guloader | 6754a5938953902145151e2bacfcfd6e55d6f943464fecbc10ce13fd7cc130c5 | Triage

Sharing

General

Target

6754a5938953902145151e2bacfcfd6e55d6f943464fecbc10ce13fd7cc130c5.vbe
Size

33KB
Sample

240923-vt6g2svajk
MD5

3d931d67341a7178eed6018098e82026
SHA1

28738415421b3631245b7f8939ff625bb2d56d7a
SHA256

6754a5938953902145151e2bacfcfd6e55d6f943464fecbc10ce13fd7cc130c5
SHA512

7ba628cd12f11eede084bdc30a29c1d1092b14ba468bcbab319b327e637ffb49d825298402ec4389f8e9032a4741a8ca015132d47a31336e8cb4e56750f9f979
SSDEEP

384:Z9vOg3Z9KsZOs0gN/C2NE3+DEytdZbFo/SwiKFTblveb0fyio/:Zp3Z/N/C2K3v2LfwiKFsk4

Score

10^/10

guloader remcos remotehost discovery downloader rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

a458386d9.duckdns.org:3256

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
delete_file
false
hide_file
true
hide_keylog_file
false
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-WDQFG0
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  6754a5938953902145151e2bacfcfd6e55d6f943464fecbc10ce13fd7cc130c5.vbe
- Size
  
  33KB
- MD5
  
  3d931d67341a7178eed6018098e82026
- SHA1
  
  28738415421b3631245b7f8939ff625bb2d56d7a
- SHA256
  
  6754a5938953902145151e2bacfcfd6e55d6f943464fecbc10ce13fd7cc130c5
- SHA512
  
  7ba628cd12f11eede084bdc30a29c1d1092b14ba468bcbab319b327e637ffb49d825298402ec4389f8e9032a4741a8ca015132d47a31336e8cb4e56750f9f979
- SSDEEP
  
  384:Z9vOg3Z9KsZOs0gN/C2NE3+DEytdZbFo/SwiKFTblveb0fyio/:Zp3Z/N/C2K3v2LfwiKFsk4
Score

10^/10

guloader remcos remotehost discovery downloader rat
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

guloaderremcosremotehostdiscoverydownloaderrat

behavioral2

guloaderdiscoverydownloader