- 2020-09-17 (THURSDAY) - TA551 (SHATHAK) WORD DOCS WITH MACROS FOR ICEDID:
- CHAIN OF EVENTS:
- - malspam --> password-protected zip attachment --> extracted Word doc --> enable macros --> installer DLL --> IcedID EXE
- 20 EXAMPLES OF TA551 WORD DOCS WITH MACROS FOR ICEDID:
- AT LEAST 8 DOMAINS HOSTING THE ICEDID DLL:
- URLS FOR ICEDID DLL:
- 14 EXAMPLES OF ICEDID INSTALLER DLLS:
- EXAMPLES OF LOCATIONS FOR THE INSTALLER DLL FILES:
- - C:\Users\[username]\Documents\b163d.pdf
- - C:\Users\[username]\Documents\ea799.pdf
- - C:\Users\[username]\Documents\f34b1.pdf
- - C:\[same directory as the Word doc]\a8635.pdf
- - C:\[same directory as the Word doc]\b163d.pdf
- - C:\[same directory as the Word doc]\d9a97.pdf
- - C:\[same directory as the Word doc]\dd009.pdf
- - C:\[same directory as the Word doc]\e6503.pdf
- - C:\[same directory as the Word doc]\ea799.pdf
- - C:\[same directory as the Word doc]\edcf3.pdf
- DLL RUN METHOD:
- - regsvr32.exe [filename]
- AT LEAST 2 DIFFERENT URLS FOR HTTPS TRAFFIC GENERATED BY INSTALLER DLLS:
- - 142.93.218[.]110 - port 443 - ldrmercury[.]casa - GET /background.png
- - 134.122.55[.]164 - port 443 - ldrstar[.]casa - GET /background.png
- 1 EXAMPLE OF A SHA256 HASH FOR THE ICEDID EXE CREATED BY THE ICEDID INSTALLER:
- - eb413325acbb2ea289969e834c5237fc6376073f24674b7760d45b94dfaf8755
- HTTPS TRAFFIC TO MALICIOUS DOMAINS CAUSED BY THE ICEDID EXE FILE:
- - 79.141.171[.]183 port 443 - gaagachelo[.]cyou
- - 79.141.171[.]183 port 443 - odnovoennbundes[.]cyou
- HTTPS TRAFFIC TO LEGITIMATE DOMAINS CAUSED BY INSTALLER DLL:
- - port 443 - www.intel.com
- - port 443 - support.oracle.com
- - port 443 - www.oracle.com
- - port 443 - support.apple.com
- - port 443 - support.microsoft.com
- - port 443 - help.twitter.com
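The run method and traffic patterns recorded above, turned into detection logic over constructed log lines. This is an added example, not code from the original post; the Office parent-process list, the set of "normal" regsvr32 extensions, and the log formats are assumptions.

```python
import re

# Constructed Sysmon-style regsvr32 process-creation events (not from the post),
# as (parent image, command line): two match the run method, one is benign.
REGSVR32_EVENTS = [
    ("WINWORD.EXE", r"regsvr32.exe C:\Users\alice\Documents\b163d.pdf"),
    ("explorer.exe", r"regsvr32.exe /s C:\Users\bob\Downloads\a8635.pdf"),
    ("msiexec.exe", r"regsvr32.exe /s C:\Windows\System32\vendorcodec.dll"),
]
# Constructed proxy log lines (not from the post): "<client> <method> <url>".
PROXY_LINES = [
    "10.0.0.15 GET http://c6ut9we.com/myzyn/mevap.php?l=fuzo3.cab",
    "10.0.0.15 GET https://ldrmercury.casa/background.png",
    "10.0.0.22 GET https://www.oracle.com/",
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}  # assumed list
LIBRARY_EXTS = {"dll", "ocx", "ax"}  # extensions regsvr32 normally loads (assumed)
USER_PATH = re.compile(r"(?i)\\users\\[^\\]+\\")  # user-writable location
DELIVERY_URL = re.compile(r"(?i)/myzyn/mevap\.php\?l=fuzo\d+\.cab$")  # from the post
CHECKIN_URL = re.compile(r"(?i)^https://[^/]+\.casa/background\.png$")  # from the post

def flag_process(parent, cmdline):
    """Reason string if the event matches the post's DLL run method, else None."""
    args = [t.strip('"') for t in cmdline.split()[1:] if not t.startswith("/")]
    if not args:
        return None
    target = args[0]  # unquoted paths only; a real parser must handle spaces
    ext = target.lower().rpartition(".")[2]
    if parent.lower() in OFFICE_PARENTS:
        return f"regsvr32 spawned by {parent}: {target}"
    if ext not in LIBRARY_EXTS and USER_PATH.search(target):
        return f"regsvr32 loading non-library file from user path: {target}"
    return None

def flag_url(line):
    """Reason string if a proxy line matches the delivery or check-in pattern."""
    url = line.split()[-1]
    if DELIVERY_URL.search(url):
        return f"installer DLL download pattern: {url}"
    if CHECKIN_URL.match(url):
        return f"installer DLL check-in pattern: {url}"
    return None

def scan(events, proxy_lines):
    """Collect all reasons across both log sources."""
    hits = [r for r in (flag_process(p, c) for p, c in events) if r]
    return hits + [r for r in map(flag_url, proxy_lines) if r]
```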