guloader | c5636797b8bad3e9ff18f51d269ace0948112d9ff03a9900a174687fec4bae3b

General

Target

7bd1cce43f6b48c8ddd492e5711fd17f.exe
Size

971KB
MD5

7bd1cce43f6b48c8ddd492e5711fd17f
SHA1

3f650d8993c542682aa61c725ea1bb4ee93d259a
SHA256

c5636797b8bad3e9ff18f51d269ace0948112d9ff03a9900a174687fec4bae3b
SHA512

fe804b78cd734192664366364b099a5676d58101b9fe03c40c925cfe1cc202a99e04094d0fa93338ed831015d7ccd2ede88f04ab3cf6410542853a5a228face2
SSDEEP

12288:5Ly0SryvXRpHnez0SBkasZa0kITLwn096zdZEkINz3WSV3:5Ly0SG/zHMBbsZadi80qZgNz3R

Score

10^/10

guloader remcos rem_doc2 discovery downloader execution persistence rat

Malware Config

Extracted

Family

remcos

Botnet

Rem_doc2

C2

107.173.4.16:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-DSGECX
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2140	powershell.exe

Loads dropped DLL 2 IoCs

pid	Process
2140	powershell.exe
2620	Conspect124.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\Startup key = "%Begunstigelses% -windowstyle minimized $Hjtryksryg=(Get-ItemProperty -Path 'HKCU:\\Forseglingens\\').Drenching;%Begunstigelses% ($Hjtryksryg)"	reg.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2620	Conspect124.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2140	powershell.exe
2620	Conspect124.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2140 set thread context of 2620	2140	powershell.exe	34

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\omdigtendes.udd	7bd1cce43f6b48c8ddd492e5711fd17f.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\brandbombernes.lnk	7bd1cce43f6b48c8ddd492e5711fd17f.exe
File opened for modification	C:\Windows\Fonts\knytt\Ballistics.mus	7bd1cce43f6b48c8ddd492e5711fd17f.exe
File opened for modification	C:\Windows\resources\villan\Knastakslerne.ini	7bd1cce43f6b48c8ddd492e5711fd17f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7bd1cce43f6b48c8ddd492e5711fd17f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conspect124.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2608	reg.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Conspect124.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Conspect124.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2140	powershell.exe
2140	powershell.exe
2140	powershell.exe
2140	powershell.exe
2140	powershell.exe
2140	powershell.exe
2140	powershell.exe
2140	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2140	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2140	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 2140	2524	7bd1cce43f6b48c8ddd492e5711fd17f.exe	30
PID 2524 wrote to memory of 2140	2524	7bd1cce43f6b48c8ddd492e5711fd17f.exe	30
PID 2524 wrote to memory of 2140	2524	7bd1cce43f6b48c8ddd492e5711fd17f.exe	30
PID 2524 wrote to memory of 2140	2524	7bd1cce43f6b48c8ddd492e5711fd17f.exe	30
PID 2140 wrote to memory of 2620	2140	powershell.exe	34
PID 2140 wrote to memory of 2620	2140	powershell.exe	34
PID 2140 wrote to memory of 2620	2140	powershell.exe	34
PID 2140 wrote to memory of 2620	2140	powershell.exe	34
PID 2140 wrote to memory of 2620	2140	powershell.exe	34
PID 2140 wrote to memory of 2620	2140	powershell.exe	34
PID 2620 wrote to memory of 2712	2620	Conspect124.exe	35
PID 2620 wrote to memory of 2712	2620	Conspect124.exe	35
PID 2620 wrote to memory of 2712	2620	Conspect124.exe	35
PID 2620 wrote to memory of 2712	2620	Conspect124.exe	35
PID 2712 wrote to memory of 2608	2712	cmd.exe	37
PID 2712 wrote to memory of 2608	2712	cmd.exe	37
PID 2712 wrote to memory of 2608	2712	cmd.exe	37
PID 2712 wrote to memory of 2608	2712	cmd.exe	37

