API tools faq
paste
malware_traffic

2020-11-25 (Wednesday) TA551 (Shathak) Word docs with English template push IcedID

malware_traffic
Nov 25th, 2020 (edited)
7,906
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 7.63 KB | None | 0 0
raw download clone embed print report
  1. 2020-11-25 (WEDNESDAY) - TA551 (SHATHAK) WORD DOCS WITH ENGLISH TEMPLATE PUSH ICEDID:
  2.  
  3. CHAIN OF EVENTS:
  4.  
  5. - malspam --> password-protected zip attachment --> extracted Word doc --> enable macros --> installer DLL --> IcedID DLL
  6.  
  7. 20 EXAMPLES OF TA551 WORD DOCS WITH MACROS:
  8.  
  9. - 2b2f69d3f7982ba2ed8c94d347e57b15a74ab9da478d3d844362d58bca589f20 adjure-11.20.doc
  10. - 57dfbeb55f4fa21b9baf181319ca1ac216873e76523b7e36e8d09e24ff5748cb adjure.11.25.2020.doc
  11. - 6afc6970b9a08385186691cd497dea7cc0df9f8c83f0717e9b351fb0137c9983 command,11.20.doc
  12. - d3dbc00de3420b346e72aac8ecacd497f4a6db06f6e78ac449757321ad44153a command-11.25.2020.doc
  13. - 55411d37ffb2359e9d82c2a297b7896730c0e9dae912a119876b6d18504ad72d docs 11.20.doc
  14. - 3e084e7140127ffcf57b268871c4b72d9bfadf64f0656d23410625df7188ce4e document,11.25.2020.doc
  15. - a7375bd96cd1e7ce6cd80503feba8d282dca4989c6e37f9f42a7fc783f2f2ced document_11.20.doc
  16. - fb1bf4f8d2de600fb5d0c7d5e9045e9065dad711577c2153b68c0c01295a4e4b documents 11.20.doc
  17. - 73282541446d08c33b0a1f83fde1d886f4bd7c30ab318f6d60536eb5eadb4976 enjoin.11.20.doc
  18. - 69104880e6f6fe4d65326ccbd65319f8915534def1cc7d4ca47d68b70e204142 files_11.20.doc
  19. - 97dfe5a7c4bbb3f05997cf7487c45f72d1531fd97f7911123bae1401504b4045 input.11.20.doc
  20. - c0ad76bccaf20a959211687c79bc433bdaeef6d5fd9d8c67b6945550e5fe4ec0 input_11.20.doc
  21. - d7290d4393a2cb8412eb87a86362fc275f7eb80012f045ff2c0455cd97a3dcd2 legal agreement-11.25.2020.doc
  22. - f993ab7d80187b5597eb3e50924115ae867f99ac31840145ebe695b213b3bf0d official paper_11.20.doc
  23. - 11dfbcf11ee56bd99f0a05d7fd82c533b5ae1850a4db07dc4befa705d0fbc29f order 11.20.doc
  24. - aec118f42966db26c6e25470595b09d58f75b67e9abf7b637c210d817884c076 order_11.20.doc
  25. - 85cd8153f019df3e8d01964d206781d948459d2f462a188195fa07e34f5f5750 particulars,11.25.2020.doc
  26. - 49a79b716600b2aace8706a3ab4169a9a53bb13f34c816888a291776b9dd7c10 prescribe ,11.25.2020.doc
  27. - 72d600e7482b11ac7b99ce9ba2716f83a9f7e328a97fb9a28ff4dd9033dd2776 question 11.20.doc
  28. - e3156ce951337bdbb5458561726bc989b906c4c6ad1bdbfb034e3227ab687226 report_11.20.doc
  29.  
  30. AT LEAST 10 DOMAINS HOSTING THE INSTALLER DLL:
  31.  
  32. - dx-approve9690[.]com - 104.27.144[.]245 or 104.27.145[.]245 or 172.67.159[.]139
  33. - gwz-mass5938[.]com - 104.31.88[.]160 or 104.31.89[.]160 or 172.67.184[.]93
  34. - fi-orphan1895[.]com - 104.27.152[.]71 or 104.27.153[.]71 or 172.67.208[.]141
  35. - lzw-steak3686[.]com - 92.242.40[.]104
  36. - mh-library9619[.]com - 104.24.122[.]45 or 104.24.123[.]45 or 172[.]67.212.203
  37. - nl-sick9850[.]com - 37.46.134[.]163
  38. - ty-orange2331[.]com - 104.27.140[.]32 or 104.27.141[.]32 or 172.67.138[.]191
  39. - uj-mercy8209[.]com - 104.27.144[.]158 or 172.67.186[.]157
  40. - xp-follow1711[.]com - 104.31.70[.]177 or 172.67.150[.]44
  41. - zwl-scrap3426[.]com - 104.27.151[.]33 or 104.27.150[.]33 or 172.67.138[.]228
  42.  
