malware_traffic

2020-07-20 (Monday) Word docs with macros for IcedID

Jul 20th, 2020
2020-07-20 (MONDAY) WORD DOCS WITH MACROS FOR ICEDID (BOKBOT)

REFERENCE:

- https://www.malware-traffic-analysis.net/2020/07/20/index.html

12 EXAMPLES OF SHA256 HASHES FOR WORD DOCS WITH MACROS FOR ICEDID:


DOMAINS HOSTING ICEDID INSTALLER:


HTTP GET REQUESTS FOR THE ICEDID INSTALLER DLL:


20 EXAMPLES OF SHA256 HASHES FOR ICEDID INSTALLER DLL FILES:


- NOTE: Run method for the above DLL files: Regsvr32.exe [filename]

EXAMPLES OF LOCATIONS FOR ICEDID INSTALLER DLL FILE:

- Most of these were in the same directory as the Word document, with the file name c2.pdf
- C:\ProgramData\7779.jpg
- C:\ProgramData\8930.jpg
- C:\ProgramData\56236.jpg

TRAFFIC FROM AN INFECTED WINDOWS HOST:

- 194.36.189[.]170 port 80 - g0zh8lb3[.]com - GET /4adr/lotv.php?l=iadi7.cab
- port 443 - support.oracle[.]com - HTTPS traffic (not inherently malicious)
- port 443 - www.oracle[.]com - HTTPS traffic (not inherently malicious)
- port 443 - www.intel[.]com - HTTPS traffic (not inherently malicious)
- port 443 - support.microsoft[.]com - HTTPS traffic (not inherently malicious)
- port 443 - support.apple[.]com - HTTPS traffic (not inherently malicious)
- 161.35.148[.]20 port 443 - ldrplutos[.]casa - HTTPS traffic generated by IcedID installer
- port 443 - help.twitter[.]com - HTTPS traffic (not inherently malicious)
- 161.35.146[.]115 port 443 - cutterfighter[.]club - HTTPS traffic generated by IcedID
- 161.35.146[.]115 port 443 - 3boardeux[.]top - HTTPS traffic generated by IcedID

MALWARE FROM AN INFECTED WINDOWS HOST:

- SHA256 hash: 4f619d009937aa25f7e62ceefc2c2137b008d8e8bf093eee20d044c69c0247bf
- File size: 396,615 bytes
- File location: C:\Users\[username]\AppData\Local\Temp\~480046.tmp
- File type: PNG image data, 601 x 280, 8-bit/color RGB, non-interlaced
- File description: PNG image retrieved from ldrplutos.casa with encoded data used to create the IcedID EXE below.

- SHA256 hash: 15d9f31296311240d9f969b6e850edd3002a0e0ee52c2847ef0f777cff73652a
- File size: 392,192 bytes
- File location: C:\Users\[username]\AppData\Local\Temp\~579765.exe
- File description: IcedID EXE created using encoded data from the above PNG image

- SHA256 hash: 0d4404a9cb36278b3d02db77d84da55e9066c16ea1a6ad590ae348223e0f1614
- File size: 392,192 bytes
- File location: C:\Users\[username]\AppData\Roaming\[username]\{EBA2B605-D496-E685-237D-EFB01DE63FAF}\ifseiu64.exe
- File description: IcedID EXE persistent on the infected Windows host

- SHA256 hash: e6e0adcc94c3c4979ea1659c7125a11aa7cdabe24a36f63bfe1f2aeee2c5d3a1
- File size: 669,381 bytes
- File location: {D80C7907-C255-0B68-0512-C7E6964E6799}
- File type: PNG image data, 614 x 514, 8-bit/color RGB, non-interlaced
- File description: PNG image with encoded data related to the IcedID infection