guloader | 9afdb7400c9c3d7dfe2fa696ac8d95e2049f1a3367cc3345848ce91f40928bb1

Analysis

max time kernel
39s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
03/04/2025, 23:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Employee Performance Report_pdf.exe
Size

905KB
MD5

4d936712b148d8e083aa300c2cb722da
SHA1

4b6f6d71140b8df5cdb952ef24ca8caac8b58b9b
SHA256

9afdb7400c9c3d7dfe2fa696ac8d95e2049f1a3367cc3345848ce91f40928bb1
SHA512

17cf1f6d30b7d86e3dda497d9f75a954b63d369a2bd6fdbd7d5efe2a94b43184186e312fc96e748f96ea50caab65efe5765f9e16b4de57942f4af82adab2a6e2
SSDEEP

24576:xYi54ltxFsaopF0YL1uPkQWNRIyE2mPcd:OJDFsaopFt1OkTD

Score

10^/10

guloader remcos remotehost discovery downloader persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

127.0.0.1:2404

196.251.93.4:2404

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-LQXWP4
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Guloader family
guloader
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	Employee Performance Report_pdf.exe

Executes dropped EXE 3 IoCs

pid	Process
2040	remcos.exe
4400	remcos.exe
4384	remcos.exe

Loads dropped DLL 4 IoCs

pid	Process
1352	Employee Performance Report_pdf.exe
1352	Employee Performance Report_pdf.exe
2040	remcos.exe
2040	remcos.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-LQXWP4 = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	Employee Performance Report_pdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-LQXWP4 = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	Employee Performance Report_pdf.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
27	drive.google.com
26	drive.google.com

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2996	Employee Performance Report_pdf.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1352	Employee Performance Report_pdf.exe
2996	Employee Performance Report_pdf.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\resources\remediers\acrogamous.ini	Employee Performance Report_pdf.exe
File opened for modification	C:\Windows\resources\remediers\acrogamous.ini	remcos.exe
File opened for modification	C:\Windows\resources\remediers\acrogamous.ini	remcos.exe
File opened for modification	C:\Windows\resources\remediers\acrogamous.ini	remcos.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4812	2040	WerFault.exe	104
380	2040	WerFault.exe	104

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Employee Performance Report_pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Employee Performance Report_pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1352	Employee Performance Report_pdf.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1352 wrote to memory of 2996	1352	Employee Performance Report_pdf.exe	97
PID 1352 wrote to memory of 2996	1352	Employee Performance Report_pdf.exe	97
PID 1352 wrote to memory of 2996	1352	Employee Performance Report_pdf.exe	97
PID 1352 wrote to memory of 2996	1352	Employee Performance Report_pdf.exe	97
PID 2996 wrote to memory of 2040	2996	Employee Performance Report_pdf.exe	104
PID 2996 wrote to memory of 2040	2996	Employee Performance Report_pdf.exe	104
PID 2996 wrote to memory of 2040	2996	Employee Performance Report_pdf.exe	104
PID 2404 wrote to memory of 4400	2404	cmd.exe	105
PID 2404 wrote to memory of 4400	2404	cmd.exe	105
PID 2404 wrote to memory of 4400	2404	cmd.exe	105
PID 1612 wrote to memory of 4384	1612	cmd.exe	106
PID 1612 wrote to memory of 4384	1612	cmd.exe	106
PID 1612 wrote to memory of 4384	1612	cmd.exe	106

C:\Users\Admin\AppData\Local\Temp\Employee Performance Report_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Employee Performance Report_pdf.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Users\Admin\AppData\Local\Temp\Employee Performance Report_pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\Employee Performance Report_pdf.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\ProgramData\Remcos\remcos.exe
    "C:\ProgramData\Remcos\remcos.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2040
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 1080
      4⤵
      Program crash
      PID:4812
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 1080
      4⤵
      Program crash
      PID:380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\Remcos\remcos.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2404
- C:\ProgramData\Remcos\remcos.exe
  C:\ProgramData\Remcos\remcos.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:4400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\Remcos\remcos.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1612
- C:\ProgramData\Remcos\remcos.exe
  C:\ProgramData\Remcos\remcos.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:4384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2040 -ip 2040
1⤵
PID:3652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2040 -ip 2040
1⤵
PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Remcos\remcos.exe

Filesize
905KB

MD5
4d936712b148d8e083aa300c2cb722da

SHA1
4b6f6d71140b8df5cdb952ef24ca8caac8b58b9b

SHA256
9afdb7400c9c3d7dfe2fa696ac8d95e2049f1a3367cc3345848ce91f40928bb1

SHA512
17cf1f6d30b7d86e3dda497d9f75a954b63d369a2bd6fdbd7d5efe2a94b43184186e312fc96e748f96ea50caab65efe5765f9e16b4de57942f4af82adab2a6e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx73F9.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\backened\sortbrsernes\Borides.gyp

