PULSE NAME
Fake CrowdStrike repair manual containing malicious macros | Fake Crowdstrike Domains
WHITE CyberMike 2024-07-23 Modified: 2024-08-22
76 IOCs
HIGH VOLUME
Following the recent CrowdStrike outage, this pulse lists the IoCs of fake domains pretending to be CrowdStrike support, as well as recent phishing attempts indicating that actors are using fake help guides that contain malicious macros.
MITRE ATT&CK & Malware Families
ATT&CK TECHNIQUES
MALWARE FAMILIES
Remcos Linux Daolpu Understand Info
Indicators of Compromise (9 / 76 total)
TYPE INDICATOR DESCRIPTION CREATED
FileHash-SHA256 803727ccdf441e49096f3fd48107a5fe55c56c080f46773cd649c9e55ec1be61 This is a file that has been observed containing malicious macros that execute DLLs from the URL http[:]//172.104.160[.]126:8099/payload2.txt. This file is typically 2024-07-23