guloader | 1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53

General

Target

Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe
Size

759KB
MD5

e1dc71be5b3466d47a4934013be9b604
SHA1

4c6627a901ade3b1f0cd6a233085deb7e044ef97
SHA256

1352efe35374bcc94f0b4e189761610a8620ff63aad350060a806773c969fd53
SHA512

a44f75ea0eac848dd2b724b9a50fb5b0259382f61a047563689381e3a60fc07547c209b2acdddcb1dae371cdf51f0065e2a89ff0276299c0d72928af87c9aafc
SSDEEP

12288:GtomEHbPQsIbw8Z9TzDBWzowh0Nxj5gUZVroN64V23i3Qo+eSp5:TN7PXIdZlDBWUrx5gAVroNFHzU

Score

10^/10

guloader remcos remotehost discovery downloader rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

162.251.122.87:2404

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-UOMZ21
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Guloader family
guloader
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Loads dropped DLL 2 IoCs

pid	Process
2308	Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe
2308	Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
1912	Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2308	Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe
1912	Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2308 set thread context of 1912	2308	Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2308	Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1912	Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 1912	2308	Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe	30
PID 2308 wrote to memory of 1912	2308	Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe	30
PID 2308 wrote to memory of 1912	2308	Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe	30
PID 2308 wrote to memory of 1912	2308	Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe	30
PID 2308 wrote to memory of 1912	2308	Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe	30
PID 2308 wrote to memory of 1912	2308	Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe	30

C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe
"C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe
  "C:\Users\Admin\AppData\Local\Temp\Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe"
  2⤵
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
a3d9985e6f575d0d69a891f9c2830623

SHA1
1ac35562a33f3844048d33a707c8b7d87836fb4c

SHA256
477d7f35e97e945a5f6b43c2f6597668603cf4380b971886d8b7bc42591f9dbb

SHA512
4302c016736d76399da7435e72bc3c28feac527797ea280049df57f6da9ccdbf9712512f733ca930ab402a4f336f80ce06e10201cd2777115522c8fa74ef3aa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseCFB0.tmp

Filesize
74B

MD5
16d513397f3c1f8334e8f3e4fc49828f

SHA1
4ee15afca81ca6a13af4e38240099b730d6931f0

SHA256
d3c781a1855c8a70f5aca88d9e2c92afffa80541334731f62caa9494aa8a0c36

SHA512
4a350b790fdd2fe957e9ab48d5969b217ab19fc7f93f3774f1121a5f140ff9a9eaaa8fa30e06a9ef40ad776e698c2e65a05323c3adf84271da1716e75f5183c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoCFF0.tmp

Filesize
52B

MD5
5d04a35d3950677049c7a0cf17e37125

SHA1
cafdd49a953864f83d387774b39b2657a253470f

SHA256
a9493973dd293917f3ebb932ab255f8cac40121707548de100d5969956bb1266

SHA512
c7b1afd95299c0712bdbc67f9d2714926d6ec9f71909af615affc400d8d2216ab76f6ac35057088836435de36e919507e1b25be87b07c911083f964eb67e003b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszD030.tmp

Filesize
60B

MD5
33714fd37d9159cf4911fe47896b9e69

SHA1
77c9ddfb1cd8e4a9a0a9131d0d21ebac0ef57611

SHA256
8eda392d2cd028b1a3385ff7673cade57e402248db7fe7eb192e8d6b0d8f78a2

SHA512
e4abaa9b5e706647dfe0174daa5164d0464f7ee971c5ee2983e28a4d2062eda2d0d9468340ebdbe6110b33958a9b3256757c3e5557b3ef617fe76ce576b8ba0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszD11C.tmp

Filesize
30B

MD5
f15bfdebb2df02d02c8491bde1b4e9bd

SHA1
93bd46f57c3316c27cad2605ddf81d6c0bde9301

SHA256
c87f2ff45bb530577fb8856df1760edaf1060ae4ee2934b17fdd21b7d116f043

SHA512
1757ed4ae4d47d0c839511c18be5d75796224d4a3049e2d8853650ace2c5057c42040de6450bf90dd4969862e9ebb420cd8a34f8dd9c970779ed2e5459e8f2f1

Download Submit
\Users\Admin\AppData\Local\Temp\nstCFC0.tmp\System.dll

Filesize
11KB

MD5
ca332bb753b0775d5e806e236ddcec55

SHA1
f35ef76592f20850baef2ebbd3c9a2cfb5ad8d8f

SHA256
df5ae79fa558dc7af244ec6e53939563b966e7dbd8867e114e928678dbd56e5d

SHA512
2de0956a1ad58ad7086e427e89b819089f2a7f1e4133ed2a0a736adc0614e8588ebe2d97f1b59ab8886d662aeb40e0b4838c6a65fbfc652253e3a45664a03a00

Download Submit
memory/1912-598-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/1912-607-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/1912-616-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/1912-613-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/1912-582-0x0000000076F60000-0x0000000077109000-memory.dmp

Filesize
1.7MB

Download
memory/1912-583-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/1912-588-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/1912-592-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/1912-595-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/1912-610-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/1912-604-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/1912-601-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/2308-577-0x0000000004380000-0x0000000005209000-memory.dmp

Filesize
14.5MB

Download
memory/2308-579-0x0000000076F60000-0x0000000077109000-memory.dmp

Filesize
1.7MB

Download
memory/2308-578-0x0000000076F61000-0x0000000077062000-memory.dmp

Filesize
1.0MB

Download
memory/2308-581-0x0000000004380000-0x0000000005209000-memory.dmp

Filesize
14.5MB

Download
memory/2308-580-0x0000000004380000-0x0000000005209000-memory.dmp

Filesize
14.5MB

Download

Analysis

Sharing