2020-04-14 - TWO INFECTIONS FOR GULOADER WITH NETWIRE RAT

ASSOCIATED FILES:

• 2020-04-14-GuLoader-for-NetWire-RAT-IOCs.txt.zip   1.2 kB (1,151 bytes)

• 2020-04-14-GuLoader-for-NetWire-RAT-IOCs.txt   (2,506 bytes)

• 2020-04-14-GuLoader-for-NetWire-RAT-two-pcaps.zip   644 kB (644,257 bytes)

• 2020-04-14-GuLoader-for-NetWire-RAT-1st-run.pcap   (393,992 bytes)
• 2020-04-14-GuLoader-for-NetWire-RAT-2nd-run.pcap   (403,266 bytes)

• 2020-04-14-GuLoader-for-NetWire-RAT-malware-and-artifacts.zip   406 kB (405,830 bytes)

• 2020-04-14-1st-run-downloaded-Word-doc-with-macro-for-GuLoader.bin   (150,895 bytes)
• 2020-04-14-1st-run-GuLoader-EXE-from-hunchasko.com.bin   (53,248 bytes)
• 2020-04-14-1st-run-registry-update-for-GuLoader.txt   (610 bytes)
• 2020-04-14-2nd-run-downloaded-Word-doc-with-macro-for-GuLoader.bin   (150,848 bytes)
• 2020-04-14-2nd-run-GuLoader-EXE-from-crowe.llc.bin   (53,248 bytes)
• 2020-04-14-2nd-run-registry-update-for-GuLoader.txt   (584 bytes)
• 2020-04-14-both-runs-Tax_file.bin-from-sharefile2020.com.bin   (151,616 bytes)

NOTES:

• This looks very similar to traffic from last month that I wrote about in a blog for Palo Alto Networks (link).

• All zip archives on this site are password-protected with the standard password.  If you don't know it, see the "about" page of this website.

 

IMAGES

Shown above:  Flow chart for this chain of events (slightly modified from my Palo Alto Networks blog post).

 

Shown above:  Traffic from the 1st run filtered in Wireshark.

 

Shown above:  Traffic from the 2nd run filtered in Wireshark.

 

Click here to return to the main page.