Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- IOC
- malicious RTF (DOC00201875891.doc): db5a46b9d8419079ea8431c9d6f6f55e4f7d36f22eee409bd62d72ea79fb8e72
- msxsl.exe (legitimate, dropped): 35ba7624f586086f32a01459fcc0ab755b01b49d571618af456aa49e593734c7
- JS persistence: 710eb7d7d94aa5e0932fab1805d5b74add158999e5d90a7b09e8bd7187bf4957
- XSL JS backdoor: 6a3f5bc5885fea8b63b80cd6ca5a7990a49818eda5de59eeebc0a9b228b5d277
- XML: dbe0081d0c56e0b0d7dbf7318a4e296776bdd76ca7955db93e1a188ab78de66c
- task.bat: 731abba49e150da730d1b94879ce42b7f89f2a16c2b3d6f1e8d4c7d31546d35d
- 2nd.bat: 33c362351554193afd6267c067b8aa78b12b7a8a8c72c4c47f2c62c5073afdce
- decoy document: 1ab201c1e95fc205f5445acfae6016679387bffa79903b07194270e9191837d8
- regsvr32 DLL: 0adc165e274540c69985ea2f8ba41908d9e69c14ba7a795c9f548f90f79b7574
- inteldriverupd1.sct: 002394c515bc0df787f99f565b6c032bef239a5e40a33ac710395bf264520df7
- C2: mail[.]hotmail[.]org[.]kz/owalanding/ajax.php\
- IP (at the time of writing): 185.45.192.167
- https://reaqta.com/2018/03/spear-phishing-campaign-leveraging-msxsl/
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
