guloader | 7d467f539d901aff827ae34f26fcadb232318cde5a1e76fb2283664e968fbb18

Analysis

max time kernel
31s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
03/04/2025, 00:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SalaryIncrement_pdf.exe
Size

873KB
MD5

82661a36b40f6141d10a5561fe037475
SHA1

8e87b0db80746d9accd610448df36211c0623ff4
SHA256

7d467f539d901aff827ae34f26fcadb232318cde5a1e76fb2283664e968fbb18
SHA512

90a173f4749ac4a00d49641629801830d5e60d33aff5404315407885777c703e2b690a0b83f776e9e546ed447b7829ed27e3c3e79dd9ca43e70b79af3b0ffb2c
SSDEEP

24576:9NJ+8FbCssFhmUUo551pLVlu3nbKYWJfScJ81uO:7pZCPFco551pLy3b0J81p

Score

10^/10

guloader remcos remotehost discovery downloader persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

196.251.86.105:2404

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-MJDICZ
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Guloader family
guloader
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	SalaryIncrement_pdf.exe

Executes dropped EXE 3 IoCs

pid	Process
5376	remcos.exe
5796	remcos.exe
2104	remcos.exe

Loads dropped DLL 4 IoCs

pid	Process
1884	SalaryIncrement_pdf.exe
1884	SalaryIncrement_pdf.exe
5796	remcos.exe
5796	remcos.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-MJDICZ = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	SalaryIncrement_pdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-MJDICZ = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	SalaryIncrement_pdf.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
28	drive.google.com
29	drive.google.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Gouramis\Avischikane.ini	SalaryIncrement_pdf.exe
File opened for modification	C:\Windows\SysWOW64\Gouramis\Avischikane.ini	remcos.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
4768	SalaryIncrement_pdf.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1884	SalaryIncrement_pdf.exe
4768	SalaryIncrement_pdf.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\poiser.gif	remcos.exe
File opened for modification	C:\Program Files (x86)\Common Files\poiser.gif	SalaryIncrement_pdf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SalaryIncrement_pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SalaryIncrement_pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1884	SalaryIncrement_pdf.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1884 wrote to memory of 4768	1884	SalaryIncrement_pdf.exe	96
PID 1884 wrote to memory of 4768	1884	SalaryIncrement_pdf.exe	96
PID 1884 wrote to memory of 4768	1884	SalaryIncrement_pdf.exe	96
PID 1884 wrote to memory of 4768	1884	SalaryIncrement_pdf.exe	96
PID 3696 wrote to memory of 5376	3696	cmd.exe	102
PID 3696 wrote to memory of 5376	3696	cmd.exe	102
PID 3696 wrote to memory of 5376	3696	cmd.exe	102
PID 4768 wrote to memory of 5796	4768	SalaryIncrement_pdf.exe	103
PID 4768 wrote to memory of 5796	4768	SalaryIncrement_pdf.exe	103
PID 4768 wrote to memory of 5796	4768	SalaryIncrement_pdf.exe	103
PID 3976 wrote to memory of 2104	3976	cmd.exe	104
PID 3976 wrote to memory of 2104	3976	cmd.exe	104
PID 3976 wrote to memory of 2104	3976	cmd.exe	104

C:\Users\Admin\AppData\Local\Temp\SalaryIncrement_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\SalaryIncrement_pdf.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1884
- C:\Users\Admin\AppData\Local\Temp\SalaryIncrement_pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\SalaryIncrement_pdf.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4768
- - C:\ProgramData\Remcos\remcos.exe
    "C:\ProgramData\Remcos\remcos.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:5796
  - - C:\ProgramData\Remcos\remcos.exe
      "C:\ProgramData\Remcos\remcos.exe"
      4⤵
      PID:1216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\Remcos\remcos.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3696
- C:\ProgramData\Remcos\remcos.exe
  C:\ProgramData\Remcos\remcos.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\Remcos\remcos.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3976
- C:\ProgramData\Remcos\remcos.exe
  C:\ProgramData\Remcos\remcos.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Remcos\remcos.exe

Filesize
873KB

MD5
82661a36b40f6141d10a5561fe037475

SHA1
8e87b0db80746d9accd610448df36211c0623ff4

SHA256
7d467f539d901aff827ae34f26fcadb232318cde5a1e76fb2283664e968fbb18

SHA512
90a173f4749ac4a00d49641629801830d5e60d33aff5404315407885777c703e2b690a0b83f776e9e546ed447b7829ed27e3c3e79dd9ca43e70b79af3b0ffb2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv6216.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\biofysikken\normalforbrug\telefonsamtaler\Answer.Duk

