Rapid7 observes use of Microsoft OneNote to spread Redline Infostealer | Rapid7 Blog
Common Information
Type Value
UUID a268bcda-96af-4972-819e-f6bc4be572c7
Fingerprint 2c010c52a33f8bfc
Analysis status DONE
Considered CTI value 2
Text language
Published Jan. 31, 2023, 8:23 p.m.
Added to db Oct. 24, 2023, 1:30 p.m.
Last updated Nov. 17, 2024, 6:56 p.m.
Headline Rapid7 Observes Use of Microsoft OneNote to Spread Redline Infostealer and Qakbot Malware
Title Rapid7 observes use of Microsoft OneNote to spread Redline Infostealer | Rapid7 Blog
Detected Hints/Tags/Attributes 76/3/41
Attributes
Details Type #Events CTI Value
Details Domain 4
starcomputadoras.com
Details Domain 10
docs.velociraptor.app
Details Domain 1
adv.one
Details Domain 1
document.one
Details Domain 1373
twitter.com
Details File 1
nudm1.bat
Details File 55
payload.exe
Details File 2
payload2.bin
Details File 1
footstools.exe
Details File 3
01.gif
Details File 1
c:\programdata as putty.jpg
Details File 2
putty.jpg
Details File 1018
rundll32.exe
Details File 2
atbroker.exe
Details File 1
hollows_hunter.py
Details File 1
comrepl.dll
Details File 456
mshta.exe
Details File 93
curl.exe
Details File 82
taskkill.exe
Details File 1
tmpfbf7.tmp
Details MITRE ATT&CK Techniques 627
T1027
Details MITRE ATT&CK Techniques 348
T1036
Details MITRE ATT&CK Techniques 93
T1070.006
Details MITRE ATT&CK Techniques 238
T1497
Details MITRE ATT&CK Techniques 298
T1562.001
Details MITRE ATT&CK Techniques 433
T1057
Details MITRE ATT&CK Techniques 1006
T1082
Details MITRE ATT&CK Techniques 501
T1012
Details MITRE ATT&CK Techniques 245
T1016
Details MITRE ATT&CK Techniques 585
T1083
Details Url 3
https://starcomputadoras.com/lt2elm6/01.gif
Details Url 1
https://docs.velociraptor.app/exchange/artifacts/pages/onenote
Details Url 1
https://twitter.com/nop_0x90v1/status/1623001789283926016?s=46&t=c6fc2mdsl8jez0bduhlitq