#IOC #OptiData #VR #GuLoader #CloudEyE #VBA #17_0199 #17_11882
https://pastebin.com/amcrKhew
previous_contact:
25/07/23 https://pastebin.com/qyP694eD
FAQ:
https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook
attack_vector
--------------
email attach .xls > VBA > GET .doc(RTF) > EQNEDT32 (17-11882) > GET .exe (GuLoader) > powershell > wab.exe > 65_60_36_22:443 ...
# # # # # # # #
email_headers
# # # # # # # #
Date: 19 Dec 2023 03:14:24 -0500
From: Finance <finance@snpprofessional.com>
Subject: Over Due Payment - Urgent Reminder! | Final Warning!
Received: from unknown (HELO ns-349.awsdns-43.com) ([23.92.179.183])
Received: from [38.103.244.29] (port=51829) by ns-349.awsdns-43.com with esmtpsa (Exim 4.96.2)
Message-ID: <20231219031424.AF4CBCDD8D948A85@snpprofessional.com>
# # # # # # # #
files
# # # # # # # #
SHA-256 0c676c2e5e20df05118d77d43abdf26828b2780b06886831a705483432b86e78
File name Invoices.xls [ MS Excel Spreadsheet ]
File size 373.00 KB (381952 bytes)
SHA-256 2f19c4dce04070a4dc3f3593b0769c5146aefac5ba3b428792e8b39608d66272
File name ....customer.Doc [ Rich Text Format ]
File size 61.11 KB (62579 bytes)
SHA-256 7b69d0fb7c60cf96272495a946d4311420aa406c477d6c85a002f487bd67531d
File name wlanext.exe [ PE32 executable, Nullsoft Installer ]
File size 996.26 KB (1020168 bytes)
# # # # # # # #
activity
# # # # # # # #
PL_SCR 172_245_208_4 /wg/Microsoftdigitalwallettechnologydevelopedrecentlyforsecuritypurposetoprotectcustomer.Doc
172_245_208_4 /2546/wlanext.exe
C2 n/a
netwrk
--------------
172_245_208_4 80 HTTP GET /wg/Microsoftdigitalwallettechnologydevelopedrecentlyforsecuritypurposetoprotectcustomer.Doc HTTP/1.1 Mozilla/4.0
172_245_208_4 80 HTTP GET /2546/wlanext.exe HTTP/1.1 Mozilla/4.0
65_60_36_22 443 TLSv1.2 synergyinnovationgroup .com
comp
--------------
EXCEL.EXE 172_245_208_4 80 ESTABLISHED
WINWORD.EXE 172_245_208_4 80 ESTABLISHED
wab.exe 65_60_36_22 443 ESTABLISHED
proc
--------------
"C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE" /e
[another context]
"C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" -Embedding
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
C:\Users\operator\AppData\Roaming\wlanext.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -windowstyle minimized ...
Get-Content '%temp%\daemonisk\prvelsens\noneclectically\\Scolecida\noninhabitant\Variabelnavns.Udd' ...
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Program Files (x86)\windows mail\wab.exe "<#Hokerer Ydedygtihedens Fredel ...
. . .
persist
--------------
n/a
drop
--------------
%username%\AppData\Roaming\wlanext.exe
%temp%\daemonisk\prvelsens\noneclectically\*
# # # # # # # #
additional info
# # # # # # # #
xls_metadata
--------------
File Name : Invoices.xls
File Size : 382 kB
File Type : XLS
File Type Extension : xls
MIME Type : application/vnd.ms-excel
Software : Microsoft Excel
Create Date : 2006:09:16 00:00:00
Modify Date : 2023:12:19 01:02:34
Security : Password protected
Code Page : Windows Latin 1 (Western European)
App Version : 12.0000
Title Of Parts : Sheet1, Sheet2, Sheet3
Heading Pairs : Worksheets, 3
Comp Obj User Type Len : 38
Comp Obj User Type : Microsoft Office Excel 2003 Worksheet
doc(rtf)_metadata
--------------
File Name : Microsoftdigitalwallettechnologydevelopedrecentlyforsecuritypurposetoprotectcustomer.Doc
File Type : TXT
File Type Extension : txt
MIME Type : text/plain
MIME Encoding : iso-8859-1
Newlines : Macintosh CR
Line Count : 4112
Word Count : 4058
# # # # # # # #
VT & Intezer
# # # # # # # #
https://www.virustotal.com/gui/file/0c676c2e5e20df05118d77d43abdf26828b2780b06886831a705483432b86e78/details
https://analyze.intezer.com/analyses/b111164b-9eb0-42a0-a8a6-965f95bcba2c
https://www.virustotal.com/gui/file/2f19c4dce04070a4dc3f3593b0769c5146aefac5ba3b428792e8b39608d66272/details
https://analyze.intezer.com/analyses/4d409dc2-fb7e-4365-9815-b3da80622a7d
https://www.virustotal.com/gui/file/7b69d0fb7c60cf96272495a946d4311420aa406c477d6c85a002f487bd67531d/details
https://analyze.intezer.com/analyses/3d41b4f4-d509-48ad-8699-cb645555627e
VR