guloader | b7d97410c347d47f45e49a7b19736ff47b019c2abd47eb09aba5cd9143b826de

General

Target

b7d97410c347d47f45e49a7b19736ff47b019c2abd47eb09aba5cd9143b826de.exe
Size

394KB
Sample

240529-b9zjwsdf8t
MD5

46f33e36640b9015918a8aa583eef0e2
SHA1

61cd4c1c1811c15917d35b0b8b81526e823c11e0
SHA256

b7d97410c347d47f45e49a7b19736ff47b019c2abd47eb09aba5cd9143b826de
SHA512

412cd977523d2bd4c37d0b7813bd7cc7ac63792d8f56ac8f66c4d45d908e3b02d434f50c39ccb4ddb533e06a3ad8fdcb814403b8c79e13fc51322c2847e9d8f7
SSDEEP

12288:6PV2e33RSsaxpSIWHDJORsu+JgIhygoRu6Xf:ed4saxpSbjsRIrySGf

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

CLIENT

C2

107.150.18.202:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-J3QQTH
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  b7d97410c347d47f45e49a7b19736ff47b019c2abd47eb09aba5cd9143b826de.exe
- Size
  
  394KB
- MD5
  
  46f33e36640b9015918a8aa583eef0e2
- SHA1
  
  61cd4c1c1811c15917d35b0b8b81526e823c11e0
- SHA256
  
  b7d97410c347d47f45e49a7b19736ff47b019c2abd47eb09aba5cd9143b826de
- SHA512
  
  412cd977523d2bd4c37d0b7813bd7cc7ac63792d8f56ac8f66c4d45d908e3b02d434f50c39ccb4ddb533e06a3ad8fdcb814403b8c79e13fc51322c2847e9d8f7
- SSDEEP
  
  12288:6PV2e33RSsaxpSIWHDJORsu+JgIhygoRu6Xf:ed4saxpSbjsRIrySGf
Score

10^/10

guloader remcos client collection downloader persistence rat spyware stealer
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
- Detects executables built or packed with MPress PE compressor
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
- Detects executables referencing many email and collaboration clients. Observed in information stealers
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  fbe295e5a1acfbd0a6271898f885fe6a
- SHA1
  
  d6d205922e61635472efb13c2bb92c9ac6cb96da
- SHA256
  
  a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1
- SHA512
  
  2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06
- SSDEEP
  
  192:yPtkiQJr7V9r3Ftr87NfwXQ6whlgi62V7i77blbTc4DI:N7Vxr8IgLgi3sVc4
Score

3^/10
behavioral3 behavioral4