C:\Users\Admin\AppData\Local\Temp\7bd1cce43f6b48c8ddd492e5711fd17f.exe
"C:\Users\Admin\AppData\Local\Temp\7bd1cce43f6b48c8ddd492e5711fd17f.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -windowstyle hidden "$Headcloths=Get-Content 'C:\Users\Admin\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea\Papyr.paa';$Antinovels=$Headcloths.SubString(57477,3);.$Antinovels($Headcloths)"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Users\Admin\AppData\Local\Temp\Conspect124.exe
    "C:\Users\Admin\AppData\Local\Temp\Conspect124.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious use of WriteProcessMemory
    PID:2620
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Begunstigelses% -windowstyle minimized $Hjtryksryg=(Get-ItemProperty -Path 'HKCU:\Forseglingens\').Drenching;%Begunstigelses% ($Hjtryksryg)"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2712
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Begunstigelses% -windowstyle minimized $Hjtryksryg=(Get-ItemProperty -Path 'HKCU:\Forseglingens\').Drenching;%Begunstigelses% ($Hjtryksryg)"
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

3

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea\Epochally.Puk

Filesize
342KB

MD5
7e58d69270577649e3fec5909c0e0f20

SHA1
c92de1cdd263a8afab112624f7fe3dd991b11bc3

SHA256
d9271baaae1e38c317ab57e2e2ca4a0f3448b23adb16af5894f0a55f3ccf5728

SHA512
b1c38694c80459b66dc7a34017d6f6a11c57251e9eb6e4f96d14bde9917b0b4d3d85b2875aaf550ce2159dc119ede91705e0a4ab9a7ff78d81f4d20110667ee4

Download Submit
C:\Users\Admin\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea\Papyr.paa

Filesize
56KB

MD5
21f8b55eff5453c6e94223b12647704a

SHA1
8938162c626c171d76f37deebc2534e53d1870ed

SHA256
6d09c0544b4419ff08386626e6609b03036c999da12afb6ad3f1beb2673c0894

SHA512
e87a707edc2147a63e49900446cdf3eaab287b71b1ea0779a2dc4d696b543692b8e9d85e510b8343f0083f25f8df8349ce68010fec40029d6e09151a98fa92f3

Download Submit
\Users\Admin\AppData\Local\Temp\Conspect124.exe

Filesize
971KB

MD5
7bd1cce43f6b48c8ddd492e5711fd17f

SHA1
3f650d8993c542682aa61c725ea1bb4ee93d259a

SHA256
c5636797b8bad3e9ff18f51d269ace0948112d9ff03a9900a174687fec4bae3b

SHA512
fe804b78cd734192664366364b099a5676d58101b9fe03c40c925cfe1cc202a99e04094d0fa93338ed831015d7ccd2ede88f04ab3cf6410542853a5a228face2

Download Submit
memory/2140-12-0x0000000073BD0000-0x000000007417B000-memory.dmp

Filesize
5.7MB

Download
memory/2140-9-0x0000000073BD1000-0x0000000073BD2000-memory.dmp

Filesize
4KB

Download
memory/2140-15-0x0000000073BD0000-0x000000007417B000-memory.dmp

Filesize
5.7MB

Download
memory/2140-11-0x0000000073BD0000-0x000000007417B000-memory.dmp

Filesize
5.7MB

Download
memory/2140-17-0x0000000073BD0000-0x000000007417B000-memory.dmp

Filesize
5.7MB

Download
memory/2140-18-0x0000000073BD0000-0x000000007417B000-memory.dmp

Filesize
5.7MB

Download
memory/2140-19-0x00000000065D0000-0x000000000BB36000-memory.dmp

Filesize
85.4MB

Download
memory/2140-10-0x0000000073BD0000-0x000000007417B000-memory.dmp

Filesize
5.7MB

Download
memory/2620-23-0x0000000001540000-0x0000000006AA6000-memory.dmp

Filesize
85.4MB

Download
memory/2620-38-0x00000000004D0000-0x0000000001532000-memory.dmp

Filesize
16.4MB

Download
memory/2620-40-0x00000000004D0000-0x0000000001532000-memory.dmp

Filesize
16.4MB

Download
memory/2620-43-0x00000000004D0000-0x0000000001532000-memory.dmp

Filesize
16.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads