malware_traffic

2020-11-24 (Tuesday) - TA551 (Shathak) Word docs with English template push IcedID

Nov 24th, 2020 (edited)
2020-11-24 (TUESDAY) - TA551 (SHATHAK) WORD DOCS WITH ENGLISH LANGUAGE TEMPLATE PUSH ICEDID:

CHAIN OF EVENTS:

- malspam --> password-protected zip attachment --> extracted Word doc --> enable macros --> installer DLL --> IcedID DLL

4 EXAMPLES OF TA551 WORD DOCS WITH MACROS:

- 37db367c01e40ee2f05a5966d6670e07fd3292c01f4da8ffd77c0e3c96a79464 deed contract.11.20.doc
- 81a9a90300cb711fe2ee8ef3cd168f41a4dcb9947a36d7bcda30867360d99ea4 details-11.20.doc
- 3175b6ee197e76e17fe22e8176f66ecfcd2f4de7320fe51430680bfd646bab9c enjoin_11.24.2020.doc
- 4de0cdd480990aad05acf6c178e4711cd05bf0bc83b4c65fe0e0c0003832f5d6 material.11.20.doc

AT LEAST 2 DOMAINS HOSTING THE INSTALLER DLL:

- fu-vapor8895[.]com - 188.120.255[.]68
- l-laptop6658[.]com - 45.12.4[.]233

EXAMPLES OF URLS FOR INSTALLER DLL:

- GET /share/92Lm_79ASH7srFlVPcgJDwPjNam8WuGkr0Ta/lxnt10
- GET /share/kvNqzh1tF4Y8zyxtL/HQpK6K42Wr8SP9PLJSqxc5h/ROwPcKsG/dbULREqlb1Kj0_RRT/Dfnj/lxnt10
- GET /share/ftmGhE2v0ebFH4Ov6R3xRPcAwdPuJrrdgxEsNuRFL4MorzVrs6dRDXqY/lxnt11
- GET /share/bFcvKlFJrlxvKewsj5d4pQxQlUhXmWO0qOzilaW5CrJ4C0N/UdTfvkJ1QNftf2_PVj_wV98/lxnt11

4 EXAMPLES OF INSTALLER DLLS:

- 1b145cd12882ab58ddb7bdb833e11f9e11b3eb9ce721d75cc6197f87ba4fd341
- 8d142bd62fdc3de06cda080afcac67b600fa29ef527a11640c928199a8610f3e
- cdce92800d0038fb078462a722230636754ffca7bf31b85ce7b494ed33d2eee3
- d47cf4ec1a51c17befc01722d5ff603cfbd338ccff442669e765bf8dc20c6b54

EXAMPLES OF LOCATION FOR THE INSTALLER DLL FILES:

- C:\Users\[username]\AppData\Local\Temp\CMLWU.pdf
- C:\Users\[username]\AppData\Local\Temp\FpVjp.pdf
- C:\Users\[username]\AppData\Local\Temp\Fxrri.pdf
- C:\Users\[username]\AppData\Local\Temp\mGhdt.pdf

DLL RUN METHOD:

- rundll32.exe [filename],ShowDialogA -r

HTTPS TRAFFIC TO LEGITIMATE DOMAINS CAUSED BY INSTALLER DLL:

- port 443 - facebook.com
- port 443 - www.facebook.com
- port 443 - instagram.com
- port 443 - www.instagram.com
- port 443 - www.tumblr.com
- port 443 - twitter.com

AT LEAST 2 DIFFERENT DOMAINS FOR HTTPS TRAFFIC GENERATED BY INSTALLER DLLS:

- 143.110.185[.]84 port 443 - futuduramatios[.]best
- 143.110.185[.]84 port 443 - suitecasecourt[.]cyou

3 EXAMPLES OF SHA256 HASHES FOR ICEDID DLL CREATED BY INSTALLER:

- 6610a12184a15e0fe2f3c8d2f730aa7a4497386a10487138cfe1e019ec3f1f2a (initial both runs)
- f25862e2ae2bc1af4a3117c22317abac677b278645135013cdd43e47868d536b (persistent 1st run)
- 1a4f63c7c5b4e3e26cce157c4e0d6ed8c1fef956c4033b96df9159d27169445d (persistent 2nd run)

HTTPS TRAFFIC TO MALICIOUS DOMAINS CAUSED BY THE ICEDID DLL FILES:

- 68.183.54[.]143 port 443 - afromadness[.]club
- 68.183.54[.]143 port 443 - 9seeallcars[.]best
- 167.71.224[.]39 port 443 - pareomedeo[.]club
- 167.71.224[.]39 port 443 - servepeolor[.]top
- 167.71.224[.]39 port 443 - wasserwoman[.]top
- 68.183.54[.]143 port 443 - initiativeuntimed[.]cyou

DNS QUERIES FOR ADDITIONAL DOMAINS CAUSED BY ICEDID DURING THE SECOND RUN:

- astroglippers[.]club - No such name
- muslerafootball[.]best - No such name
- regardlessnotice[.]top - No such name

MALWARE RETRIEVED FROM AN INFECTED WINDOWS HOST FROM THE FIRST RUN:

- SHA256 hash: cdce92800d0038fb078462a722230636754ffca7bf31b85ce7b494ed33d2eee3
- File size: 228,864 bytes
- File location: hxxp://fu-vapor8895[.]com/share/92Lm_79ASH7srFlVPcgJDwPjNam8WuGkr0Ta/lxnt10
- File location: C:\Users\[username]\AppData\Local\Temp\Fxrri.pdf
- File description: Installer DLL retrieved by Word macro

- SHA256 hash: d4df9780c1d93538eb34c9db64aa87dd5a5ee718b3392dbe7f6719de053ef3ca
- File size: 112,511 bytes
- File location: C:\Users\[username]\AppData\Local\Temp\00070a5e.png
- File type: PNG image data, 482 x 561, 8-bit/color RGB, non-interlaced
- File description: PNG file with encoded data used to create initial IcedID DLL

- SHA256 hash: 6610a12184a15e0fe2f3c8d2f730aa7a4497386a10487138cfe1e019ec3f1f2a
- File size: 108,032 bytes
- File location: C:\Users\[username]\AppData\Local\Accesshover.dat
- File description: Initial IcedID DLL created from the above PNG file

- SHA256 hash: cc1030c4c7486f5295444acb205fa9c9947ad41427b6b181d74e7e5fe4e6f8a9
- File size: 677,968 bytes
- File location: C:\Users\[username]\AppData\Roaming\yaaksaac3\[username]\iyxoac.png
- File type: PNG image data, 789 x 431, 8-bit/color RGB, non-interlaced
- File description: Another encoded PNG file created after above DLL is run

- SHA256 hash: f25862e2ae2bc1af4a3117c22317abac677b278645135013cdd43e47868d536b
- File size: 108,032 bytes
- File location: C:\Users\[username]\AppData\Local\{261F864B-8892-4100-2EDE-BDC115A72551}\nivude1.dll
- File description: IcedID DLL persistent on the infected Windows host