guloader | 1d6d63b8901bc80a11efb209bf189620b2ba252e80138564224e6ad3ece199ae

General

Target

1d6d63b8901bc80a11efb209bf189620b2ba252e80138564224e6ad3ece199ae.vbs
Size

14KB
Sample

240523-bj3tmagc28
MD5

cc0d3bd0295d7e43b783d4a0c36ca3e7
SHA1

c995bccdd522edc92374da5f8dba5fbbb702d8c5
SHA256

1d6d63b8901bc80a11efb209bf189620b2ba252e80138564224e6ad3ece199ae
SHA512

3772f7ac137307c3a3380b6b5c316bd62a07d2aab162650cfead07ed660cd2971220f7d5d88d2db25c122143c6c921991cc899381d5c7c1c078cda819fbf33d2
SSDEEP

192:pmZrDl6E84tSjHVq6UyG+Z0tw/uWhq/V0rXCeVE6pW9CAhlxy4fnp:cBvzCHVqD+Z0tw/uWkNiXC74kD7xjfnp

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

UJU WORK CLOUDEYE 2024

C2

myfrontmannysix.ddns.net:4939

backupfrontmanny.duckdns.org:4939

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
ioul.exe
copy_folder
uiyk
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
-JTLOM3
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  1d6d63b8901bc80a11efb209bf189620b2ba252e80138564224e6ad3ece199ae.vbs
- Size
  
  14KB
- MD5
  
  cc0d3bd0295d7e43b783d4a0c36ca3e7
- SHA1
  
  c995bccdd522edc92374da5f8dba5fbbb702d8c5
- SHA256
  
  1d6d63b8901bc80a11efb209bf189620b2ba252e80138564224e6ad3ece199ae
- SHA512
  
  3772f7ac137307c3a3380b6b5c316bd62a07d2aab162650cfead07ed660cd2971220f7d5d88d2db25c122143c6c921991cc899381d5c7c1c078cda819fbf33d2
- SSDEEP
  
  192:pmZrDl6E84tSjHVq6UyG+Z0tw/uWhq/V0rXCeVE6pW9CAhlxy4fnp:cBvzCHVqD+Z0tw/uWkNiXC74kD7xjfnp
Score

10^/10

guloader remcos uju work cloudeye 2024 collection downloader persistence rat
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
- Detects executables built or packed with MPress PE compressor
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
- Detects executables referencing many email and collaboration clients. Observed in information stealers
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2