guloader | 0283ac18b6cd19f4ddacef6c878069f856820fd7c7ce5a5b90cbfce31ca5657f | Triage

Sharing

General

Target

6754a5938953902145151e2bacfcfd6e55d6f943464fecbc10ce13fd7cc130c5.zip
Size

11KB
Sample

240922-lwhdkatdjc
MD5

9ed9e93a3e4ee8a5a67d38592925d47d
SHA1

bf4eb99a5803c584066acd8f1dcb0add6986a14f
SHA256

0283ac18b6cd19f4ddacef6c878069f856820fd7c7ce5a5b90cbfce31ca5657f
SHA512

2bef14cc800d9703a268f9cf15282d01a64463885f2d2a7ee79f2941b7f6085057bea89c2171df5dd9c9a398199019e162b8c473567b47132367d375a59dd6d3
SSDEEP

192:ueNVXvUGZKFCEekiSDbYOmRKGcygqgNL7z92jLcEIiZZTpF1Q5eYsEYWU9yg7Msq:um1UGZKsELtbY7oViEahZZTpFcpbxU9O

Score

10^/10

guloader remcos remotehost discovery downloader rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

a458386d9.duckdns.org:3256

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
delete_file
false
hide_file
true
hide_keylog_file
false
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-WDQFG0
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  6754a5938953902145151e2bacfcfd6e55d6f943464fecbc10ce13fd7cc130c5.vbe
- Size
  
  33KB
- MD5
  
  3d931d67341a7178eed6018098e82026
- SHA1
  
  28738415421b3631245b7f8939ff625bb2d56d7a
- SHA256
  
  6754a5938953902145151e2bacfcfd6e55d6f943464fecbc10ce13fd7cc130c5
- SHA512
  
  7ba628cd12f11eede084bdc30a29c1d1092b14ba468bcbab319b327e637ffb49d825298402ec4389f8e9032a4741a8ca015132d47a31336e8cb4e56750f9f979
- SSDEEP
  
  384:Z9vOg3Z9KsZOs0gN/C2NE3+DEytdZbFo/SwiKFTblveb0fyio/:Zp3Z/N/C2K3v2LfwiKFsk4
Score

10^/10

guloader discovery downloader remcos remotehost rat
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

guloaderdiscoverydownloader

behavioral2

guloaderremcosremotehostdiscoverydownloaderrat