guloader | 92d1e524ad186c9eee020e49e42a4b420b8ddaa5f2174690295786df3d9f7cd9

General

Target

PR 1000231795.exe
Size

749KB
MD5

cae3afdd724de922b10dd64584e774f1
SHA1

d03bc1c01bd39d1aac23a3bfddf36f47c99f0dcd
SHA256

92d1e524ad186c9eee020e49e42a4b420b8ddaa5f2174690295786df3d9f7cd9
SHA512

8ca15921c8fbd3ecd3cdb05e4587b3836ca71c14032fd80ea50b121e7c7d57e4ba6c58329188649ab52749e631b3fc41fbec56d0ae3160aaee41a0162f2abd8b
SSDEEP

12288:mcBqxnyFHaxV22XOPIUuXiBi/ixxZskvmtPA9Ts0Xz2xZN8EwQUlE7WUC6uI2N6:mGqtyFHaxywzXiumxZNwAy0jmv8XQUOP

Score

10^/10

guloader remcos remotehost discovery downloader execution rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

23.227.202.48:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-UQVC8D
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2424	powershell.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2608	wabmig.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2424	powershell.exe
2608	wabmig.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2424 set thread context of 2608	2424	powershell.exe	34

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Stupidestes112\Exclusionist.big	PR 1000231795.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\divisionally.Acr	PR 1000231795.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PR 1000231795.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wabmig.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2424	powershell.exe
2424	powershell.exe
2424	powershell.exe
2424	powershell.exe
2424	powershell.exe
2424	powershell.exe
2424	powershell.exe
2424	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2424	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2424	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2608	wabmig.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1916 wrote to memory of 2424	1916	PR 1000231795.exe	30
PID 1916 wrote to memory of 2424	1916	PR 1000231795.exe	30
PID 1916 wrote to memory of 2424	1916	PR 1000231795.exe	30
PID 1916 wrote to memory of 2424	1916	PR 1000231795.exe	30
PID 2424 wrote to memory of 2608	2424	powershell.exe	34
PID 2424 wrote to memory of 2608	2424	powershell.exe	34
PID 2424 wrote to memory of 2608	2424	powershell.exe	34
PID 2424 wrote to memory of 2608	2424	powershell.exe	34
PID 2424 wrote to memory of 2608	2424	powershell.exe	34
PID 2424 wrote to memory of 2608	2424	powershell.exe	34

C:\Users\Admin\AppData\Local\Temp\PR 1000231795.exe
"C:\Users\Admin\AppData\Local\Temp\PR 1000231795.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -windowstyle hidden "$Sustainment163=Get-Content 'C:\Users\Admin\AppData\Local\pyromanis\Fahrenheittermometret\Harquebusade\Vehefterne\Ewery.Cal';$Underretningernes=$Sustainment163.SubString(702,3);.$Underretningernes($Sustainment163)
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2424
- - C:\Program Files (x86)\windows mail\wabmig.exe
    "C:\Program Files (x86)\windows mail\wabmig.exe"
    3⤵
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
f740b7d7a8de055fb32ebe7ecaea41a1

SHA1
e50cc35200883a94b18632b996417cb2e08611f2

SHA256
c8a3e295ce516dcb028e7aaecf53ec0ba9ab2653bfe231b94a8c8ce7e5d9da82

SHA512
703d9c60fd7a2ef399d22fc30620f195b5d83274aae149f02a7bc834d05bd934fe758300fed89a3fb613208d3f56c047d65c5d05adc442a6a50e3213d28f0d81

Download Submit
C:\Users\Admin\AppData\Local\pyromanis\Fahrenheittermometret\Harquebusade\Vehefterne\Ewery.Cal

