guloader | e38bdd8374c7e1640e8fe34c531228dd9389affb9659cb7c49c00129baa73bdf

General

Target

orders_PI 008-01.exe
Size

885KB
MD5

5009d8c72623d30ce09149187c66d37c
SHA1

5c6035f099f16ff4753198e5f631ba410e98227f
SHA256

e38bdd8374c7e1640e8fe34c531228dd9389affb9659cb7c49c00129baa73bdf
SHA512

5908f38589b4097fd96f35129bbfa344a7940193ef0df6dab4e514106e7054c8ea9b3e97f9ebb7ff36fdbbd7c724cd1500e37f6c1ea6013f51842d39a642b5c1
SSDEEP

12288:i3nIF6bq58AFe0TenvBdHdpUXjwxipfpQGYAGau5yxX9O9R:i3IFsmez5pdpUXjUiNuGYpawA9uR

Score

10^/10

guloader remcos remotehost collection discovery downloader rat spyware stealer

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

162.251.122.106:2404

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-BHLA3T
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Guloader family
guloader
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Detected Nirsoft tools 7 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/1944-312-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/2388-316-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/2388-322-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/1944-311-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/1932-310-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/1944-313-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/1932-325-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/1944-312-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral2/memory/1944-311-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral2/memory/1944-313-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/1932-310-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral2/memory/1932-325-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Loads dropped DLL 2 IoCs

pid	Process
4908	orders_PI 008-01.exe
4908	orders_PI 008-01.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	orders_PI 008-01.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
3280	orders_PI 008-01.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4908	orders_PI 008-01.exe
3280	orders_PI 008-01.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4908 set thread context of 3280	4908	orders_PI 008-01.exe	92
PID 3280 set thread context of 1932	3280	orders_PI 008-01.exe	95
PID 3280 set thread context of 1944	3280	orders_PI 008-01.exe	96
PID 3280 set thread context of 2388	3280	orders_PI 008-01.exe	97

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\kvindagtigt.ini	orders_PI 008-01.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	orders_PI 008-01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	orders_PI 008-01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	orders_PI 008-01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	orders_PI 008-01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	orders_PI 008-01.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1932	orders_PI 008-01.exe
1932	orders_PI 008-01.exe
2388	orders_PI 008-01.exe
2388	orders_PI 008-01.exe
1932	orders_PI 008-01.exe
1932	orders_PI 008-01.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
4908	orders_PI 008-01.exe
3280	orders_PI 008-01.exe
3280	orders_PI 008-01.exe
3280	orders_PI 008-01.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2388	orders_PI 008-01.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3280	orders_PI 008-01.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4908 wrote to memory of 3280	4908	orders_PI 008-01.exe	92
PID 4908 wrote to memory of 3280	4908	orders_PI 008-01.exe	92
PID 4908 wrote to memory of 3280	4908	orders_PI 008-01.exe	92
PID 4908 wrote to memory of 3280	4908	orders_PI 008-01.exe	92
PID 4908 wrote to memory of 3280	4908	orders_PI 008-01.exe	92
PID 3280 wrote to memory of 1932	3280	orders_PI 008-01.exe	95
PID 3280 wrote to memory of 1932	3280	orders_PI 008-01.exe	95
PID 3280 wrote to memory of 1932	3280	orders_PI 008-01.exe	95
PID 3280 wrote to memory of 1944	3280	orders_PI 008-01.exe	96
PID 3280 wrote to memory of 1944	3280	orders_PI 008-01.exe	96
PID 3280 wrote to memory of 1944	3280	orders_PI 008-01.exe	96
PID 3280 wrote to memory of 2388	3280	orders_PI 008-01.exe	97
PID 3280 wrote to memory of 2388	3280	orders_PI 008-01.exe	97
PID 3280 wrote to memory of 2388	3280	orders_PI 008-01.exe	97

C:\Users\Admin\AppData\Local\Temp\orders_PI 008-01.exe
"C:\Users\Admin\AppData\Local\Temp\orders_PI 008-01.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4908
- C:\Users\Admin\AppData\Local\Temp\orders_PI 008-01.exe
  "C:\Users\Admin\AppData\Local\Temp\orders_PI 008-01.exe"
  2⤵
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3280
- - C:\Users\Admin\AppData\Local\Temp\orders_PI 008-01.exe
    "C:\Users\Admin\AppData\Local\Temp\orders_PI 008-01.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tayttutgxortjqer"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1932
- - C:\Users\Admin\AppData\Local\Temp\orders_PI 008-01.exe
    "C:\Users\Admin\AppData\Local\Temp\orders_PI 008-01.exe" /stext "C:\Users\Admin\AppData\Local\Temp\eudllmehlwjglwsdryiw"
    3⤵
    - Accesses Microsoft Outlook accounts
    - System Location Discovery: System Language Discovery
    PID:1944
- - C:\Users\Admin\AppData\Local\Temp\orders_PI 008-01.exe
    "C:\Users\Admin\AppData\Local\Temp\orders_PI 008-01.exe" /stext "C:\Users\Admin\AppData\Local\Temp\opiwmfobzeblwkghajcqosf"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\kvindagtigt.ini

