guloader | 2181299d4ea8b342a975ace1aed20c49c9ec86d46af6575f31ac1cfcbc240d68

General

Target

KZ710-0038.exe
Size

519KB
MD5

cfd30b0bf833178f0d730ae3703b4c56
SHA1

de278f275878b570ce2a5efb69456555e888eaae
SHA256

2181299d4ea8b342a975ace1aed20c49c9ec86d46af6575f31ac1cfcbc240d68
SHA512

109deb972cf14b889687ffd58587a603fd9bd4b2a744bc4fb033552e8148a7232e8021db973432335a9ea1dcc2518effee11eb57ad85c3b34d2239fcc50461b9
SSDEEP

6144:sp8oOpVQtWBonIuwtkzixAn9EF99+wykDaxfnasuDjvdjplyTztn1xT4p+/l/JbX:po+VIWBonIuwQn9EF99+SDRfnqBr+KsW

Score

10^/10

guloader remcos remotehost collection credential_access discovery downloader rat spyware stealer

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

162.251.122.106:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-A7EXAF
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Detected Nirsoft tools 7 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/3636-30-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/3636-34-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/1236-29-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/3636-32-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/2476-40-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/2476-41-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/1236-50-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/3636-30-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral2/memory/3636-34-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral2/memory/3636-32-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/1236-29-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral2/memory/1236-50-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Loads dropped DLL 1 IoCs

pid	Process
2080	KZ710-0038.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	KZ710-0038.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
3972	KZ710-0038.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2080	KZ710-0038.exe
3972	KZ710-0038.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2080 set thread context of 3972	2080	KZ710-0038.exe	95
PID 3972 set thread context of 1236	3972	KZ710-0038.exe	98
PID 3972 set thread context of 3636	3972	KZ710-0038.exe	99
PID 3972 set thread context of 2476	3972	KZ710-0038.exe	100

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KZ710-0038.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KZ710-0038.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KZ710-0038.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KZ710-0038.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KZ710-0038.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1236	KZ710-0038.exe
1236	KZ710-0038.exe
2476	KZ710-0038.exe
2476	KZ710-0038.exe
1236	KZ710-0038.exe
1236	KZ710-0038.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
2080	KZ710-0038.exe
3972	KZ710-0038.exe
3972	KZ710-0038.exe
3972	KZ710-0038.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2476	KZ710-0038.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3972	KZ710-0038.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 3972	2080	KZ710-0038.exe	95
PID 2080 wrote to memory of 3972	2080	KZ710-0038.exe	95
PID 2080 wrote to memory of 3972	2080	KZ710-0038.exe	95
PID 2080 wrote to memory of 3972	2080	KZ710-0038.exe	95
PID 2080 wrote to memory of 3972	2080	KZ710-0038.exe	95
PID 3972 wrote to memory of 1236	3972	KZ710-0038.exe	98
PID 3972 wrote to memory of 1236	3972	KZ710-0038.exe	98
PID 3972 wrote to memory of 1236	3972	KZ710-0038.exe	98
PID 3972 wrote to memory of 3636	3972	KZ710-0038.exe	99
PID 3972 wrote to memory of 3636	3972	KZ710-0038.exe	99
PID 3972 wrote to memory of 3636	3972	KZ710-0038.exe	99
PID 3972 wrote to memory of 2476	3972	KZ710-0038.exe	100
PID 3972 wrote to memory of 2476	3972	KZ710-0038.exe	100
PID 3972 wrote to memory of 2476	3972	KZ710-0038.exe	100

C:\Users\Admin\AppData\Local\Temp\KZ710-0038.exe
"C:\Users\Admin\AppData\Local\Temp\KZ710-0038.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Users\Admin\AppData\Local\Temp\KZ710-0038.exe
  "C:\Users\Admin\AppData\Local\Temp\KZ710-0038.exe"
  2⤵
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3972
- - C:\Users\Admin\AppData\Local\Temp\KZ710-0038.exe
    C:\Users\Admin\AppData\Local\Temp\KZ710-0038.exe /stext "C:\Users\Admin\AppData\Local\Temp\kgzoothljzlfwvkpz"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1236
- - C:\Users\Admin\AppData\Local\Temp\KZ710-0038.exe
    C:\Users\Admin\AppData\Local\Temp\KZ710-0038.exe /stext "C:\Users\Admin\AppData\Local\Temp\uamgolrexhdkgbytifkm"
    3⤵
    - Accesses Microsoft Outlook accounts
    - System Location Discovery: System Language Discovery
    PID:3636
- - C:\Users\Admin\AppData\Local\Temp\KZ710-0038.exe
    C:\Users\Admin\AppData\Local\Temp\KZ710-0038.exe /stext "C:\Users\Admin\AppData\Local\Temp\xcrrhekglpvpiquxzpwnrstp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3964,i,15436195446242760253,4000484513008731869,262144 --variations-seed-version --mojo-platform-channel-handle=4212 /prefetch:8
1⤵
PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
ef97cc40677c8e3848c3f61fa6fe8402

