guloader | 7e485dc6c635c50959ccc4b529a1e8b039eca2c9b1a505c782430c48e9ad16c4

General

Target

DHL AWB and INV.scr.exe
Size

712KB
Sample

250330-xtwzqaxlv7
MD5

e3e28e486e93c0b27fe0453b9e038cb9
SHA1

08335cf5d72c462460627f02dc20773605d09e54
SHA256

7e485dc6c635c50959ccc4b529a1e8b039eca2c9b1a505c782430c48e9ad16c4
SHA512

eb9bf2827836a97b7cd439e9ec834e7a53e56655027b94ebaa4e8ad4de639871e65061f01f9626df3cb936f80be2cd1b316706a1aa2b2625ead6c74036efd147
SSDEEP

12288:LR3BUI4nAZlVqi3Zd9WAp7LE5/Bs+jqP4ARxlXzd46l0xFXc3gIwEL:V3GI4kVfZdsAC/Fo11nl0Pg73L

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

Host-2

C2

176.65.142.14:6060

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-HM3EZ8
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  DHL AWB and INV.scr.exe
- Size
  
  712KB
- MD5
  
  e3e28e486e93c0b27fe0453b9e038cb9
- SHA1
  
  08335cf5d72c462460627f02dc20773605d09e54
- SHA256
  
  7e485dc6c635c50959ccc4b529a1e8b039eca2c9b1a505c782430c48e9ad16c4
- SHA512
  
  eb9bf2827836a97b7cd439e9ec834e7a53e56655027b94ebaa4e8ad4de639871e65061f01f9626df3cb936f80be2cd1b316706a1aa2b2625ead6c74036efd147
- SSDEEP
  
  12288:LR3BUI4nAZlVqi3Zd9WAp7LE5/Bs+jqP4ARxlXzd46l0xFXc3gIwEL:V3GI4kVfZdsAC/Fo11nl0Pg73L
Score

10^/10

guloader remcos host-2 credential_access discovery downloader rat stealer
- Guloader family
  guloader
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Detected Nirsoft tools
  Free utilities often used by attackers which can steal passwords, product keys, etc.
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Uses browser remote debugging
  Can be used control the browser and steal sensitive information such as credentials and session cookies.
  credential_access stealer
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  a436db0c473a087eb61ff5c53c34ba27
- SHA1
  
  65ea67e424e75f5065132b539c8b2eda88aa0506
- SHA256
  
  75ed40311875312617d6711baed0be29fcaee71031ca27a8d308a72b15a51e49
- SHA512
  
  908f46a855480af6eacb2fb64de0e60b1e04bbb10b23992e2cf38a4cbebdcd7d3928c4c022d7ad9f7479265a8f426b93eef580afec95570e654c360d62f5e08d
- SSDEEP
  
  192:aVL7iZJX76BisO7+UZEw+Rl59pV8ghsVJ39dx8T:d7NsOpZsfLMJ39e
Score

3^/10

discovery
behavioral3 behavioral4