API tools faq
paste
Advertisement
malware_traffic

2020-07-20 (Monday) Word docs with macros for IcedID

malware_traffic
Jul 20th, 2020
12,242
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 5.66 KB | None | 0 0
raw download clone embed print report
  1. 2020-07-20 (MONDAY) WORD DOCS WITH MACROS FOR ICEDID (BOKBOT)
  2.  
  3. REFERENCE:
  4.  
  5. - https://www.malware-traffic-analysis.net/2020/07/20/index.html
  6.  
  7. 12 EXAMPLES OF SHA256 HASHES FOR WORD DOCS WITH MACROS FOR ICEDID:
  8.  
  9. - 19e84fa825b31a4344d2d992facd69866001efd9d7ab9de2bba2f8bad54efa90 charge_07.20.doc
  10. - 2446e5fa5a412550fa02b22076d8bac917d219d027fa867fc60a053133288602 decree.07.20.2020.doc
  11. - cc17289f5af8320473f104037b4e0f431a061fe0d7ba62d6fce35009cd808017 details 07.20.doc
  12. - 5f5453bd65e861a7b879ad5c020157cf2473aa35bb90c12a998cd41cd23a8ff2 docs 07.20.20.doc
  13. - 1fe806ac6b37d4425a40a9fe9e582ab05c9676c8331a2b1f38bc458e966aeac0 documents-07.20.doc
  14. - 67f04eff930119f5a70814d008dd971e8a868e3bca17756fa07af254a802d0ba enjoin.07.20.2020.doc
  15. - 329064dd4d1880b657600909c4048c97dc4b282a5e9b4cff06dd117070d708f5 input.07.20.2020.doc
  16. - c971c696a37abe3f8628c3888048096d42873c1e91d778b7dfba886820058a41 inquiry,07.20.doc
  17. - ff9f377f5d6ac1bfcdb7a7b185549ca3761a714ca787456ba656871208ec1b48 legal paper.07.20.doc
  18. - d6e51057214555ee71468575f08afe5128bda94e6539bbab8b89fb36121de10a official paper-07.20.doc
  19. - 0250519e459164a9de842bd9e6bee64c48c4e8ad6d85e71aed8810d836646332 prescribe -07.20.2020.doc
  20. - bfd58b7d1017d89586f7582891db297b5f75fa867ae282b6ed7329b168895bfa question,07.20.2020.doc
  21.  
  22. DOMAINS HOSTING ICEDID INSTALLER:
  23.  
  24. - b5js78uz[.]com
  25. - brult5bw[.]com
  26. - g0zh8lb3[.]com
  27. - kip2moht[.]com
  28. - pqfhjp0j[.]com
  29. - yamrii4g[.]com
  30. - z977oq4e[.]com
  31. - zp8kbgfs[.]com
  32.  
  33. HTTP GET REQUESTS FOR THE ICEDID INSTALLER DLL:
  34.  
  35. - GET /4adr/lotv.php?l=iadi1.cab
  36. - GET /4adr/lotv.php?l=iadi2.cab
  37. - GET /4adr/lotv.php?l=iadi3.cab
  38. - GET /4adr/lotv.php?l=iadi4.cab
  39. - GET /4adr/lotv.php?l=iadi5.cab
  40. - GET /4adr/lotv.php?l=iadi6.cab
  41. - GET /4adr/lotv.php?l=iadi7.cab
  42. - GET /4adr/lotv.php?l=iadi8.cab
  43. - GET /4adr/lotv.php?l=iadi9.cab
  44. - GET /4adr/lotv.php?l=iadi10.cab
  45. - GET /4adr/lotv.php?l=iadi11.cab
  46. - GET /4adr/lotv.php?l=iadi12.cab
  47.  
  48. 20 EXAMPLES OF SHA256 HASHES FOR ICEDID INSTALLER DLL FILES:
  49.  