Filesize
70KB

MD5
c3441391a31d9f2d0e3a28796b372ed7

SHA1
17b1fbd3ed6e55a2fa9136d58a4c83dfe5b4d8a1

SHA256
c126133825166f5edd56a7bc04f1e62604896b169d2eb23259877e6c3d824da9

SHA512
5f8caf6dd323652d820baa7f6d9e58755edd4defaddc0694c1e2d425834fe47a31b4d2e69164ff7a11c7704497d1bf2d27607bd9d18861f96ae2302ca889e31d

Download Submit
C:\Users\Admin\AppData\Local\pyromanis\Fahrenheittermometret\Harquebusade\Velgennemproevet.Sub

Filesize
352KB

MD5
0f9a0ca4a24509bd1d2745a6df9103c4

SHA1
d17e12c3cd1c04e315fd978e33530c5e19e5d0d3

SHA256
fb5f515aebeaf042d08c97ae56cbf0bee9997f870447916da7a1127760468e3b

SHA512
dd1064f628b4443d3c3ccf27374dd587b1daa4a04442e4b61c19f71d6dc43a7faf5a37dcb187caaa5afa083d8c7bd07497bff2c7784b0064ad86dc2e6bf5ce98

Download Submit
memory/2424-9-0x0000000074531000-0x0000000074532000-memory.dmp

Filesize
4KB

Download
memory/2424-11-0x0000000074530000-0x0000000074ADB000-memory.dmp

Filesize
5.7MB

Download
memory/2424-10-0x0000000074530000-0x0000000074ADB000-memory.dmp

Filesize
5.7MB

Download
memory/2424-12-0x0000000074530000-0x0000000074ADB000-memory.dmp

Filesize
5.7MB

Download
memory/2424-15-0x0000000074530000-0x0000000074ADB000-memory.dmp

Filesize
5.7MB

Download
memory/2424-17-0x0000000074530000-0x0000000074ADB000-memory.dmp

Filesize
5.7MB

Download
memory/2424-18-0x00000000066C0000-0x000000000955D000-memory.dmp

Filesize
46.6MB

Download
memory/2424-19-0x0000000074530000-0x0000000074ADB000-memory.dmp

Filesize
5.7MB

Download
memory/2608-24-0x0000000000CA0000-0x0000000001D02000-memory.dmp

Filesize
16.4MB

Download
memory/2608-40-0x0000000000CA0000-0x0000000001D02000-memory.dmp

Filesize
16.4MB

Download
memory/2608-28-0x0000000000CA0000-0x0000000001D02000-memory.dmp

Filesize
16.4MB

Download
memory/2608-31-0x0000000000CA0000-0x0000000001D02000-memory.dmp

Filesize
16.4MB

Download
memory/2608-20-0x0000000001D10000-0x0000000004BAD000-memory.dmp

Filesize
46.6MB

Download
memory/2608-34-0x0000000000CA0000-0x0000000001D02000-memory.dmp

Filesize
16.4MB

Download
memory/2608-37-0x0000000000CA0000-0x0000000001D02000-memory.dmp

Filesize
16.4MB

Download
memory/2608-21-0x0000000000CA0000-0x0000000001D02000-memory.dmp

Filesize
16.4MB

Download
memory/2608-43-0x0000000000CA0000-0x0000000001D02000-memory.dmp

Filesize
16.4MB

Download
memory/2608-46-0x0000000000CA0000-0x0000000001D02000-memory.dmp

Filesize
16.4MB

Download
memory/2608-49-0x0000000000CA0000-0x0000000001D02000-memory.dmp

Filesize
16.4MB

Download
memory/2608-52-0x0000000000CA0000-0x0000000001D02000-memory.dmp

Filesize
16.4MB

Download
memory/2608-55-0x0000000000CA0000-0x0000000001D02000-memory.dmp

Filesize
16.4MB

Download
memory/2608-58-0x0000000000CA0000-0x0000000001D02000-memory.dmp

Filesize
16.4MB

Download
memory/2608-61-0x0000000000CA0000-0x0000000001D02000-memory.dmp

Filesize
16.4MB

Download

Analysis

Sharing