guloader | c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98

General

Target

c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe
Size

501KB
Sample

241009-rw8tea1fmc
MD5

07174a2dcc7016ccef4cd9cbc04e5652
SHA1

c19c203341b04f71b432f5228daaafb44e25514f
SHA256

c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98
SHA512

bd5910f9123941af67d844bfa09b53c8cd0de863163b32b8bbde4ef85356951bbce2858587727bd2ff8b39dbec9618eccb135051bc150b6217a3d55fbb9cd692
SSDEEP

6144:xC2Evn/IvIrb2m3El3AoZIvdRLM2fwk6IeldVU8lwDDtoNRuv0j1JtX7PXjrnCgN:YnC8Cmu3AMWwk6jdVUcwHeNEgzjLEcvH

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

newfarmn.pro:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-KB3GN4
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe
- Size
  
  501KB
- MD5
  
  07174a2dcc7016ccef4cd9cbc04e5652
- SHA1
  
  c19c203341b04f71b432f5228daaafb44e25514f
- SHA256
  
  c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98
- SHA512
  
  bd5910f9123941af67d844bfa09b53c8cd0de863163b32b8bbde4ef85356951bbce2858587727bd2ff8b39dbec9618eccb135051bc150b6217a3d55fbb9cd692
- SSDEEP
  
  6144:xC2Evn/IvIrb2m3El3AoZIvdRLM2fwk6IeldVU8lwDDtoNRuv0j1JtX7PXjrnCgN:YnC8Cmu3AMWwk6jdVUcwHeNEgzjLEcvH
Score

10^/10

guloader remcos remotehost discovery downloader persistence rat
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  375e8a08471dc6f85f3828488b1147b3
- SHA1
  
  1941484ac710fc301a7d31d6f1345e32a21546af
- SHA256
  
  4c86b238e64ecfaabe322a70fd78db229a663ccc209920f3385596a6e3205f78
- SHA512
  
  5ba29db13723ddf27b265a4548606274b850d076ae1f050c64044f8ccd020585ad766c85c3e20003a22f356875f76fb3679c89547b0962580d8e5a42b082b9a8
- SSDEEP
  
  192:MPtkumJX7zB22kGwfy0mtVgkCPOs91un:9702k5qpds9Qn
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  $PLUGINSDIR/nsExec.dll
- Size
  
  6KB
- MD5
  
  4bbc9d77ef7f748f8c85750c3a445f0a
- SHA1
  
  d57a8304bb44ccdb3163b880b3c1bb213461399d
- SHA256
  
  482536968672d70279a5204060ff84ace25237f24b1bdf3b02e289d50ea5450c
- SHA512
  
  b9430939daab0c8b7e77b96f2f7f85e8e1abd9f43eccbdf94078f77ef05b31a2a31f04ca3a2eff5aa7cc965029ed437af2eb100c197ef51f128ca827ad20e902
- SSDEEP
  
  96:z7GUxNkO6GR0t9GKKr1Zd8NHYVVHp4dEeY3kRnHdMqqyVgN63e:fXhHR0aTQN4gRHdMqJVgNp
Score

3^/10

discovery
behavioral5 behavioral6