2026-02-03 (TUESDAY): GULOADER FOR AGENTTESLA STYLE MALWARE WITH FTP DATA EXFILTRATION

NOTES:

ASSOCIATED FILES:

EMAIL INFO:

- Return-Path: 
- Received: from [160.250.132[.]142] (unknown [160.250.132[.]142]) [info removed]; Tue, 03 Feb 2026 12:04:55 +0000 (UTC)
- From: shipping@paramee[.]com
- Subject: SHIPPING DOC || INVOICE NO. USF/23-26/072 IGR23110
- Date: 3 Feb 2026 19:04:54 +0700
- Message-ID: <20260203190454.E6D5FC5422826916@paramee[.]com>
- Attachment file name: inv. 5234353.rar

ASSOCIATED MALWARE:

- SHA256 hash: 9fc244b6ba5c24fe50134870932f6dea852b8fa419ec7cdcf3d84eed70e0e331
- File size: 339,014 bytes
- File name: inv. 5234353.rar
- File type: RAR archive data, v5
- File description: Email attachment

- SHA256 hash: b7d239db797326e43a96fb228e93bbbfa1e12d610c8a79ba3148b74b0021ecb4
- File size: 457,952 bytes
- File name: inv. 5234353.bat
- File type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
- File description: Extracted file, GuLoader for AgentTesla style malware

DATE/TIME OF THE INFECTION IN MY LAB:

- 2026-02-03 at 16:13 UTC

GULOADER TRAFFIC:

- hxxps[:]//drive.google[.]com/uc?export=download&id=1WsTpqstK9Luuk41e8fNVM9xO-QZwN1Ho
- hxxps[:]//drive.usercontent.google[.]com/download?id=1WsTpqstK9Luuk41e8fNVM9xO-QZwN1Ho&export=download

AGENTTESLA STYLE TRAFFIC:

- hxxp[:]//ip-api[.]com/line/?fields=hosting
- Unencrypted FTP traffic to ftp.corwineagles[.]com (AgentTesla style data exfiltration)
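The two indicators above form a recognizable sequence: a hosting lookup against ip-api.com, then a cleartext FTP session carrying credentials and an upload. The following is an added example, not code from the original post, that runs that correlation over a few constructed log records; the tab-separated record layout, the sample hosts (other than ip-api.com and ftp.corwineagles.com, which are from this post) and the 300-second window are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample records (not captured traffic), tab-separated:
# unix timestamp, source IP, destination host, service, request detail.
SAMPLE_LOG = """\
1770135190\t10.2.3.4\tip-api.com\thttp\tGET /line/?fields=hosting
1770135200\t10.2.3.4\tftp.corwineagles.com\tftp\tUSER exfil-account
1770135201\t10.2.3.4\tftp.corwineagles.com\tftp\tPASS [redacted]
1770135202\t10.2.3.4\tftp.corwineagles.com\tftp\tSTOR report.html
1770135300\t10.2.3.9\tftp.example.org\tftp\tUSER anonymous
"""

GEO_CHECK = re.compile(r"^GET /line/\?fields=hosting")   # AgentTesla-style hosting lookup
FTP_EXFIL = re.compile(r"^(USER|PASS|STOR) ")           # cleartext creds or an upload
WINDOW = 300  # max seconds between the hosting check and the FTP session (assumed)

def parse(log):
    rows = []
    for line in log.splitlines():
        ts, src, dst, service, detail = line.split("\t", 4)
        rows.append({"ts": int(ts), "src": src, "dst": dst,
                     "service": service, "detail": detail})
    return rows

def detect(rows):
    """Return (severity, src, dst, reason) for the ip-api -> cleartext FTP pattern."""
    last_check = {}               # src -> time of the last ip-api hosting lookup
    seen = defaultdict(set)       # src -> FTP hosts already reported
    findings = []
    for r in sorted(rows, key=lambda r: r["ts"]):
        if r["service"] == "http" and r["dst"] == "ip-api.com" and GEO_CHECK.match(r["detail"]):
            last_check[r["src"]] = r["ts"]
            findings.append(("low", r["src"], r["dst"], "hosting check via ip-api.com"))
        elif r["service"] == "ftp" and FTP_EXFIL.match(r["detail"]):
            if r["dst"] in seen[r["src"]]:
                continue          # one finding per source / FTP host pair
            seen[r["src"]].add(r["dst"])
            checked = last_check.get(r["src"])
            if checked is not None and r["ts"] - checked <= WINDOW:
                findings.append(("high", r["src"], r["dst"], "cleartext FTP after hosting check"))
            else:
                findings.append(("medium", r["src"], r["dst"], "cleartext FTP credentials"))
    return findings

if __name__ == "__main__":
    for finding in detect(parse(SAMPLE_LOG)):
        print(*finding)
```

The FTP-only branch still fires on any cleartext USER/PASS/STOR to a host the source has not been seen talking to, so a session that skips the ip-api lookup is reported at medium rather than missed.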

IMAGES:

- Screenshot of the email with an attached RAR archive.
- The malware, extracted from the attached RAR archive.
- Traffic from the infection filtered in Wireshark.