2020-04-14 - TWO INFECTIONS FOR GULOADER WITH NETWIRE RAT
- 2020-04-14-GuLoader-for-NetWire-RAT-IOCs.txt.zip 1.2 kB (1,151 bytes)
  - 2020-04-14-GuLoader-for-NetWire-RAT-IOCs.txt (2,506 bytes)
- 2020-04-14-GuLoader-for-NetWire-RAT-two-pcaps.zip 644 kB (644,257 bytes)
  - 2020-04-14-GuLoader-for-NetWire-RAT-1st-run.pcap (393,992 bytes)
  - 2020-04-14-GuLoader-for-NetWire-RAT-2nd-run.pcap (403,266 bytes)
- 2020-04-14-GuLoader-for-NetWire-RAT-malware-and-artifacts.zip 406 kB (405,830 bytes)
  - 2020-04-14-1st-run-downloaded-Word-doc-with-macro-for-GuLoader.bin (150,895 bytes)
  - 2020-04-14-1st-run-GuLoader-EXE-from-hunchasko.com.bin (53,248 bytes)
  - 2020-04-14-1st-run-registry-update-for-GuLoader.txt (610 bytes)
  - 2020-04-14-2nd-run-downloaded-Word-doc-with-macro-for-GuLoader.bin (150,848 bytes)
  - 2020-04-14-2nd-run-GuLoader-EXE-from-crowe.llc.bin (53,248 bytes)
  - 2020-04-14-2nd-run-registry-update-for-GuLoader.txt (584 bytes)
  - 2020-04-14-both-runs-Tax_file.bin-from-sharefile2020.com.bin (151,616 bytes)
- This looks very similar to traffic from last month that I wrote about in a blog for Palo Alto Networks (link).
- All zip archives on this site are password-protected with the standard password. If you don't know it, see the "about" page of this website.
Shown above: Flow chart for this chain of events (slightly modified from my Palo Alto Networks blog post).
Shown above: Traffic from the 1st run filtered in Wireshark.
Shown above: Traffic from the 2nd run filtered in Wireshark.