  43. EXAMPLES OF URLS FOR INSTALLER DLL:
  44.  
  45. - GET /share/feFm7xFvc_6bCGvOjrdQOO%20O3/RMLcZQ6vyGGSA1025Tz0iDABk09SB9Yrww/pupg1
  46. - GET /share/H29Ks082VdjsjWHDVaHz0v4M1Yxz3PRCBK376_ghXtpX4GWNAKeDvx/pupg2
  47. - GET /share/pXGDDJ70OyU5YClbOxr2HBK_YP_JZk21uDcCsJbQpGsCbW4SSgitmOPgbWqpsrsBFkWnrqyLp72tA80dF1u/pupg3
  48. - GET /share/G2TovYrsK0jufIrydSW8Zz_8_VTPXDUhAhHh3MN/pupg4
  49. - GET /share/wiOhVzvGlSw0/DTRRAf34YlZ/aZkve3ZQ7canKWxbn23h0hYVQ1TZHwR1V3HSeQfCkD/nhKjBSYKxAn6/pupg5
  50. - GET /share/VvARSv/0qngksDRcIRZTtQRuU6Y35VgkM_jbC2/eWWSbUgg6NxXndl6x5T0F3Rsfl2TJRoSFdKsA3aPkBUpOt/pupg5
  51. - GET /share/IMhvwK6CzY2LXl0Df3QZhnvwm5sTMYzRVnIUrmx3IP/pupg6
  52. - GET /share/RqMgPxwz9Jk4LskfjkOeQ2Eag8c28xNpsx5WH8U_88xu8m0p3rAmsalOKLpPrpmF/pupg7
  53. - GET /share/DAxNrHhcH9rNl338rZ8VOLcXrsxy_JfPgZAv7WFX9TGWPy1VjHFQfD62/pupg8
  54. - GET /share/bFcvKlFJrlxvKewsj5d4pQxQlUhXmWO0qOzilaW5CrJ4C0N/UdTfvkJ1QNftf2_PVj_wV98/pupg11
  55. - GET /share/Idg6VvZgXLctqxZL5nJn7kB3BafRHJJTzvLaf/pupg12
  56. - GET /share/G/GsGnLFSxbC6khaSGUCUchPcEQoTRcC0/pupg14
  57. - GET /share/BPg7AbfX0xQwGrJ4CFCoqaSZvTNwTK33G3xZCIv4x0ALr7mJPpJALzMJwmJiSeblRTUX36gd/1Me/pupg16
  58. - GET /share/1H_psOvicsnoPL_4lxzJclPWSNGyTg2ENsjKn4Y/wgjchJmdNzhUSxxIg3Sk/pupg17
  59.  
  60. 11 EXAMPLES OF INSTALLER DLLS:
  61.  
  62. - 1a7e0001a5a14026de7bb390d321aa1072d6db3434b5f2abbfbd85387294ef4f
  63. - 2efe1099286e037c0c52d1c15e13b37566368c09dcc49418d41f698297311bfd
  64. - 44ad701a6e46ca32196d40d648e354b5ccedb9949f232e24290e80c3e12ae965
  65. - 66f9f171c071e5d49fce1294db9f2ddb93614f630a7b8014f5f399d7c0fda691
  66. - 6a6ef756d22412037683e490e9067bd1982753bf3daf9793ade22796180c3099
  67. - 6a762bae8f0b112afda951b810a5343c0eef01b92cad2a3704597b19f443104f
  68. - 7de42e2689a601ff189b4b72b03723900ac72f16cdd600f0645f89ff6ed4c7b1
  69. - 873590595e0ee7e2ff18f3f58ed4c3770ae64bbfd3f70e2c2b36b5033b826fee
  70. - a45a7d1331a1cff25506d4ae8e05e919a6f3d967c72e0fbaba28caaffc355f0c
  71. - c99b02e89da66d6e9bd695914df269d009b0452dfb7ee31a7cf914fbb70d18ff
  72. - f20448ebc7106e6ff6abb97b85f05541f83fbfbc445d49ed3bc07e040947941b
  73.  
  74. EXAMPLES OF LOCATION FOR THE INSTALLER DLL FILES:
  75.  
