guloader | 3901899b68107339513878c5a32c351f4ce28f82c479490a8350922acb04c8e3 | Triage

Sharing

General

Target

3901899b68107339513878c5a32c351f4ce28f82c479490a8350922acb04c8e3
Size

12KB
Sample

240916-mle15asgmk
MD5

3008b31178ac2615f800c60ea1944cb1
SHA1

c09e4fb93aec8c762beebac0e7c453fd8da70318
SHA256

3901899b68107339513878c5a32c351f4ce28f82c479490a8350922acb04c8e3
SHA512

0a7ff145564c8d4417d9b1bc378aebddfb4810701ad986fa40d1ab8255305705ef9259d17df08befc3d50ea4388f67cd45fff2c16160348bf6212705ede0d852
SSDEEP

384:wXHYGtqC9/L4OMjFybvhJgOQpyBxmADoQ/y45Vb:w37qy4GvhJEs3mHsVb

Score

10^/10

guloader remcos remotehost discovery downloader execution rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

a458386d9.duckdns.org:3256

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
delete_file
false
hide_file
true
hide_keylog_file
false
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-WDQFG0
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  Faktura_VAT__U2409161195150793564·pdf.vbs
- Size
  
  39KB
- MD5
  
  a8eaec0ce9a1a02805ca7248d61dce62
- SHA1
  
  3adc63cda4f1d797b49b0ae721cbb41caecda524
- SHA256
  
  c54caab4e2957ad82b579e23bb079984b7aaf13484f8c5989a6b4aa84048bc2c
- SHA512
  
  aac88d2ba244c376eee4ce0ea38050b95e45f682d7f667b11d016e77822484864f5c6b7fa8b0ea6bc98463c2e3dcfd0bdc3bd2bc16204368109512d28ecd472a
- SSDEEP
  
  384:Z9vOg3gWe95Arw8M+OJWlZjYUKsA8r7Opt/in6M6zyQQZWnspmErww6u3TTluQeW:Zp3gWU8MaSpBm6eMs34W30atvp
Score

10^/10

guloader discovery downloader execution remcos remotehost rat
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Legitimate hosting services abused for malware hosting/C2
- Network Service Discovery
  Attempt to gather information on host's network.
  discovery
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

guloaderdiscoverydownloaderexecution

behavioral2

guloaderremcosremotehostdiscoverydownloaderexecutionrat