guloader | a92dc285c11951b278e4a6de0facff86e30f27cca77d1049d7a11da6dd37eb03

Analysis

max time kernel
299s
max time network
280s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27/03/2025, 15:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SWIFT.scr
Size

716KB
MD5

c1a83e61f3e5e28fb499b2c204243549
SHA1

08124d6acc7e9f26e99b10f5e909081c788b477a
SHA256

6d4171c68f4f2d1e2f3da572c62247d92cd98684046516cef1bb5a023a538755
SHA512

a0bad0c833d523bc120a7f855f4dbe55226525963ed5d2ef2a811b54738a2accec957e4f2ea8f68bf760ad4b37cc9e741bb735476cbe42ea91df7c930870e034
SSDEEP

12288:LR3BUIpYzX5bjzN1ueIzsbnVzpuRmWczn46l0xFXc3gIwEg:V3GIOjzNnMwVsRmW0nl0Pg73g

Score

10^/10

guloader remcos host-2 collection credential_access discovery downloader rat spyware stealer

Malware Config

Extracted

Family

remcos

Botnet

Host-2

176.65.142.14:6060

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-HM3EZ8
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Guloader family
guloader
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Detected Nirsoft tools 4 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral1/memory/2624-65-0x0000000000400000-0x000000000047D000-memory.dmp	Nirsoft
behavioral1/memory/2624-66-0x0000000000400000-0x000000000047D000-memory.dmp	Nirsoft
behavioral1/memory/2840-70-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral1/memory/1924-75-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/2840-70-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral1/memory/2624-65-0x0000000000400000-0x000000000047D000-memory.dmp	WebBrowserPassView
behavioral1/memory/2624-66-0x0000000000400000-0x000000000047D000-memory.dmp	WebBrowserPassView

Uses browser remote debugging 2 TTPs 1 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
1728	Chrome.exe

Loads dropped DLL 2 IoCs

pid	Process
2080	SWIFT.scr
2080	SWIFT.scr

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	recover.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
3	drive.google.com
5	drive.google.com

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2796	SWIFT.scr

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2080	SWIFT.scr
2796	SWIFT.scr

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2796 set thread context of 2624	2796	SWIFT.scr	36
PID 2796 set thread context of 2840	2796	SWIFT.scr	37
PID 2796 set thread context of 1924	2796	SWIFT.scr	38

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\crepe\satanerne.ini	SWIFT.scr
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_debug.log	Chrome.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SWIFT.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SWIFT.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	recover.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	recover.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	recover.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2796	SWIFT.scr
2624	recover.exe
640	Chrome.exe
640	Chrome.exe
640	Chrome.exe
640	Chrome.exe
2624	recover.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
2080	SWIFT.scr
2796	SWIFT.scr
2796	SWIFT.scr
2796	SWIFT.scr

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1924	recover.exe
Token: SeShutdownPrivilege	640	Chrome.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2796	SWIFT.scr

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2796	SWIFT.scr

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 2796	2080	SWIFT.scr	30
PID 2080 wrote to memory of 2796	2080	SWIFT.scr	30
PID 2080 wrote to memory of 2796	2080	SWIFT.scr	30
PID 2080 wrote to memory of 2796	2080	SWIFT.scr	30
PID 2080 wrote to memory of 2796	2080	SWIFT.scr	30
PID 1728 wrote to memory of 640	1728	Chrome.exe	35
PID 1728 wrote to memory of 640	1728	Chrome.exe	35
PID 1728 wrote to memory of 640	1728	Chrome.exe	35
PID 2796 wrote to memory of 2624	2796	SWIFT.scr	36
PID 2796 wrote to memory of 2624	2796	SWIFT.scr	36
PID 2796 wrote to memory of 2624	2796	SWIFT.scr	36
PID 2796 wrote to memory of 2624	2796	SWIFT.scr	36
PID 2796 wrote to memory of 2624	2796	SWIFT.scr	36
PID 2796 wrote to memory of 2840	2796	SWIFT.scr	37
PID 2796 wrote to memory of 2840	2796	SWIFT.scr	37
PID 2796 wrote to memory of 2840	2796	SWIFT.scr	37
PID 2796 wrote to memory of 2840	2796	SWIFT.scr	37
PID 2796 wrote to memory of 2840	2796	SWIFT.scr	37
PID 2796 wrote to memory of 1924	2796	SWIFT.scr	38
PID 2796 wrote to memory of 1924	2796	SWIFT.scr	38
PID 2796 wrote to memory of 1924	2796	SWIFT.scr	38
PID 2796 wrote to memory of 1924	2796	SWIFT.scr	38
PID 2796 wrote to memory of 1924	2796	SWIFT.scr	38
PID 1728 wrote to memory of 1908	1728	Chrome.exe	39
PID 1728 wrote to memory of 1908	1728	Chrome.exe	39
PID 1728 wrote to memory of 1908	1728	Chrome.exe	39

C:\Users\Admin\AppData\Local\Temp\SWIFT.scr
"C:\Users\Admin\AppData\Local\Temp\SWIFT.scr" /S
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Users\Admin\AppData\Local\Temp\SWIFT.scr
  "C:\Users\Admin\AppData\Local\Temp\SWIFT.scr" /S
  2⤵
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Program Files\Google\Chrome\Application\Chrome.exe
    --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --headless --remote-debugging-port=9222 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:1728
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc8,0xcc,0xd0,0x9c,0xd4,0x7fef6aa9758,0x7fef6aa9768,0x7fef6aa9778
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:640
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --mojo-platform-channel-handle=1104 --field-trial-handle=920,i,7175492906454018457,17296146600359037895,131072 --disable-features=PaintHolding /prefetch:8
      4⤵
      PID:1908
- - C:\Windows\SysWOW64\recover.exe
    C:\Windows\SysWOW64\recover.exe /stext "C:\Users\Admin\AppData\Local\Temp\pwcggwzamma"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2624
- - C:\Windows\SysWOW64\recover.exe
    C:\Windows\SysWOW64\recover.exe /stext "C:\Users\Admin\AppData\Local\Temp\ryhzgpjcausdjo"
    3⤵
    - Accesses Microsoft Outlook accounts
    - System Location Discovery: System Language Discovery
    PID:2840
- - C:\Windows\SysWOW64\recover.exe
    C:\Windows\SysWOW64\recover.exe /stext "C:\Users\Admin\AppData\Local\Temp\bsurhhuwoclqtukbs"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Modify Authentication Process

T1556

Privilege Escalation

Defense Evasion

Modify Authentication Process

T1556

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\metadata

Filesize
130B

MD5
318d2526d1ed706ca2336911d114da49

SHA1
fb8721e1d60a94ace5873c1dc295c58ea644bb61

SHA256
9f1582f86882bdae2d8d2ccd8045cb5c9d7bcfacb266ebb71984d316e6b5d2f6

SHA512
4a8b276479b11c0ac87e2cff79d5b0276035be1406966c7dd01cf11a6be2c338587cf3675084ab5aa357d7e9b95f095742ba7889828922e3ff09fc713696f7f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\reports\f83d9dde-7ebd-4f21-a63b-f4906d41f0e0.dmp

Filesize
630KB

MD5
bfb53735ded79443490c655195991d3e

SHA1
33a8cfb9a1096bc7f9eb81a08c97b7b14f468573

SHA256
ac3a457f9a80fbcb45f4585a82bcfff01aa393e562838b5f42eaba8928082e58

SHA512
50d8547686a631a47e29695d4e55942735537bd2f2bc2517e6aa36c97b666c03ca8276684fe1ff9be3f86a1bc36060f2df83de30f65328afa1815d980a76b94c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
40B

MD5
1989943585a1bcb90934d26a232ab4d5

SHA1
3fc0728fb29a9bbe28d690a6b9c6b49c0f32b657

SHA256
24f39acd1980c40e2dcef2be3f5e8e004627623961c09736f357e22814fec5fa

SHA512
29dc212a27ab1c45bc37e6e5aeb40124143338f81688ef3d6a7d340d8b4ed586a05dff12e69eb0dfd243ef9db9acbb11b7e01e54dc28b276730258dc029e2fae

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
40B

MD5
7aae29a591e494d95a87bc4b2c041989

SHA1
911d9325e79c63e03a3355e7a887418bbb47949c

SHA256
515f4281667ba41d107f9ed9d47ab7cef33dc7728b9731b7af7d13dc3dfe3704

SHA512
214d5d049f73eea0f679398900152c11108a84982507abd6f6be72cb3f5d493f880c0610facf948e77b26b0c63eec13360778e84b1498206c7f8d5a1b45c9afb

Download Submit
C:\Users\Admin\AppData\Local\Temp\pwcggwzamma

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\Users\Admin\AppData\Local\Temp\nse1141.tmp\System.dll

Filesize
11KB

MD5
a436db0c473a087eb61ff5c53c34ba27

SHA1
65ea67e424e75f5065132b539c8b2eda88aa0506

SHA256
75ed40311875312617d6711baed0be29fcaee71031ca27a8d308a72b15a51e49

SHA512
908f46a855480af6eacb2fb64de0e60b1e04bbb10b23992e2cf38a4cbebdcd7d3928c4c022d7ad9f7479265a8f426b93eef580afec95570e654c360d62f5e08d

Download Submit
memory/1924-75-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1924-74-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1924-73-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2080-18-0x0000000077211000-0x0000000077312000-memory.dmp

Filesize
1.0MB

Download
memory/2080-19-0x0000000077210000-0x00000000773B9000-memory.dmp

Filesize
1.7MB

Download
memory/2624-65-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2624-71-0x0000000077210000-0x00000000773B9000-memory.dmp

Filesize
1.7MB

Download
memory/2624-62-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2624-66-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2796-109-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/2796-107-0x0000000035DD0000-0x0000000035DE9000-memory.dmp

Filesize
100KB

Download
memory/2796-133-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/2796-132-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/2796-54-0x0000000035620000-0x0000000035654000-memory.dmp

Filesize
208KB

Download
memory/2796-131-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/2796-130-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/2796-51-0x0000000035620000-0x0000000035654000-memory.dmp

Filesize
208KB

Download
memory/2796-50-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/2796-48-0x00000000014F0000-0x000000000486D000-memory.dmp

Filesize
51.5MB

Download
memory/2796-45-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/2796-28-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/2796-21-0x0000000077210000-0x00000000773B9000-memory.dmp

Filesize
1.7MB

Download
memory/2796-20-0x00000000014F0000-0x000000000486D000-memory.dmp

Filesize
51.5MB

Download
memory/2796-104-0x0000000035DD0000-0x0000000035DE9000-memory.dmp

Filesize
100KB

Download
memory/2796-108-0x0000000035DD0000-0x0000000035DE9000-memory.dmp

Filesize
100KB

Download
memory/2796-111-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/2796-56-0x0000000077210000-0x00000000773B9000-memory.dmp

Filesize
1.7MB

Download
memory/2796-55-0x0000000035620000-0x0000000035654000-memory.dmp

Filesize
208KB

Download
memory/2796-110-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/2796-115-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/2796-113-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/2796-114-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/2796-112-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/2796-116-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/2796-117-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/2796-118-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/2796-119-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/2796-120-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/2796-121-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/2796-122-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/2796-123-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/2796-124-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/2796-128-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/2796-129-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/2840-69-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2840-70-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2840-67-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2840-68-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download