guloader | 2f423571a318924318504db10008bc4cc48afd550c59caf89b40a04c94a890f7

General

Target

rpayment.scr.exe
Size

701KB
Sample

250328-d2m71atk14
MD5

e7bbeae6c391accd957b6475dd5f0e63
SHA1

9460741f8eaff856a8163ad5a22c68dd24a0595e
SHA256

2f423571a318924318504db10008bc4cc48afd550c59caf89b40a04c94a890f7
SHA512

83feec2439997a2b9f7a2ae67966d7ab831d8eb9d8d8836746223b05c73e45e48cce3fc5d6ba420907e3c279ae2916d734b366829404786936cb93bc567f18d8
SSDEEP

12288:LR3BUIa3RVtFRe5L7lwvIuBUz3D46l0xFXc3gIwEL:V3GIQHY5vlI7Mnl0Pg73L

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

Host-2

C2

176.65.142.14:6060

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-HM3EZ8
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  rpayment.scr.exe
- Size
  
  701KB
- MD5
  
  e7bbeae6c391accd957b6475dd5f0e63
- SHA1
  
  9460741f8eaff856a8163ad5a22c68dd24a0595e
- SHA256
  
  2f423571a318924318504db10008bc4cc48afd550c59caf89b40a04c94a890f7
- SHA512
  
  83feec2439997a2b9f7a2ae67966d7ab831d8eb9d8d8836746223b05c73e45e48cce3fc5d6ba420907e3c279ae2916d734b366829404786936cb93bc567f18d8
- SSDEEP
  
  12288:LR3BUIa3RVtFRe5L7lwvIuBUz3D46l0xFXc3gIwEL:V3GIQHY5vlI7Mnl0Pg73L
Score

10^/10

guloader remcos host-2 collection credential_access discovery downloader rat spyware stealer
- Guloader family
  guloader
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Detected Nirsoft tools
  Free utilities often used by attackers which can steal passwords, product keys, etc.
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Uses browser remote debugging
  Can be used control the browser and steal sensitive information such as credentials and session cookies.
  credential_access stealer
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook accounts
  collection
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  a436db0c473a087eb61ff5c53c34ba27
- SHA1
  
  65ea67e424e75f5065132b539c8b2eda88aa0506
- SHA256
  
  75ed40311875312617d6711baed0be29fcaee71031ca27a8d308a72b15a51e49
- SHA512
  
  908f46a855480af6eacb2fb64de0e60b1e04bbb10b23992e2cf38a4cbebdcd7d3928c4c022d7ad9f7479265a8f426b93eef580afec95570e654c360d62f5e08d
- SSDEEP
  
  192:aVL7iZJX76BisO7+UZEw+Rl59pV8ghsVJ39dx8T:d7NsOpZsfLMJ39e
Score

3^/10

discovery
behavioral3 behavioral4