guloader | d6c0f9cd71770bdf458ec8102f6d99cc1ace47f50684f95b1b1791f92ee807a2

General

Target

d6c0f9cd71770bdf458ec8102f6d99cc1ace47f50684f95b1b1791f92ee807a2
Size

698KB
Sample

250204-hl8wzszrdm
MD5

17b1efdf3fc26fa55926e2b61bf55445
SHA1

8bf2d80ca45c7ec3565508e576fd3a94143cff7f
SHA256

d6c0f9cd71770bdf458ec8102f6d99cc1ace47f50684f95b1b1791f92ee807a2
SHA512

c1ea0ed7a5b5e2cff25051d6f3c411543607be35f12bbc9b51cb2b4d4ef16fa7e1ea0d4f25a65a5be273f9570056ed544844dd524d3e8f7d8bfa5ae62e702868
SSDEEP

12288:bmpogP7y6Rr6niPY+M0I1HFkJv+uOuiSQVuGiI21WpZL08eEErQpGCOcikx:bm7zJ6iPYK4UmuO20xiZWDL0BE3pdlx

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

173.211.106.67:4860

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-BCSS53
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  RFQ_P0 #1037596-pdf.exe
- Size
  
  788KB
- MD5
  
  a1ec9b6309dd3339b21787be71057d1c
- SHA1
  
  852ce81121b9ea9296ab60a4f1b30d76e767ccf8
- SHA256
  
  6059b533977f51313baa0076d64645c95600ae9c03256bafb52b178840a8b4e3
- SHA512
  
  f82fe64f4146c2eda3b812ca4153a3b4a762568dc0ca23c14b2467773fddcb205e8113979cbdf4206698eb459be54170ed92d081162e877903392c8b348e0ef4
- SSDEEP
  
  24576:lK44p6shYK44iGM760xi1WpL07Elp/LIo:EThJMejcBZIo
Score

10^/10

guloader remcos remotehost collection discovery downloader persistence rat spyware stealer
- Guloader family
  guloader
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Detected Nirsoft tools
  Free utilities often used by attackers which can steal passwords, product keys, etc.
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  e23600029d1b09bdb1d422fb4e46f5a6
- SHA1
  
  5d64a2f6a257a98a689a3db9a087a0fd5f180096
- SHA256
  
  7342b73593b3aa1b15e3731bfb1afd1961802a5c66343bac9a2c737ee94f4e38
- SHA512
  
  c971f513142633ce0e6ec6a04c754a286da8016563dab368c3fac83aef81fa3e9df1003c4b63d00a46351a9d18eaa7ae7645caef172e5e1d6e29123ab864e7ac
- SSDEEP
  
  192:Vm9rQDenC9VrcK7REgSWOprANupQYLRszDDH/d9CWlXo7U6Wxf:QJQEaVAK7R9SfpjpQYLRszfH/d9CWB1j
Score

3^/10

discovery
behavioral3 behavioral4