SHA-256 hashes:

29c766c8910fa35b76bdea7738e32f51fc063bc01e8f557c1f309a4b07c47733 | RFQ No 41 26_06_2023.pdf; initial mail attachment
1d030984aa406ff1a05c1d42e67455b79665d50ea98f49713b1fd21887b7b2eb | RFQ No 41 26_06_2023.zip; password: ZERNOFF
748c0ef7a63980d4e8064b14fb95ba51947bfc7d9ccf39c6ef614026a89c39e5 | RFQ No 41 26_06_2023.pdf.lnk; malicious shortcut file used to download the decoy and Reilon.vbs
ab6c5af91d0e384cc011f3e3be12b13290bfc802ce5dd8a3788100f583d4b800 | Reilon.vbs; malicious first-stage downloader for the GuLoader shellcode
afbfc145affa16280139a70e92364d8cc9d71b951d3258df9a9855c0c1f1f567 | RFQ-INFO.pdf; decoy PDF file (not malicious)
f3b62d90f02bbecd522049f9186c67d939b77e98449d63e73de4893060f1dd48 | Persuasive.inf/opbrugende.Dal; base64-encoded stage 3 plus both GuLoader shellcodes
d7b17df67410b8d408bb768c11757162a49cfb8602e50ac98283bfd49c54a9c5 | obfuscated RemcosRAT payload
02bfbe1f039520812cf9626c7377f12539a881142493026ea9b3d064c1be47dc | Industri3; GuLoader shellcode 1 (decryptor)
7b9f1a7a40f14ba0e5b80608498dafb54ee3d24e9c62ede376162da26704d9e3 | veristfil; GuLoader shellcode 2 (main GuLoader shellcode)

Network IoCs:

ar@gbwhotel[.]com[.]my | sender address from the email header
hxxps://acrobat.adobe[.]com/id/urn:aaid:sc:VA6C2:57c88930-644f-4131-94c6-bee1152af5ab | password-protected .zip containing RFQ No 41 26_06_2023.pdf.lnk
hxxps://shorturl[.]at/guDHW, redirects to hxxps://img.softmedal[.]com/uploads/2023-06-23/298186187297.jpg | Reilon.vbs
hxxps://shorturl[.]at/iwAK9, redirects to hxxps://img.softmedal[.]com/uploads/2023-06-23/773918053744.jpg | decoy PDF
hxxp://194.55.224[.]183/kng/Persuasive.inf | Persuasive.inf/opbrugende.Dal
hxxp://194.55.224[.]183/kng/DtEIjJvibmBIjb254.bin | encrypted RemcosRAT payload
194.187.251[.]91:12603 | RemcosRAT C2
top1.banifabused1[.]xyz | RemcosRAT C2
sub1.banifabused2[.]xyz |
randomlybackup.duckdns[.]org |

Note that acrobat.adobe[.]com, shorturl[.]at and duckdns[.]org are shared public services; match on the full URL or the exact hostname listed above rather than blocking the parent domain.
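A small hunting script for the indicators above, added here as an example and not part of the original post. It refangs the `hxxp`/`[.]` notation, sorts each indicator into a type (hash, email, URL, IP:port, hostname), and scans line-oriented logs for matches, reporting hostname-only hits (a URL on the same host, or an IP without the listed port) at lower confidence because several of the listed hosts are shared services. The IOC excerpt and the log lines are constructed for the example; the log format is an assumed generic key=value style, not any particular product's output.

```python
"""Refang the IOC list above and hunt for its indicators in log lines (added example)."""
import re

# Constructed excerpt of the IOC list above, kept in its defanged form.
IOC_TEXT = """
ab6c5af91d0e384cc011f3e3be12b13290bfc802ce5dd8a3788100f583d4b800 | Reilon.vbs; first-stage downloader
ar@gbwhotel[.]com[.]my | sender address from the email header
hxxps://shorturl[.]at/guDHW redirects to hxxps://img.softmedal[.]com/uploads/2023-06-23/298186187297.jpg | Reilon.vbs
hxxp://194.55.224[.]183/kng/Persuasive.inf | Persuasive.inf/opbrugende.Dal
194.187.251[.]91:12603 | RemcosRAT C2
top1.banifabused1[.]xyz | RemcosRAT C2
"""

# Constructed log lines in an assumed generic key=value format (not real telemetry).
SAMPLE_LOGS = [
    "2023-06-27T08:59:41Z mta accepted from=ar@gbwhotel.com.my subject=RFQ",
    "2023-06-27T09:14:02Z host=WS07 event=FileCreate path=C:\\Users\\x\\AppData\\Roaming\\Reilon.vbs "
    "sha256=AB6C5AF91D0E384CC011F3E3BE12B13290BFC802CE5DD8A3788100F583D4B800",
    "2023-06-27T09:14:05Z host=WS07 proxy GET http://194.55.224.183/kng/Persuasive.inf status=200",
    "2023-06-27T09:14:09Z host=WS07 dns query=top1.banifabused1.xyz type=A",
    "2023-06-27T09:14:10Z host=WS07 conn dst=194.187.251.91:12603 proto=tcp",
    "2023-06-27T09:16:00Z host=WS07 proxy GET https://img.softmedal.com/index.html status=200",
    "2023-06-27T09:16:30Z host=WS07 proxy GET https://www.example.com/ status=200",
]

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
IPPORT_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?$")
URL_RE = re.compile(r"^(https?)://([^/:\s]+)(:\d+)?(/[^\s]*)?$", re.I)
# URLs are taken whole; everything else is split on '=' and whitespace so "sha256=ABC" yields "ABC".
TOKEN_RE = re.compile(r"https?://\S+|[A-Za-z0-9][A-Za-z0-9.:@\-]*", re.I)


def refang(s):
    """Turn the defanged notation used in the list back into a real indicator."""
    return s.replace("[.]", ".").replace("hxxps://", "https://").replace("hxxp://", "http://")


def norm_url(u):
    """Lower-case scheme and host only; the path stays case-sensitive."""
    m = URL_RE.match(u)
    return f"{m.group(1).lower()}://{m.group(2).lower()}{m.group(3) or ''}{m.group(4) or '/'}"


def classify(word):
    """Return (kind, normalised value) for an indicator-looking word, or None."""
    w = refang(word.strip(".,;"))
    if "@" in w:
        return "email", w.lower()
    if SHA256_RE.match(w.lower()):
        return "sha256", w.lower()
    if IPPORT_RE.match(w):
        return ("ipport" if ":" in w else "host"), w
    if URL_RE.match(w):
        return "url", norm_url(w)
    if "." in w:  # bare hostname (also catches file names, which simply never match)
        return "host", w.lower()
    return None


def parse_iocs(text):
    """Build {'sha256': set, 'email': set, 'url': set, 'ipport': set, 'host': set}.

    Words like 'redirects to' are skipped because they never look like an indicator,
    so a 'X redirects to Y' entry contributes both URLs. Hosts derived from URLs and
    IP:port pairs go into the weaker 'host' bucket.
    """
    iocs = {k: set() for k in ("sha256", "email", "url", "ipport", "host")}
    for line in text.splitlines():
        if "|" not in line:
            continue
        for word in line.split("|", 1)[0].split():
            c = classify(word)
            if not c:
                continue
            kind, val = c
            iocs[kind].add(val)
            if kind == "url":
                iocs["host"].add(URL_RE.match(val).group(2).lower())
            elif kind == "ipport":
                iocs["host"].add(val.split(":")[0])
    return iocs


def scan(lines, iocs):
    """Return [(line_no, kind, value)] for every indicator found in the log lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        for tok in TOKEN_RE.findall(line):
            c = classify(tok)
            if not c:
                continue
            kind, val = c
            if val in iocs[kind]:
                hits.append((n, kind, val))
            elif kind == "url" and URL_RE.match(val).group(2).lower() in iocs["host"]:
                hits.append((n, "host", URL_RE.match(val).group(2).lower()))  # same host, other path
            elif kind == "ipport" and val.split(":")[0] in iocs["host"]:
                hits.append((n, "host", val.split(":")[0]))  # listed IP, unlisted port
    return hits


if __name__ == "__main__":
    for n, kind, val in scan(SAMPLE_LOGS, parse_iocs(IOC_TEXT)):
        print(f"{'LOW ' if kind == 'host' else 'HIGH'} line {n}: {kind} {val}")
```

The sixth sample line shows the caveat from the list: a request to img.softmedal.com for an unrelated path is reported as a hostname hit only, which is the right level of confidence for a host that also serves legitimate content.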