VRad

#cloudeye_191223

Dec 19th, 2023 (edited)
#IOC #OptiData #VR #GuLoader #CloudEyE #VBA #17_0199 #17_11882

https://pastebin.com/amcrKhew

previous_contact:
25/07/23 https://pastebin.com/qyP694eD

FAQ:
https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

attack_vector
--------------
email attach .xls > VBA > GET .doc(RTF) > EQNEDT32 (17-11882) > GET .exe (GuLoader) > powershell > wab.exe > 65_60_36_22:443 ...


# # # # # # # #
email_headers
# # # # # # # #
Date: 19 Dec 2023 03:14:24 -0500
From: Finance <finance@snpprofessional.com>
Subject: Over Due Payment - Urgent Reminder! | Final Warning!
Received: from unknown (HELO ns-349.awsdns-43.com) ([23.92.179.183])
Received: from [38.103.244.29] (port=51829) by ns-349.awsdns-43.com with esmtpsa (Exim 4.96.2)
Message-ID: <20231219031424.AF4CBCDD8D948A85@snpprofessional.com>


# # # # # # # #
files
# # # # # # # #
SHA-256 0c676c2e5e20df05118d77d43abdf26828b2780b06886831a705483432b86e78
File name Invoices.xls [ MS Excel Spreadsheet ]
File size 373.00 KB (381952 bytes)

SHA-256 2f19c4dce04070a4dc3f3593b0769c5146aefac5ba3b428792e8b39608d66272
File name ....customer.Doc [ Rich Text Format ]
File size 61.11 KB (62579 bytes)

SHA-256 7b69d0fb7c60cf96272495a946d4311420aa406c477d6c85a002f487bd67531d
File name wlanext.exe [ PE32 executable, Nullsoft Installer ]
File size 996.26 KB (1020168 bytes)


# # # # # # # #
activity
# # # # # # # #

PL_SCR 172_245_208_4 /wg/Microsoftdigitalwallettechnologydevelopedrecentlyforsecuritypurposetoprotectcustomer.Doc
172_245_208_4 /2546/wlanext.exe

C2 n/a


netwrk
--------------
172_245_208_4 80 HTTP GET /wg/Microsoftdigitalwallettechnologydevelopedrecentlyforsecuritypurposetoprotectcustomer.Doc HTTP/1.1 Mozilla/4.0
172_245_208_4 80 HTTP GET /2546/wlanext.exe HTTP/1.1 Mozilla/4.0
65_60_36_22 443 TLSv1.2 synergyinnovationgroup .com

comp
--------------
EXCEL.EXE 172_245_208_4 80 ESTABLISHED
WINWORD.EXE 172_245_208_4 80 ESTABLISHED
wab.exe 65_60_36_22 443 ESTABLISHED

proc
--------------
"C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE" /e

[another context]

"C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" -Embedding
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
C:\Users\operator\AppData\Roaming\wlanext.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -windowstyle minimized ...
Get-Content '%temp%\daemonisk\prvelsens\noneclectically\\Scolecida\noninhabitant\Variabelnavns.Udd' ...
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Program Files (x86)\windows mail\wab.exe "<#Hokerer Ydedygtihedens Fredel ...
. . .

persist
--------------
n/a


drop
--------------
%username%\AppData\Roaming\wlanext.exe
%temp%\daemonisk\prvelsens\noneclectically\*

# # # # # # # #
additional info
# # # # # # # #
xls_metadata
--------------
File Name : Invoices.xls
File Size : 382 kB
File Type : XLS
File Type Extension : xls
MIME Type : application/vnd.ms-excel
Software : Microsoft Excel
Create Date : 2006:09:16 00:00:00
Modify Date : 2023:12:19 01:02:34
Security : Password protected
Code Page : Windows Latin 1 (Western European)
App Version : 12.0000
Title Of Parts : Sheet1, Sheet2, Sheet3
Heading Pairs : Worksheets, 3
Comp Obj User Type Len : 38
Comp Obj User Type : Microsoft Office Excel 2003 Worksheet


doc(rtf)_metadata
--------------
File Name : Microsoftdigitalwallettechnologydevelopedrecentlyforsecuritypurposetoprotectcustomer.Doc
File Type : TXT
File Type Extension : txt
MIME Type : text/plain
MIME Encoding : iso-8859-1
Newlines : Macintosh CR
Line Count : 4112
Word Count : 4058


# # # # # # # #
VT & Intezer
# # # # # # # #
https://www.virustotal.com/gui/file/0c676c2e5e20df05118d77d43abdf26828b2780b06886831a705483432b86e78/details
https://analyze.intezer.com/analyses/b111164b-9eb0-42a0-a8a6-965f95bcba2c
https://www.virustotal.com/gui/file/2f19c4dce04070a4dc3f3593b0769c5146aefac5ba3b428792e8b39608d66272/details
https://analyze.intezer.com/analyses/4d409dc2-fb7e-4365-9815-b3da80622a7d
https://www.virustotal.com/gui/file/7b69d0fb7c60cf96272495a946d4311420aa406c477d6c85a002f487bd67531d/details
https://analyze.intezer.com/analyses/3d41b4f4-d509-48ad-8699-cb645555627e

VR