SHA1
da624d276950db26edb6eb03a0c95636be3282dd

SHA256
5c89e35631a54806f24a625c45f3ae0145d3cf90073b162959701aeec8f48b2d

SHA512
17af0d5345c7f4c339687102896ae215cd32f7e8bb5225c1567cda8bf0d4c903be44e472caa79f642ffdc50edec5272c2ce1db17ae910c1af69b073a849bb0c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\kgzoothljzlfwvkpz

Filesize
4KB

MD5
cda83eba5a004554ccdc061fd3df499c

SHA1
58ff2ecb9d47be10335e104896c87c62dc328523

SHA256
e384f4d46587646c6e0f9d2ee90b7bc57b49cea936b37cf8ab81ef3c4ce468ac

SHA512
f55ce20f0cf8b603fad765b889607f967c22d377fa4ac417ba1309d0aced9231e197bb4107d1c92bb99f51c04cc68ce26148727a8b694886710100c01f3de597

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz505E.tmp\System.dll

Filesize
11KB

MD5
3f176d1ee13b0d7d6bd92e1c7a0b9bae

SHA1
fe582246792774c2c9dd15639ffa0aca90d6fd0b

SHA256
fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e

SHA512
0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6

Download Submit
memory/1236-25-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1236-27-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1236-50-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1236-29-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2080-12-0x00000000029E0000-0x000000000510D000-memory.dmp

Filesize
39.2MB

Download
memory/2080-13-0x0000000076EB1000-0x0000000076FD1000-memory.dmp

Filesize
1.1MB

Download
memory/2080-21-0x00000000029E0000-0x000000000510D000-memory.dmp

Filesize
39.2MB

Download
memory/2080-11-0x00000000029E0000-0x000000000510D000-memory.dmp

Filesize
39.2MB

Download
memory/2080-14-0x0000000010004000-0x0000000010005000-memory.dmp

Filesize
4KB

Download
memory/2476-41-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2476-40-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2476-33-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2476-39-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3636-30-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3636-28-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3636-32-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3636-34-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3636-26-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3972-22-0x00000000016C0000-0x0000000003DED000-memory.dmp

Filesize
39.2MB

Download
memory/3972-17-0x0000000000460000-0x00000000016B4000-memory.dmp

Filesize
18.3MB

Download
memory/3972-16-0x0000000000460000-0x00000000016B4000-memory.dmp

Filesize
18.3MB

Download
memory/3972-53-0x0000000034DB0000-0x0000000034DC9000-memory.dmp

Filesize
100KB

Download
memory/3972-57-0x0000000034DB0000-0x0000000034DC9000-memory.dmp

Filesize
100KB

Download
memory/3972-56-0x0000000034DB0000-0x0000000034DC9000-memory.dmp

Filesize
100KB

Download
memory/3972-58-0x0000000000460000-0x00000000016B4000-memory.dmp

Filesize
18.3MB

Download
memory/3972-61-0x0000000000460000-0x00000000016B4000-memory.dmp

Filesize
18.3MB

Download
memory/3972-15-0x00000000016C0000-0x0000000003DED000-memory.dmp

Filesize
39.2MB

Download
memory/3972-64-0x0000000000460000-0x00000000016B4000-memory.dmp

Filesize
18.3MB

Download
memory/3972-67-0x0000000000460000-0x00000000016B4000-memory.dmp

Filesize
18.3MB

Download
memory/3972-70-0x0000000000460000-0x00000000016B4000-memory.dmp

Filesize
18.3MB

Download
memory/3972-82-0x0000000000460000-0x00000000016B4000-memory.dmp

Filesize
18.3MB

Download
memory/3972-85-0x0000000000460000-0x00000000016B4000-memory.dmp

Filesize
18.3MB

Download
memory/3972-88-0x0000000000460000-0x00000000016B4000-memory.dmp

Filesize
18.3MB

Download
memory/3972-91-0x0000000000460000-0x00000000016B4000-memory.dmp

Filesize
18.3MB

Download

Analysis

Sharing