malware_traffic

2020-08-17 (Monday) - TA551 (shathak) Word docs with macros for IcedID

Aug 17th, 2020 (edited)
2020-08-17 (MONDAY) - TA551 (SHATHAK) WORD DOCUMENTS WITH MACROS PUSHING ICEDID MALWARE:

REFERENCE:

- https://twitter.com/malware_traffic/status/1295425897575723009

CHAIN OF EVENTS:

- malspam --> password-protected zip attachment --> extracted Word doc --> enable macros --> installer DLL --> IcedID EXE

NOTES:

- All files listed below have been submitted to bazaar.abuse.ch
- All URLs listed below for the IcedID installer DLL have been posted to urlhaus.abuse.ch

12 EXAMPLES OF SHA256 HASHES FOR WORD DOCS WITH MACROS FOR ICEDID:

- ab939596948fea35572dd8da920c0364ef8aecd37d7216907dcbeb59d42cef74 bid-08.20.doc
- 31603718e051d569641e9699004f8282d3281619b8443951dec74a63e1a14488 certificate-08.20.doc
- 04a906f8956e273b9a9e197a509795e282ab81dc52adf88f8239aba6ab75e0ba charge.08.17.2020.doc
- 0678fa08f9456d3892a7b771927ac93d08f55c884a539693328190a933b5f7ab details 08.20.doc
- f5fe3a1f3f1e7cfe7c66a63a19eba996575a9235835185ab720df14564b95c16 docs.08.20.doc
- d37078952a13ecd8ebb1c7f11cef969f1b1f7ed64ef90787c4439371779d8c4f documents-08.20.doc
- b67ce8de28584d3b10a0aa01a4fa3235c4fce89a8d9e39848e7e0c43e2c58212 enjoin.08.17.20.doc
- 4c5cfd802d59799af86df0e8fc6b7bc1fc1ea5555bf44879125c8541733e6b86 input 08.17.2020.doc
- f1deced0518ce8ee4b605ae5059fa266dc0aec51ac95ebf4384e880dfc0d3f88 instrument indenture-08.20.doc
- 8278dd38fcdc3282fd1d71d51179b70fa3ea83e174544cfb2e4ad52146a10c30 instrument indenture.08.20.doc
- 6d99e3416c4997109d61988308b24565f6627ecd9f0700f4a29a9b41b55ba7d1 legal agreement,08.20.doc
- 0932e6e3f36d8c070b72bb143a39ec724b6224581acabf879912911344c6a3dd specifics.08.20.doc

AT LEAST 10 DOMAINS HOSTING INSTALLER DLL:

- a136h2u[.]com - 193.187.174[.]211
- a5he9s[.]com - 185.62.103[.]100
- b97pm6[.]com - 185.82.202[.]68
- g7hu923[.]com - 45.12.4[.]12
- hsrykxc[.]com - 45.10.89[.]190
- lbov709[.]com - 91.210.169[.]95
- m5cqjhp[.]com - 185.102.136[.]96
- u30x3ch[.]com - 37.46.131[.]99
- z70g6n[.]com - 95.213.139[.]71
- zncx4ha[.]com - 188.120.225[.]90

URLS FOR INSTALLER DLL:

- GET /cugul/lisi.php?l=vese1.cab
- GET /cugul/lisi.php?l=vese2.cab
- GET /cugul/lisi.php?l=vese3.cab
- GET /cugul/lisi.php?l=vese4.cab
- GET /cugul/lisi.php?l=vese5.cab
- GET /cugul/lisi.php?l=vese6.cab
- GET /cugul/lisi.php?l=vese7.cab
- GET /cugul/lisi.php?l=vese8.cab
- GET /cugul/lisi.php?l=vese9.cab
- GET /cugul/lisi.php?l=vese10.cab
- GET /cugul/lisi.php?l=vese11.cab
- GET /cugul/lisi.php?l=vese12.cab
- GET /cugul/lisi.php?l=vese13.cab
- GET /cugul/lisi.php?l=vese14.cab
- GET /cugul/lisi.php?l=vese15.cab
- GET /cugul/lisi.php?l=vese16.cab
- GET /cugul/lisi.php?l=vese17.cab
- GET /cugul/lisi.php?l=vese18.cab

12 EXAMPLES OF ICEDID INSTALLER DLL FILES:

- 0b41a454c1d34aa97596c93b0edf85dd8a8eca3dfff9d326950e7d0723cb1608
- 27a5b15d9746ae517f7aa494deea50b0d6c7b3cb28e793ff1fff1c0286966443
- 4441869631f184e292844790ca4d365cb4e81cfe36b2933b452fedc80a71a1bd
- 4c6373e0c79655f2129ddb264d7540ccd7c1cd3e1a021821fade9644effb5ef0
- 5251393cd54a8a1b7e73a61c60c861187fbbd6d708025bcb99bbe7103fd303d4
- 5dd46ffb36515bb87100f21b3da62c74a3734782af7dc32f83d51b73d5cdcc51
- 7cad2aa784582ca07ebbe5167c04c6ff3e65e5696607021fa5136d8888d5365c
- 97fb0f05128aa1ebff695dfee7ac228ee21a3d53a8a4e26bd4f6d58a0991c310
- a45f209badc9cd8d0c7164a3a3593771f14fb52eadfd62a1a0b31a92c31af526
- a7b8e6e02cc803c0d5f9d721855c5162009ed61214994be864104ae11f4281be
- e131978d83f5387d82720ffaa4596e7c0754b8931fd90db14f60dd5d10901798
- fa5b017f29571ed8c732843361bca86035be5d6c3a62ac212478ed098dad2bdc

LOCATION OF THE INSTALLER DLL FILES:

- C:\[same directory as Word document]\main.jpg
- C:\Users\[username]\AppData\Local\Temp\temp.tmp

RUN METHOD FOR INSTALLER DLL:

- regsvr32.exe [filename]

DOMAINS FOR THE PNG USED TO CREATE THE ICEDID EXE:

- 104.131.33[.]128 port 443 - loadrome[.]directory
- 128.199.4[.]229 port 443 - loadofficer[.]casa

SHA256 HASH OF ICEDID EXE CREATED USING ENCODED DATA FROM PNG AT LOADOFFICER[.]CASA:

- e3be616e258172d4596cd61cbb6ec39b6e7aa0cf8138793783e21a4b6ab4c038

HTTPS TRAFFIC TO MALICIOUS DOMAINS CAUSED BY ICEDID EXE:

- 165.227.41[.]66 port 443 - mahindranew[.]co
- 165.227.41[.]66 port 443 - hwakiraklir[.]top
- 165.227.41[.]66 port 443 - ghererrafleur[.]co
- 165.227.41[.]66 port 443 - helindraold[.]co
- 165.227.41[.]66 port 443 - staerfraer[.]co

HTTPS TRAFFIC TO LEGITIMATE DOMAINS CAUSED BY ICEDID LOADER AND EXE:

- port 443 - support.apple.com
- port 443 - support.microsoft.com
- port 443 - help.twitter.com
- port 443 - www.intel.com
- port 443 - support.oracle.com
- port 443 - www.oracle.com
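
ADDED EXAMPLE - MATCHING THESE INDICATORS IN PROXY LOGS AND PROCESS EVENTS:

- The Python below is an added example, not part of the original paste and not abuse.ch or any vendor tooling. It refangs the installer-DLL domains and IPs, the PNG hosts, the C2 hosts and the /cugul/lisi.php?l=veseN.cab URL pattern listed above into exact-match tables, flags regsvr32.exe runs against the main.jpg and temp.tmp names from the LOCATION and RUN METHOD sections, and runs the matchers over a constructed proxy log. The log format, the sample lines (client 10.0.0.25, server 203.0.113.10 and the timestamps), the label strings, and the "Word-spawned regsvr32 on a file without a DLL-style extension" generalization are assumptions of the example, not facts from the paste. Matching any N in the URL pattern goes beyond the 18 URLs listed. The legitimate connectivity domains in the last list are deliberately not matched.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple


def refang(ioc: str) -> str:
    """Undo the [.] defanging used in the indicator lists on this page."""
    return ioc.replace("[.]", ".")


# Domain -> IP pairs copied from this page (defanged there, refanged here).
INSTALLER_DLL_HOSTS: Dict[str, str] = {refang(d): refang(ip) for d, ip in [
    ("a136h2u[.]com", "193.187.174[.]211"), ("a5he9s[.]com", "185.62.103[.]100"),
    ("b97pm6[.]com", "185.82.202[.]68"), ("g7hu923[.]com", "45.12.4[.]12"),
    ("hsrykxc[.]com", "45.10.89[.]190"), ("lbov709[.]com", "91.210.169[.]95"),
    ("m5cqjhp[.]com", "185.102.136[.]96"), ("u30x3ch[.]com", "37.46.131[.]99"),
    ("z70g6n[.]com", "95.213.139[.]71"), ("zncx4ha[.]com", "188.120.225[.]90"),
]}
PNG_HOSTS: Dict[str, str] = {refang(d): refang(ip) for d, ip in [
    ("loadrome[.]directory", "104.131.33[.]128"), ("loadofficer[.]casa", "128.199.4[.]229"),
]}
C2_HOSTS: Dict[str, str] = {refang(d): "165.227.41.66" for d in (
    "mahindranew[.]co", "hwakiraklir[.]top", "ghererrafleur[.]co",
    "helindraold[.]co", "staerfraer[.]co",
)}

# Every installer URL on this page is /cugul/lisi.php?l=vese<N>.cab with N = 1..18;
# accepting any N is a generalization beyond the 18 listed values.
INSTALLER_PATH_RE = re.compile(r"^/cugul/lisi\.php\?l=vese\d+\.cab$")


def classify_http_request(host: str, path: str, dst_ip: str = "") -> Optional[str]:
    """Label one request, or return None (the legitimate domains above stay None)."""
    host = host.lower().rstrip(".")
    if INSTALLER_PATH_RE.match(path):
        return "icedid-installer-url"  # path alone is specific enough to alert on
    for label, table in (("icedid-installer-host", INSTALLER_DLL_HOSTS),
                         ("icedid-png-host", PNG_HOSTS),
                         ("icedid-c2-host", C2_HOSTS)):
        if host in table or dst_ip in table.values():
            return label
    return None


# Names the installer DLL was saved under on this page; both were run with regsvr32.exe.
KNOWN_INSTALLER_NAMES = {"main.jpg", "temp.tmp"}
LAST_ARG_RE = re.compile(r'(?:"([^"]*)"|(\S+))\s*$')  # last argument, quotes stripped


def classify_process(image: str, command_line: str, parent_image: str = "") -> Optional[str]:
    """Label a process-creation event for regsvr32.exe loading the installer DLL."""
    if not image.lower().endswith("\\regsvr32.exe"):
        return None
    m = LAST_ARG_RE.search(command_line)
    target = (m.group(1) or m.group(2) or "") if m else ""
    name = target.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if name in KNOWN_INSTALLER_NAMES:
        return "regsvr32-icedid-installer-name"
    # Assumption (generalization): Word spawning regsvr32 on a file without a
    # DLL-style extension is the same behaviour whatever the file is called.
    if parent_image.lower().endswith("\\winword.exe") and not name.endswith((".dll", ".ocx")):
        return "regsvr32-from-word-nondll"
    return None


# Constructed sample proxy log (not real traffic), one request per line:
# "<time> <client_ip> <server_ip> <method> <url_or_host:port> <status>"
SAMPLE_PROXY_LOG = """\
2020-08-17T13:58:02Z 10.0.0.25 203.0.113.10 GET https://support.microsoft.com/ 200
2020-08-17T13:58:09Z 10.0.0.25 193.187.174.211 GET http://a136h2u.com/cugul/lisi.php?l=vese3.cab 200
2020-08-17T13:58:40Z 10.0.0.25 128.199.4.229 CONNECT loadofficer.casa:443 200
2020-08-17T13:59:15Z 10.0.0.25 165.227.41.66 CONNECT mahindranew.co:443 200
"""
URL_RE = re.compile(r"^[a-z]+://([^/]+)(/.*)?$")


def scan_proxy_log(lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, label, host) for every line that matches an indicator."""
    hits: List[Tuple[int, str, str]] = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 5:
            continue
        dst_ip, method, target = parts[2], parts[3], parts[4]
        if method == "CONNECT":  # TLS: the proxy only sees host:port, never the path
            host, path = target.rsplit(":", 1)[0], ""
        else:
            m = URL_RE.match(target)
            if not m:
                continue
            host, path = m.group(1), m.group(2) or "/"
        label = classify_http_request(host, path, dst_ip)
        if label:
            hits.append((n, label, host))
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG.splitlines()):
        print(hit)
```

- Run directly, it prints the three hits from the sample log (installer URL, PNG host, C2 host) and nothing for the support.microsoft.com line. The URL-path regex is the most durable of the three matchers because all 18 listed URLs share it while the hostnames differ; the host and IP tables only catch this exact set. For the CONNECT lines the path is invisible, so TLS traffic to the PNG and C2 hosts can only be matched on hostname or destination IP.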