Filesize
320KB

MD5
a308bba90d04ab5e09665d258fb0842d

SHA1
d407c2c981e1209b6fda8a4dde52c5cfd038f933

SHA256
74c4d88822cddd6ed7b5e44d8fc1109245526d0d68bf28b1812217197cc2f2ff

SHA512
4314f8d101c08c63eeb543358eae8297dfbff8379f2decc049fa1975ffc969c958d4cbd8156f770b9760ba356c6a397e7fa1f882efa38ff0e2f2a274a56983ad

Download Submit
C:\Users\Admin\biofysikken\normalforbrug\telefonsamtaler\Carapaces\Erklringerne53\kapverdisk.jpg

Filesize
16KB

MD5
d7f21c78cb22ab07631b2e94e05075ca

SHA1
1998dd45a4c3e3a07666fc0919c12b438d410841

SHA256
09412b0e1ede1de932f738a172d095795f25a8b84d5c5fab16d10026a099133c

SHA512
c1de5500d123a1fbd8cce8f4e592e28444a711f8ba2474f3bf36e46e10927884463437fd114cd09c0b38ee75bc7f7917d7bb87deb907d82e66b623368cdbddcb

Download Submit
C:\Users\Admin\biofysikken\normalforbrug\telefonsamtaler\Carapaces\Erklringerne53\loveliest.eks

Filesize
256KB

MD5
c7653b5fa1787c1c91fbf8dc049445ce

SHA1
3bfe841d2eae36ab681d7b352c4074c9962d8f6b

SHA256
2b3c83ebb0e9aedbefe97979aa09750fe9505c85827c1167890c402f9e33edbf

SHA512
0344de1eee2ae4b2e79261003b6e9b681094a7fb9d86f84d0ea570f562e1599b62fed8a383cc78e1ab32d8ed03ebd718e21d67496714f0c7862973576336fa17

Download Submit
C:\Users\Admin\biofysikken\normalforbrug\telefonsamtaler\Carapaces\Erklringerne53\metodelre.jpg

Filesize
31KB

MD5
538595b17124823fbb48f6e527dc4497

SHA1
ce30029d7e72d841c4648f2e4db039b80cd9ce0d

SHA256
6990f44988cfa65b65f474a2c4926e8ad13801a8261cad3bb847599358db2a6d

SHA512
15432dee6cd5e3b8070a554f3ecd8e2051b3e7543c761ff18a623003c540e0715d817aba88bf96e39a5d588e73bb6b81575213b291ad86ae2bec73bc88047bc1

Download Submit
C:\Users\Admin\biofysikken\normalforbrug\telefonsamtaler\Carapaces\Erklringerne53\puttying.lew

Filesize
3.4MB

MD5
c61ec410e3c009da9aaa3674909aabf8

SHA1
fea2d5f964c8ba801306553f0115d670b1bfa47f

SHA256
fd6ffccda7089c8c7beb563e11acbe2d9d52934dbdeccadcc616a36bc0ad2b49

SHA512
a54482bec2b979e2bfc1d97b4422b7f7c1b2349a835299a117dc2827b56f2dde1c7b842970e89e58e5a26f58338350ff79ea3853630e1e3c6c0ff83313b36920

Download Submit
C:\Users\Admin\biofysikken\normalforbrug\telefonsamtaler\Carapaces\Erklringerne53\quintuples.cof

Filesize
5.6MB

MD5
461a71fc1acffa01db981ff40f7f4b31

SHA1
18bb78bc1efafd0b9e1314330ca7e18da1025da4

SHA256
5b98f76cac953b3f660f8ef9d8cec1b6e7134bacbff9d941e8b493600c203ecc

SHA512
f3cec0bf800c0f9bf2903f7cab3cabea8e9d511a2fd098e07ee9905aaec102e2c765f29be432452bf189f90979f7ffcb3beede92ec79c952ef46cec9a01b781c

Download Submit
C:\Users\Admin\biofysikken\normalforbrug\telefonsamtaler\Carapaces\Samfundshensyn.ini

Filesize
368B

MD5
d1865736000f53f0426efbf40d5edd8f

SHA1
992cf5f55a56291bd89cc75edfa7559f2e23324f

SHA256
17a84aa454d65aa7bcac8545c172603675e685467511ecb827f3149ad61ed833

SHA512
65d98038da69605a816fcf5904aa8be3393716865cc83876ded5183aeb5b83dff198fbc8ddd808d180e5c463386ec40d7968f5a1cc91c6eb78a80ea9dac3aa45

Download Submit
C:\Users\Admin\biofysikken\normalforbrug\telefonsamtaler\Carapaces\Sodapastillers.txt

Filesize
411B

MD5
9ca57304c1f02cd7ffd951810a74c06f

SHA1
088a3488b1a47b2578b794d2fc319bbf652f628e

SHA256
6ff658868a61c2e19d8ed975229e9e11d7838d591796d19ae94c79d896fa98c0

SHA512
f849231c9675f419a86fcee1832b67c0a35b4ffdd420c22c75dfd6c7bc7e97dcfedf6cbb5da8f1c2628cf0343e192efe3ab57045ebf6bb876e3e84180da83c6a

Download Submit
C:\Users\Admin\biofysikken\normalforbrug\telefonsamtaler\Carapaces\betak.ini

Filesize
482B

MD5
04a5360dd971cc855a6f24035f7648ec

SHA1
aeeb5390271b12c57637c1227fc24c3f5230965d

SHA256
b0bf66cd048799c566b70c54cc49033ff0890b6785adebbb0f2aa139f64f35f5

SHA512
afcb28bd6b6131a7befb7b6f50878405644741376b9470f028b08b389d5f8655b5b5594f31343b26ae3cf12ca12a53e4e1b9d4dfe56d14eef5cec81236714026

Download Submit
C:\Users\Admin\biofysikken\normalforbrug\telefonsamtaler\Carapaces\gtemandsansvar.txt

Filesize
446B

MD5
02efb3a843d4be36c77133300fab400b

SHA1
17883c131e1ae337b035a386c03dccb37e9c3703

SHA256
833ae85c0aeb8fe73e155005059e8787055a0f8a4e150fc20e419de4d2606bf3

SHA512
71ae4b6aba7084ea5a9b72cb13c40f4c910d86b5c0445a0a5f66eec007799eb8afcac1d4bd0a6f4e5d28f5415357730e5fc1af18b849d838f9542d61ca4164cd

Download Submit
C:\Users\Admin\biofysikken\normalforbrug\telefonsamtaler\Filantropiske.Afm

Filesize
140KB

MD5
3f6cfcfb512294dfd2242e316b40baca

SHA1
50fd3643533d362dc05a87ede65d1d42cd748047

SHA256
5914a58a48e9d7ca4a08b758ff578a062c0df3490e6592c990067948dba5d962

SHA512
f1cf9fadb8e5d794bc36d7edc1714de38959332a316bf04123aa04fc35b1d0e7c001c672cd69822f40b08fe1e75cd1e04a0028b46c320d41871d88f083fb4a5b

Download Submit
C:\Users\Admin\biofysikken\normalforbrug\telefonsamtaler\Oprrstroppernes.sym

Filesize
4.3MB

MD5
45aece085cfd612d758207e70fe85bf3

SHA1
04ea3f4da8b905dea09b2dbce7e1896274356a95

SHA256
66c57f60f6d8b47ff6c2304d27aaf36871e6ec2cd7b9447a68d49f5877209e95

SHA512
6403c60a8e31ea4f2302e5e31fd684a0ced2603bc842435a01668c818359ba7bee8c5d9da50966b573ee26e8d0f1ade66f5fd497cfe83207f4743a4b99a3340d

Download Submit
C:\Users\Admin\biofysikken\normalforbrug\telefonsamtaler\Ordveksling149.ini

Filesize
275B

MD5
236973c3d91fc4168eab111c4c911c64

SHA1
efdd0099b53a1beda2f2a4513c3dde76cbf0ff1d

SHA256
cbbcbb7dcab87cd832157dd558c5fdd62e9e79f3f0eddbef984e58dedb8f9539

SHA512
26c3ec8e6471acc2900be7d58bcef4c4b5c344623fab65075dff023cd26d642c15f6f6b457c3980e2d5decd42034fb89324dc5710188a937c6d0a9c37f18439f

Download Submit
memory/1216-134-0x00000000016D0000-0x0000000007487000-memory.dmp

Filesize
93.7MB

Download
memory/1884-21-0x00000000778F1000-0x0000000077A11000-memory.dmp

Filesize
1.1MB

Download
memory/1884-20-0x00000000778F1000-0x0000000077A11000-memory.dmp

Filesize
1.1MB

Download
memory/1884-22-0x00000000745E5000-0x00000000745E6000-memory.dmp

Filesize
4KB

Download
memory/4768-39-0x00000000778F1000-0x0000000077A11000-memory.dmp

Filesize
1.1MB

Download
memory/4768-23-0x00000000016D0000-0x0000000007487000-memory.dmp

Filesize
93.7MB

Download
memory/4768-24-0x0000000077978000-0x0000000077979000-memory.dmp

Filesize
4KB

Download
memory/4768-25-0x0000000077995000-0x0000000077996000-memory.dmp

Filesize
4KB

Download
memory/4768-35-0x0000000000470000-0x00000000016C4000-memory.dmp

Filesize
18.3MB

Download
memory/4768-40-0x00000000016D0000-0x0000000007487000-memory.dmp

Filesize
93.7MB

Download
memory/4768-53-0x0000000000470000-0x00000000016C4000-memory.dmp

Filesize
18.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads