- 2020-09-08 (TUESDAY) - TA551 (SHATHAK) WORD DOCUMENTS WITH MACROS PUSHING ICEDID MALWARE:
- CHAIN OF EVENTS:
- - malspam --> password-protected zip attachment --> extracted Word doc --> enable macros --> installer DLL --> IcedID EXE
- NOTE: All doc and DLL samples have been submitted to https://bazaar.abuse.ch/
- 16 EXAMPLES OF SHA256 HASHES FOR WORD DOCS WITH MACROS FOR ICEDID:
- AT LEAST 9 DOMAINS HOSTING THE INSTALLER DLL:
- GET REQUESTS FOR THE INSTALLER DLL:
- - GET /fucy/jubiw.php?l=gava1.cab
- - GET /fucy/jubiw.php?l=gava2.cab
- - GET /fucy/jubiw.php?l=gava3.cab
- - GET /fucy/jubiw.php?l=gava4.cab
- - GET /fucy/jubiw.php?l=gava5.cab
- - GET /fucy/jubiw.php?l=gava6.cab
- - GET /fucy/jubiw.php?l=gava7.cab
- - GET /fucy/jubiw.php?l=gava8.cab
- - GET /fucy/jubiw.php?l=gava9.cab
- - GET /fucy/jubiw.php?l=gava10.cab
- - GET /fucy/jubiw.php?l=gava11.cab
- - GET /fucy/jubiw.php?l=gava12.cab
- - GET /fucy/jubiw.php?l=gava13.cab
- - GET /fucy/jubiw.php?l=gava14.cab
- 24 EXAMPLES OF SHA256 HASHES FOR DLL FILES USED TO INSTALL ICEDID:
- LOCATION OF THE INSTALLER DLL FILES:
- - C:\Users\[username]\AppData\Local\Temp\temp.tmp
- - C:\ProgramData\a5649.111
- - C:\ProgramData\acf75.111
- - C:\ProgramData\b0626.111
- - C:\ProgramData\beb6d.111
- - C:\ProgramData\c28be.111
- - C:\ProgramData\caed8.111
- - C:\ProgramData\e9aae.111
- - C:\ProgramData\ffb49.111
- RUN METHOD FOR INSTALLER DLL:
- - regsvr32.exe [filename]
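Added detection example (not part of the original post): two regexes that flag the installer-DLL download path listed above (/fucy/jubiw.php?l=gava<N>.cab) and regsvr32.exe loading a file from the drop locations above (C:\ProgramData\<5 hex chars>.111 or the per-user Temp\temp.tmp), run over constructed proxy and process-creation log lines; the log format and host name "installer-host.example" are assumptions.

```python
import re

# Constructed sample log lines (not from the original post), modelled on the
# indicators in the post. The log layout and host name are assumptions.
PROXY_LOGS = [
    "2020-09-08T14:02:11Z 10.0.0.5 GET http://installer-host.example/fucy/jubiw.php?l=gava3.cab 200",
    "2020-09-08T14:02:13Z 10.0.0.5 GET https://www.intel.com/ 200",
    "2020-09-08T14:05:40Z 10.0.0.7 GET http://example.org/index.php?l=report.pdf 200",
]
PROCESS_EVENTS = [
    r"regsvr32.exe C:\ProgramData\a5649.111",
    r"regsvr32.exe C:\Windows\System32\legit.dll",
    r"regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\temp.tmp",
]

# Installer-DLL download path from the post: /fucy/jubiw.php?l=gava<N>.cab
DOWNLOAD_RE = re.compile(r"/fucy/jubiw\.php\?l=gava\d+\.cab", re.IGNORECASE)

# regsvr32 loading a payload from the drop locations in the post:
# C:\ProgramData\<5 hex chars>.111 or C:\Users\<user>\AppData\Local\Temp\temp.tmp.
# Optional switches such as /s between the binary and the path are tolerated.
DROP_RE = re.compile(
    r"regsvr32\.exe\s+(?:/\w+\s+)*"
    r"(?:C:\\ProgramData\\[0-9a-f]{5}\.111"
    r"|C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\temp\.tmp)\b",
    re.IGNORECASE,
)


def flag_downloads(lines):
    """Return proxy log lines whose URL matches the installer download pattern."""
    return [line for line in lines if DOWNLOAD_RE.search(line)]


def flag_regsvr32(events):
    """Return process-creation events where regsvr32 loads from a known drop path."""
    return [event for event in events if DROP_RE.search(event)]


if __name__ == "__main__":
    for hit in flag_downloads(PROXY_LOGS):
        print("installer download:", hit)
    for hit in flag_regsvr32(PROCESS_EVENTS):
        print("suspicious regsvr32:", hit)
```

Only the path and file-location patterns are matched, so the rules keep working when the hosting domains rotate, which the post's list of nine domains suggests they do.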
- AT LEAST 3 DIFFERENT URLS FOR HTTPS TRAFFIC GENERATED BY INSTALLER DLLS:
- - 194.113.34[.]92 port 443 - ldfolkland[.]casa - GET /background.png
- - 159.65.137[.]90 port 443 - loudnavycomp[.]casa - GET /background.png
- - 159.65.137[.]90 port 443 - landbiofill[.]casa - GET /background.png
- HTTPS TRAFFIC TO LEGITIMATE DOMAINS CAUSED BY INSTALLER DLL:
- - port 443 - www.intel.com
- - port 443 - support.oracle.com
- - port 443 - www.oracle.com
- - port 443 - support.apple.com
- - port 443 - support.microsoft.com
- - port 443 - help.twitter.com
- NOTE:
- - I did not get the IcedID EXE today.