guloader | 034d0ad83a1a41c3fb2be5110d68a545b2426a337006a7f34a2050a0c7a18b9a

General

Target

Belialist.exe
Size

511KB
MD5

24d65daddfed0602d8c90b5dfa47b7bb
SHA1

c46f000d10a66687cefd4a8fee1c8b3e84afd4b9
SHA256

034d0ad83a1a41c3fb2be5110d68a545b2426a337006a7f34a2050a0c7a18b9a
SHA512

09e16a15e18eb08f45f964fa271365e688507d561fc8567ce9417a54283dfb0785ef5a379456bb44cea187d7a5951521347a3e6f139560327460dfd449a6fe33
SSDEEP

12288:OjkqENMhypm0dvksi4P60gnkwNpRp9gS1S:yEmh8rRkvc61k4s

Score

10^/10

guloader remcos remotehost collection discovery downloader rat spyware stealer

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

212.162.149.195:2404

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-9EP276
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Detected Nirsoft tools 7 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/4996-47-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/4996-46-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/4996-45-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/2572-39-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/456-38-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/2572-40-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/456-51-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

NirSoft MailPassView 2 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/2572-39-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral2/memory/2572-40-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/456-38-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral2/memory/456-51-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Loads dropped DLL 2 IoCs

pid	Process
2316	Belialist.exe
2316	Belialist.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Belialist.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
1400	Belialist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2316	Belialist.exe
1400	Belialist.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2316 set thread context of 1400	2316	Belialist.exe	91
PID 1400 set thread context of 456	1400	Belialist.exe	98
PID 1400 set thread context of 2572	1400	Belialist.exe	99
PID 1400 set thread context of 4996	1400	Belialist.exe	100

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\misjoinder.ini	Belialist.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belialist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belialist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belialist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belialist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belialist.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
456	Belialist.exe
456	Belialist.exe
4996	Belialist.exe
4996	Belialist.exe
456	Belialist.exe
456	Belialist.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
2316	Belialist.exe
1400	Belialist.exe
1400	Belialist.exe
1400	Belialist.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4996	Belialist.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1400	Belialist.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 1400	2316	Belialist.exe	91
PID 2316 wrote to memory of 1400	2316	Belialist.exe	91
PID 2316 wrote to memory of 1400	2316	Belialist.exe	91
PID 2316 wrote to memory of 1400	2316	Belialist.exe	91
PID 2316 wrote to memory of 1400	2316	Belialist.exe	91
PID 1400 wrote to memory of 456	1400	Belialist.exe	98
PID 1400 wrote to memory of 456	1400	Belialist.exe	98
PID 1400 wrote to memory of 456	1400	Belialist.exe	98
PID 1400 wrote to memory of 2572	1400	Belialist.exe	99
PID 1400 wrote to memory of 2572	1400	Belialist.exe	99
PID 1400 wrote to memory of 2572	1400	Belialist.exe	99
PID 1400 wrote to memory of 4996	1400	Belialist.exe	100
PID 1400 wrote to memory of 4996	1400	Belialist.exe	100
PID 1400 wrote to memory of 4996	1400	Belialist.exe	100

C:\Users\Admin\AppData\Local\Temp\Belialist.exe
"C:\Users\Admin\AppData\Local\Temp\Belialist.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Users\Admin\AppData\Local\Temp\Belialist.exe
  "C:\Users\Admin\AppData\Local\Temp\Belialist.exe"
  2⤵
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1400
- - C:\Users\Admin\AppData\Local\Temp\Belialist.exe
    C:\Users\Admin\AppData\Local\Temp\Belialist.exe /stext "C:\Users\Admin\AppData\Local\Temp\sawkyhqxzfs"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:456
- - C:\Users\Admin\AppData\Local\Temp\Belialist.exe
    C:\Users\Admin\AppData\Local\Temp\Belialist.exe /stext "C:\Users\Admin\AppData\Local\Temp\cvbczaaznnkxaa"
    3⤵
    - Accesses Microsoft Outlook accounts
    - System Location Discovery: System Language Discovery
    PID:2572
- - C:\Users\Admin\AppData\Local\Temp\Belialist.exe
    C:\Users\Admin\AppData\Local\Temp\Belialist.exe /stext "C:\Users\Admin\AppData\Local\Temp\mxgnzsltbvccdghopo"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
a4d242ba92959e7032ece22b9fee54f0

