malware_traffic

2020-12-09 (Wednesday) - TA551 (Shathak) Word docs with English template push IcedID

Dec 9th, 2020 (edited)
2020-12-09 (WEDNESDAY) - TA551 (SHATHAK) WORD DOCS WITH ENGLISH TEMPLATES PUSH ICEDID:

CHAIN OF EVENTS:

- malspam --> password-protected zip attachment --> extracted Word doc --> enable macros --> installer DLL --> IcedID DLL

14 EXAMPLES OF TA551 WORD DOCS WITH MACROS:


AT LEAST 6 DOMAINS HOSTING THE INSTALLER DLL:

- kmp481car[.]com - 45.144.29[.]128
- kwi296dream[.]com - 45.142.215[.]153
- rdi162skull[.]com - 178.250.157[.]157
- tmzr158drip[.]com - 212.109.199[.]151
- vqvm656stem[.]com - 45.140.146[.]31
- xiptk734that[.]com - 45.140.146[.]37

EXAMPLES OF URLS FOR INSTALLER DLL:


10 EXAMPLES OF INSTALLER DLLS:


EXAMPLES OF LOCATION FOR THE INSTALLER DLL FILES:

- C:\ProgramData\a68ZHI.pdf
- C:\ProgramData\aBTxr.pdf
- C:\ProgramData\aeigp.pdf
- C:\ProgramData\aFAXy.pdf
- C:\ProgramData\aLtuD.pdf
- C:\ProgramData\amE7F.pdf
- C:\ProgramData\aMIlcj.pdf
- C:\ProgramData\aOhCq.pdf

DLL RUN METHOD:

- rundll32.exe [filename],ShowDialogA -r

HTTPS TRAFFIC TO LEGITIMATE DOMAINS CAUSED BY INSTALLER DLL:

- port 443 - facebook.com
- port 443 - www.facebook.com
- port 443 - instagram.com
- port 443 - www.instagram.com
- port 443 - twitter.com
- port 443 - www.tumblr.com

AT LEAST 1 DOMAIN FOR HTTPS TRAFFIC GENERATED BY INSTALLER DLLS:

- 188.166.88[.]45 port 443 - berringheavy[.]best

2 EXAMPLES OF SHA256 HASHES FOR ICEDID DLL CREATED BY INSTALLER:

- cff21f166032bfc7895266f21d7e4b46d8e299a9012c85db6922f36e1965dc32 (initial)
- 31d8a3551ab27eb493d57b851f406952d7287dee0b2072270427dc5f797dac51 (persistent)

HTTPS TRAFFIC TO MALICIOUS DOMAINS CAUSED BY THE ICEDID DLL FILES:

- 139.59.101[.]19 port 443 - phillifighters[.]cyou
- 139.59.101[.]19 port 443 - aviaaero[.]pw
- 139.59.101[.]19 port 443 - orsibataan[.]pw

MALWARE RETRIEVED FROM AN INFECTED WINDOWS HOST:

- SHA256 hash: a021af0a9cf1cb86b0b6c17a72821fd523d78c2a0583e523b534f5adcbbc4db2
- File size: 446,847 bytes
- File location: C:\Users\[username]\AppData\Local\Temp\000610bc.png
- File type: PNG image data, 334 x 310, 8-bit/color RGB, non-interlaced
- File description: PNG file with encoded data used to create initial IcedID DLL

- SHA256 hash: cff21f166032bfc7895266f21d7e4b46d8e299a9012c85db6922f36e1965dc32
- File size: 442,368 bytes
- File location: C:\Users\[username]\AppData\Local\Documentaddress.dat
- File description: Initial IcedID DLL created by installer DLL using encoded data from above PNG file
- Run method: regsvr32.exe /s [filename]

- SHA256 hash: f6ea81aaf9a07e24a82b07254a8ed4fcf63d5a8e6ea7b57062f4c5baf9ef8bf2
- File size: 678,288 bytes
- File location: C:\Users\[username]\AppData\[username]\Extaofac1.png
- File type: PNG image data, 605 x 399, 8-bit/color RGB, non-interlaced
- File description: PNG file with encoded data created after initial IcedID DLL appears

- SHA256 hash: 31d8a3551ab27eb493d57b851f406952d7287dee0b2072270427dc5f797dac51
- File size: 442,368 bytes
- File location: C:\Users\[username]\AppData\[username]\[username]\Arutxesb3.dll
- File description: IcedID DLL persistent on the infected Windows host
- Run method: regsvr32.exe /s [filename]