guloader | b982dd57c7b4a6e5f568582d8819ca11d5cc8b97ce05f9d8ddc0e144784d4112

General

Target

26032025_1554_HOLIDAY ADVISORY_pdf.bat.zip
Size

614KB
Sample

250326-tchtzszm17
MD5

ae3cea77b242eb4a12f6b7d79bcae040
SHA1

8dab051514d0b001406ed8ac7f40c3bcc9201c62
SHA256

b982dd57c7b4a6e5f568582d8819ca11d5cc8b97ce05f9d8ddc0e144784d4112
SHA512

f5df8292968e8de05ba0d0d724a1f3c9500b9a5c1aacdeb077ad1880bfe3e5346b65db9261aac319860969e4a5736687ab1e0049d5f1b4917f8f95ad1c6c04df
SSDEEP

12288:K4RC1IdreeqmyMWHrMWBHtX7QlK8inlT+/lgXDWI+cojGx9ts5:KNXrmCNtX7QlK8inZWiqBjGxLs5

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

127.0.0.1:2404

196.251.93.4:2404

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-LQXWP4
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  HOLIDAY ADVISORY_pdf.bat
- Size
  
  692KB
- MD5
  
  eab28b38de8b8a0f6aa4e2950208651f
- SHA1
  
  ba3002c433bf92c8ab98b452f30bfa9cd1159cb6
- SHA256
  
  eb39f5737c6947b6e0ef5e60be7e0ccc652d5872b4d60597f394fa24fa308bbb
- SHA512
  
  b0b2f53737671b8d61140b5bb3202228345a3105725d17917e7b9f0bc3fc0c20c7315129bd9fb0bd02f6bd66f16608bc76732f40091158ccc64517dfa126053b
- SSDEEP
  
  12288:2tqNqNVIdl0eqmgMWH7MeB9tx7APK8inDh+/l+X9WI+cojGxB6sd:6rrmuftx7APK8in9wEQBjGxIsd
Score

10^/10

guloader remcos remotehost collection discovery downloader persistence rat
- Guloader family
  guloader
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Detected Nirsoft tools
  Free utilities often used by attackers which can steal passwords, product keys, etc.
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  6f5257c0b8c0ef4d440f4f4fce85fb1b
- SHA1
  
  b6ac111dfb0d1fc75ad09c56bde7830232395785
- SHA256
  
  b7ccb923387cc346731471b20fc3df1ead13ec8c2e3147353c71bb0bd59bc8b1
- SHA512
  
  a3cc27f1efb52fb8ecda54a7c36ada39cefeabb7b16f2112303ea463b0e1a4d745198d413eebb3551e012c84a20dcdf4359e511e51bc3f1a60b13f1e3bad1aa8
- SSDEEP
  
  96:zPDYcJ+nx4vVp76JX7zBlkCg21Fxz4THxtrqw1at0JgwLEjo+OB3yUVCdl/wNj+y:zPtkuWJX7zB3kGwfy0nyUVsxCjOM61u
Score

3^/10

discovery
behavioral3 behavioral4