guloader | cff42a20c90a525f62cf6c71c7362a9b94765f00f25c29faa20f2a0d67090ba8

General

Target

cff42a20c90a525f62cf6c71c7362a9b94765f00f25c29faa20f2a0d67090ba8.exe
Size

501KB
Sample

240913-b6968ayake
MD5

4c906f03f8cbdcd7c66a15f6c8498330
SHA1

91e1270fc52b760ff2913f2db910f78c6051b74d
SHA256

cff42a20c90a525f62cf6c71c7362a9b94765f00f25c29faa20f2a0d67090ba8
SHA512

2ca1a394952bf0cef296f9015585b9a3bc261958350ed19e43adc4e778050320d46ac7f1854093f330a4000e4123361765769db2a569f93750f917e10564f717
SSDEEP

12288:pbZxvzlLYN4fYSq7UpiiArc3mYAR27YAC1/:xZxpflpiFymHR2bI

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

102.165.14.28:26000

102.165.14.28:27000

102.165.14.28:28000

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-0V7E34
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  cff42a20c90a525f62cf6c71c7362a9b94765f00f25c29faa20f2a0d67090ba8.exe
- Size
  
  501KB
- MD5
  
  4c906f03f8cbdcd7c66a15f6c8498330
- SHA1
  
  91e1270fc52b760ff2913f2db910f78c6051b74d
- SHA256
  
  cff42a20c90a525f62cf6c71c7362a9b94765f00f25c29faa20f2a0d67090ba8
- SHA512
  
  2ca1a394952bf0cef296f9015585b9a3bc261958350ed19e43adc4e778050320d46ac7f1854093f330a4000e4123361765769db2a569f93750f917e10564f717
- SSDEEP
  
  12288:pbZxvzlLYN4fYSq7UpiiArc3mYAR27YAC1/:xZxpflpiFymHR2bI
Score

10^/10

guloader remcos remotehost collection credential_access discovery downloader rat spyware stealer
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Detected Nirsoft tools
  Free utilities often used by attackers which can steal passwords, product keys, etc.
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook accounts
  collection
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  9625d5b1754bc4ff29281d415d27a0fd
- SHA1
  
  80e85afc5cccd4c0a3775edbb90595a1a59f5ce0
- SHA256
  
  c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448
- SHA512
  
  dce52b640897c2e8dbfd0a1472d5377fa91fb9cf1aeff62604d014bccbe5b56af1378f173132abeb0edd18c225b9f8f5e3d3e72434aed946661e036c779f165b
- SSDEEP
  
  192:eX24sihno00Wfl97nH6BenXwWobpWBTtvShJ5omi7dJWjOlqSlS:D8QIl972eXqlWBFSt273YOlqz
Score

3^/10

discovery
behavioral3 behavioral4