Filesize
1.8MB

MD5
280c940547895f82278ba8b491e0ca3b

SHA1
de09b3999636cca42be716952d97547e72bd5890

SHA256
1d7a813a18eec9478655b63429c790814f78cd64cce71752aea3362f0a55a531

SHA512
d28c4de5d7c7a90973f23aa2e1e828a329909f8eb06172b5a71360716f4175344ee0af9c544ec1813290eff0cf1e8e298aaf29b91121edd667b49090b02451af

Download Submit
C:\Users\Admin\backened\sortbrsernes\Presartorial46.uns

Filesize
5.0MB

MD5
413b591e9885e895f1d5e94773ef0867

SHA1
4a848b2a5f59d96b3d41ccadb83331e4c22c85ef

SHA256
c51e2d1237b398a16ec5248ce0ef977ad53d423bd4d077d8f38740cb1f01be81

SHA512
602a5fda2ed4dd97f45c4bf694690a216a01e8e1a3cb640d5f2973f40230a7ec4a842bafcd0578f475cbecc2026af623e58a6fd9ebcadad9367b5cb804487164

Download Submit
C:\Users\Admin\backened\sortbrsernes\Skaalvgtene233.ini

Filesize
723B

MD5
521d3e04c0ada487398e9f6aeb2e6816

SHA1
cecb639806ecda68d61a8a109d271f0477529f9f

SHA256
f09817127dcf211117a78f613a75e45547d4d968dba6fdf0e3c0979d8f71cb56

SHA512
31e389fd52817e24c3eaefec747cf0dcd5520c36faaa7cf8199e7f7134d71674e242632d52899a708adf50b839f01859d45914d17e0e84f69cfb633a5ea5fe91

Download Submit
C:\Users\Admin\backened\sortbrsernes\Skyggelgningens.Reu

Filesize
108KB

MD5
fcba4e408272941c7df6a6cc986e556b

SHA1
107543088906ed8fac0a1afa5c16bc52fb65c320

SHA256
2f5fe423dafd510c768102e5790e61edd08fc82abcf33dfea0eb07025c56e0df

SHA512
061efb288fcbcd17bfac2019360eb7a9545fa2db4c78105c33bf94d8ad1e446a6288bf84d42329e1a6d9b8f5c89e2db2dd49d1ad2ed08b04d337d8ade2a1b67f

Download Submit
C:\Users\Admin\backened\sortbrsernes\Synge.pha

Filesize
332KB

MD5
4ca012f6e0836b3f9bd9b89c7f3563d0

SHA1
33bed803317768f2ddbb3e48eff638fcd9a31c5a

SHA256
621ce10ae5e19d7c9c65af6cb298ccea91f63674315540e49d7da325c95488d0

SHA512
4121885f340ea362f0e74fee1b1925e0a5e1a990d5af86f4bbaaf2a7672db54332395ef5cfd48dbee448b5312b586bb1931ae4c6c38b6ed3f9ddb4c5418200a4

Download Submit
C:\Users\Admin\backened\sortbrsernes\Synge.pha

Filesize
64KB

MD5
206c9ad60f99b7e25befeede1caf1437

SHA1
56bcc5f02945cd4bd284940f40ead1b086766e1b

SHA256
0ec9091b0e178d96769d66b3a535b09320c58056ef987640e6478ac619338347

SHA512
abcd8f09ab9abe05384d1d369cf9005937fa2b8b4f39e3a1c20df09241ae7beb683f6f3175c637a93e350a0150940b60f9a877c6eb0609bd9d1ac5f818fded97

Download Submit
C:\Users\Admin\backened\sortbrsernes\Viraginian60.ini

Filesize
274B

MD5
774b4f6e7a479b6587b32839d401315a

SHA1
d6ff8e3ef70c9e1508a1580141473429accac683

SHA256
c42c517f14225917950dd31e50b41d27964fb253b0df5feb9656b3fb2c74d0bc

SHA512
84a69e795c3db4aa60a85e89876dc028d6133951b1ecd92958501c3655549f6a0e1acd844799dda5f74c0e97aab920cf04a28179f1e9e992c7d8feadaafb058a

Download Submit
C:\Users\Admin\backened\sortbrsernes\beherskelsens.txt

Filesize
570B

MD5
421d918a12dc45d2e7422c01b1bf95d2

SHA1
3404289e70a2d1e8835b907a3d649ee6b017de53

SHA256
47d310e73e8abeb226c323039d2d53a0b461a2e32ca9576b6301a1b5b2692ea5

SHA512
6fdb1fab4e72949d0ab6ef8142daaad1f655206dcd6d3b93d060d269815e5151c5253f1c2352a1c0a8895e120b8f2fafb0d2440cb870165f319c7beb2b41ce26

