VRad

?gamaredon_150923

Sep 15th, 2023 (edited)
#IOC #OptiData #VR #template_injection #generated_maldoc #possible_gamaredon #pirated_msoffice

https://pastebin.com/AeXB3n7j

previous_contact:
2x/08/20 https://pastebin.com/HUKPF31d
18/11/19 https://pastebin.com/Vhb4KF5L

FAQ:
https://attack.mitre.org/techniques/T1221/
https://malpedia.caad.fkie.fraunhofer.de/actor/gamaredon_group
https://intezer.com/blog/malware-analysis/analyze-malicious-microsoft-office-files/

attack_vector
--------------
email attach .doc (template_inject.) > GET 185.247.184.} 152 > n/a

# # # # # # # #
email_headers
# # # # # # # #
Date: Fri, 15 Sep 2023 09:25:34 +0300
Received: from frv190.fwdcdn.com ([212.42.77.190])
Received: from [10.10.80.23] (helo=frv50.fwdcdn.com) by frv190.fwdcdn.com with smtp ID 1qh2Gm-00094e-Ll
From: Центр Державних Замовлень <cdz25@ukr.net>
Received: from cdz25@ukr.net by frv50.fwdcdn.com;
Subject: Для УПОВНОВАЖЕНИХ ОСІБ: 19 - 21 вересня онлайн семінар (зі змінами від 01.09.2023 № 952) Платформа ZOOM;
Message-Id: <1694759099.0854066000.aidykooe@frv50.fwdcdn.com>
Return-Path: cdz25@ukr.net

# # # # # # # #
files
# # # # # # # #
SHA-256 01d27b175fcc3c7917223abe51e55adbb69d052bfccc189d30df2b4cb2c35480
File name Пропозиція для участі у семінарі 2023 рік(Онлайн).doc [ MS Word Document ]
File size 273.00 KB (279552 bytes)

SHA-256 f557b22f065af690fe89a2e3d27539e2f8fb27dc6c9446ac3637e7f3a082537f
File name Анкета-заявка онлайн.doc [ MS Word Document ] - clean
File size 47.00 KB (48128 bytes)

# # # # # # # #
activity
# # # # # # # #

PL_SCR http://encyclopedia83{ .samiseto{ .ru/HOME-PC/registry/sorry/amiable/amiable/amiable.83glf

C2 n/a

netwrk
--------------
185.247.184.} 152 encyclopedia83.{ samiseto.{ ru 80 HTTP OPTIONS /HOME-PC/registry/sorry/amiable/amiable/ Microsoft Office Protocol Discovery

185.247.184.} 152 encyclopedia83.{ samiseto.{ ru 80 HTTP OPTIONS /HOME-PC/registry/sorry/amiable Microsoft-WebDAV-MiniRedir/6.1.7601

185.247.184.} 152 encyclopedia83.{ samiseto.{ ru 80 HTTP GET /HOME-PC/registry/sorry/amiable/amiable/amiable.83glf Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64)

comp
--------------
WINWORD.EXE 2492 TCP 185.247.184.} 152 80 ESTABLISHED

proc
--------------
"C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde

persist
--------------
n/a

drop
--------------
n/a

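The netwrk section above shows the request chain Word produces when a remote template is resolved: an OPTIONS probe with the "Microsoft Office Protocol Discovery" user agent, a WebDAV MiniRedir OPTIONS probe, then a GET for the template file (here with the non-Office extension .83glf). The script below is an added detection example, not part of the original paste: it parses constructed proxy-log lines laid out in the same column order as the netwrk lines (dst_ip host port HTTP method path user_agent), tracks the OPTIONS probes per host, and flags a GET that follows them, rating it "high" when the fetched extension is not a normal Word document or template extension. The second host and its log lines are invented for contrast.

```python
import re
from collections import defaultdict

# Column layout assumed for the constructed log lines (mirrors the paste's
# netwrk section): dst_ip host port HTTP method path user_agent
LOG_RE = re.compile(
    r"^(?P<dst>\S+)\s+(?P<host>\S+)\s+(?P<port>\d+)\s+HTTP\s+"
    r"(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+(?P<ua>.+)$"
)

# Extensions a remote template fetch is expected to use; anything else
# fetched after the Office probes is treated as high severity.
OFFICE_TEMPLATE_EXT = {".dot", ".dotx", ".dotm", ".doc", ".docx", ".docm"}
DISCOVERY_UA = "Microsoft Office Protocol Discovery"
WEBDAV_UA_PREFIX = "Microsoft-WebDAV-MiniRedir/"

# Constructed sample: first three lines follow the paste's netwrk section
# (indicators refanged); the remaining lines are an invented benign
# corporate template server and an unrelated download.
SAMPLE_LOG = """\
185.247.184.152 encyclopedia83.samiseto.ru 80 HTTP OPTIONS /HOME-PC/registry/sorry/amiable/amiable/ Microsoft Office Protocol Discovery
185.247.184.152 encyclopedia83.samiseto.ru 80 HTTP OPTIONS /HOME-PC/registry/sorry/amiable Microsoft-WebDAV-MiniRedir/6.1.7601
185.247.184.152 encyclopedia83.samiseto.ru 80 HTTP GET /HOME-PC/registry/sorry/amiable/amiable/amiable.83glf Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64)
198.51.100.20 templates.corp.example 80 HTTP OPTIONS /shared/letterhead/ Microsoft Office Protocol Discovery
198.51.100.20 templates.corp.example 80 HTTP GET /shared/letterhead/letter.dotx Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64)
203.0.113.10 www.example.org 80 HTTP GET /downloads/readme.txt Mozilla/5.0
"""


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def file_extension(path):
    """Lower-cased extension of the last path segment, or '' if none."""
    m = re.search(r"(\.[A-Za-z0-9]+)$", path)
    return m.group(1).lower() if m else ""


def find_template_fetches(lines):
    """Flag GETs that follow Office protocol-discovery probes to the same host.

    Returns a list of alert dicts with host, path, ext, webdav (whether a
    MiniRedir probe was also seen) and severity ('high' for a non-Office
    extension, 'low' for a normal template extension).
    """
    probes = defaultdict(lambda: {"discovery": False, "webdav": False})
    alerts = []
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        host, method, ua = rec["host"], rec["method"], rec["ua"]
        if method == "OPTIONS" and ua == DISCOVERY_UA:
            probes[host]["discovery"] = True
        elif method == "OPTIONS" and ua.startswith(WEBDAV_UA_PREFIX):
            probes[host]["webdav"] = True
        elif method == "GET" and probes[host]["discovery"]:
            ext = file_extension(rec["path"])
            alerts.append({
                "host": host,
                "path": rec["path"],
                "ext": ext,
                "webdav": probes[host]["webdav"],
                "severity": "high" if ext not in OFFICE_TEMPLATE_EXT else "low",
            })
    return alerts


if __name__ == "__main__":
    for alert in find_template_fetches(SAMPLE_LOG.splitlines()):
        print(f"[{alert['severity']}] {alert['host']}{alert['path']} "
              f"(webdav probe: {alert['webdav']})")
```

The "low" alert for the corporate host is deliberate: the same probe sequence is produced by legitimate remote templates, so the extension and the host reputation, not the probes alone, decide whether the fetch needs a closer look.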
# # # # # # # #
additional info - maldoc_metadata
# # # # # # # #

File Name : Пропозиція для участі у семінарі 2023 рік(Онлайн).doc
File Size : 280 kB
File Modification Date/Time : 2023:09:15 12:07:00+03:00
File Access Date/Time : 2023:09:15 12:08:10+03:00
File Inode Change Date/Time : 2023:09:15 12:07:43+03:00
File Type : DOC
MIME Type : application/msword
Identification : Word 8.0
Language Code : Russian
Author : User
Template : amiable.83glf
Last Modified By : User
Software : Microsoft Office Word
Create Date : 2023:09:12 07:34:00
Modify Date : 2023:09:12 07:34:00
Company : Reanimator Extreme Edition
Char Count With Spaces : 3504
App Version : 12.0000
Hyperlinks : tel:+380987902839, tel:+380638790210
Last Printed : 2018:08:03 11:32:00
Revision Number : 3
Total Edit Time : 1 minute
Words : 524
Characters : 2987
Pages : 1
Paragraphs : 7
Lines : 24

# # # # # # # #
VT & Intezer
# # # # # # # #
https://www.virustotal.com/gui/file/01d27b175fcc3c7917223abe51e55adbb69d052bfccc189d30df2b4cb2c35480/details
https://analyze.intezer.com/analyses/73d64402-0da6-4504-964d-3858765041e5
https://www.virustotal.com/gui/url/5558092a781ac40c676aff5d9efab4ea6e9f0f976c9cc1733484f9530f546ce2/details
https://www.virustotal.com/gui/file/f557b22f065af690fe89a2e3d27539e2f8fb27dc6c9446ac3637e7f3a082537f/details

VR