28 lines
1.8 KiB
Plaintext
28 lines
1.8 KiB
Plaintext
Sha-265 hashes:
|
|
|
|
29c766c8910fa35b76bdea7738e32f51fc063bc01e8f557c1f309a4b07c47733 | RFQ No 41 26_06_2023.pdf (initial Mail attachment)
|
|
1d030984aa406ff1a05c1d42e67455b79665d50ea98f49713b1fd21887b7b2eb | RFQ No 41 26_06_2023.zip; Password: ZERNOFF
|
|
748c0ef7a63980d4e8064b14fb95ba51947bfc7d9ccf39c6ef614026a89c39e5 | RFQ No 41 26_06_2023.pdf.lnk ; Malicious shortcut file used to download decoy and Reilon.vbs
|
|
ab6c5af91d0e384cc011f3e3be12b13290bfc802ce5dd8a3788100f583d4b800 | Reilon.vbs; Malicious first stage downloader for GuLoader shellcode
|
|
afbfc145affa16280139a70e92364d8cc9d71b951d3258df9a9855c0c1f1f567 | RFQ-INFO.pdf; Decoy PDF file (not malicious)
|
|
f3b62d90f02bbecd522049f9186c67d939b77e98449d63e73de4893060f1dd48 | Persuasive.inf/opbrugende.Dal; base64 encoded stage 3 plus both GuLoader Shellcodes
|
|
d7b17df67410b8d408bb768c11757162a49cfb8602e50ac98283bfd49c54a9c5 | Obfuscated RemcosRAT payload
|
|
02bfbe1f039520812cf9626c7377f12539a881142493026ea9b3d064c1be47dc | Industri3; GuLoader Shellcode 1 - Decryptor
|
|
7b9f1a7a40f14ba0e5b80608498dafb54ee3d24e9c62ede376162da26704d9e3 | veristfil; GuLoader Shellcode 2 - Main GuLoader shellcode
|
|
|
|
|
|
Network IoC:
|
|
|
|
ar@gbwhotel[.]com[.]my | Email from header
|
|
hxxps://acrobat.adobe[.]com/id/urn:aaid:sc:VA6C2:57c88930-644f-4131-94c6-bee1152af5ab | password protected .zip file containing RFQ No 41 26_06_2023.pdf.lnk
|
|
hxxps://shorturl[.]at/guDHW redirect to:
|
|
hxxps://img.softmedal[.]com/uploads/2023-06-23/298186187297.jpg | Reilon.vbs
|
|
hxxps://shorturl[.]at/iwAK9 redirects to:
|
|
hxxps://img.softmedal[.]com/uploads/2023-06-23/773918053744.jpg | Decoy pdf
|
|
hxxp://194.55.224[.]183/kng/Persuasive.inf | Persuasive.inf/opbrugende.Dal
|
|
hxxp://194.55.224[.]183/kng/DtEIjJvibmBIjb254.bin | encrypted RemcodsRAT payload
|
|
194.187.251[.]91:12603 | RemcosRAT C2
|
|
top1.banifabused1[.]xyz | RemcosRAT C2
|
|
sub1.banifabused2[.]xyz |
|
|
randomlybackup.duckdns[.]org |
|