February 4, 2021
Severity
High
Analysis Summary
SystemBC malware is being distributed via malicious email spam (malspam) campaigns. The emails carry Excel spreadsheets containing a malicious macro that uses an updated GlobalSign template. The spreadsheet pushed what appears to be the SystemBC RAT, and Cobalt Strike was detected as follow-up activity from this infection.
The malspam delivers Excel spreadsheets that require the victim to enable content, as shown below.
Enabling the macros on a vulnerable Windows host generated HTTPS traffic that retrieved a Windows executable (EXE) file for SystemBC. The first post-infection traffic from SystemBC was TCP traffic to 109.234.39[.]169 over port 4001. Cobalt Strike activity was observed only when the infected host was running in an Active Directory (AD) environment.
Impact
- Code Execution
- System Compromise
- Unauthorized Access
Indicators of Compromise
Domain Name
- alnujaifi-portal[.]com
- clinica-cristal[.]com
- eyeqoptical[.]ca
- fastonent[.]com
- gbhtrade[.]com[.]br
- newstimeurdu[.]com
- remacon[.]net
- skconstruction[.]info
MD5
- 0c9e9f498c35f2cdc72543f485342951
- 6c0861b1b1834784378cdc5af44bd70d
- d9fd5cc581d92b0ac154e3160ac609aa
- 0c8b813b210468b76a6f674729d44cab
- cf489853a42fb7520f19242a8921775d
- 8863f3a14654f2ae82dc951a2767ae10
- 48415bbcf8fcffd506d09e71af909f78
- 9f5e7b7e401d5f82df434982a6ef593a
- 37a9bfb34c15724ce1a603471c382470
- 965e615c422fe7889b456f163b786de1
- 67376bd98f7f9a87d0d4afedfd2e8937
- c8b5ace77d5ef587aab38631d72f1bcb
- f80ce56069959bc77a65015cc92c534b
- 9de54512cf2bd8c02047e9923fb3b4b7
- 7ad66a2408455c7098ff9d87ed8853db
- 108b92af9d205027b5316e2748a3fc56
- 9d0f44841d49c404013a9731d0d5ab35
- 20a791b8ef5a3b01343dc98e36253eac
- 8e7ee081f8d1fa49f8f91d8f7bd8cbb4
- 0e1a850b56ad3da5358046fdb70d8297
- bd51118c0d50f8dd537b917843c37a1a
- 2ccfd48495e6cd058c5483c928e5e77c
- 32dcc5d18fbbd0dd01b45a26e2c4018c
- 4c218538f2d4790b8fc5ceb98f10fbb4
- 00e2b25df052858740b5b8b6c2217907
- fb5297fd808dbb204a8702e7958fd40f
- e393be86659b8873c0e01ed0c6ad781a
- 398313b6728c1d9b172bcd545e15bd1f
- 3ba6e7055d2aa702c92699209a949715
- f6e06478ce567801ecdd62a2dab93c92
- 7d99d0b98691c8fd32bc86b4adee1469
- 34dcfddf392e49a497c8e3cfb360440b
- 2be675a0e0c6e8490523cdf24fc28fcc
- f79e4f2d702c173aaf881a3d9f01a8d6
- 4506d15d2b790734ca655cfc5b79f778
- df774f853546816bdee1261622fc3d1e
- 45173818539d6f7f4c23b7aecfcd5a68
- 0e97906e7bff9077965f5a22ea3d28e2
- 8f99aa658f7f3e625724ff5067d985b6
- 7b6eb0883b4d494973cc8f58261ce55c
- 18d57e8949027460433be244a99807e0
- 8b0297e2e85894dd640c305f97911bc7
- 7ab6462d7eaa53fc8846c659a50531c2
- 9b66ac04810ed66d409b478262e178b4
- b6292a4b069f51a36c558bf6d667681a
- 551df76ca0a0c9127a513f8d36492c68
- eb74ab5679c3efb2683f8a73c60dcef9
- 1423a0ec3a510699a291f9de95ec1709
- da8cef9e1c9f30f3eb5fc140f0dc5781
- c9a840d8b360010a8812ca17cbe76bd4
- 53a121c64a66da560644745a47593af8
- cbb9239d2cc3f92b9bf13425046bd6fd
- 656e2c80516797060d76ba5288878d93
- 67a3cc5f4ce0f10da0cdf4159ff952fb
- 0159977d4573e31c6b2090449e4f2848
- be7c6ea68f6287df79e931269ecb5129
- 3a9b495ac6f370e8637b6fa248386780
- db3ad7c3b4315b40311d20a2ce87590b
- ea6398e9b8505011947919379daaed8f
- 7e3a7a587dbce08534f63401a680fe1c
- 7d157a031135e725635b21f8a948537a
- eeb2737196ca4b869959b266523fe4f8
- 223da81dbb0a268176f6e360636e61fa
- 3f1e9fc127e9c1436ff1e07fbfafb7f7
- 7a2cd7861bd348d9574e900222efd544
- 0f06c07fb57523c0df4a823f484a8040
- 11306811d547d46a7296ab1089dc8573
- bb453c66ea4e6e022a214642b7e2e2ac
- 8ddcab26c3fe9e1232a7102dade4d69b
- 9d6227398ff6d97ada139c9fb1001ef6
- 449ed530b6eda880c7e5006cf2d178b4
- 3f511b132d6bb49facecc21870b42f1c
SHA-256
- 044494acb6d781e6cc3b9a837b7ebca1e933080fe384a874f5eb9cca1ea76a55
- 056911f208c9b475020627b83c8bf3a0151e30ec7f71113cf75abb950a431efc
- 071809d68b777cae171284c2cc289b455a778b1f054cd0f244cf0fb6053dae2d
- 0cf4fff7f96cf695d3476e7dc66794d067acafbd2980f69526b874fc5b4c08be
- 0e094197fca1947eb189006ddeb7d6ad9e5d1f58229e929bc0359887ed8a667d
- 0fb4d8ac3cdef038bf53c8f4269eef5845704a9e962b7609fd93a9f08cc2fab1
- 134a5bfe06f87ace41e0e2fb6f503dca0d521cb188a0c06c1c4bc734ad01e894
- 13ef189260cd344e61a0ad5907c5e695372b00fe1f5d5b2b3e389ad2b99b85e4
- 17ed4dc4369a90d2e24f1ab0fa1eeb6fca61f77b183499c47e5cfb9ce12130fb
- 17fb4271ab9113a155c091c7d7bd590610da87e986ccf5962aa7fc4b82060574
- 19065d8aa76ba67d100d5cb429a8b147c61060cc49905529d982042a55caceef
- 1b63ff13d507f9d88d03e96c3ef86c7531da58348f336bc00bf2d2a2e378fd90
- 1d8fd79934dc9e71562e50c042f9fa78a93fa2991d98c33e0b6ab20c0b522d5a
- 1e295b33d36dee63930728349be8d4c7b8e5b52f98e6a8d9ca50929c8a3c9fb1
- 2156a9f3d87d3df1cee3f815f609c2a3dc2757717ff60954683c34794e52b104
- 21db2f562b9182a3fcdb0fce8c745b477be02b4a423a627cddf6a1c244b6c415
- 244625f6627cadadb7faf8a6b526e91aee4f5c1cadfa1c0d4fb996f4cc60a5ae
- 2e726c5a27e04633d407e13bd242ae71865eef13ac78bf9068e1200823e5ea81
- 2f66e8d84e87811feaf73e30b08be0ad6381271ddfb5071556bd26cd3db2c3f4
- 31901336fdfae4fdeac46b937a059c618d5ba3e04d06bb8e95108a307e2c6d94
- 31a04fe64502bfe6f73971f9de9736402dd9a21a66d41d3a4ecea5ee18852f1c
- 32452e930a813f41a24dc579a08e8dde1801603797d527ce1385ad414b00e676
- 32a904d301e8a30b7bd70804b905dd7b858b761979f3344bc2ec3bff0cb6d703
- 387bdfedc306e087d8ceceb1f1f8f7a6b3c32110ca3d7273eb01e474349d1974
- 3a181036cdc46e088f1cb98acd06062d32a8a11a8ef65fe7544bb22a2fd5c56e
- 3dcd7897ad927f4b2b860010963e02903bc68a2c0c86abb1a27b8cbaab2fa9b6
- 418460bf69c01e47cbe261d7f7312475cda4305860fbbe3d3e6639b9adb78de5
- 441f076519f0bdc04d110b4fa73dbafa3b667825ceab6d4099e36714bd1d7213
- 49cb79f8547c9c94a7ab6642ba1c40fcd036625f71845f2c6203d76c5f7f46fb
- 4af6e8805273ca9b3dea793bd712ed785ea5c5ed9e387cb8ab5059a4f364a303
- 4dfb0bb69a07f1cd7b46198b5edf8afebd0cdd02f27eb2c687447f692625fb9f
- 584c2aab3fe9e1ec9f9dffecbd32e6af8b6b3fa3141c7ddf845763cbf14a82eb
- 59bbcecd3b1670afc5430e3b31377f24da24f4e755b7c563a842ce4e325aa61a
- 5cecb7e104e73aa9916a7154a3004d1a71c59c8f473d693f3b285b2fd473e454
- 61499704920ee633ffb2baab36eb8eb70d5e0426bca584f9a4a872e4b930c417
- 62f1ef07f7bab2ad9abf7aeb53e3a5632527a1839c3364fbaebadd78d6c18f4e
- 669de92b909247d676daa6bab3b3ae5be4fbec2e77f66915267f032c1d7eb71a
- 6bf9612a2b8288d55b47648f9ad9ee80cca5058ced5fb77254e57f9ff2d701d3
- 6c0ef43c1f8b4425d034a46812903b8a6345ae24e556e61e37c0f14eba8c8d2e
- 6df34ffeffb9cc5def3c424cd8bb0f90ab921be24efd1f8fe52ea6c13e700334
- 795a5d5c57dac1703c6b4bab9507d1c662180716b4afa89c261aa3bb6d164e2f
- 7d1602138a26c0524b32570f3fb292fd5a7efbc5ed53ae260d7b7f3652a78969
- 8072f20dd769519a621255307b03e85dca2fe227f48486b0aacc41903ab3bfdf
- 8eb429c24872a501fafc783e8a0fcc53e0ebb5cc8ec4f2310fc10102b1d23a27
- 8ef917da85afcc5f7bfe9cc2afd29f44a7f0cda5ba0249b50ef448d547007461
- 908cb8f6f39b9c310d8df54bddf667d23b0851bbf90b21ca89ea69d211f2c402
- 9519a0631804d18f95d4c3239df5e5ea56b8e5a890b73c889a58d6469958eb71
- 952ec18a6dc949ebd335f5eabed756d0f562aa3853fe9384dc0eded0de5f843b
- a274a08d84958666b6c94e1a6fc3b676aca387544a4218c8473e1a9a72124532
- a3ce1043a7791b73fe14d7c29377467fd64df3b3b464c48a22a6d3bd2f7786aa
- a54b331832d61ae4e5a2ec32c46830df4aac4b26fe877956d2715bfb46b6cb97
- a7b362864724ccb5cba416ff45b4e137f22f8fed4492b5521e369026107031b2
- ab9b97d0d17b2434d2cfc66106ae07b903271ba603be1314b742338c23cce20c
- b2aa3ee1cc617f90e92664969a0856d98a97c727edd7c81ef83c038a34a432d5
- b4107daacbbfac1b9bc9b3fa4e34a8d87037fa2c958db9d6d7df52380f15a1d1
- c3a38df6f4864d32c10e8ecf063e18cba56c3b1add3404634ea20ea109198620
- c4d745576b47b6dd79a9d92cda7dbe60c2cda7d8960a07e33692e6e71f8e5eb3
- c8fd542a9b500ada7afbff26b6c11dd2ab22aaefd30ef7a999410ee20d2fb043
- cca4a3c8af9b549b445b7e2bcb2d45b95982890b6ed3b62fc882f0478f512b2f
- ce02ed48d9ab12dfe2202c16f1f272f75e5b1c0b64e48e385ca71608cb686fc8
- d0c96aacb07629b9d97641a0022b50827f73d86a34fa4929b126f398cf4cf486
- d3145f4f7b1c62f9a1937aa9e968da8b52ff4fde83c0dba3152567b2b65d809a
- d4e372014a40821f10780fcc12c6b5a1cdf4740738a0769e78f06dd10b6ec53f
- d85eb8e5c39d7681155e39602ce30e0c3793b4513f1038e48334296db945e02d
- dc5a3675455d9486e7aa8aaf2463b69ad03c508375eb99b6fb3039d914677a9f
- dcff925d51e90586eb624f249e56b6abb7026b364fab84dcfcf44025e84ff7d9
- e06ee4e0bbe581edc39aecaab76e3fa12a53cb971ec0c106644703b376f5ed24
- e26ab2d6cff95ba776ec6e7beb8c70f2e4d79467b71153ddb36177cb2b2a1273
- e64d605e857900a07c16e22e288c37355e4ebd6021898268ab5dded5c8c4efca
- f5e2351ff528c574dc23c7ef48ddac42546c86d77c28333b25112a9efbfb9d93
- f682f0756ec96d262ae4c48083d720657685d9b56278bd07b2656f3b33be985e
- ff483bbb98d02d1e071d6f0e8f3a3c1706c246db71221455b29f4e54b0c4ef2f
SHA-1
- 726460ba95ae17a95d91e72e1155cd9565d46cc8
- ed1017797d15d60c03945ca9122063795e674172
- 5843f6cdf193b988115eefbfa03d788a8ea34323
- 18115eddf9dc0065f6243c25281350538f167527
- 734e56466b525e822436b61f13a76eda051ea15a
- 4536d2d1c244d799ca81ea02da07ad1e1d711485
- fdcffa80e7440f383fb103702502d715fa27182b
- 809476cb387f07540bff419e57f1ac5f895d23fd
- ee6af505f2e6fd59899a1ab06d16e8688c41ef75
- 08292ae166decf4d42f3a8e2e16ddd75786528e8
- b1b5af8d444dad807b3e942ba82b7f4d4264f5c6
- 0913135ece9d4d431e331a8526cb1aba14f486b0
- 74dda5582b794ae3972cb2e7b5a43e4ecf7d6492
- f5f6fcf2869c9cd120e3ccbb32874351a822c91d
- 215fe6425d07e78729cf6e12adca15ac916ceb9e
- 4fd29f1d94739c3c6f29cf93b25eeee3b788fde2
- 70f5dc2ebee5608f557585b35831aef5044b2d62
- 94d015fc81817c4bc97918b49c11f3af1584c830
- 959fd0d61895ad8b5d548d9cf60a8dce8d352dda
- d298b7ea6a15c1372051baf4471e53726b6f1550
- fc664b21407f159843dbdf6e212f010d97504705
- 8c493d40231965bc377d9ca22abe2732fa25c1f8
- e970dde499a0b36bb7220a931a5641350e10bf98
- a22ba26749bbe367c9061e68c7c3c460c4e97040
- b4b739c681a6320fd86a9de6dbc4d01035770deb
- 333782df24f7f96190f34591fdd7f5fe2306b9fc
- 94f153a904029b00fa6756ebaad79a89db8e0689
- 8b6b9220ba12e2d716408afd4ef405dde5763bec
- bf95b1ccddd475d00809bd4dc22cfdc40adad98f
- d78dcf15fc7161d5ffbb9cb328bb4a25e546f693
- 6f905852c40a5886d23a6fc7ba9367d26975a55a
- 6405af9ce820434cb22ffdca487960472be2cb02
- 8a1a301bca69c79357c6efdad9d109d2cea0c7e5
- 8f99b0086b75d3126c88cd3e28475e3759adcf5a
- 9e2392716e84b90c2c822b8a73b741af6ba02331
- c63f88c60011ade69cace2e30010e49bc96f872b
- 37920271a0b6b2dfc9aceecb69d22b74396808ed
- 9a85e707a959024d48207093305e15bec2e421d7
- 87f93b1de05b9f97b603befbbef2ff88f829d03b
- f0c78ce6c751574ca8421c31c16f563c6e03275d
- e10e18a7a3f4cb51a852aa38698cd17da547d8e6
- 5eb437ee95b407b9eb19034798d175e05536a24a
- 3608902b2e8280ab3e888414dc8beb80aa10a62c
- 6feb2b38f863835f69dea0179225697e109ef8c5
- 7de8be1b378ce6ad32e20ea6d8bf554df17673ca
- 2cd8fdacb16ea7e0daf5bb3cdb10a35fd9902a6e
- fe56982045c2b08447ea68bc34ac025133bc7b79
- 52effa2a02b558986a661749e8fa777b584a5d5b
- 2ab00715ff44ceefc1ea38b140f72d3c9b709bbc
- 738c7f0e5111ca7922cd5f27cb8da43e91846fa4
- f72e371639a01928882fecdcc0bda83424a6ec5d
- d0a424e5180ffb4e7b769c73dc1f64b95cab73e4
- 00fee3dbdee320c85b800b8a5160adffaea0ae7d
- 90a8c09230727175489b83d00e1f814be14d2841
- d9417f0a06ded10fab0c3b83f8c6890d089f50ac
- 9b93c3239f57ca9fbd459746d815f2477a6b75f2
- 325b4d29d8da1ce9eb383cff97ed23b1a59ae016
- 74405c90d92da970fbe7102388cb53f7767491f0
- bf508cf8b932aa343bbf91b20dfc4ea2a35cfceb
- a12e7ba6bfc7a1e5cd250c677777d91317281ae7
- d0359707c12ab43415a1103d7b1fdb28c7a011d7
- a737a9e1da0a03bb0a6f34162f785e516e20d8fd
- 73b1a17ccc0009066a2bc59faabb56e213128082
- 95d2581898f8eb5ea4acc47645097427b4a9a2d8
- 71e56592319df1c1472f8a1f7bf9210ef7f1a628
- e3352465eceafa08399781f4b65f7e2eac8a28b7
- 3e63a06c63576495527626ea280b2d4c624aac9b
- fb0305cf90b97136645110fb343df677ddf90769
- f6eb05a6920238c885c4177c19e0750f4285e035
- 09d276dcff1d2d5d3a4c14c0e818df85044e2bd5
- 78ee1b12bec9626e7011e4b83fd1a5029ea01b0a
- b7b4774b005d5e00de89dff461d0ab3e64fafa7d
Source IP
- 109[.]234[.]39[.]159
- 109[.]234[.]39[.]169
- 192[.]169[.]6[.]8
URL
- https[:]//alnujaifi-portal[.]com/ds/3101[.]gif
- https[:]//clinica-cristal[.]com/ds/3101[.]gif
- https[:]//eyeqoptical[.]ca/ds/3101[.]gif
- https[:]//gbhtrade[.]com[.]br/ds/3101[.]gif
- https[:]//newstimeurdu[.]com/ds/3101[.]gif
- https[:]//remacon[.]net/ds/3101[.]gif
- https[:]//skconstruction[.]info/ds/3101[.]gif
Remediation
- Block the threat indicators at their respective controls.
- Do not download files attached in untrusted emails.
- Do not download files from untrusted sources on the internet.
- Do not enable macros for untrusted files, even if they do not look suspicious.
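The first remediation item asks for the indicators above to be blocked at the relevant controls, and the analysis summary singles out the TCP connection to 109.234.39[.]169 on port 4001 as the first post-infection traffic. The following script is an added example, not part of the advisory and not Rewterz tooling: it refangs the domain, IP and URL indicators listed on this page, produces a deny list from them, and scans a few constructed DNS, proxy and firewall log lines (the key=value log format and the sample lines are assumptions) so that a SOC analyst can see which hosts touched the infrastructure and which one made the SystemBC port-4001 connection.

```python
"""Match this advisory's indicators against sample network logs.

Added example: the indicator lists are copied from the advisory (still in
their defanged form); the log format and sample log lines are constructed.
"""
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import urlparse

# Indicators from the advisory, kept defanged so they cannot be clicked.
DOMAINS = [
    "alnujaifi-portal[.]com", "clinica-cristal[.]com", "eyeqoptical[.]ca",
    "fastonent[.]com", "gbhtrade[.]com[.]br", "newstimeurdu[.]com",
    "remacon[.]net", "skconstruction[.]info",
]
IPS = ["109[.]234[.]39[.]159", "109[.]234[.]39[.]169", "192[.]169[.]6[.]8"]
URLS = [
    "https[:]//alnujaifi-portal[.]com/ds/3101[.]gif",
    "https[:]//clinica-cristal[.]com/ds/3101[.]gif",
    "https[:]//eyeqoptical[.]ca/ds/3101[.]gif",
    "https[:]//gbhtrade[.]com[.]br/ds/3101[.]gif",
    "https[:]//newstimeurdu[.]com/ds/3101[.]gif",
    "https[:]//remacon[.]net/ds/3101[.]gif",
    "https[:]//skconstruction[.]info/ds/3101[.]gif",
]
# First post-infection TCP connection reported in the advisory.
SYSTEMBC_C2 = ("109[.]234[.]39[.]169", 4001)


def refang(indicator: str) -> str:
    """Turn a defanged indicator ([.] and [:] notation) into a matchable string."""
    return indicator.replace("[.]", ".").replace("[:]", ":")


REFANGED_DOMAINS = {refang(d) for d in DOMAINS}
REFANGED_IPS = {refang(i) for i in IPS}
REFANGED_URLS = {refang(u) for u in URLS}
C2_IP, C2_PORT = refang(SYSTEMBC_C2[0]), SYSTEMBC_C2[1]

KV = re.compile(r"(\w+)=(\S+)")  # assumed key=value log format


@dataclass(frozen=True)
class Hit:
    line_no: int
    kind: str       # "dns", "url", "ip" or "c2"
    indicator: str  # refanged indicator (or ip:port) that matched


def host_of(name: str) -> str:
    """Normalise a DNS query name or URL host: lower-case, no trailing dot."""
    return name.lower().rstrip(".")


def matches_domain(host: str) -> bool:
    """True for an exact match or a subdomain of a listed domain."""
    host = host_of(host)
    return any(host == d or host.endswith("." + d) for d in REFANGED_DOMAINS)


def blocklist() -> List[str]:
    """Refanged indicators ready for DNS sinkhole, proxy and firewall deny lists."""
    return sorted(REFANGED_DOMAINS | REFANGED_IPS | REFANGED_URLS)


def scan(lines: List[str]) -> List[Hit]:
    """Flag log lines whose query, url or dst field matches an indicator."""
    hits: List[Hit] = []
    for n, line in enumerate(lines, 1):
        fields = dict(KV.findall(line))
        query = fields.get("query")
        if query and matches_domain(query):
            hits.append(Hit(n, "dns", host_of(query)))
        url = fields.get("url")
        if url:
            host = urlparse(url).hostname or ""
            if url in REFANGED_URLS:          # exact payload URL
                hits.append(Hit(n, "url", url))
            elif matches_domain(host):        # other path on a listed domain
                hits.append(Hit(n, "url", host_of(host)))
        dst = fields.get("dst")
        if dst in REFANGED_IPS:
            port = int(fields.get("dport", 0))
            # The port-4001 connection is the SystemBC beacon from the advisory.
            kind = "c2" if (dst, port) == (C2_IP, C2_PORT) else "ip"
            hits.append(Hit(n, kind, f"{dst}:{port}"))
    return hits


# Constructed sample log lines (not from the advisory).
SAMPLE_LOGS = [
    "2021-02-04T10:01:03Z dns client=10.0.0.21 query=remacon.net type=A",
    "2021-02-04T10:01:04Z proxy client=10.0.0.21 method=GET url=https://remacon.net/ds/3101.gif status=200",
    "2021-02-04T10:01:09Z fw src=10.0.0.21 dst=109.234.39.169 dport=4001 proto=tcp action=allow",
    "2021-02-04T10:02:00Z dns client=10.0.0.33 query=example.org type=A",
    "2021-02-04T10:02:05Z fw src=10.0.0.33 dst=192.169.6.8 dport=443 proto=tcp action=allow",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f"line {hit.line_no}: {hit.kind:>3}  {hit.indicator}")
```

A "c2" hit on a host is the strongest signal in this chain, since it means the macro stage already ran and the SystemBC executable was fetched; a "dns" or "url" hit alone tells you the host reached the download infrastructure and should be triaged for the EXE drop. Subdomain matching is deliberate: the advisory lists bare domains, and a resolver log will often show a www or CDN-style label in front of them.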