2026-02-03: GuLoader for AgentTesla style malware with FTP data exfiltration

2026-02-03: GuLoader for AgentTesla style malware with FTP data exfiltration
嗯，用户让我总结一下这篇文章的内容，控制在100字以内，而且不需要用“文章内容总结”之类的开头。首先，我得仔细看看文章内容。文章主要讲的是GuLoader加载器被用来分发类似于AgentTesla的恶意软件，并且使用了FTP来窃取数据。邮件里有一个RAR附件，里面包含了一个.bat文件，这个文件其实是GuLoader的加载器。一旦运行，就会下载恶意软件，并开始收集数据，通过FTP传输出去。用户可能是一个安全研究人员或者IT专业人士，他们需要快速了解这个事件的关键点。所以总结的时候要包括恶意软件的类型、传播方式、数据窃取方法以及相关的IOC信息。我还需要注意字数限制，确保在100字以内。可能需要简化一些技术细节，但关键点不能漏掉。比如GuLoader的作用、AgentTesla的特征、FTP的数据外泄等。最后，检查一下有没有遗漏的重要信息，比如日期、相关文件名或者哈希值，这些虽然重要但可能不需要全部包含在内，因为用户可能只需要一个高层次的概述。 </think> 这篇文章描述了GuLoader加载器被用于分发类似AgentTesla的恶意软件，并通过FTP进行数据窃取。攻击者通过伪装成 shipping 邮件发送带有恶意RAR附件的邮件，附件中包含GuLoader加载器和恶意软件。感染过程涉及从Google Drive下载恶意文件，并通过未加密的FTP传输窃取的数据。 2026-2-3 18:26:0 Author: www.malware-traffic-analysis.net(查看原文) 阅读量:6 收藏

2026-02-03 (TUESDAY): GULOADER FOR AGENTTESLA STYLE MALWARE WITH FTP DATA EXFILTRATION

NOTES:

Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website.

ASSOCIATED FILES:

2026-02-03-GuLoader-for-AgentTesla-style-infection-with-FTP-data-exfil-IOCs.txt.zip 1.2 kB (1,210 bytes)
2026-02-03-email-with-malicious-attachment-1204-UTC.eml.zip 354.6 kB (354,565 bytes)
2026-02-03-GuLoader-for-AgentTesla-style-infection-with-FTP-data-exfil.pcap.zip 272.9 kB (272,898 bytes)
2026-02-03-files-from-the-infection.zip 928.1 kB (928,118 bytes)

2026-02-03 (TUESDAY): GULOADER FOR AGENTTESLA STYLE MALWARE WITH FTP DATA EXFILTRATION

EMAIL INFO:

- Return-Path: 
- Received: from [160.250.132[.]142] (unknown [160.250.132[.]142]) [info removed]; Tue, 03 Feb 2026 12:04:55 +0000 (UTC)
- From: shipping@paramee[.]com
- Subject: SHIPPING DOC || INVOICE NO. USF/23-26/072 IGR23110
- Date: 3 Feb 2026 19:04:54 +0700
- Message-ID: <20260203190454.E6D5FC5422826916@paramee[.]com>
- Attachment file name: inv. 5234353.rar

ASSOCIATED MALWARE:

- SHA256 hash: 9fc244b6ba5c24fe50134870932f6dea852b8fa419ec7cdcf3d84eed70e0e331
- File size: 339,014 bytes
- File name: inv. 5234353.rar
- File type: RAR archive data, v5
- File description: Email attachment

- SHA256 hash: b7d239db797326e43a96fb228e93bbbfa1e12d610c8a79ba3148b74b0021ecb4
- File size: 457,952 bytes
- File name: inv. 5234353.bat
- File type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
- File description: Extracted file, GuLoader for AgentTesla style malware

DATE/TIME OF THE INFECTION IN MY LAB:

- 2026-02-03 at 16:13 UTC

GULOADER TRAFFIC:

- hxxps[:]//drive.google[.]com/uc?export=download&id=1WsTpqstK9Luuk41e8fNVM9xO-QZwN1Ho
- hxxps[:]//drive.usercontent.google[.]com/download?id=1WsTpqstK9Luuk41e8fNVM9xO-QZwN1Ho&export=download

AGENTTESLA STYLE TRAFFIC:

- hxxp[:]//ip-api[.]com/line/?fields=hosting
- Unencrypted FTP traffic to ftp.corwineagles[.]com (AgentTelsa style data exfiltration)

IMAGES

Shown above: Screenshot of the email with an attached RAR archive.

Shown above: The malware, extracted from the attached RAR archive.

Shown above: Traffic from the infection filtered in Wirewhark.

Click here to return to the main page.

文章来源: https://www.malware-traffic-analysis.net/2026/02/03/index.html
如有侵权请联系:admin#unsafe.sh