Download Submit
C:\Users\Admin\backened\sortbrsernes\jomfruklostres.apa

Filesize
1.0MB

MD5
4448acd2075939cc171657c23d4b1e95

SHA1
a6091ea16760786e89c8884555a70b01a4cae71a

SHA256
293603f6df16d20d6f8fc3d2f87151c06c8fd7fcdbc1c412b3ebfc28d59a5362

SHA512
566328d3f5651182ba12c882e00a13f1dc140d0e5a192e216f220befbfaad124721aade41a5db584884b9c61d9f1e3704fd7ea480612d003694677244e0110bb

Download Submit
C:\Users\Admin\backened\sortbrsernes\laboratorieplanlgnings.jpg

Filesize
74B

MD5
1f48026df6e9e4aebc2867cb2a07a07d

SHA1
8098b69100ff43d1df93d7d42fead7a6aebe7638

SHA256
994252c8960cf2a4008c57bb64c39a18937638230293db1ca2cbc7bc63fc8ba5

SHA512
4edb34ee05c85efa311df528adc8954273fdfd6ad563aea480befee9e100e79f9492de3f26fd69ebd4bc510096866092dc24213835281d91bf8a9c536a725149

Download Submit
C:\Users\Admin\backened\sortbrsernes\polycrotic.ini

Filesize
241B

MD5
332557d4882406795332b1828ee1e295

SHA1
560b8b6e96b5f137e1b49c846e2b9f11b1ea7b5b

SHA256
c39f2442c24506ff034b53c4b74987938252f924129c0d81880f440494c53854

SHA512
1925658974f1e56b45901f74776763a424ca4d8427b942624ddc4f429c2967b207762842cfdff796c2f28f65a52c8e4c2b918a972bb837fd4098da42ce4aa945

Download Submit
C:\Users\Admin\backened\sortbrsernes\transceiving.txt

Filesize
824B

MD5
7c2251eaf838790f5f13f5b29562ca21

SHA1
e58fd2aa500c7579d2322264a36c61434dc5df3b

SHA256
72927168d253c69470378cc6a869a9322ce59c43d5e7c08f9998a63c5777f475

SHA512
c5199a866e1b3593e09e5ad69200dd0b74b767596e2edceac16a3e48a047bdaef04fffeb7047e8a4ec1960eff6b4fd16b17bfd13b620bd0158b5a68d21697daf

Download Submit
C:\Users\Admin\backened\sortbrsernes\trenchcoatens.txt

Filesize
481B

MD5
15adb78023108e5304ab366f6de65ed8

SHA1
ba85dbca21212792b28de4e9a66ef54acf637441

SHA256
5170e091aa2ffb8e4304e174c4cd0e9f397d357d5cf0d9c0471eb29965c20ab8

SHA512
a885fe9cb1c5ce284682ff46b9d3ef46db75f977ecc6823826d8b94512f517857d35d847402ca58a9581594f36f907c0a8dd09a3148696b3a6dd58e2c9a176ad

Download Submit
C:\Users\Admin\backened\sortbrsernes\velbegavet.enr

Filesize
4.5MB

MD5
ceb67b6101139270134b8a7d6bebb14b

SHA1
1cbbdcefb20e0247f013b67566931fb15d56550b

SHA256
2d83dc965778ef7f217017e96ab8f6547484efbbad80e1cda0ccc98aa756a3ee

SHA512
396bb6a0b127341537f16d8149057f2f485e0e6ecf6e60ca5535e8b977b65c387e848879c010ca51ca08965a19156dc45afffc43ef108d1dff6b5bf831315c51

Download Submit
memory/1352-24-0x0000000074935000-0x0000000074936000-memory.dmp

Filesize
4KB

Download
memory/1352-23-0x0000000077C41000-0x0000000077D61000-memory.dmp

Filesize
1.1MB

Download
memory/2996-28-0x0000000077CE5000-0x0000000077CE6000-memory.dmp

Filesize
4KB

Download
memory/2996-44-0x0000000001700000-0x000000000720B000-memory.dmp

Filesize
91.0MB

Download
memory/2996-53-0x00000000004A0000-0x00000000016F4000-memory.dmp

Filesize
18.3MB

Download
memory/2996-55-0x0000000077C41000-0x0000000077D61000-memory.dmp

Filesize
1.1MB

Download
memory/2996-42-0x0000000077C41000-0x0000000077D61000-memory.dmp

Filesize
1.1MB

Download
memory/2996-38-0x00000000004A0000-0x00000000016F4000-memory.dmp

Filesize
18.3MB

Download
memory/2996-27-0x0000000077CC8000-0x0000000077CC9000-memory.dmp

Filesize
4KB

Download
memory/2996-26-0x0000000077C41000-0x0000000077D61000-memory.dmp

Filesize
1.1MB

Download
memory/2996-25-0x0000000001700000-0x000000000720B000-memory.dmp

Filesize
91.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads