guloader | 6e849f1461600cf9c9d15613932c2ea2878cf71d3718d12d1c049c37c57d5d72

General

Target

Paidcopy2405.exe
Size

287KB
MD5

0bee9c66a24645fe6468160cd38d3193
SHA1

75d66ad59ae896649cb6967ae0dc6a1384504b12
SHA256

6e849f1461600cf9c9d15613932c2ea2878cf71d3718d12d1c049c37c57d5d72
SHA512

3b3476074cf2038dfa6a072de3bc2cc0e069d2f9288a16b49bc249668d5c0427bbe30d4c0b50b6b2565ada24a1a63d9ac0ce14d6ae03aa8d19cf7bca1581e2d3
SSDEEP

6144:X6bAcJKdUzKcKcgJcgYubVuXLlN5LUumyb4jHqNqoaZOE94ydnNh:IudUzhdcbb6lLUK4jUqbZ1

Score

10^/10

guloader remcos remotehost collection downloader rat spyware stealer

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

185.222.58.62:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-GVORXS
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

NirSoft MailPassView 2 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/2840-53-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral2/memory/2840-45-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/3040-44-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral2/memory/3040-61-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 7 IoCs

resource	yara_rule
behavioral2/memory/3164-54-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/3164-56-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/2840-53-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/3164-52-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/2840-45-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/3040-44-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/3040-61-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

Loads dropped DLL 1 IoCs

pid	Process
3452	Paidcopy2405.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Paidcopy2405.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
3344	Paidcopy2405.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
3452	Paidcopy2405.exe
3344	Paidcopy2405.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3452 set thread context of 3344	3452	Paidcopy2405.exe	87
PID 3344 set thread context of 3040	3344	Paidcopy2405.exe	88
PID 3344 set thread context of 2840	3344	Paidcopy2405.exe	89
PID 3344 set thread context of 3164	3344	Paidcopy2405.exe	90

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3040	Paidcopy2405.exe
3040	Paidcopy2405.exe
3164	Paidcopy2405.exe
3164	Paidcopy2405.exe
3040	Paidcopy2405.exe
3040	Paidcopy2405.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
3452	Paidcopy2405.exe
3344	Paidcopy2405.exe
3344	Paidcopy2405.exe
3344	Paidcopy2405.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3164	Paidcopy2405.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3452 wrote to memory of 3344	3452	Paidcopy2405.exe	87
PID 3452 wrote to memory of 3344	3452	Paidcopy2405.exe	87
PID 3452 wrote to memory of 3344	3452	Paidcopy2405.exe	87
PID 3452 wrote to memory of 3344	3452	Paidcopy2405.exe	87
PID 3452 wrote to memory of 3344	3452	Paidcopy2405.exe	87
PID 3344 wrote to memory of 3040	3344	Paidcopy2405.exe	88
PID 3344 wrote to memory of 3040	3344	Paidcopy2405.exe	88
PID 3344 wrote to memory of 3040	3344	Paidcopy2405.exe	88
PID 3344 wrote to memory of 2840	3344	Paidcopy2405.exe	89
PID 3344 wrote to memory of 2840	3344	Paidcopy2405.exe	89
PID 3344 wrote to memory of 2840	3344	Paidcopy2405.exe	89
PID 3344 wrote to memory of 3164	3344	Paidcopy2405.exe	90
PID 3344 wrote to memory of 3164	3344	Paidcopy2405.exe	90
PID 3344 wrote to memory of 3164	3344	Paidcopy2405.exe	90

C:\Users\Admin\AppData\Local\Temp\Paidcopy2405.exe
"C:\Users\Admin\AppData\Local\Temp\Paidcopy2405.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3452
- C:\Users\Admin\AppData\Local\Temp\Paidcopy2405.exe
  "C:\Users\Admin\AppData\Local\Temp\Paidcopy2405.exe"
  2⤵
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3344
- - C:\Users\Admin\AppData\Local\Temp\Paidcopy2405.exe
    C:\Users\Admin\AppData\Local\Temp\Paidcopy2405.exe /stext "C:\Users\Admin\AppData\Local\Temp\hpijsvbliipv"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3040
- - C:\Users\Admin\AppData\Local\Temp\Paidcopy2405.exe
    C:\Users\Admin\AppData\Local\Temp\Paidcopy2405.exe /stext "C:\Users\Admin\AppData\Local\Temp\jjvutnmmeqhirbk"
    3⤵
    - Accesses Microsoft Outlook accounts
    PID:2840
- - C:\Users\Admin\AppData\Local\Temp\Paidcopy2405.exe
    C:\Users\Admin\AppData\Local\Temp\Paidcopy2405.exe /stext "C:\Users\Admin\AppData\Local\Temp\udamuffgsyznupyytr"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\App.ini

Filesize
77B

MD5
ddd376a95ddc2715dc01e4fe83bb895f

SHA1
2749ee1ec57060cba70fab5e09ef876dedc3e961

SHA256
19c23c544cb1ac28b9b18c995ead99d5555c5dbb0b46d8b5cddc4e10823eb296

SHA512
9d93f8df126b40237804e07abd2a61a1909eeb75093e1f71bdffe73f39f8300c92d9fe63cd8388f5e4f9967645f942fd4922d6040b96e663d3b9d7bdd98ae0d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\hpijsvbliipv

Filesize
4KB

MD5
18b6368b183e546a35847ae24b4b2913

SHA1
040545f7ac2c987d2a79b5e7f1cf9ab83bd25923

SHA256
54c101b6b1241b6a0574a66e5a5b9bddc6c60a4daf7338dba6fe3f65b27382af

SHA512
68ba8734016705cd12bf9d7ce41d5c823b2ec6ce9ee1ee7e9da9efcd9c88ef1f1b18148d91ad6a271c7a88d4ca098a99198ca709fcf217f9b1fa18f74c48d698

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp51EA.tmp\System.dll

Filesize
11KB

MD5
9625d5b1754bc4ff29281d415d27a0fd

SHA1
80e85afc5cccd4c0a3775edbb90595a1a59f5ce0

SHA256
c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448

SHA512
dce52b640897c2e8dbfd0a1472d5377fa91fb9cf1aeff62604d014bccbe5b56af1378f173132abeb0edd18c225b9f8f5e3d3e72434aed946661e036c779f165b

Download Submit
memory/2840-43-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2840-42-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2840-45-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2840-53-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3040-44-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3040-61-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3040-40-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3040-41-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3164-49-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3164-47-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3164-54-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3164-56-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3164-52-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3344-33-0x00000000007D0000-0x0000000001A24000-memory.dmp

Filesize
18.3MB

Download
memory/3344-70-0x00000000007D0000-0x0000000001A24000-memory.dmp

Filesize
18.3MB

Download
memory/3344-79-0x00000000007D0000-0x0000000001A24000-memory.dmp

Filesize
18.3MB

Download
memory/3344-31-0x00000000007D0000-0x0000000001A24000-memory.dmp

Filesize
18.3MB

Download
memory/3344-30-0x0000000001A30000-0x0000000004310000-memory.dmp

Filesize
40.9MB

Download
memory/3344-75-0x00000000007D0000-0x0000000001A24000-memory.dmp

Filesize
18.3MB

Download
memory/3344-73-0x00000000007D0000-0x0000000001A24000-memory.dmp

Filesize
18.3MB

Download
memory/3344-72-0x00000000007D0000-0x0000000001A24000-memory.dmp

Filesize
18.3MB

Download
memory/3344-63-0x0000000034F10000-0x0000000034F29000-memory.dmp

Filesize
100KB

Download
memory/3344-66-0x0000000034F10000-0x0000000034F29000-memory.dmp

Filesize
100KB

Download
memory/3344-67-0x0000000034F10000-0x0000000034F29000-memory.dmp

Filesize
100KB

Download
memory/3344-68-0x00000000007D0000-0x0000000001A24000-memory.dmp

Filesize
18.3MB

Download
memory/3344-69-0x0000000001A30000-0x0000000004310000-memory.dmp

Filesize
40.9MB

Download
memory/3344-71-0x00000000007D0000-0x0000000001A24000-memory.dmp

Filesize
18.3MB

Download
memory/3452-38-0x0000000004560000-0x0000000006E40000-memory.dmp

Filesize
40.9MB

Download
memory/3452-27-0x0000000004560000-0x0000000006E40000-memory.dmp

Filesize
40.9MB

Download
memory/3452-28-0x00000000773F1000-0x0000000077511000-memory.dmp

Filesize
1.1MB

Download
memory/3452-29-0x0000000010004000-0x0000000010005000-memory.dmp

Filesize
4KB

Download
memory/3452-32-0x0000000004560000-0x0000000006E40000-memory.dmp

Filesize
40.9MB

Download

Analysis

Sharing