malware_traffic

2020-04-10 - malspam pushes GuLoader/NanoCore RAT

Apr 10th, 2020
2020-04-10 - WETRANSFER-THEMED MALSPAM PUSHES GULOADER/NANOCORE RAT

NOTES:

- The email is not from WeTransfer (sending info is spoofed).
- The link in the malspam for GuLoader is a OneDrive URL.
- The follow-up download caused by GuLoader is from a Google Drive URL.

EMAIL HEADERS:

Received: from hwsrv-700119.hostwindsdns.com ([23.254.209.123]) by [removed] for [removed];
Fri, 10 Apr 2020 17:30:50 +0000 (UTC)
Received: from wetransfer.com (localhost [127.0.0.1])
by hwsrv-700119.hostwindsdns.com (Postfix) with ESMTP id B6FAA7C549
for [removed]; Fri, 10 Apr 2020 17:00:47 +0000 (UTC)
Date: 10 Apr 2020 10:00:47 -0700
Subject: jenny@mail.djgroup.com.tw sent you files via WeTransfer
From: We Transfer <noreply@wetransfer.com>
To: [removed]
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html

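The headers above show how the spoof can be spotted from the Received chain alone: the message claims to be from wetransfer.com, but the origin hop was injected from localhost on a Hostwinds server and no relay in the chain belongs to WeTransfer. The following is an added detection example (not part of the paste) that checks both conditions over a constructed copy of those headers; the function names and the regex are assumptions of this example, not anything from the paste.

```python
import re

# Constructed sample: the Received and From headers quoted in the paste, [removed] kept.
SAMPLE_HEADERS = """\
Received: from hwsrv-700119.hostwindsdns.com ([23.254.209.123]) by [removed] for [removed];
 Fri, 10 Apr 2020 17:30:50 +0000 (UTC)
Received: from wetransfer.com (localhost [127.0.0.1])
 by hwsrv-700119.hostwindsdns.com (Postfix) with ESMTP id B6FAA7C549
 for [removed]; Fri, 10 Apr 2020 17:00:47 +0000 (UTC)
From: We Transfer <noreply@wetransfer.com>
"""

# Postfix-style hop: "from <helo> (<rdns> [<ip>]) ... by <host>"; rdns/ip are optional.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*(?:\((?P<rdns>[^\s\[\]]*)\s*\[(?P<ip>[^\]]+)\]\))?.*?\bby\s+(?P<by>\S+)",
    re.IGNORECASE)

def in_domain(host, domain):
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def unfold_headers(raw):
    # Join RFC 5322 continuation lines (leading whitespace) and split into (name, value).
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return [(n.strip().lower(), v.strip()) for n, sep, v in map(lambda l: l.partition(":"), lines) if sep]

def spoof_findings(raw):
    # Reasons the From: domain is not supported by the Received chain (empty list = consistent).
    headers = unfold_headers(raw)
    m = re.search(r"@([\w.-]+)", next((v for n, v in headers if n == "from"), ""))
    claimed = m.group(1).lower() if m else None
    hops = [h.groupdict() for h in (RECEIVED_RE.search(v) for n, v in headers if n == "received") if h]
    if not claimed or not hops:
        return []
    findings = []
    origin = hops[-1]  # Received: headers are prepended, so the last one is the first hop
    if origin["ip"] == "127.0.0.1" and in_domain(origin["helo"], claimed):
        findings.append("origin hop claims %s but was injected from localhost on %s"
                        % (claimed, origin["by"]))
    if not any(in_domain(h["by"], claimed) for h in hops):
        findings.append("no relay in the Received chain belongs to %s" % claimed)
    return findings
```

Running spoof_findings(SAMPLE_HEADERS) returns two findings for this message; a legitimate message whose relays sit under the From: domain returns an empty list.
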
FILES:

- SHA256 hash: 52abbaf6e1ebf8e3c1b5e2924da7249662870e138c67ae43105bceb6623e67f9
- File size: 24,628 bytes
- File name: Doc0001.tbz2
- File location: hxxps://onedrive.live[.]com/download?cid=55FF3579FF543F52&resid=55FF3579FF543F52%211825&authkey=AOMq_KOJD8j1mcc
- File description: Zip archive from link in WeTransfer-themed malspam
- File analysis: https://app.any.run/tasks/43e5647d-cbce-4ff0-8723-0d1869a45798/

- SHA256 hash: f0c5aa7b83560d5919f42af93fc4bd6f59431fe7462b83344bca5ed8ea36b6b3
- File size: 98,304 bytes
- File name: Doc0001.exe
- File description: Windows executable file for GuLoader
- File analysis: https://app.any.run/tasks/d941e322-7494-423c-bd69-85f0768214f0/

- SHA256 hash: 38a89b54e9cda85882b47a1e0dd42e9dc250354c2a8d7c1f2fc42f964f6205ef
- File size: 207,936 bytes
- File name: stub_encrypted_DC047FF.bin
- File location: hxxps://drive.google[.]com/uc?export=download&id=1X32M_IHARzUKk1F_zJ3RiwIINMNdw_xR
- File description: Encrypted binary used by GuLoader for NanoCore RAT

IP ADDRESSES AND DOMAINS FOR NANOCORE RAT POST-INFECTION TRAFFIC:

- 185.140.53[.]29 port 4001 - mbills147.ddns[.]net
- 185.244.30[.]247 port 4001 (no domain name)