guloader | 21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda | Triage

Sharing

General

Target

21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe
Size

609KB
Sample

241009-mrnkfs1clj
MD5

caef1be333db06e88325e3cf82c27fe1
SHA1

24d30b606727d8739c0fcd8f5d0d6c76dfdf7a3c
SHA256

21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda
SHA512

e93bb19b775af0d2928230baa2541f538adb72ff51ff0b8d92cc7c3bcbbbdef6535729d22c190d0b914c281dc1479364745cb073e43ecc0e6ab8af45ca94da3b
SSDEEP

12288:n/v3K20gS7RPJddE9MVl01amNw3I372nX2ixR5dwG36OoZf+:n/CWS7XoKmNw3s2nh5dVKON

Score

10^/10

guloader remcos remotehost discovery downloader rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

kezdns.pro:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-FUHBXG
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe
- Size
  
  609KB
- MD5
  
  caef1be333db06e88325e3cf82c27fe1
- SHA1
  
  24d30b606727d8739c0fcd8f5d0d6c76dfdf7a3c
- SHA256
  
  21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda
- SHA512
  
  e93bb19b775af0d2928230baa2541f538adb72ff51ff0b8d92cc7c3bcbbbdef6535729d22c190d0b914c281dc1479364745cb073e43ecc0e6ab8af45ca94da3b
- SSDEEP
  
  12288:n/v3K20gS7RPJddE9MVl01amNw3I372nX2ixR5dwG36OoZf+:n/CWS7XoKmNw3s2nh5dVKON
Score

10^/10

discovery guloader remcos remotehost downloader rat
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Loads dropped DLL
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  12KB
- MD5
  
  792b6f86e296d3904285b2bf67ccd7e0
- SHA1
  
  966b16f84697552747e0ddd19a4ba8ab5083af31
- SHA256
  
  c7a20bcaa0197aedddc8e4797bbb33fdf70d980f5e83c203d148121c2106d917
- SHA512
  
  97edc3410b88ca31abc0af0324258d2b59127047810947d0fb5e7e12957db34d206ffd70a0456add3a26b0546643ff0234124b08423c2c9ffe9bdec6eb210f2c
- SSDEEP
  
  192:rFiQJ771Jt17C8F1A5xjGNNvgFOiLb7lrT/L93:X71Jt48F2eNvgFF/L
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  $PLUGINSDIR/nsExec.dll
- Size
  
  6KB
- MD5
  
  5aa38904acdcc21a2fb8a1d30a72d92f
- SHA1
  
  a9ce7d1456698921791db91347dba0489918d70c
- SHA256
  
  10675f13abaee592f14382349aa35d82fb52aab4e27eef61d0c83dec1f6b73da
- SHA512
  
  f04740da561d7cd0dea5e839c9e1c339d4a3e63944d3566c94c921a3d170a69918a32dff3f3b43f13d55cc25a2dbb4c21104f062c324308ac5104179766402a3
- SSDEEP
  
  96:AOBtEB2flLkatAthPZJoi9jpfW/er6cBbcB/NFyVOHd0+uHwEX:AhB2flXAVJtjf6cBbcB/N8Ved0PZ
Score

3^/10

discovery
behavioral5 behavioral6

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

guloaderremcosremotehostdiscoverydownloaderrat

behavioral3

behavioral4

behavioral5

behavioral6