	target process
PID 2820 set thread context of 3048	2820	powershell.exe	wab.exe

pid	process
2008	reg.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exe

pid	process
2820	powershell.exe
2820	powershell.exe
2820	powershell.exe
2820	powershell.exe
2820	powershell.exe
2820	powershell.exe
2820	powershell.exe
2820	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

2820 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2820 powershell.exe

description	pid	process
Token: SeDebugPrivilege	2820	powershell.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

q.exepowershell.exewab.execmd.exe

description	pid	process	target process
PID 2884 wrote to memory of 2820	2884	q.exe	powershell.exe
PID 2884 wrote to memory of 2820	2884	q.exe	powershell.exe
PID 2884 wrote to memory of 2820	2884	q.exe	powershell.exe
PID 2884 wrote to memory of 2820	2884	q.exe	powershell.exe
PID 2820 wrote to memory of 2736	2820	powershell.exe	cmd.exe
PID 2820 wrote to memory of 2736	2820	powershell.exe	cmd.exe
PID 2820 wrote to memory of 2736	2820	powershell.exe	cmd.exe
PID 2820 wrote to memory of 2736	2820	powershell.exe	cmd.exe
PID 2820 wrote to memory of 3048	2820	powershell.exe	wab.exe
PID 2820 wrote to memory of 3048	2820	powershell.exe	wab.exe
PID 2820 wrote to memory of 3048	2820	powershell.exe	wab.exe
PID 2820 wrote to memory of 3048	2820	powershell.exe	wab.exe
PID 2820 wrote to memory of 3048	2820	powershell.exe	wab.exe
PID 2820 wrote to memory of 3048	2820	powershell.exe	wab.exe
PID 3048 wrote to memory of 2692	3048	wab.exe	cmd.exe
PID 3048 wrote to memory of 2692	3048	wab.exe	cmd.exe
PID 3048 wrote to memory of 2692	3048	wab.exe	cmd.exe
PID 3048 wrote to memory of 2692	3048	wab.exe	cmd.exe
PID 2692 wrote to memory of 2008	2692	cmd.exe	reg.exe
PID 2692 wrote to memory of 2008	2692	cmd.exe	reg.exe
PID 2692 wrote to memory of 2008	2692	cmd.exe	reg.exe
PID 2692 wrote to memory of 2008	2692	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\q.exe
"C:\Users\Admin\AppData\Local\Temp\q.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2884

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -windowstyle hidden "$Pareiasaurus=Get-Content 'C:\Users\Admin\AppData\Local\tjurhane\fasciolidae\stinksvampen\Pidginizing\Halvpunkt240\Forblack231\Otiatric\Ergs.Tha';$Zoneindelingerne=$Pareiasaurus.SubString(56195,3);.$Zoneindelingerne($Pareiasaurus)"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2820

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
3⤵
PID:2736

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
3⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:3048

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Mesoderms% -windowstyle minimized $Priorized82=(Get-ItemProperty -Path 'HKCU:\runos\').Exsolved;%Mesoderms% ($Priorized82)"
4⤵
- Suspicious use of WriteProcessMemory
PID:2692

C:\Windows\SysWOW64\reg.exe
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Mesoderms% -windowstyle minimized $Priorized82=(Get-ItemProperty -Path 'HKCU:\runos\').Exsolved;%Mesoderms% ($Priorized82)"
5⤵
- Adds Run key to start application
- Modifies registry key
PID:2008

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
2a76b31fb8fe9b2cadb76780defbe912

SHA1
ef11de80345f42a0f4a849d757f455f6f29e0efb

SHA256
f9f609635c029f7567af2fd2bcda342ad1da68968b580a6920f8a7331c3a1430

SHA512
49aa85fe0417f89cb78ffb450856df2f29c5680865bf8a3b5d06d8feb31d82c52a59b551918605d5552927e0a1a887367dee062d81b75a6a41232c4c44ba4cdd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B

MD5
95b12cff6314807a27021862353b153a

SHA1
071e17488417f5abd6a31559767681938b1b60ba

SHA256
47ad188835043d422b414328144a4f139529003db141249c74565c7013570bf7

SHA512
d8012a1dec8b1bdbb580c49bebee160b7e6abdab06a8ce3aceef9f63ecf158787d3614720f86ae1f4d9793fca7d4ebfff9ecf34b1272b55168386afcf5d1eb6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7303.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\tjurhane\fasciolidae\stinksvampen\Bilipurpurin.Sla
Filesize
322KB

MD5
a6b465587a24051a3267f7097e93b1cf

SHA1
74bfbb11eaf146ea85a7fe21371e4810c7539fa3

SHA256
88761c61c887cc09658beef749102a2b17cc1752a10087146899e2ac8cf340c5

SHA512
321d1cc296e456df43e722a1551959ad4aa5be868f88ad7fe4d08c6b35d2cdedb813f7869be130c6b69cd31199c56adc2cc1a2052ee3720197e659c6a39a1be5

Download Submit
C:\Users\Admin\AppData\Local\tjurhane\fasciolidae\stinksvampen\Pidginizing\Halvpunkt240\Forblack231\Otiatric\Ergs.Tha
Filesize
54KB

MD5
1c0b0b1677e6a0e8e41383703430a228

SHA1
3226cc511cb4ee3c4d8fc85f8309e769b588c59f

SHA256
056096bc668ccf068617f877b2d960d93fcc3f2bfcf6dc51e3e6ee1a5c83cdb8

SHA512
b8856417ec13d2be0b53d74ec4a3b22784b5fa6ae0b2fd5d3cb21863103d01526ab60de2432e0532fcb27c36bc39d69e8178b1a8cc08f05a95c6bf591b581902

Download Submit
memory/2820-14-0x0000000002D10000-0x0000000002D50000-memory.dmp

Filesize
256KB

Download
memory/2820-13-0x0000000073B00000-0x00000000740AB000-memory.dmp

Filesize
5.7MB

Download
memory/2820-12-0x0000000006620000-0x0000000008575000-memory.dmp

Filesize
31.3MB

Download
memory/2820-6-0x0000000073B00000-0x00000000740AB000-memory.dmp

Filesize
5.7MB

Download
memory/2820-7-0x0000000073B00000-0x00000000740AB000-memory.dmp

Filesize
5.7MB

Download
memory/2820-8-0x0000000002D10000-0x0000000002D50000-memory.dmp

Filesize
256KB

Download
memory/3048-120-0x0000000000690000-0x00000000016F2000-memory.dmp

Filesize
16.4MB

Download
memory/3048-121-0x0000000001700000-0x0000000003655000-memory.dmp

Filesize
31.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads