guloader | bb80103ac259b0a260fe3fabea6c6ceedf4286f43b24665a9ec30bc1b19bd267

Analysis

max time kernel
39s
max time network
46s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2025, 05:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Files/0018f4feb99c7f12c3f5bfe53998c3c6ca7e2908f666f44a93f914c8c41c588a.exe
Size

988KB
MD5

f88d5cdc31b3c12a7229e96282dfeab2
SHA1

dd00a7281c5398b8db7a7a1f2f5168cb9eed4201
SHA256

0018f4feb99c7f12c3f5bfe53998c3c6ca7e2908f666f44a93f914c8c41c588a
SHA512

7969dcb95cb1f0e5ed15ebee31cc396186f874b80edb3a91b77b89a42f04080627d74db7455a2ba9d9732b1343b9729ee7f34e05282782fbdd6098748f5c19ce
SSDEEP

24576:rkhXHlJvh3QVsBNxJdN5dN+PMjyFOO8n/ebLPNB0AP:rq7phNJld0PMjyIx/ebLb02

Score

10^/10

guloader remcos remotehost discovery downloader persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

127.0.0.1:2404

196.251.80.28:2404

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-4U257D
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Guloader family
guloader
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	0018f4feb99c7f12c3f5bfe53998c3c6ca7e2908f666f44a93f914c8c41c588a.exe

Loads dropped DLL 2 IoCs

pid	Process
2928	0018f4feb99c7f12c3f5bfe53998c3c6ca7e2908f666f44a93f914c8c41c588a.exe
2928	0018f4feb99c7f12c3f5bfe53998c3c6ca7e2908f666f44a93f914c8c41c588a.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-4U257D = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	0018f4feb99c7f12c3f5bfe53998c3c6ca7e2908f666f44a93f914c8c41c588a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-4U257D = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	0018f4feb99c7f12c3f5bfe53998c3c6ca7e2908f666f44a93f914c8c41c588a.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
43	drive.google.com
44	drive.google.com

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
1456	0018f4feb99c7f12c3f5bfe53998c3c6ca7e2908f666f44a93f914c8c41c588a.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2928	0018f4feb99c7f12c3f5bfe53998c3c6ca7e2908f666f44a93f914c8c41c588a.exe
1456	0018f4feb99c7f12c3f5bfe53998c3c6ca7e2908f666f44a93f914c8c41c588a.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\bouts.ini	0018f4feb99c7f12c3f5bfe53998c3c6ca7e2908f666f44a93f914c8c41c588a.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Sharer.cam	0018f4feb99c7f12c3f5bfe53998c3c6ca7e2908f666f44a93f914c8c41c588a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0018f4feb99c7f12c3f5bfe53998c3c6ca7e2908f666f44a93f914c8c41c588a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0018f4feb99c7f12c3f5bfe53998c3c6ca7e2908f666f44a93f914c8c41c588a.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2928	0018f4feb99c7f12c3f5bfe53998c3c6ca7e2908f666f44a93f914c8c41c588a.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2928 wrote to memory of 1456	2928	0018f4feb99c7f12c3f5bfe53998c3c6ca7e2908f666f44a93f914c8c41c588a.exe	95
PID 2928 wrote to memory of 1456	2928	0018f4feb99c7f12c3f5bfe53998c3c6ca7e2908f666f44a93f914c8c41c588a.exe	95
PID 2928 wrote to memory of 1456	2928	0018f4feb99c7f12c3f5bfe53998c3c6ca7e2908f666f44a93f914c8c41c588a.exe	95
PID 2928 wrote to memory of 1456	2928	0018f4feb99c7f12c3f5bfe53998c3c6ca7e2908f666f44a93f914c8c41c588a.exe	95

C:\Users\Admin\AppData\Local\Temp\Files\0018f4feb99c7f12c3f5bfe53998c3c6ca7e2908f666f44a93f914c8c41c588a.exe
"C:\Users\Admin\AppData\Local\Temp\Files\0018f4feb99c7f12c3f5bfe53998c3c6ca7e2908f666f44a93f914c8c41c588a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2928
- C:\Users\Admin\AppData\Local\Temp\Files\0018f4feb99c7f12c3f5bfe53998c3c6ca7e2908f666f44a93f914c8c41c588a.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\0018f4feb99c7f12c3f5bfe53998c3c6ca7e2908f666f44a93f914c8c41c588a.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  PID:1456
- - C:\ProgramData\Remcos\remcos.exe
    "C:\ProgramData\Remcos\remcos.exe"
    3⤵
    PID:4824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\Remcos\remcos.exe"
1⤵
PID:4996
- C:\ProgramData\Remcos\remcos.exe
  C:\ProgramData\Remcos\remcos.exe
  2⤵
  PID:3148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\Remcos\remcos.exe"
1⤵
PID:4320
- C:\ProgramData\Remcos\remcos.exe
  C:\ProgramData\Remcos\remcos.exe
  2⤵
  PID:5108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\bouts.ini

