guloader | 9612bdf95adfb2b39930e025fa8e7b14ac96112b232586ddd45fc839eb59c836

Sharing

Copy URL

Twitter E-mail

General

Target

9612bdf95adfb2b39930e025fa8e7b14ac96112b232586ddd45fc839eb59c836.exe
Size

367KB
Sample

240523-b7b1tahd55
MD5

575a456e17b2f57fd8916c13085b5aac
SHA1

b49687b43069bd67acc14066d8cdd53f19ac59d1
SHA256

9612bdf95adfb2b39930e025fa8e7b14ac96112b232586ddd45fc839eb59c836
SHA512

494cf5a2fa7296e0e61d18fa6c89ddc4e943db3e6690c4edf26cd18fe0099be1dd0dc4f4184c86156cd0ddc3eb671e90ee7eb8521a83be237e7037f7cf1bee12
SSDEEP

6144:wQ606xhLEeGsClQTAgJeCNoDObrV6BOJaB+f+aBL5k84mK3OqFyhvnv/F:wNTwaAgoCNoDO6uaBM+8kOKlyhvnHF

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

CEYE

64.188.26.202:1604

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
Vexploio.exe
copy_folder
Vexplo
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-RXKA3P
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  9612bdf95adfb2b39930e025fa8e7b14ac96112b232586ddd45fc839eb59c836.exe
- Size
  
  367KB
- MD5
  
  575a456e17b2f57fd8916c13085b5aac
- SHA1
  
  b49687b43069bd67acc14066d8cdd53f19ac59d1
- SHA256
  
  9612bdf95adfb2b39930e025fa8e7b14ac96112b232586ddd45fc839eb59c836
- SHA512
  
  494cf5a2fa7296e0e61d18fa6c89ddc4e943db3e6690c4edf26cd18fe0099be1dd0dc4f4184c86156cd0ddc3eb671e90ee7eb8521a83be237e7037f7cf1bee12
- SSDEEP
  
  6144:wQ606xhLEeGsClQTAgJeCNoDObrV6BOJaB+f+aBL5k84mK3OqFyhvnv/F:wNTwaAgoCNoDO6uaBM+8kOKlyhvnHF
Score

10^/10

guloader remcos ceye downloader persistence rat
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/Banner.dll
- Size
  
  4KB
- MD5
  
  0d5428f7920274caedfa8f2ae980e196
- SHA1
  
  ce2ca2381a4b9ed9f06f6af5a183a840de290c3f
- SHA256
  
  4083bef584ad6793b3d57e3e3f764a31afac876412df65c5da5afee76bbd1e10
- SHA512
  
  78419752f3e6579f7caf1f9bab70a46ac2b0a7c5f08eb8604e927baea611c182133ce8d58929a059f22e6c2befb5ff0c24ee6500d0708bc884a65e395ea7c4cf
Score

1^/10
behavioral3 behavioral4
- Target
  
  $PLUGINSDIR/BgImage.dll
- Size
  
  7KB
- MD5
  
  9436196007f65f0ae96f64b1c8b2572e
- SHA1
  
  4b004b5c2865c9450876be83faa8cc96e1d12c01
- SHA256
  
  286f246ee18bf91c4a80fa2cdb61077a4bcf0a3fd6582be4b4ab6a5cb3de44c9
- SHA512
  
  5c172675fbbea214471ac35eebaa6ab9bd1306268144085adbad3bba4a815430ed028cac169e8b5a6fd00818684f65d7bdd32f11773bc6152e62ef80f895d35e
- SSDEEP
  
  96:8egk1LFJaO1/radJEaYtv1Zs4lkL8y3A2EN8Cmy3uT24j7J3kWyy/:t7TJa2roqJyA2EN8diuTHje
Score

1^/10
behavioral5 behavioral6
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  8b3830b9dbf87f84ddd3b26645fed3a0
- SHA1
  
  223bef1f19e644a610a0877d01eadc9e28299509
- SHA256
  
  f004c568d305cd95edbd704166fcd2849d395b595dff814bcc2012693527ac37
- SHA512
  
  d13cfd98db5ca8dc9c15723eee0e7454975078a776bce26247228be4603a0217e166058ebadc68090afe988862b7514cb8cb84de13b3de35737412a6f0a8ac03
- SSDEEP
  
  192:ex24sihno00Wfl97nH6BenXwWobpWBTtvShJ5omi7dJWjOlESlS:h8QIl972eXqlWBFSt273YOlEz
Score

3^/10
behavioral7 behavioral8
- Target
  
  $PLUGINSDIR/nsDialogs.dll
- Size
  
  9KB
- MD5
  
  82c3f38cd34739872af07443c65d0bd8
- SHA1
  
  1f4ee2d394404a291eda6419f856adaf4b960237
- SHA256
  
  59cdb2c12d5635fd25af4007b70222507948be41fa9885b7f07967c2510a5311
- SHA512
  
  3a81c0613b1ea906ad4f103b02620217de69a8676dbb7ec41cf31f342a0a74562815a8d4f2efe9866fc16365f58524ac71652e99920acea355f020028775743d
- SSDEEP
  
  192:ow8cSzvTyl4tgi8pPjQM0PuAg0YNy+IFtSP:lBSzm+t18pZ0WAg0R+IFg
Score

3^/10
behavioral10 behavioral9
- Target
  
  Rapparees/Depredatory/Sabbatters.app
- Size
  
  1KB
- MD5
  
  6d05f4d490578ac56f35a2fb0fdc48c3
- SHA1
  
  98cbe66769dca00383a1e6345a0af8d8f5158802
- SHA256
  
  68c60b54d23a7eac7decbd381934147857868b1b5f14a5087cc7d691f68670d6
- SHA512
  
  0d038240e209b7b478d66800c76668fe40b10ffca149b1920946fb025ba5f1be9f20cd75e689cae6c9e5d9c2f722bf54b5bc2783602a0379def34be48e6753b5
Score

4^/10

evasion
behavioral11

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Hide Artifacts

T1564

Resource Forking

T1564.009

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

Sharing

General

Malware Config

Extracted

Targets

Guloader,Cloudeye

Remcos

Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11