SHA1
079796ca07d1047450b96389309e20d795eaf82b

SHA256
78b7e726af1bd2910e068f8db4867182641ace0879cace4682eb89023f890568

SHA512
bec8fe176c7a2a4907b974a044411788ef47a38a1b037052fe68f71ce437933543460a4e5355c08afac9fc36454b12531ebc0c4ffc101a8a3347fbb85e839aec

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseD051.tmp\System.dll

Filesize
11KB

MD5
960a5c48e25cf2bca332e74e11d825c9

SHA1
da35c6816ace5daf4c6c1d57b93b09a82ecdc876

SHA256
484f8e9f194ed9016274ef3672b2c52ed5f574fb71d3884edf3c222b758a75a2

SHA512
cc450179e2d0d56aee2ccf8163d3882978c4e9c1aa3d3a95875fe9ba9831e07ddfd377111dc67f801fa53b6f468a418f086f1de7c71e0a5b634e1ae2a67cd3da

Download Submit
C:\Users\Admin\AppData\Local\Temp\sawkyhqxzfs

Filesize
4KB

MD5
c3c5f2de99b7486f697634681e21bab0

SHA1
00f90d495c0b2b63fde6532e033fdd2ade25633d

SHA256
76296dc29f718988107d35d0e0b835c2bf3fc7405e79e5121aa4738f82b51582

SHA512
7c60ffdc093de30e793d20768877f2f586bee3e948767871f9a1139252d5d2f593ba6f88ce0ed5f72c79faddb26186792df0581e4b6c84d405c44d9d12f951b8

Download Submit
memory/456-51-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/456-32-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/456-34-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/456-38-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1400-30-0x0000000000470000-0x00000000016C4000-memory.dmp

Filesize
18.3MB

Download
memory/1400-67-0x0000000000470000-0x00000000016C4000-memory.dmp

Filesize
18.3MB

Download
memory/1400-25-0x0000000000470000-0x00000000016C4000-memory.dmp

Filesize
18.3MB

Download
memory/1400-97-0x0000000000470000-0x00000000016C4000-memory.dmp

Filesize
18.3MB

Download
memory/1400-94-0x0000000000470000-0x00000000016C4000-memory.dmp

Filesize
18.3MB

Download
memory/1400-91-0x0000000000470000-0x00000000016C4000-memory.dmp

Filesize
18.3MB

Download
memory/1400-88-0x0000000000470000-0x00000000016C4000-memory.dmp

Filesize
18.3MB

Download
memory/1400-85-0x0000000000470000-0x00000000016C4000-memory.dmp

Filesize
18.3MB

Download
memory/1400-24-0x00000000016D0000-0x0000000003F2E000-memory.dmp

Filesize
40.4MB

Download
memory/1400-82-0x0000000000470000-0x00000000016C4000-memory.dmp

Filesize
18.3MB

Download
memory/1400-79-0x0000000000470000-0x00000000016C4000-memory.dmp

Filesize
18.3MB

Download
memory/1400-31-0x00000000016D0000-0x0000000003F2E000-memory.dmp

Filesize
40.4MB

Download
memory/1400-64-0x0000000000470000-0x00000000016C4000-memory.dmp

Filesize
18.3MB

Download
memory/1400-61-0x0000000000470000-0x00000000016C4000-memory.dmp

Filesize
18.3MB

Download
memory/1400-54-0x0000000034F10000-0x0000000034F29000-memory.dmp

Filesize
100KB

Download
memory/1400-58-0x0000000034F10000-0x0000000034F29000-memory.dmp

Filesize
100KB

Download
memory/1400-57-0x0000000034F10000-0x0000000034F29000-memory.dmp

Filesize
100KB

Download
memory/2316-21-0x00000000772D1000-0x00000000773F1000-memory.dmp

Filesize
1.1MB

Download
memory/2316-20-0x0000000004A00000-0x000000000725E000-memory.dmp

Filesize
40.4MB

Download
memory/2316-22-0x0000000010004000-0x0000000010005000-memory.dmp

Filesize
4KB

Download
memory/2316-23-0x0000000004A00000-0x000000000725E000-memory.dmp

Filesize
40.4MB

Download
memory/2572-37-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2572-40-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2572-35-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2572-39-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4996-36-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4996-45-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4996-42-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4996-46-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4996-47-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing