guloader | 6e849f1461600cf9c9d15613932c2ea2878cf71d3718d12d1c049c37c57d5d72

General

Target

Paidcopy2405.exe
Size

287KB
MD5

0bee9c66a24645fe6468160cd38d3193
SHA1

75d66ad59ae896649cb6967ae0dc6a1384504b12
SHA256

6e849f1461600cf9c9d15613932c2ea2878cf71d3718d12d1c049c37c57d5d72
SHA512

3b3476074cf2038dfa6a072de3bc2cc0e069d2f9288a16b49bc249668d5c0427bbe30d4c0b50b6b2565ada24a1a63d9ac0ce14d6ae03aa8d19cf7bca1581e2d3
SSDEEP

6144:X6bAcJKdUzKcKcgJcgYubVuXLlN5LUumyb4jHqNqoaZOE94ydnNh:IudUzhdcbb6lLUK4jUqbZ1

Score

10^/10

guloader remcos remotehost collection downloader rat spyware stealer

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

185.222.58.62:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-GVORXS
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/2296-43-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral1/memory/2296-47-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral1/memory/2296-62-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral1/memory/2608-45-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/2608-44-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/2608-58-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 8 IoCs

resource	yara_rule
behavioral1/memory/2608-45-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/1680-53-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/1680-50-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/2608-44-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/2296-43-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral1/memory/2296-47-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral1/memory/2608-58-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/2296-62-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft

Loads dropped DLL 1 IoCs

pid	Process
2940	Paidcopy2405.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Paidcopy2405.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2736	Paidcopy2405.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2940	Paidcopy2405.exe
2736	Paidcopy2405.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2940 set thread context of 2736	2940	Paidcopy2405.exe	28
PID 2736 set thread context of 2608	2736	Paidcopy2405.exe	31
PID 2736 set thread context of 2296	2736	Paidcopy2405.exe	32
PID 2736 set thread context of 1680	2736	Paidcopy2405.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2608	Paidcopy2405.exe
2608	Paidcopy2405.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
2940	Paidcopy2405.exe
2736	Paidcopy2405.exe
2736	Paidcopy2405.exe
2736	Paidcopy2405.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1680	Paidcopy2405.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2940 wrote to memory of 2736	2940	Paidcopy2405.exe	28
PID 2940 wrote to memory of 2736	2940	Paidcopy2405.exe	28
PID 2940 wrote to memory of 2736	2940	Paidcopy2405.exe	28
PID 2940 wrote to memory of 2736	2940	Paidcopy2405.exe	28
PID 2940 wrote to memory of 2736	2940	Paidcopy2405.exe	28
PID 2940 wrote to memory of 2736	2940	Paidcopy2405.exe	28
PID 2736 wrote to memory of 2608	2736	Paidcopy2405.exe	31
PID 2736 wrote to memory of 2608	2736	Paidcopy2405.exe	31
PID 2736 wrote to memory of 2608	2736	Paidcopy2405.exe	31
PID 2736 wrote to memory of 2608	2736	Paidcopy2405.exe	31
PID 2736 wrote to memory of 2296	2736	Paidcopy2405.exe	32
PID 2736 wrote to memory of 2296	2736	Paidcopy2405.exe	32
PID 2736 wrote to memory of 2296	2736	Paidcopy2405.exe	32
PID 2736 wrote to memory of 2296	2736	Paidcopy2405.exe	32
PID 2736 wrote to memory of 1680	2736	Paidcopy2405.exe	33
PID 2736 wrote to memory of 1680	2736	Paidcopy2405.exe	33
PID 2736 wrote to memory of 1680	2736	Paidcopy2405.exe	33
PID 2736 wrote to memory of 1680	2736	Paidcopy2405.exe	33

C:\Users\Admin\AppData\Local\Temp\Paidcopy2405.exe
"C:\Users\Admin\AppData\Local\Temp\Paidcopy2405.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2940
- C:\Users\Admin\AppData\Local\Temp\Paidcopy2405.exe
  "C:\Users\Admin\AppData\Local\Temp\Paidcopy2405.exe"
  2⤵
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Users\Admin\AppData\Local\Temp\Paidcopy2405.exe
    C:\Users\Admin\AppData\Local\Temp\Paidcopy2405.exe /stext "C:\Users\Admin\AppData\Local\Temp\ljqixahaxjjggrvafhataqr"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2608
- - C:\Users\Admin\AppData\Local\Temp\Paidcopy2405.exe
    C:\Users\Admin\AppData\Local\Temp\Paidcopy2405.exe /stext "C:\Users\Admin\AppData\Local\Temp\odvbylsclrbtrxjmornvldeyme"
    3⤵
    - Accesses Microsoft Outlook accounts
    PID:2296
- - C:\Users\Admin\AppData\Local\Temp\Paidcopy2405.exe
    C:\Users\Admin\AppData\Local\Temp\Paidcopy2405.exe /stext "C:\Users\Admin\AppData\Local\Temp\yfblzdlvzztytlgqxcaonqypvltrcm"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ljqixahaxjjggrvafhataqr

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\Users\Admin\AppData\Local\Temp\nsy14D9.tmp\System.dll

Filesize
11KB

MD5
9625d5b1754bc4ff29281d415d27a0fd

SHA1
80e85afc5cccd4c0a3775edbb90595a1a59f5ce0

SHA256
c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448

SHA512
dce52b640897c2e8dbfd0a1472d5377fa91fb9cf1aeff62604d014bccbe5b56af1378f173132abeb0edd18c225b9f8f5e3d3e72434aed946661e036c779f165b

Download Submit
memory/1680-53-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1680-50-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1680-48-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1680-49-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2296-40-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2296-47-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2296-62-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2296-43-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2296-42-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2608-45-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2608-58-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2608-39-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2608-41-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2608-44-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2736-70-0x00000000007D0000-0x0000000001832000-memory.dmp

Filesize
16.4MB

Download
memory/2736-69-0x00000000007D0000-0x0000000001832000-memory.dmp

Filesize
16.4MB

Download
memory/2736-79-0x00000000007D0000-0x0000000001832000-memory.dmp

Filesize
16.4MB

Download
memory/2736-78-0x00000000007D0000-0x0000000001832000-memory.dmp

Filesize
16.4MB

Download
memory/2736-32-0x00000000007D0000-0x0000000001832000-memory.dmp

Filesize
16.4MB

Download
memory/2736-77-0x00000000007D0000-0x0000000001832000-memory.dmp

Filesize
16.4MB

Download
memory/2736-61-0x00000000007D0000-0x0000000001832000-memory.dmp

Filesize
16.4MB

Download
memory/2736-33-0x00000000007D0000-0x0000000001832000-memory.dmp

Filesize
16.4MB

Download
memory/2736-64-0x0000000033BF0000-0x0000000033C09000-memory.dmp

Filesize
100KB

Download
memory/2736-68-0x0000000033BF0000-0x0000000033C09000-memory.dmp

Filesize
100KB

Download
memory/2736-67-0x0000000033BF0000-0x0000000033C09000-memory.dmp

Filesize
100KB

Download
memory/2736-76-0x00000000007D0000-0x0000000001832000-memory.dmp

Filesize
16.4MB

Download
memory/2736-75-0x00000000007D0000-0x0000000001832000-memory.dmp

Filesize
16.4MB

Download
memory/2736-71-0x00000000007D0000-0x0000000001832000-memory.dmp

Filesize
16.4MB

Download
memory/2736-72-0x00000000007D0000-0x0000000001832000-memory.dmp

Filesize
16.4MB

Download
memory/2736-73-0x00000000007D0000-0x0000000001832000-memory.dmp

Filesize
16.4MB

Download
memory/2736-74-0x00000000007D0000-0x0000000001832000-memory.dmp

Filesize
16.4MB

Download
memory/2940-37-0x0000000004370000-0x0000000006C50000-memory.dmp

Filesize
40.9MB

Download
memory/2940-30-0x0000000077420000-0x00000000775C9000-memory.dmp

Filesize
1.7MB

Download
memory/2940-28-0x0000000004370000-0x0000000006C50000-memory.dmp

Filesize
40.9MB

Download
memory/2940-31-0x0000000004370000-0x0000000006C50000-memory.dmp

Filesize
40.9MB

Download
memory/2940-29-0x0000000077421000-0x0000000077522000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing