# Copyright (c) 2014-2021 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://www.proofpoint.com/us/threat-insight/post/guloader-popular-new-vb6-downloader-abuses-cloud-services
# Reference: https://otx.alienvault.com/pulse/5e615414b0254429fcb302f0

droptop.com
droptop1.com
droptop2.com
droptop3.com
droptop4.com
droptop5.com
droptop6.com
droptop7.com
droptop8.com
droptop9.com
droptop10.com

# Reference: https://twitter.com/MBThreatIntel/status/1240790622199406593
# Reference: https://www.virustotal.com/gui/ip-address/63.250.44.99/relations

popeorigin.pw
popeorigin1.pw
popeorigin2.pw
popeorigin3.pw
popeorigin4.pw
popeorigin5.pw
popeorigin6.pw
popeorigin7.pw
popeorigin8.pw
popeorigin9.pw
popeorigin10.pw

# Reference: https://www.virustotal.com/gui/file/42cda72eccc1564c97e004f2c01449e07bcad084ce767cc102bb99c8921f899e/detection

phamchilong.com

# Reference: https://twitter.com/malwrhunterteam/status/1235220750635806720
# Note: such trails may also be observed with a /hjf path appended to the address (see the generic /hjf trail at the end of this file)

107.189.162.190:9090

# Reference: https://www.virustotal.com/gui/file/2f2d784e1e0d9d5a9ede345eef47d2228e82570a8bdaa632defdbc6c7f69f494/detection

141.105.66.243:9090

# Reference: https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/
# Reference: https://otx.alienvault.com/pulse/5e879a7305b78c1346f82424

artizaa.com
matpincscr.com
murthydigitals.com
myamystills.com
novmintservices.com
ptgteft.com
rossogato.com
saidialxo.com

# Reference: https://blog.morphisec.com/guloader-the-rat-downloader
# Reference: https://otx.alienvault.com/pulse/5e87a721a6072454dfc0ca87

arabianbrother.com/a/
ntaryan.com/a/

# Reference: https://twitter.com/pancak3lullz/status/1247622793908363265
# Reference: https://app.any.run/tasks/797e143d-19d8-42cc-b7c1-6bf9e40f5331/

portalconnectme.com
portalconnectme.com/56778786598.doc
portalconnectme.com/king.exe

# Reference: https://twitter.com/James_inthe_box/status/1248669623848853504

digishops.xyz
modalap.com

# Reference: https://twitter.com/James_inthe_box/status/1250077975803916288

ucto-id.cz

# Reference: https://www.virustotal.com/gui/domain/bangbor.go.th/relations
# Reference: https://www.virustotal.com/gui/file/69bed89de61a4aeefc406a19821c1a90f9c40bebfb8349f2dce6016d1a9d05e7/detection

bangbor.go.th

# Reference: https://twitter.com/joe4security/status/1253330027921305602

dokument-9827323724423823.ru

# Reference: https://app.any.run/tasks/d76dc612-4352-4cb6-978f-58717e734516/

sroomf70nasiru.duckdns.org
/hehe.bin

# Reference: https://twitter.com/notajungman/status/1263114566130696195
# Reference: https://bazaar.abuse.ch/sample/9ebbeaf380d12e97972f57de2e052f1e043370d0be0bcd0deb3ebc5334cc68a2/

mailserverservices.info

# Reference: https://twitter.com/c3rb3ru5d3d53c/status/1263420627970592768

creditbalancingservices.co.za

# Reference: https://www.virustotal.com/gui/file/32922de2503537acaf01c6ea91ecbbf5af81282f1847110792464144f34451c2/detection

/ht.php/rBo37eoxFiPU9

# Reference: https://www.virustotal.com/gui/file/0cf5cda3657648c661cd0cb58e06e6ccb488d66e27cda1102121eb2572053bdd/detection

/ht.php/SczbkxCQZQyVr

# Reference: https://www.virustotal.com/gui/file/ced2fbc54eca4055292b2049b430ba7a59b4f38138e47233a1f0b93a519d8174/detection

/ht.php/53i9zXCT3LNPn

# Reference: https://www.virustotal.com/gui/file/cc6ab8a4a219752780abcdf9c3d725538eb1f4ecf073d78ddc9948011174bfb8/detection

/ht.php/pXqVbj1ory8MD

# Reference: https://www.virustotal.com/gui/file/4c3cc26ef555d8597c5edd7bc5f9f23b1d4ca4ac49e53a2deeed66bb94fc7bb7/detection

/ht.php/6We0YzNidcg3L

# Reference: https://www.virustotal.com/gui/file/1dcafc97629d9854ee77bb2fe409f7d037d57cac7399f8fd8da93f9744ba3495/detection

/ht.php/VOCKEAuuFQghy

# Reference: https://www.virustotal.com/gui/file/6382688fc1e4832952350db1a057ab62ff59d028f72aa403253f8a36df5b5d55/detection

/ht.php/T7QXt7PgZdCj5

# Reference: https://www.virustotal.com/gui/file/1349525aa37f3fad34412c28f0ca11ef8a85eac0d55c0df30488215df85fe2a4/detection
# Note: same path as the ced2fbc5... entry above; this is a second sample reference, not a distinct indicator
/ht.php/53i9zXCT3LNPn

# Reference: https://www.virustotal.com/gui/file/9d3acb53bfc554c4bd8e976a29bfb8f66355a4df6ec6924d347ebf8b745345d8/detection

/ht.php/aIwDRu93mIe8q

# Reference: https://www.virustotal.com/gui/file/b5739267fc69043ec576bf85f6fc62e28f42ebe07a67753ad4639ffbf79f8035/detection

/ht.php/7RQfynN2JiRWw

# Reference: https://www.virustotal.com/gui/file/3dc229337efe949ac3f88b2fe3532f0774525fbcd862b845ce8131b1c28dc41e/detection

/ht.php/0TFU8wwfRQKRW

# Reference: https://www.virustotal.com/gui/file/3e72b3fdce5e3bdbb60550734249ebb530934d7db64dc5cae2892d110089b171/detection

/ht.php/ET2IX5PlOMbJu

# Reference: https://www.virustotal.com/gui/file/44325c7a27c3f6ba2c01f61a872c991ace45b6285836ff68addabbf875bcbea6/detection

/ht.php/JtFNEt0Si9NOE

# Reference: https://www.virustotal.com/gui/file/37fd6717144b967e9e6c9d2c647e02a68611fed583b4423947e94eb55287c0d5/detection

/ht.php/8HaYlSzAWJVrC

# Reference: https://www.virustotal.com/gui/file/ad1922d859c3503dbd1a971cc42b5e949c9c7f2d85b7dcc3b2e4317cb776c9ce/detection

/ht.php/XFCRVAmzHV1Dt

# Reference: https://www.virustotal.com/gui/file/dd2f7ab604f0a74cecf60bd5349d075dc981b25a675821c29462dcb78d0384ec/detection

/ht.php/LH8SVxLMJKBbU

# Reference: https://blog.malwarebytes.com/threat-analysis/2020/07/malspam-campaign-caught-using-guloader-after-service-relaunch/
# Reference: https://otx.alienvault.com/pulse/5f234525b9ee140374d10153

fbdoskitryupanel.webredirect.org

# Reference: https://twitter.com/James_inthe_box/status/1292855690109755392
# Reference: https://www.virustotal.com/gui/domain/baritaco.com/detection

baritaco.com

# Reference: https://www.virustotal.com/gui/file/0ee5076bb7128dc9d887d42889802c844e305fe0d5651ef42674a27cf6c9169c/detection

http://77.73.70.170

# Reference: https://twitter.com/James_inthe_box/status/1299361958039179264
# Reference: https://app.any.run/tasks/a7028dfa-13db-4138-9ac4-ae7009df2714/

hotelavlokan.com/fungg/32/index.php

# Reference: https://twitter.com/SiberTurkce/status/1301136574948823041
# Reference: https://app.any.run/tasks/ec86cda1-faad-4aa9-9570-aaac5a794ced/

light-boy.top

# Reference: https://twitter.com/James_inthe_box/status/1303685944420098048

oficnna.sytes.net

# Reference: https://www.virustotal.com/gui/file/938c87848cd4b4709080326416a282689df5b4a06371818574f25379f74c2d32/detection
# Note: this is the well-known WannaCry kill-switch domain; matches may come from unrelated WannaCry activity, so treat a hit as weak evidence of GuLoader on its own

iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com

# Reference: https://twitter.com/struppigel/status/1354018166033276928
# Reference: https://app.any.run/tasks/cce072d3-0cb6-493d-83e8-dadd1bb26d91/

adojetson.com

# Reference: https://twitter.com/reecdeep/status/1376528863430328320
# Reference: https://app.any.run/tasks/987c76df-16cc-46fa-b86b-d5d54b35d169/

mariotessarollo.com/cp/

# Generic
# Note: short path fragments such as /hjf can match unrelated traffic; correlate with the host/IP trails above before acting on a hit

/hjf
/xdark_xljWuS110.bin