Filesize
34B

MD5
c5b6ed57c78f93e1200a2b7f05af4d89

SHA1
299326b64ab38fc50affed801b2959427e3b3853

SHA256
70e7c4f9534d3ef250f0e2ad5cd2b68fba8eccba9e7d311e0c2ed08e6f340d5f

SHA512
1895a78aa7c10c0642bbad00f82a5f869a1afa0581ff7d0e3fcd9070789c09d8bee216319ae3f5da5283bd9eb5c82fd8d1076f488f4ecd6b2b63e217f91b6a7e

Download Submit
C:\ProgramData\Remcos\remcos.exe

Filesize
988KB

MD5
f88d5cdc31b3c12a7229e96282dfeab2

SHA1
dd00a7281c5398b8db7a7a1f2f5168cb9eed4201

SHA256
0018f4feb99c7f12c3f5bfe53998c3c6ca7e2908f666f44a93f914c8c41c588a

SHA512
7969dcb95cb1f0e5ed15ebee31cc396186f874b80edb3a91b77b89a42f04080627d74db7455a2ba9d9732b1343b9729ee7f34e05282782fbdd6098748f5c19ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszD1B9.tmp\System.dll

Filesize
11KB

MD5
ee260c45e97b62a5e42f17460d406068

SHA1
df35f6300a03c4d3d3bd69752574426296b78695

SHA256
e94a1f7bcd7e0d532b660d0af468eb3321536c3efdca265e61f9ec174b1aef27

SHA512
a98f350d17c9057f33e5847462a87d59cbf2aaeda7f6299b0d49bb455e484ce4660c12d2eb8c4a0d21df523e729222bbd6c820bf25b081bc7478152515b414b3

Download Submit
C:\Users\Admin\skattekistes.lnk

Filesize
978B

MD5
550c2c709c1f2bef9060addc9adc14fe

SHA1
416c5ce37d90abdc73e128189d5165aee661fc74

SHA256
dbadb2fa73e7bd75b75093bfdbc65f3ce54b06404f78e8b520f4370975b44f35

SHA512
f1bad70fd725c6e98a5974bcd4325e47d89ebf3e927da7d3e31b390115e11db80d953d0508c7defcae5dd5e2ed0284414829fb6ffa6689d1572e51e747877998

Download Submit
C:\Users\Admin\subgroups\removers\Cretics.Bru

Filesize
55KB

MD5
71d1f169b53bcd89b707db09f3644e10

SHA1
ba0f2acdbed16976b9eed73ecef6550a3c757140

SHA256
678bacc92f186ac64984a8b30977dc20d7f93860f9971548e2ff40343c19e2b5

SHA512
eadc6e96640625c004f78053d0d531634aa548cf06247a8632bc1986294cbfcd87bd218c296a6ae31c77c888825db263382c48bc287a92dfc06901fe37759696

Download Submit
C:\Users\Admin\subgroups\removers\Gformet.Sve

Filesize
365KB

MD5
79595450b13b674797651c41d2cbd277

SHA1
dc051e07060137bb7946999d7e84e59540200a6e

SHA256
5cd76f417cee47e718cd68818e79927c08b73a5856f99d626b961a19d2bd3c3f

SHA512
ca192c9e66df05afd96dc44954e1cdbd7b78e43351ccfcdf10604bf680e61b48a7222e90676bc5908c719bf7b4929c94338a03e71df101ecfb04abe8e4beecc4

Download Submit
C:\Users\Admin\subgroups\removers\Gravmles56.jpg

Filesize
41KB

MD5
453d781111e7b91b658ac790c04110c8

SHA1
8a3f0ae328bde4710bff830248069ab55dd33cff

SHA256
e42c92700f1675b86fdb7b11647c618cd643b06cccec6f0f69370d015b368c53

SHA512
6f9664cd51033bea080f53d72032587574e97e3039759c40ecd3069f5f544d0a2b24e5d5acadefdb57cff9d43d91a5472b2650b423ebd865cdf39306b8dd6fde

Download Submit
C:\Users\Admin\subgroups\removers\annicut.jpg

Filesize
63KB

MD5
8375633e69b5c59e8d423e7793d243af

SHA1
6b07aceee1caa95a662448b6187211b0229c77b9

SHA256
855fb2d922426885736d794b8c0562ededc07d539a11f48d38bd854baa9b0ae3

SHA512
3ab354886e431cab67ce28ac05cd660493c389695000e3433c3cf7b0ab061ab2f407db4ffc88972f53a5c642a0f8c8cf87f4571d062fc70f68b052b806300fda

Download Submit
C:\Users\Admin\subgroups\removers\augsburg.ini

Filesize
724B

MD5
3c5b5e6fbd99bd2ea8428f2575c3c6c5

SHA1
de1a70b0940697732049df888c26c8be6400486c

SHA256
8fc19984ebcf318b3c3e4b254fe5d88e49701ad23726ad91077d345547e22616

SHA512
4a56f3bd8589cb027c1aab173f350f656bf761002fcc3699447125ea550780954558929aecfb4fec5a03642df0d61005ca0986982ef26cbf54a59fa3b60bf9a0

Download Submit
C:\Users\Admin\subgroups\removers\batiks.cen

Filesize
64KB

MD5
644317d7a32c3566e78ff19c39f6d3b8

SHA1
a45d151ca28401c0de79a0801e816820b2cb46a9

SHA256
b36a03841b837fbb5d979ffdba5b752e1ca1d43bb5e675e2a5a86616002243c3

SHA512
bff69f3f29a050fdbaf36e3c239650996dfe49123624754feb59b97cb314e4c16031042e11fc377355d837eaf202e0ee0aa0c313622dc7e475bf7a62dea53cfc

Download Submit
C:\Users\Admin\subgroups\removers\batiks.cen

Filesize
6.9MB

MD5
3d566465a43c2dde384b9e9fad8cdcb4

SHA1
7c82cfe2c9502a638ffa4741e7c49c124928a926

SHA256
e747cf908a51328e5c6bbb3ac9bf7fc7dfec2985652a1372b08b512f95d14fb2

SHA512
4649965dfae9c3ac3ba08b455e84bc809c8fc5d54181935f3d484b4307c97c935799ececa5fc15f348846a259b1cf3a2e7fa21283e4b371e7bf4faf533b24028

Download Submit
C:\Users\Admin\subgroups\removers\byvaabnernes.jpg

Filesize
2KB

MD5
d88d96c8733018f33e3834b11e173565

SHA1
efde5014d4096a4274583341b6c28d9377634391

SHA256
23dfd1f42c2e6ca766e7502c8a4e525e82541c0e9d3ec24b8b84cd28af5493d3

SHA512
3f4e62ace3474c530b62477a32ace67a0db49c70fae37621c2beed4fd6a20f30c65c177b7335c16a8118f16727856104f334a7d3b33aa376891bdbbed71ddd17

Download Submit
C:\Users\Admin\subgroups\removers\grazing.ini

Filesize
389B

MD5
a163e287f4737c3d8cd2784bbe7394f8

SHA1
41da261fdd6bbd689e54e3c7ac9ab6d4b50990c2

SHA256
237210000635b097f12ea590cbfb6b6d5eee341f492574cd08e634cc3ddd41c9

SHA512
fd3d62d2110abd0098e5a28d05d78b5d7e06f61773bba0e115fb613bebf558f2f87385551f256859cab220608f42decb1ab92f6155d211bf9ce63331672ebb14

Download Submit
C:\Users\Admin\subgroups\removers\lmarkeds.rot

Filesize
6.6MB

MD5
8f924d04bc60e8128b3641c465be2d93

SHA1
357be92f59b208db8e5e0b242b9953783d13e9a0

SHA256
40c58cd8ac6fa470b51517e09c31c453910bd675548721d98a86e782ae54cab3

SHA512
ee7bc90ad0f6f2cd3a2d3612c0be52d4d9137dcfe3c7fc15c9a59897bf474a6f21d54a22b3e47eda51d4551e66413b396a59fd5650cc7058370cb6a8e94087ac

Download Submit
memory/1456-313-0x00000000016D0000-0x000000000363B000-memory.dmp

Filesize
31.4MB

Download
memory/1456-323-0x0000000000470000-0x00000000016C4000-memory.dmp

Filesize
18.3MB

Download
memory/1456-308-0x0000000000470000-0x00000000016C4000-memory.dmp

Filesize
18.3MB

Download
memory/1456-298-0x00000000016D0000-0x000000000363B000-memory.dmp

Filesize
31.4MB

Download
memory/2928-293-0x0000000077631000-0x0000000077751000-memory.dmp

Filesize
1.1MB

Download
memory/2928-292-0x0000000003270000-0x00000000051DB000-memory.dmp

Filesize
31.4MB

Download
memory/2928-291-0x0000000003270000-0x00000000051DB000-memory.dmp

Filesize
31.4MB

Download
memory/2928-294-0x0000000077631000-0x0000000077751000-memory.dmp

Filesize
1.1MB

Download
memory/2928-295-0x0000000010004000-0x0000000010005000-memory.dmp

Filesize
4KB

Download
memory/2928-297-0x0000000003270000-0x00000000051DB000-memory.dmp

Filesize
31.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads