guloader | b30bb2c67741afe2a5173337bd2acab5785c408cce2fbb84dc07a3c904f3f3c6 | Triage

Submit
Reports

Overview

overview

Static

static

1

b30bb2c677...c6.vbs

windows7-x64

8

b30bb2c677...c6.vbs

windows10-2004-x64

Sharing

General

Target

b30bb2c67741afe2a5173337bd2acab5785c408cce2fbb84dc07a3c904f3f3c6.vbs
Size

187KB
Sample

240626-bxj9fayhpj
MD5

71e6ad71e4958df129a87422066d1be1
SHA1

75e5f0176d44782d874e74411d72ec5dbe86660c
SHA256

b30bb2c67741afe2a5173337bd2acab5785c408cce2fbb84dc07a3c904f3f3c6
SHA512

c6217bdc6b15046be438f7367c28b4a1dded02181a0e0579ceba297b0e4cdf4b7256b0ed1e8cada6cb3555bd344d739b166b269b68a05f2e6c391d997b1d7832
SSDEEP

3072:fmN8GGebKjeK3ubth+DCFxKCvBB/WnHPP1w/sLJFJ281QIHz1y8mNy7Ey1MgKTZV:f08GxbKja3+DCbKCvBB/WnHXC/sLJFJ4

Score

10^/10

guloader remcos tomato collection downloader persistence rat

Static task

static1

Behavioral task

behavioral1

Sample

b30bb2c67741afe2a5173337bd2acab5785c408cce2fbb84dc07a3c904f3f3c6.vbs

Resource

win7-20240221-en

windows7-x64

5 signatures

150 seconds

Behavioral task

behavioral2

Sample

b30bb2c67741afe2a5173337bd2acab5785c408cce2fbb84dc07a3c904f3f3c6.vbs

Resource

win10v2004-20240508-en

guloader remcos tomato collection downloader persistence rat

windows10-2004-x64

20 signatures

150 seconds

Malware Config

Extracted

Family

remcos

Botnet

TOMATO

C2

iwarsut775laudrye2.duckdns.org:57484

iwarsut775laudrye2.duckdns.org:57483

iwarsut775laudrye3.duckdns.org:57484

hjnourt38haoust1.duckdns.org:57484

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
keylog_crypt
false
keylog_file
sfvnspt.dat
keylog_flag
false
keylog_path
%AppData%
mouse_option
false
mutex
shietgtst-DCUF1K
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  b30bb2c67741afe2a5173337bd2acab5785c408cce2fbb84dc07a3c904f3f3c6.vbs
- Size
  
  187KB
- MD5
  
  71e6ad71e4958df129a87422066d1be1
- SHA1
  
  75e5f0176d44782d874e74411d72ec5dbe86660c
- SHA256
  
  b30bb2c67741afe2a5173337bd2acab5785c408cce2fbb84dc07a3c904f3f3c6
- SHA512
  
  c6217bdc6b15046be438f7367c28b4a1dded02181a0e0579ceba297b0e4cdf4b7256b0ed1e8cada6cb3555bd344d739b166b269b68a05f2e6c391d997b1d7832
- SSDEEP
  
  3072:fmN8GGebKjeK3ubth+DCFxKCvBB/WnHPP1w/sLJFJ281QIHz1y8mNy7Ey1MgKTZV:f08GxbKja3+DCbKCvBB/WnHXC/sLJFJ4
Score

10^/10

guloader remcos tomato collection downloader persistence rat
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

behavioral2

guloaderremcostomatocollectiondownloaderpersistencerat

© 2018-2024

Terms | Privacy