guloader | 965845db528ea9bc4dbd24b1c6ea5495d771549bb9307955eaab3f021b0b9018 | Triage

Sharing

General

Target

SecuriteInfo.com.Win32.MalwareX-gen.10802.4830.exe
Size

729KB
Sample

250407-laka2avth1
MD5

c8e21020940ba49156c73340ddfa7c86
SHA1

7f84a4dcc45d658a805f042681c62b074e86fca0
SHA256

965845db528ea9bc4dbd24b1c6ea5495d771549bb9307955eaab3f021b0b9018
SHA512

cd7aa269a3d045d5b4488f0196ba1bdf24714af67c6c4c0b3ab78ba15b61f577dbfce4803dff0b155b6b7d728e7898a6eedf5939c7324c22f09c3a864822b759
SSDEEP

12288:b35GUP4TlEjG4BVFTUHO7fKHwqdgeOYUEqF/rApqTpB/37D:b35LPQO7FOcfKwsDUvOpqTpx7D

Score

10^/10

guloader remcos host-2 discovery downloader rat

Malware Config

Extracted

Family

remcos

Botnet

Host-2

C2

176.65.142.14:6060

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-HM3EZ8
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  SecuriteInfo.com.Win32.MalwareX-gen.10802.4830.exe
- Size
  
  729KB
- MD5
  
  c8e21020940ba49156c73340ddfa7c86
- SHA1
  
  7f84a4dcc45d658a805f042681c62b074e86fca0
- SHA256
  
  965845db528ea9bc4dbd24b1c6ea5495d771549bb9307955eaab3f021b0b9018
- SHA512
  
  cd7aa269a3d045d5b4488f0196ba1bdf24714af67c6c4c0b3ab78ba15b61f577dbfce4803dff0b155b6b7d728e7898a6eedf5939c7324c22f09c3a864822b759
- SSDEEP
  
  12288:b35GUP4TlEjG4BVFTUHO7fKHwqdgeOYUEqF/rApqTpB/37D:b35LPQO7FOcfKwsDUvOpqTpx7D
Score

10^/10

guloader remcos host-2 discovery downloader rat
- Guloader family
  guloader
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  e23600029d1b09bdb1d422fb4e46f5a6
- SHA1
  
  5d64a2f6a257a98a689a3db9a087a0fd5f180096
- SHA256
  
  7342b73593b3aa1b15e3731bfb1afd1961802a5c66343bac9a2c737ee94f4e38
- SHA512
  
  c971f513142633ce0e6ec6a04c754a286da8016563dab368c3fac83aef81fa3e9df1003c4b63d00a46351a9d18eaa7ae7645caef172e5e1d6e29123ab864e7ac
- SSDEEP
  
  192:Vm9rQDenC9VrcK7REgSWOprANupQYLRszDDH/d9CWlXo7U6Wxf:QJQEaVAK7R9SfpjpQYLRszfH/d9CWB1j
Score

3^/10

discovery
behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

guloaderremcoshost-2discoverydownloaderrat

behavioral2