guloader | 034d0ad83a1a41c3fb2be5110d68a545b2426a337006a7f34a2050a0c7a18b9a

General

Target

034d0ad83a1a41c3fb2be5110d68a545b2426a337006a7f34a2050a0c7a18b9a.exe
Size

511KB
Sample

241025-bdvwtszfml
MD5

24d65daddfed0602d8c90b5dfa47b7bb
SHA1

c46f000d10a66687cefd4a8fee1c8b3e84afd4b9
SHA256

034d0ad83a1a41c3fb2be5110d68a545b2426a337006a7f34a2050a0c7a18b9a
SHA512

09e16a15e18eb08f45f964fa271365e688507d561fc8567ce9417a54283dfb0785ef5a379456bb44cea187d7a5951521347a3e6f139560327460dfd449a6fe33
SSDEEP

12288:OjkqENMhypm0dvksi4P60gnkwNpRp9gS1S:yEmh8rRkvc61k4s

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

212.162.149.195:2404

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-9EP276
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  034d0ad83a1a41c3fb2be5110d68a545b2426a337006a7f34a2050a0c7a18b9a.exe
- Size
  
  511KB
- MD5
  
  24d65daddfed0602d8c90b5dfa47b7bb
- SHA1
  
  c46f000d10a66687cefd4a8fee1c8b3e84afd4b9
- SHA256
  
  034d0ad83a1a41c3fb2be5110d68a545b2426a337006a7f34a2050a0c7a18b9a
- SHA512
  
  09e16a15e18eb08f45f964fa271365e688507d561fc8567ce9417a54283dfb0785ef5a379456bb44cea187d7a5951521347a3e6f139560327460dfd449a6fe33
- SSDEEP
  
  12288:OjkqENMhypm0dvksi4P60gnkwNpRp9gS1S:yEmh8rRkvc61k4s
Score

10^/10

guloader remcos remotehost collection discovery downloader rat spyware stealer
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Detected Nirsoft tools
  Free utilities often used by attackers which can steal passwords, product keys, etc.
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook accounts
  collection
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  960a5c48e25cf2bca332e74e11d825c9
- SHA1
  
  da35c6816ace5daf4c6c1d57b93b09a82ecdc876
- SHA256
  
  484f8e9f194ed9016274ef3672b2c52ed5f574fb71d3884edf3c222b758a75a2
- SHA512
  
  cc450179e2d0d56aee2ccf8163d3882978c4e9c1aa3d3a95875fe9ba9831e07ddfd377111dc67f801fa53b6f468a418f086f1de7c71e0a5b634e1ae2a67cd3da
- SSDEEP
  
  192:jVL7iZJX76BiqsO7+UZEw+RlthVEoC0O3XB:g7ssOpZs/hS3X
Score

3^/10

discovery
behavioral3 behavioral4