guloader | c4e9719f719092bcb6dac7893d6e3601a32ff93a9ff5d51ba55af82cebd902f5 | Triage

Submit
Reports

Overview

overview

Static

static

3

HSBC PAYME...DF.exe

windows7-x64

HSBC PAYME...DF.exe

windows10-2004-x64

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

Raasejlenes106.app

macos-10.15-amd64

4

Sharing

General

Target

HSBC PAYMENT CONFIRMATION COPY.PDF.exe
Size

692KB
Sample

240521-c3kylafa98
MD5

904ff58ae02442b30663c9be0f4d9e77
SHA1

9009f89ab55e84c8bbf70303247c62f8048deb77
SHA256

c4e9719f719092bcb6dac7893d6e3601a32ff93a9ff5d51ba55af82cebd902f5
SHA512

46aceab3cd6a6ba0ad1405d4c4f124863f4fc07a5dd0ee7df2c210c285eeb0c367d91d4e7e6e7c4865e6f494dbd3c211fb09ff4485621f69e819be3ebbb722fa
SSDEEP

12288:K2Co9kUzVAtb/WMdXDKDAObjsZt7P68BmPE:Kt39W8aTbjsH7P

Score

10^/10

guloader remcos remotehost collection downloader evasion macos rat spyware stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

HSBC PAYMENT CONFIRMATION COPY.PDF.exe

Resource

win7-20240508-en

guloader remcos remotehost collection downloader rat spyware stealer

windows7-x64

18 signatures

150 seconds

Behavioral task

behavioral2

Sample

HSBC PAYMENT CONFIRMATION COPY.PDF.exe

Resource

win10v2004-20240226-en

guloader remcos remotehost collection downloader rat spyware stealer

windows10-2004-x64

18 signatures

150 seconds

Behavioral task

behavioral3

Sample

$PLUGINSDIR/System.dll

Resource

win7-20240508-en

windows7-x64

2 signatures

150 seconds

Behavioral task

behavioral4

Sample

$PLUGINSDIR/System.dll

Resource

win10v2004-20240508-en

windows10-2004-x64

2 signatures

150 seconds

Behavioral task

behavioral5

Sample

Raasejlenes106.app

Resource

macos-20240410-en

macos-10.15-amd64

1 signatures

150 seconds

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

93.95.115.2:9462

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-VI6D4O
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  HSBC PAYMENT CONFIRMATION COPY.PDF.exe
- Size
  
  692KB
- MD5
  
  904ff58ae02442b30663c9be0f4d9e77
- SHA1
  
  9009f89ab55e84c8bbf70303247c62f8048deb77
- SHA256
  
  c4e9719f719092bcb6dac7893d6e3601a32ff93a9ff5d51ba55af82cebd902f5
- SHA512
  
  46aceab3cd6a6ba0ad1405d4c4f124863f4fc07a5dd0ee7df2c210c285eeb0c367d91d4e7e6e7c4865e6f494dbd3c211fb09ff4485621f69e819be3ebbb722fa
- SSDEEP
  
  12288:K2Co9kUzVAtb/WMdXDKDAObjsZt7P68BmPE:Kt39W8aTbjsH7P
Score

10^/10

guloader remcos remotehost collection downloader rat spyware stealer
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook accounts
  collection
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  75ed96254fbf894e42058062b4b4f0d1
- SHA1
  
  996503f1383b49021eb3427bc28d13b5bbd11977
- SHA256
  
  a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7
- SHA512
  
  58174896db81d481947b8745dafe3a02c150f3938bb4543256e8cce1145154e016d481df9fe68dac6d48407c62cbe20753320ebd5fe5e84806d07ce78e0eb0c4
- SSDEEP
  
  192:X24sihno0bW+l97H4GB7QDs91kMtwtobTr4u+QHbazMNHT7dmNIEr:m8vJl97JeoxtN/r3z7YV
Score

3^/10
behavioral3 behavioral4
- Target
  
  Raasejlenes106.app
- Size
  
  233KB
- MD5
  
  158b99c7bfaa74f4be68700ce566a550
- SHA1
  
  d1969716076d71e474ce83670e80cb1b6299ad40
- SHA256
  
  de89eb65a4e1a9879ecb935e5e2f98ababa3fc08486bc94f619a0d2ccb97e969
- SHA512
  
  1b3cea9638433730a1dddb2470f26fb2095a4fc0a2deb060c5206b28c27842428825f25cb9d8470f03c4172b662096b75c14956ee8a4c13c1a47d848a8ad02e1
- SSDEEP
  
  384:pmcJvhCqDL5dxCdvxQ/RQHEwR9EQ3n8X6upt:rJg8JQJCaVMvt
Score

4^/10

evasion
behavioral5

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

Resource Forking

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

guloaderremcosremotehostcollectiondownloaderratspywarestealer

behavioral2

guloaderremcosremotehostcollectiondownloaderratspywarestealer

behavioral3

behavioral4

behavioral5

© 2018-2024

Terms | Privacy