guloader | 4c978f15572a2b4a8205658fbdad088683c97a15b3b2ebf6104f79d95f7d86a5 | Triage

Sharing

General

Target

4c978f15572a2b4a8205658fbdad088683c97a15b3b2ebf6104f79d95f7d86a5
Size

427KB
Sample

240912-ba9ktasgme
MD5

e2d874fcc4e0e091c9293722cd6adc0f
SHA1

bc420d445cba67a0a49d1470e009cf51ba6d949f
SHA256

4c978f15572a2b4a8205658fbdad088683c97a15b3b2ebf6104f79d95f7d86a5
SHA512

50b4ff19a451e9cd888dea57877f8812984d35d547e3957579b378bc9be475366f841fa99e3d3e2df3fcd0e7d89b8c9cec2d7342de66a7ea3b2e246871bdcea3
SSDEEP

12288:kq0zE8qWCttpN9CwetnaF8t/oPz8pNNnaUX+BdE9G:/W9qWCttv5iPt/BpN0Uub

Score

10^/10

guloader remcos remcohost discovery downloader execution rat

Malware Config

Extracted

Family

remcos

Botnet

RemcoHost

C2

91.92.255.64:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-5MDDGY
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  Inquiry sheet.exe
- Size
  
  735KB
- MD5
  
  aefec84b0cf65067ab3252ffa4138be9
- SHA1
  
  8428b6535d5f0ffd40a11caa713a7b1b053b5fd4
- SHA256
  
  dfa4504070e1c32a693e9f6d89dc381e114efb66e450bb2ebcd4594fa06d1568
- SHA512
  
  01485b43db4f1dc13f94ae3969d1e0e38e16c0fdb94a76e7d3d8241a411f9cc0dd2f9c85f8f84b159d3b0849059e693e9a84a76b32cf58bbd5a323dd0fa63810
- SSDEEP
  
  12288:WnPdCpJPjzlM9caF8tZoP78pNNVyUX+9dc9a:qPdUJPFM9c5tZvpNmUuZ
Score

10^/10

guloader remcos remcohost discovery downloader execution rat
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

guloaderremcosremcohostdiscoverydownloaderexecutionrat

behavioral2

discoveryexecution