guloader | 465c444d20b3e265e924360ced45ea8e6e8ef2cdf46ed4d7ae71ed9e1e4e10ca | Triage

Sharing

General

Target

465c444d20b3e265e924360ced45ea8e6e8ef2cdf46ed4d7ae71ed9e1e4e10ca
Size

352KB
Sample

240818-fx9ljszgjk
MD5

e75439b20cab586a15874a864706f328
SHA1

8e9382773296854a253f9c7840d5b3d54d2f041b
SHA256

465c444d20b3e265e924360ced45ea8e6e8ef2cdf46ed4d7ae71ed9e1e4e10ca
SHA512

9eaf218719e734a5c76393861de269f7ad114aa1f3f803308c85086c85992b5df461e1e6b05e187ca6cd7ea4c7f3361efd1b1803a196914054c8eb32164b6818
SSDEEP

6144:2qlonWp9KdXv6gvNSS8aVr0nbUlUq1IJ8JaDlpiBpe7QRfH91w42/TARn:LonNigvona10Jq1vQZQ73z2/0Rn

Score

10^/10

guloader remcos benchao discovery downloader rat

Malware Config

Extracted

Family

remcos

Botnet

benchao

C2

tochisglobal.ddns.net:6426

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-9R4HLX
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  1619172a202b25aff96beb80b21fbda70ed92237a88a7a4d990f5de77b19677d.exe
- Size
  
  519KB
- MD5
  
  aaf009498fd654fe098a30d1ec1d3120
- SHA1
  
  d6de6ea6d8deb0b700cda51e8f366d3a333ffa29
- SHA256
  
  1619172a202b25aff96beb80b21fbda70ed92237a88a7a4d990f5de77b19677d
- SHA512
  
  6c601a13522500196ac58dc3b75ead4b438ddc149a4e1513a0657ea69be98845428f0bd76285218053532bfb59f702e091310dc92e00d9af1a7def2416581460
- SSDEEP
  
  6144:+xwgiJ4h+W4PQgPniiWn14owKYHvYLPG7nIsJmwu1WGFKPVMmNK1ftxU3WaN5rfx:cS4QZyn14rBHcgpJmwuAN7Cfn2v5P
Score

10^/10

discovery guloader remcos benchao downloader rat
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Loads dropped DLL
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/LangDLL.dll
- Size
  
  5KB
- MD5
  
  af4324802813a5a897db2167fc10e291
- SHA1
  
  916bd47457dcb4247743626e86492436b77bebf8
- SHA256
  
  92cb3b3a7280246743543325d3fe9a7d72c63227f9540d25d5ef27b2ce8856b4
- SHA512
  
  cb3e07c4558049634078808bd419860c6e2855a02bba79541cea80873fe6db58cf667a27c111521df09ef30f92c149736092c473fde28bbb5974be6d7ddab83c
- SSDEEP
  
  48:qcjtDVP10LgQL8QRU8IlmWm7WmnuWK8hSemoMqG5QEv8sF9UwofMU:xVPFQIqlemWm7WmTaehG+Ekq
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  12KB
- MD5
  
  6c38da8922cc37b4bbb77de4a63ad843
- SHA1
  
  4e0533fd11df8bddbd543ed58df7b6060d9f4631
- SHA256
  
  1624d9ad8b2e2658af224691263f64388ba3a997efe80011889e3c35237ce4c1
- SHA512
  
  ad0be3d7e57da9c304e9b9cac5341b6c76b157456ab44f5579d6c38c830a31c9c3e1e9a875b8f465243c607ea2ede6b0bb77237f17a70a4d4c78606e036c3430
- SSDEEP
  
  192:wA1YOTDExj7EFrYCT4E8y3hoSdtTgwF43E7QbGPXI9uIc6gn9Mw:QR7SrtTv53tdtTgwF4SQbGPX36g9Mw
Score

3^/10

discovery
behavioral5 behavioral6

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

guloaderremcosbenchaodiscoverydownloaderrat

behavioral3

behavioral4

behavioral5

behavioral6