2020-04-10 - malspam pushes GuLoader/NanoCore RAT

malware_traffic Apr 10th, 2020 (edited)
2020-04-10 - WETRANSFER-THEMED MALSPAM PUSHES GULOADER/NANOCORE RAT

NOTES:

- The email is not from WeTransfer: the From: header is spoofed. The Received: headers show the message was injected on a Hostwinds server (hwsrv-700119.hostwindsdns.com, 23.254.209.123) that merely claimed wetransfer.com in its HELO.
- The link in the malspam for GuLoader is a OneDrive URL.
- The follow-up download caused by GuLoader is from a Google Drive URL.

EMAIL HEADERS:

Received: from hwsrv-700119.hostwindsdns.com ([23.254.209.123]) by [removed] for [removed];
        Fri, 10 Apr 2020 17:30:50 +0000 (UTC)
Received: from wetransfer.com (localhost [127.0.0.1])
    by hwsrv-700119.hostwindsdns.com (Postfix) with ESMTP id B6FAA7C549
    for [removed]; Fri, 10 Apr 2020 17:00:47 +0000 (UTC)
Date: 10 Apr 2020 10:00:47 -0700
Subject: jenny@mail.djgroup.com.tw sent you files via WeTransfer
From: We Transfer <noreply@wetransfer.com>
To: [removed]
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html

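The spoofing is visible in the Received: chain alone. The script below is an added example (not part of the original notes) that parses the header block above, walks the hops in transit order and reports why the From: address cannot be trusted. The header text is copied from the notes with [removed] left as-is; the two-label "registered domain" comparison is an assumed offline stand-in for a real public-suffix lookup.

```python
"""Walk the Received: chain of the WeTransfer-themed malspam and show why
the sender is spoofed.  Added example, not part of the original notes.
The header block is copied from the notes; [removed] is left exactly as the
notes have it, and registered_domain() is a crude two-label heuristic
(assumption: no public-suffix list available offline)."""
import email
import email.utils
import ipaddress
import re

HEADERS = """\
Received: from hwsrv-700119.hostwindsdns.com ([23.254.209.123]) by [removed] for [removed];
        Fri, 10 Apr 2020 17:30:50 +0000 (UTC)
Received: from wetransfer.com (localhost [127.0.0.1])
    by hwsrv-700119.hostwindsdns.com (Postfix) with ESMTP id B6FAA7C549
    for [removed]; Fri, 10 Apr 2020 17:00:47 +0000 (UTC)
Date: 10 Apr 2020 10:00:47 -0700
Subject: jenny@mail.djgroup.com.tw sent you files via WeTransfer
From: We Transfer <noreply@wetransfer.com>
To: [removed]
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html
"""

# "from <HELO name> (<reverse DNS> [<ip>]) by <receiving MTA>": the HELO name is
# what the connecting client claimed; the parenthesised part is what the
# receiving MTA actually observed on the socket.
RECEIVED_RE = re.compile(
    r"from (?P<helo>\S+)"
    r"(?: \((?:(?P<rdns>[^\s\[\]()]+) )?\[(?P<ip>[^\]]+)\]\))?"
    r" by (?P<by>\S+)"
)


def parse_received(headers_text):
    """Return the Received hops in transit order (earliest hop first).
    MTAs prepend Received: headers, so header order is the reverse of transit."""
    msg = email.message_from_string(headers_text)
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        flat = " ".join(raw.split())  # unfold continuation lines
        m = RECEIVED_RE.search(flat)
        if not m:
            continue
        hops.append({"helo": m["helo"], "rdns": m["rdns"], "ip": m["ip"],
                     "by": m["by"], "raw": flat})
    return hops


def origin_hop(hops):
    """First hop handed over from a globally routable IP.  A loopback or
    private-range hop means the message was injected locally on that MTA."""
    for hop in hops:
        if hop["ip"] and ipaddress.ip_address(hop["ip"]).is_global:
            return hop
    return None


def registered_domain(name):
    """Last two DNS labels; a heuristic, not a public-suffix lookup."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def from_domain(headers_text):
    """Domain part of the address in the From: header."""
    msg = email.message_from_string(headers_text)
    _, addr = email.utils.parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def spoof_indicators(headers_text):
    """Human-readable reasons the From: header should not be believed."""
    hops = parse_received(headers_text)
    findings = []
    for hop in hops:
        # Client said HELO wetransfer.com, but the MTA saw localhost [127.0.0.1]:
        # the mail was injected on the Hostwinds box itself.
        if hop["rdns"] and registered_domain(hop["helo"]) != registered_domain(hop["rdns"]):
            findings.append(f"HELO '{hop['helo']}' does not match observed host "
                            f"'{hop['rdns']}' [{hop['ip']}] (injected on {hop['by']})")
    origin = origin_hop(hops)
    claimed = from_domain(headers_text)
    if origin and registered_domain(origin["helo"]) != claimed:
        findings.append(f"From: claims {claimed} but the originating relay is "
                        f"{origin['helo']} [{origin['ip']}]")
    return findings


if __name__ == "__main__":
    for finding in spoof_indicators(HEADERS):
        print(finding)
```

Running it prints two findings: the HELO/observed-host mismatch on the Hostwinds server, and the mismatch between the From: domain and the relay that actually originated the message (23.254.209.123). The same walk works on any message; the only campaign-specific part is the embedded header block.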
FILES:

- SHA256 hash: 52abbaf6e1ebf8e3c1b5e2924da7249662870e138c67ae43105bceb6623e67f9
- File size: 24,628 bytes
- File name: Doc0001.tbz2
- File location: hxxps://onedrive.live[.]com/download?cid=55FF3579FF543F52&resid=55FF3579FF543F52%211825&authkey=AOMq_KOJD8j1mcc
- File description: Zip archive (despite the .tbz2 extension) from link in WeTransfer-themed malspam
- File analysis: https://app.any.run/tasks/43e5647d-cbce-4ff0-8723-0d1869a45798/

- SHA256 hash: f0c5aa7b83560d5919f42af93fc4bd6f59431fe7462b83344bca5ed8ea36b6b3
- File size: 98,304 bytes
- File name: Doc0001.exe
- File description: Windows executable file for GuLoader
- File analysis: https://app.any.run/tasks/d941e322-7494-423c-bd69-85f0768214f0/

- SHA256 hash: 38a89b54e9cda85882b47a1e0dd42e9dc250354c2a8d7c1f2fc42f964f6205ef
- File size: 207,936 bytes
- File name: stub_encrypted_DC047FF.bin
- File location: hxxps://drive.google[.]com/uc?export=download&id=1X32M_IHARzUKk1F_zJ3RiwIINMNdw_xR
- File description: Encrypted binary used by GuLoader for NanoCore RAT

IP ADDRESSES AND DOMAINS FOR NANOCORE RAT POST-INFECTION TRAFFIC:

- 185.140.53[.]29 port 4001 - mbills147.ddns[.]net
- 185.244.30[.]247 port 4001 (no domain name)
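
The indicators above are defanged (hxxps, [.]) and cannot be compared to telemetry as written. The script below is an added example (not part of the original notes) that refangs every indicator in the FILES and post-infection sections and runs them over a few constructed proxy, file, DNS and connection records. The event records are made up for illustration; an IP hit on a port other than 4001 is reported at lower confidence, since the port is what ties these addresses to NanoCore.

```python
"""Refang the GuLoader/NanoCore indicators from the notes and match them
against sample telemetry.  Added example, not part of the original notes;
SAMPLE_EVENTS is constructed for illustration, the indicators are the ones
listed in the notes."""

DEFANGED_IOCS = {
    "url": [
        "hxxps://onedrive.live[.]com/download?cid=55FF3579FF543F52&resid=55FF3579FF543F52%211825&authkey=AOMq_KOJD8j1mcc",
        "hxxps://drive.google[.]com/uc?export=download&id=1X32M_IHARzUKk1F_zJ3RiwIINMNdw_xR",
    ],
    "sha256": [
        "52abbaf6e1ebf8e3c1b5e2924da7249662870e138c67ae43105bceb6623e67f9",  # Doc0001.tbz2
        "f0c5aa7b83560d5919f42af93fc4bd6f59431fe7462b83344bca5ed8ea36b6b3",  # Doc0001.exe
        "38a89b54e9cda85882b47a1e0dd42e9dc250354c2a8d7c1f2fc42f964f6205ef",  # stub_encrypted_DC047FF.bin
    ],
    "c2": ["185.140.53[.]29:4001", "185.244.30[.]247:4001"],
    "domain": ["mbills147.ddns[.]net"],
}


def refang(value):
    """Undo the usual defanging so an indicator can be compared to real data."""
    return (value.replace("hxxps://", "https://")
                 .replace("hxxp://", "http://")
                 .replace("[.]", "."))


def load_iocs():
    """Return {category: set of refanged indicators}; C2 entries become (ip, port)."""
    iocs = {cat: {refang(v) for v in vals} for cat, vals in DEFANGED_IOCS.items()}
    iocs["c2"] = {(ip, int(port)) for ip, port in (v.rsplit(":", 1) for v in iocs["c2"])}
    iocs["sha256"] = {h.lower() for h in iocs["sha256"]}
    return iocs


# Constructed sample telemetry (not from the original capture).
SAMPLE_EVENTS = [
    {"type": "http", "src": "10.4.10.101",
     "url": "https://onedrive.live.com/download?cid=55FF3579FF543F52&resid=55FF3579FF543F52%211825&authkey=AOMq_KOJD8j1mcc"},
    {"type": "file", "src": "10.4.10.101", "name": "Doc0001.exe",
     "sha256": "F0C5AA7B83560D5919F42AF93FC4BD6F59431FE7462B83344BCA5ED8EA36B6B3"},
    {"type": "dns", "src": "10.4.10.101", "query": "mbills147.ddns.net"},
    {"type": "conn", "src": "10.4.10.101", "dst": "185.140.53.29", "dport": 4001},
    {"type": "conn", "src": "10.4.10.102", "dst": "185.140.53.29", "dport": 443},
    {"type": "conn", "src": "10.4.10.103", "dst": "8.8.8.8", "dport": 53},
]


def match_events(events, iocs):
    """Return (event index, category, indicator, confidence) for every hit.
    A C2 IP seen on a port other than the listed one is 'medium': the IP is
    still worth a look, but the port is what links it to NanoCore traffic."""
    c2_ips = {ip for ip, _ in iocs["c2"]}
    hits = []
    for i, ev in enumerate(events):
        kind = ev["type"]
        if kind == "http" and ev["url"] in iocs["url"]:
            hits.append((i, "url", ev["url"], "high"))
        elif kind == "file" and ev["sha256"].lower() in iocs["sha256"]:
            hits.append((i, "sha256", ev["sha256"].lower(), "high"))
        elif kind == "dns" and ev["query"].lower().rstrip(".") in iocs["domain"]:
            hits.append((i, "domain", ev["query"], "high"))
        elif kind == "conn":
            key = (ev["dst"], ev["dport"])
            if key in iocs["c2"]:
                hits.append((i, "c2", f"{ev['dst']}:{ev['dport']}", "high"))
            elif ev["dst"] in c2_ips:
                hits.append((i, "c2", ev["dst"], "medium"))
    return hits


if __name__ == "__main__":
    for idx, cat, ioc, conf in match_events(SAMPLE_EVENTS, load_iocs()):
        print(f"event {idx}: {cat} {ioc} ({conf})")
```

Against the sample records this yields five hits: the OneDrive download, the Doc0001.exe hash (matched case-insensitively), the DDNS lookup, the port 4001 connection at high confidence, and the port 443 connection to the same IP at medium confidence; the DNS query to 8.8.8.8 is not flagged.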