GULOADER FOR REMCOS RAT

    Date: 08/27/2024

    Severity: High

    Summary

    Analysis of a .vbs file distributed via email over the weekend showed that it deployed GuLoader, which in turn installed Remcos RAT. The Remcos C2 traffic included a Windows EXE file labeled "Web Browser Password Viewer" in its metadata. After receiving this file, the infected host sent harvested login credentials back through the Remcos RAT C2 channel, while the malware continually reported host activity to the C2 server.

    Indicators of Compromise (IOC) List

    Domains\Urls

    janbours92harbu03.duckdns.org

    geoplugin.net

    http://geoplugin.net/json.gp

    json.gp

    https://softiq.ro/event/update/

    https://softiq.ro/event/update/eyeable49.xtp

    https://softiq.ro/event/update/mcnqzhdqbopbw61.bin

    IP Address

    206.123.148.197

    94.141.120.39

    164.92.211.192

    Hash

    68689a95e22cb95176aadd65b6daffab8ad8714c581c06cf6cab415eeb573da1

    ea7215b91d46c44be60345e19d5e4765c118244fbf373db269b023496e1a7253

    f1c480f30c73c638cc23c896de021dafa5568ae0d0169c8573f910cf2c1718f4

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domains\Urls

    userdomainname like "janbours92harbu03.duckdns.org" or url like "janbours92harbu03.duckdns.org" or userdomainname like "geoplugin.net" or url like "geoplugin.net" or userdomainname like "http://geoplugin.net/json.gp" or url like "http://geoplugin.net/json.gp" or userdomainname like "json.gp" or url like "json.gp" or userdomainname like "https://softiq.ro/event/update/" or url like "https://softiq.ro/event/update/" or userdomainname like "https://softiq.ro/event/update/eyeable49.xtp" or url like "https://softiq.ro/event/update/eyeable49.xtp" or userdomainname like "https://softiq.ro/event/update/mcnqzhdqbopbw61.bin" or url like "https://softiq.ro/event/update/mcnqzhdqbopbw61.bin"

    IP Address

    dstipaddress IN ("206.123.148.197","94.141.120.39","164.92.211.192") or ipaddress IN ("206.123.148.197","94.141.120.39","164.92.211.192") or publicipaddress IN ("206.123.148.197","94.141.120.39","164.92.211.192") or srcipaddress IN ("206.123.148.197","94.141.120.39","164.92.211.192")

    Hash

    sha256hash IN ("68689a95e22cb95176aadd65b6daffab8ad8714c581c06cf6cab415eeb573da1","ea7215b91d46c44be60345e19d5e4765c118244fbf373db269b023496e1a7253","f1c480f30c73c638cc23c896de021dafa5568ae0d0169c8573f910cf2c1718f4")
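    The queries above match on substrings and raw field values; the following is an added example (not from this advisory and not Gurucul TDIR code) that applies the same three indicator categories to constructed sample log lines in an assumed key=value format, matching hostnames exactly or by subdomain and URLs exactly or under the listed directory prefix, so that a path fragment such as "json.gp" on an unrelated site does not fire.

```python
"""Added example: match this advisory's IOCs against constructed sample log lines.
The key=value log format is an assumption for illustration, not a real product schema."""

# Indicators as listed in this advisory.
IOC_DOMAINS = {"janbours92harbu03.duckdns.org", "geoplugin.net"}
IOC_URLS = {
    "http://geoplugin.net/json.gp",
    "https://softiq.ro/event/update/",  # directory URL; treated as a prefix below
    "https://softiq.ro/event/update/eyeable49.xtp",
    "https://softiq.ro/event/update/mcnqzhdqbopbw61.bin",
}
IOC_IPS = {"206.123.148.197", "94.141.120.39", "164.92.211.192"}
IOC_SHA256 = {
    "68689a95e22cb95176aadd65b6daffab8ad8714c581c06cf6cab415eeb573da1",
    "ea7215b91d46c44be60345e19d5e4765c118244fbf373db269b023496e1a7253",
    "f1c480f30c73c638cc23c896de021dafa5568ae0d0169c8573f910cf2c1718f4",
}

def host_matches(host):
    """Exact hostname or a subdomain of a listed domain; no bare substring matching."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)

def url_matches(url):
    """Exact URL, or anything under a listed directory URL (one ending in '/')."""
    return any(url == u or (u.endswith("/") and url.startswith(u)) for u in IOC_URLS)

def match_line(line):
    """Return the list of indicator hits for one key=value log line."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    hits = []
    if "host" in fields and host_matches(fields["host"]):
        hits.append("domain:" + fields["host"])
    if "url" in fields and url_matches(fields["url"]):
        hits.append("url:" + fields["url"])
    for key in ("src", "dst"):            # either direction of the connection
        if fields.get(key) in IOC_IPS:
            hits.append("ip:" + fields[key])
    if fields.get("sha256", "").lower() in IOC_SHA256:   # hashes may be logged upper-case
        hits.append("sha256:" + fields["sha256"].lower())
    return hits

# Constructed sample lines; RFC 5737 addresses stand in for unrelated traffic.
SAMPLE_LOGS = [
    "type=dns host=janbours92harbu03.duckdns.org dst=206.123.148.197",
    "type=proxy host=softiq.ro url=https://softiq.ro/event/update/mcnqzhdqbopbw61.bin dst=94.141.120.39",
    "type=file sha256=F1C480F30C73C638CC23C896DE021DAFA5568AE0D0169C8573F910CF2C1718F4",
    "type=proxy host=example.com url=https://example.com/json.gp dst=192.0.2.10",
]

def scan(lines):
    """Map each matching line to its hits; lines with no hits are omitted."""
    return {line: hits for line in lines if (hits := match_line(line))}

if __name__ == "__main__":
    for line, hits in scan(SAMPLE_LOGS).items():
        print(hits, "<-", line)
```

    geoplugin.net is a public geolocation API that legitimate software also queries, so a hit on it alone warrants correlation with the duckdns domain, the softiq.ro URLs, the IP addresses or the hashes before escalating.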

    Reference:

    https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-08-26-GuLoader-for-Remcos-RAT-IOCs.txt

    Tags

    Malware, RAT