  76. - C:\ProgramData\blJDS.pdf
  77. - C:\ProgramData\CHoyU.pdf
  78. - C:\ProgramData\ggBNN.pdf
  79. - C:\ProgramData\ggBNN.pdf
  80. - C:\ProgramData\IFPoj.pdf
  81. - C:\ProgramData\IJQud.pdf
  82. - C:\ProgramData\KKjNA.pdf
  83. - C:\ProgramData\kRRCZ.pdf
  84. - C:\ProgramData\MXNYB.pdf
  85. - C:\ProgramData\MXNYB.pdf
  86. - C:\ProgramData\npmiu.pdf
  87. - C:\ProgramData\sCpYf.pdf
  88. - C:\ProgramData\sIdiW.pdf
  89. - C:\ProgramData\UsBzT.pdf
  90. - C:\ProgramData\VFznx.pdf
  91. - C:\ProgramData\Yqsug.pdf
  92.  
  93. DLL RUN METHOD:
  94.  
  95. - rundll32 [filename],ShowDialogA -r
  96.  
  97. HTTPS TRAFFIC TO LEGITIMATE DOMAINS CAUSED BY INSTALLER DLL:
  98.  
  99. - port 443 - facebook.com
  100. - port 443 - www.facebook.com
  101. - port 443 - twitter.com
  102. - port 443 - instagram.com
  103. - port 443 - www.instagram.com
  104. - port 443 - www.tumblr.com
  105.  
  106. AT LEAST 1 DOMAIN FOR HTTPS TRAFFIC GENERATED BY INSTALLER DLLS:
  107.  
  108. - 161.35.125[.]178 port 443 - shermannlow[.]best
  109.  
  110. 4 EXAMPLES OF SHA256 HASHES FOR ICEDID DLL CREATED BY INSTALLER:
  111.  
  112. - 159ba6f1d941324978ca50e7346957987736fa0e594ac0142aa81a169afaa44f (initial)
  113. - 76afe1cdf374fc900fe0859537a4c17323d932f4e1f1514e5187b09702d88ac5 (persistent, example 1)
  114. - 7ca44cc3821b27376d9a179cad523d5dc4479acc9bc2f3c37f85b384acdde3b4 (persistent, example 2)
  115. - 5fdeda1570ec0bb954576fc84ada2bff2bf0cd1c4e20bfea32752c8ddcd4e45e (persistent, example 3)
  116.  
  117. HTTPS TRAFFIC TO MALICIOUS DOMAINS CAUSED BY THE ABOVE ICEDID DLL FILES:
  118.  
  119. - 68.183.89[.]248 port 443 - ujkiol45[.]cyou
  120. - 68.183.89[.]248 port 443 - aslopoer45[.]cyou
  121. - 68.183.89[.]248 port 443 - bonvemrt[.]cyou
  122. - 68.183.89[.]248 port 443 - vopilo49[.]best
  123. - 68.183.89[.]248 port 443 - desloporty8[.]top
  124.  
  125. MALWARE RETRIEVED FROM AN INFECTED WINDOWS HOST:
  126.  
  127. - SHA256 hash: 71cc6da1a4ed8936a217661531451aa195ea76211b6dac0a10105f7a4d999c90
  128. - File size: 141,183 bytes
  129. - File location: C:\Users\[username]\AppData\Local\Temp\0009fe59.png
  130. - File type: PNG image data, 205 x 339, 8-bit/color RGB, non-interlaced
  131. - File description: PNG file with encoded data used to create initial IcedID DLL
  132.  
  133. - SHA256 hash: 159ba6f1d941324978ca50e7346957987736fa0e594ac0142aa81a169afaa44f
  134. - File size: 136,704 bytes
  135. - File location: C:\Users\[username]\AppData\Local\Elitecousin.dat
  136. - File description: initial IcedID DLL file created using data from the above PNG file
  137. - Run method: regsvr32.exe -s [filename]
  138.  
  139. - SHA256 hash: cc1030c4c7486f5295444acb205fa9c9947ad41427b6b181d74e7e5fe4e6f8a9
  140. - File size: 677,968 bytes
  141. - File location: C:\Users\[username]\AppData\Roaming\[username]\[username]\Extaofac1.png
  142. - File type: PNG image data, 789 x 431, 8-bit/color RGB, non-interlaced
  143. - File description: PNG image with encoded data seen after the above file is run
  144.  
  145. - SHA256 hash: 76afe1cdf374fc900fe0859537a4c17323d932f4e1f1514e5187b09702d88ac5
  146. - File size: 136,704 bytes
  147. - File location: C:\Users\[username]\AppData\Local\{387A6117-72A6-6711-7E53-86B27B008CF7}\[username]\Balucc.dll
  148. - File description: IcedID DLL persistent on the infected Windows host
  149. - Run method: regsvr32.exe -s [filename]
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!