Filesize
52B

MD5
f298228d2d42ced0a00b0c5320000835

SHA1
fb06f02ddcda4c9ec752a688ee617064db3a49eb

SHA256
e399afe89f97eae7bcdae626913da1618f4f42ba11887217cdbf524720532ab2

SHA512
464da89f9e1d5935810443b20c3d19f77585d964df89f5cb427482a03c8ef6274d06cbc01533d92c691ffd55e1725ba5f427d023a45a5128bced0eee11e083fe

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
c4664eb1e7016482cdd83c4aa6d07df3

SHA1
5ee107220b9f476209d6d4c918def5f05e3bde3d

SHA256
511161ca16a7c027ff48ae5f111c230ac932577805462195e0b65fae04281baf

SHA512
12601a6bad609eea970d2607ef3e3c9ee2326c519bc3cd715235ca5ceb25f2aec2317c78e1a15a813e6805cb6cf848f16f4db1ad24076ce84926aaf8cea55512

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssA6A1.tmp\System.dll

Filesize
12KB

MD5
6e55a6e7c3fdbd244042eb15cb1ec739

SHA1
070ea80e2192abc42f358d47b276990b5fa285a9

SHA256
acf90ab6f4edc687e94aaf604d05e16e6cfb5e35873783b50c66f307a35c6506

SHA512
2d504b74da38edc967e3859733a2a9cacd885db82f0ca69bfb66872e882707314c54238344d45945dc98bae85772aceef71a741787922d640627d3c8ae8f1c35

Download Submit
C:\Users\Admin\AppData\Local\Temp\tayttutgxortjqer

Filesize
4KB

MD5
75379d3dcbcea6a69bc75b884816dd40

SHA1
7e073a03c3bdbbc60375ddbe56bba211c3d412a6

SHA256
cab559f3bbe4a0beb194dffca723b3072184b92687100462eaab04d66fff8de9

SHA512
710c2cee369a57a0039fc0d0c59de6118780210ef60ad0daf374f03ba94ab08039bc2aff821f7c99a0ecd0e16189c52e5b6d630b3d541f7b11375f134b985e8c

Download Submit
memory/1932-306-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1932-325-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1932-307-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1932-310-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1944-313-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1944-311-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1944-309-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1944-308-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1944-312-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2388-316-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2388-322-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2388-315-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2388-314-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3280-328-0x0000000034490000-0x00000000344A9000-memory.dmp

Filesize
100KB

Download
memory/3280-338-0x0000000000840000-0x0000000001A94000-memory.dmp

Filesize
18.3MB

Download
memory/3280-304-0x0000000000840000-0x0000000001A94000-memory.dmp

Filesize
18.3MB

Download
memory/3280-298-0x0000000001AA0000-0x00000000034FF000-memory.dmp

Filesize
26.4MB

Download
memory/3280-371-0x0000000000840000-0x0000000001A94000-memory.dmp

Filesize
18.3MB

Download
memory/3280-368-0x0000000000840000-0x0000000001A94000-memory.dmp

Filesize
18.3MB

Download
memory/3280-305-0x0000000001AA0000-0x00000000034FF000-memory.dmp

Filesize
26.4MB

Download
memory/3280-332-0x0000000034490000-0x00000000344A9000-memory.dmp

Filesize
100KB

Download
memory/3280-331-0x0000000034490000-0x00000000344A9000-memory.dmp

Filesize
100KB

Download
memory/3280-362-0x0000000000840000-0x0000000001A94000-memory.dmp

Filesize
18.3MB

Download
memory/3280-335-0x0000000000840000-0x0000000001A94000-memory.dmp

Filesize
18.3MB

Download
memory/3280-299-0x0000000000840000-0x0000000001A94000-memory.dmp

Filesize
18.3MB

Download
memory/3280-359-0x0000000000840000-0x0000000001A94000-memory.dmp

Filesize
18.3MB

Download
memory/3280-341-0x0000000000840000-0x0000000001A94000-memory.dmp

Filesize
18.3MB

Download
memory/3280-344-0x0000000000840000-0x0000000001A94000-memory.dmp

Filesize
18.3MB

Download
memory/3280-347-0x0000000000840000-0x0000000001A94000-memory.dmp

Filesize
18.3MB

Download
memory/3280-350-0x0000000000840000-0x0000000001A94000-memory.dmp

Filesize
18.3MB

Download
memory/3280-353-0x0000000000840000-0x0000000001A94000-memory.dmp

Filesize
18.3MB

Download
memory/3280-356-0x0000000000840000-0x0000000001A94000-memory.dmp

Filesize
18.3MB

Download
memory/4908-294-0x00000000045B0000-0x000000000600F000-memory.dmp

Filesize
26.4MB

Download
memory/4908-295-0x0000000077751000-0x0000000077871000-memory.dmp

Filesize
1.1MB

Download
memory/4908-296-0x00000000743A5000-0x00000000743A6000-memory.dmp

Filesize
4KB

Download
memory/4908-297-0x00000000045B0000-0x000000000600F000-memory.dmp

Filesize
26.4MB

Download

Analysis

Sharing