API tools faq
paste
Advertisement
malware_traffic

2020-11-11 (Wednesday) - IcedID from myResume.xlsb

malware_traffic
Nov 11th, 2020
9,728
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 2.17 KB | None | 0 0
raw download clone embed print report
  1. 2020-11-11 (WEDNESDAY) - ICEDID FROM MYRESUME.XLSB
  2.  
  3. NOTES:
  4.  
  5. - For the past several months, I've only seen ZLoader (SilentNight) from this campaign.
  6. - This time, the spreadsheet template has changed, and I'm seeing IcedID instead of ZLoader
  7.  
  8. ASSOCIATED MALWARE:
  9.  
  10. - SHA256 hash: fa4593b9b833602d9e309c40ec8becb6159a94d2acff372bc75a4b0a91fe2fb3
  11. - File size: 202,630 bytes
  12. - File name: myResume.xlsb
  13. - File description: Excel spreadsheet (XLSX) with macro for IcedID
  14.  
  15. - SHA256 hash: 4d00dd3d606e59496069e836b1c4466d5a11a1a03c2207947f64e4442099657a
  16. - File size: 134,656 bytes
  17. - File location: http://205.185.113.20/files/3.dll
  18. - File location: C:\syuHKYt\vFPKnDV\VSMecyU.dll
  19. - File description: Installer DLL for IcedID
  20. - Run method: rundll32.exe [filename],DllRegisterServer
  21.  
  22. - SHA256 hash: d25e3a7ed538968e9b78367cd8f8d20f8f55471a1eb27aae2774272fc8c1c1ce
  23. - File size: 125,952 bytes
  24. - File location: C:\Users\[username]\AppData\Local\Temp\~19228000.dll
  25. - File description: IcedID DLL created by the installer DLL
  26. - Run method: regsvr32.exe /s [filename]
  27.  
  28. - SHA256 hash: 818076cbf3b8323b674d476b2862b3495cddcc13ef957f5bd9ec7f18bd436791
  29. - File size: 125,952 bytes
  30. - File location: C:\Users\[username]\AppData\Roaming\[username]\goibjitt1.dll
  31. - File description: IcedID persistent on the infected Windows host
  32. - Run method: regsvr32.exe /s [filename]
  33.  
  34. TRAFFIC GENERATED BY MACRO TO RETRIEVE INSTALLER DLL:
  35.  
  36. - 205.185.113[.]20 port 80 - 205.185.113[.]20 - GET /BVd1qKwd
  37. - 205.185.113[.]20 port 80 - 205.185.113[.]20 - GET /3.dll
  38.  
  39. TRAFFIC TO LEGITMATE DOMAINS GENERATED BY INSTALLER DLL:
  40.  
  41. - port 443 - help.twitter.com
  42. - port 443 - support.apple.com
  43. - port 443 - support.oracle.com
  44. - port 443 - www.oracle.com
  45. - port 443 - support.microsoft.com
  46. - port 443 - www.intel.com
  47.  
  48. URL GENERATED BY INSTALLER DLL:
  49.  
  50. - 143.110.191[.]95 port 443 - lezasopedrill[.]cyou - GET /background.png
  51.  
  52. C2 DOMAINS USED BY ICEDID DLL:
  53.  
  54. - 198.211.99[.]24 - port 443 - timerdisclaimer[.]pw
  55. - 198.211.99[.]24 - port 443 - experrementummo[.]pw
  56. - 198.211.99[.]24 - port 443 - nomoregigration[.]cyou
  57. - 198.211.99[.]24 - port 443 - compactmuslimsdeport[.]pw
  58. - 198.211.99[.]24 - port 443 - 12demuslims[.]top
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!