# Copyright (c) 2014-2022 Maltrail developers (https://github.com/stamparm/maltrail/) # See the file 'LICENSE' for copying permission # Reference: https://www.proofpoint.com/us/threat-insight/post/guloader-popular-new-vb6-downloader-abuses-cloud-services # Reference: https://otx.alienvault.com/pulse/5e615414b0254429fcb302f0 droptop.com droptop1.com droptop2.com droptop3.com droptop4.com droptop5.com droptop6.com droptop7.com droptop8.com droptop9.com droptop10.com # Reference: https://twitter.com/MBThreatIntel/status/1240790622199406593 # Reference: https://www.virustotal.com/gui/ip-address/63.250.44.99/relations popeorigin.pw popeorigin1.pw popeorigin2.pw popeorigin3.pw popeorigin4.pw popeorigin5.pw popeorigin6.pw popeorigin7.pw popeorigin8.pw popeorigin9.pw popeorigin10.pw # Reference: https://www.virustotal.com/gui/file/42cda72eccc1564c97e004f2c01449e07bcad084ce767cc102bb99c8921f899e/detection phamchilong.com # Reference: https://twitter.com/malwrhunterteam/status/1235220750635806720 # Note: such trails can be met with /hjf sign in address 107.189.162.190:9090 # Reference: https://www.virustotal.com/gui/file/2f2d784e1e0d9d5a9ede345eef47d2228e82570a8bdaa632defdbc6c7f69f494/detection 141.105.66.243:9090 # Reference: https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/ # Reference: https://otx.alienvault.com/pulse/5e879a7305b78c1346f82424 artizaa.com matpincscr.com murthydigitals.com myamystills.com novmintservices.com ptgteft.com rossogato.com saidialxo.com # Reference: https://blog.morphisec.com/guloader-the-rat-downloader # Reference: https://otx.alienvault.com/pulse/5e87a721a6072454dfc0ca87 arabianbrother.com/a/ ntaryan.com/a/ # Reference: https://twitter.com/pancak3lullz/status/1247622793908363265 # Reference: https://app.any.run/tasks/797e143d-19d8-42cc-b7c1-6bf9e40f5331/ portalconnectme.com portalconnectme.com/56778786598.doc portalconnectme.com/king.exe # Reference: https://twitter.com/James_inthe_box/status/1248669623848853504 digishops.xyz modalap.com # Reference: https://twitter.com/James_inthe_box/status/1250077975803916288 ucto-id.cz # Reference: https://www.virustotal.com/gui/domain/bangbor.go.th/relations # Reference: https://www.virustotal.com/gui/file/69bed89de61a4aeefc406a19821c1a90f9c40bebfb8349f2dce6016d1a9d05e7/detection bangbor.go.th # Reference: https://twitter.com/joe4security/status/1253330027921305602 dokument-9827323724423823.ru # Reference: https://app.any.run/tasks/d76dc612-4352-4cb6-978f-58717e734516/ sroomf70nasiru.duckdns.org /hehe.bin # Reference: https://twitter.com/notajungman/status/1263114566130696195 # Reference: https://bazaar.abuse.ch/sample/9ebbeaf380d12e97972f57de2e052f1e043370d0be0bcd0deb3ebc5334cc68a2/ mailserverservices.info # Reference: https://twitter.com/c3rb3ru5d3d53c/status/1263420627970592768 creditbalancingservices.co.za # Reference: https://www.virustotal.com/gui/file/32922de2503537acaf01c6ea91ecbbf5af81282f1847110792464144f34451c2/detection /ht.php/rBo37eoxFiPU9 # Reference: https://www.virustotal.com/gui/file/0cf5cda3657648c661cd0cb58e06e6ccb488d66e27cda1102121eb2572053bdd/detection /ht.php/SczbkxCQZQyVr # Reference: https://www.virustotal.com/gui/file/ced2fbc54eca4055292b2049b430ba7a59b4f38138e47233a1f0b93a519d8174/detection /ht.php/53i9zXCT3LNPn # Reference: https://www.virustotal.com/gui/file/cc6ab8a4a219752780abcdf9c3d725538eb1f4ecf073d78ddc9948011174bfb8/detection /ht.php/pXqVbj1ory8MD # Reference: https://www.virustotal.com/gui/file/4c3cc26ef555d8597c5edd7bc5f9f23b1d4ca4ac49e53a2deeed66bb94fc7bb7/detection /ht.php/6We0YzNidcg3L # Reference: https://www.virustotal.com/gui/file/1dcafc97629d9854ee77bb2fe409f7d037d57cac7399f8fd8da93f9744ba3495/detection /ht.php/VOCKEAuuFQghy # Reference: https://www.virustotal.com/gui/file/6382688fc1e4832952350db1a057ab62ff59d028f72aa403253f8a36df5b5d55/detection /ht.php/T7QXt7PgZdCj5 # Reference: https://www.virustotal.com/gui/file/1349525aa37f3fad34412c28f0ca11ef8a85eac0d55c0df30488215df85fe2a4/detection /ht.php/53i9zXCT3LNPn # Reference: https://www.virustotal.com/gui/file/9d3acb53bfc554c4bd8e976a29bfb8f66355a4df6ec6924d347ebf8b745345d8/detection /ht.php/aIwDRu93mIe8q # Reference: https://www.virustotal.com/gui/file/b5739267fc69043ec576bf85f6fc62e28f42ebe07a67753ad4639ffbf79f8035/detection /ht.php/7RQfynN2JiRWw # Reference: https://www.virustotal.com/gui/file/3dc229337efe949ac3f88b2fe3532f0774525fbcd862b845ce8131b1c28dc41e/detection /ht.php/0TFU8wwfRQKRW # Reference: https://www.virustotal.com/gui/file/3e72b3fdce5e3bdbb60550734249ebb530934d7db64dc5cae2892d110089b171/detection /ht.php/ET2IX5PlOMbJu # Reference: https://www.virustotal.com/gui/file/44325c7a27c3f6ba2c01f61a872c991ace45b6285836ff68addabbf875bcbea6/detection /ht.php/JtFNEt0Si9NOE # Reference: https://www.virustotal.com/gui/file/37fd6717144b967e9e6c9d2c647e02a68611fed583b4423947e94eb55287c0d5/detection /ht.php/8HaYlSzAWJVrC # Reference: https://www.virustotal.com/gui/file/ad1922d859c3503dbd1a971cc42b5e949c9c7f2d85b7dcc3b2e4317cb776c9ce/detection /ht.php/XFCRVAmzHV1Dt # Reference: https://www.virustotal.com/gui/file/dd2f7ab604f0a74cecf60bd5349d075dc981b25a675821c29462dcb78d0384ec/detection /ht.php/LH8SVxLMJKBbU # Reference: https://blog.malwarebytes.com/threat-analysis/2020/07/malspam-campaign-caught-using-guloader-after-service-relaunch/ # Reference: https://otx.alienvault.com/pulse/5f234525b9ee140374d10153 fbdoskitryupanel.webredirect.org # Reference: https://twitter.com/James_inthe_box/status/1292855690109755392 # Reference: https://www.virustotal.com/gui/domain/baritaco.com/detection baritaco.com # Reference: https://www.virustotal.com/gui/file/0ee5076bb7128dc9d887d42889802c844e305fe0d5651ef42674a27cf6c9169c/detection http://77.73.70.170 # Reference: https://twitter.com/James_inthe_box/status/1299361958039179264 # Reference: https://app.any.run/tasks/a7028dfa-13db-4138-9ac4-ae7009df2714/ hotelavlokan.com/fungg/32/index.php # Reference: https://twitter.com/SiberTurkce/status/1301136574948823041 # Reference: https://app.any.run/tasks/ec86cda1-faad-4aa9-9570-aaac5a794ced/ light-boy.top # Reference: https://twitter.com/James_inthe_box/status/1303685944420098048 oficnna.sytes.net # Reference: https://www.virustotal.com/gui/file/938c87848cd4b4709080326416a282689df5b4a06371818574f25379f74c2d32/detection iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com # Reference: https://twitter.com/struppigel/status/1354018166033276928 # Reference: https://app.any.run/tasks/cce072d3-0cb6-493d-83e8-dadd1bb26d91/ adojetson.com # Reference: https://twitter.com/JAMESWT_MHT/status/1377832276906680321 # Reference: https://twitter.com/JAMESWT_MHT/status/1377848719345922048 # Reference: https://twitter.com/reecdeep/status/1376528863430328320 # Reference: https://app.any.run/tasks/987c76df-16cc-46fa-b86b-d5d54b35d169/ mariotessarollo.com/a/ mariotessarollo.com/cp/ mariotessarollo.com/or/ mariotessarollo.com/ot/ sogecoenergy.com/ot/ # Reference: https://www.virustotal.com/gui/file/7ff00f78531ae9bc61da54feb18f40c2c951bce68f12c4272d7d546d410bea31/detection guerillathieves.com # Reference: https://www.virustotal.com/gui/file/5c2766a9b8df935b6144459c3ae5c8f6b7cab54ab844cc78ae770ed1481c4220/detection dataprotectcdn.datarecognitionpath.xyz # Reference: https://twitter.com/_CPResearch_/status/1400467814117478404 avenuesports.pk # Reference: https://tria.ge/210610-as7jvpt8rs getjanky.com/jharno_xUhlmoX91.bin # Reference: https://twitter.com/reecdeep/status/1410871093418659841 andreameixueiro.com # Reference: https://twitter.com/Racco42/status/1422206952571031553 # Reference: https://app.any.run/tasks/f845ad7e-caac-49ee-a8dd-62a6cd57d271/ http://2.56.59.76 # Reference: https://twitter.com/reecdeep/status/1447503618031202304 westchestercountygolf.com/stud06_TAoiqmlj156.bin # Reference: https://www.virustotal.com/gui/ip-address/8.209.77.103/relations # Reference: https://www.virustotal.com/gui/file/e7226f68a7106bcbab71ff9f88bd8e3842e07c8bb0d953efb9c01ce529a453aa/detection # Reference: https://www.virustotal.com/gui/file/15bd912b0e66bf88fc6dbae28754cb085bfa199b7f7e0d4989ab39a747053be6/detection ghbjdfvbxc.ru hgfajdgvbxc.ru # Reference: https://www.virustotal.com/gui/file/1e65a9ffa56a402ef813d4360e2812e2554ab6162d7207770cdc197ac6849316/detection 172.111.164.137:6109 olufem.ddns.net # Reference: https://www.fortinet.com/blog/threat-research/spoofed-saudi-purchase-order-drops-guloader # Reference: https://otx.alienvault.com/pulse/628bb32bfe218bdc2178c9b4 zoneofzenith.com # Reference: https://twitter.com/dimitribest/status/1529164849657307136 # Reference: https://www.virustotal.com/gui/file/9c29ddb7d30b33792d7056d381e595d9a5aaec8fb8bed540228c06027ca39fa8/detection http://195.133.18.171 /yendexoriginwithoutfilter_pGvgwhqrt66.bin # Reference: https://twitter.com/reecdeep/status/1531228419794542593 twart.myfirewall.org /bak_gmsbEd21.bin # Reference: https://twitter.com/reecdeep/status/1531578983413858305 # Reference: https://app.any.run/tasks/b181f2fc-bb5e-4f69-a057-e3a190a78a57/ modestytheory.com /kOrg_RDTTTRgnFl80.bin # Reference: https://twitter.com/JAMESWT_MHT/status/1537394567129059328 # Reference: https://www.virustotal.com/gui/file/1051d3690e70e4227a2b0a0aa87367fb09c49c55360c7a1880b2acfba0b77490/detection http://194.34.232.147 # Reference: https://twitter.com/JAMESWT_MHT/status/1539886534039592961 /gumabelt_YLFVSqoJuA131.bin # Reference: https://github.com/0xToxin/Malware-IOCs/blob/main/Guloader/Guloader%20-%2024062022 # Reference: https://tria.ge/220624-mah9eabfap/behavioral1 dumink.strangled.net /DOGGY_faJxcazRId253.bin # Generic /hjf /COrg_RYGGqN229.binb /host_encrypted_60a68c0.bin /jharno_xUhlmoX91.bin /infoo_OKtnunRJ79.bin /karin_FiAFyfucWz16.bin /stud06_TAoiqmlj156.bin /xdark_xljWuS110.bin