  50. - 0158a3b44b5fc73018585d050cd915b35ae7cb8579cd42cc240f5e0015607937
  51. - 03afc8c1250b8bf37102da9158250f0fd07a95a44c77e0216a0623f0aaadf392
  52. - 049b60f024aa1255461c4420aef64fc17ee26e8bab77c706c9d7e9a8d5b1ea2f
  53. - 0981406f5c10387acecc79272b1a8eeac56ce6f13ff4bde6290a8352cc413e7d
  54. - 2ce6cc6883a333e0b1f0626e51db0dc36e50cf43a53015665f3a530469d1e94c
  55. - 3033c1e6465cce3c1c83c1526c4e94ef23fb8d8b5952c1fd59f0c5688ecc0140
  56. - 3dd735178216b3c00bb30a87556a4faca7e030d2b721bc30874f269b4eb79ff0
  57. - 3f2f7f57ac8888a557e0620a399cfb3e9e073d1465dac31b6161484cc5f70028
  58. - 4b4bf13fe2914ed76e38ae1b982bd0ea12866bc1ff77d1c90259357ff5abc32e
  59. - 5b00d2552ddf2a28c761d197b9479a60175cb7627c5d297239ad2dac844e7e3b
  60. - 66b748a75a12ce37a3f3d38b45c725bc8b9bcd4cefa92b40578c9b729af0f2ae
  61. - 9573bb7a90860f3302e3f298b2555dfd7680aecd24997b5aa3990f98d57e3a11
  62. - a67156403bdd5d3c52334e9dcb8fb8dd8bd7e51548fbffee5ceea7e11b953cf2
  63. - ba233c19ca3a69d11f386f4b23499be5516acbe6c96764931c470529d4c29aa5
  64. - bbee5d1620372d0ef2f195f3f629c3cec392384f8a7a0409b255e73d06761cb2
  65. - d32bcfc257678aa6983dba4eb574312060436d5efbb5f9dcbeecccacd50cd62e
  66. - d5936fb27fb7d59a3c670157f5e31679c38a9b92c026349dc816631ee7619fb1
  67. - e6ca8c5341cfe074db4dab1efd9363ff1eb5aa5121a790bdea6af79469bff748
  68. - f2b9110bb7da63ee536eb1e29c34dbc1b9fad84d286395434c41304d3028c668
  69. - f785ed5227ef3772947c15ba47992a8f36cce03cf7a6f31e3334af2050c59e18
  70.  
  71. - NOTE: Run method for the above DLL files: Regsvr32.exe [filename]
  72.  
  73. EXAMPLES OF LOCATIONS FOR ICEDID INSTALLER DLL FILE:
  74.  
  75. - Most of these were in the directory as the Word document, file name: c2.pdf
  76. - C:\ProgramData\7779.jpg
  77. - C:\ProgramData\8930.jpg
  78. - C:\ProgramData\56236.jpg
  79.  
  80. TRAFFIC FROM AN INFECTED WINDOWS HOST:
  81.  
  82. - 194.36.189[.]170 port 80 - g0zh8lb3[.]com - GET /4adr/lotv.php?l=iadi7.cab
  83. - port 443 - support.oracle[.]com - HTTPS traffic (not inherently malicious)
  84. - port 443 - www.oracle[.]com - HTTPS traffic (not inherently malicious)
  85. - port 443 - www.intel[.]com - HTTPS traffic (not inherently malicious)
  86. - port 443 - support.microsoft[.]com - HTTPS traffic (not inherently malicious)
  87. - port 443 - support.apple[.]com - HTTPS traffic (not inherently malicious)
  88. - 161.35.148[.]20 port 443 - ldrplutos[.]casa - HTTPS traffic generated by IcedID installer
  89. - port 443 - help.twitter[.]com - HTTPS traffic (not inherently malicious)
  90. - 161.35.146[.]115 port 443 - cutterfighter[.]club - HTTPS traffic generated by IcedID
  91. - 161.35.146[.]115 port 443 - 3boardeux[.]top - HTTPS traffic generated by IcedID
  92.  
  93. MALWARE FROM AN INFECTED WINDOWS HOST:
  94.  
  95. - SHA256 hash: 4f619d009937aa25f7e62ceefc2c2137b008d8e8bf093eee20d044c69c0247bf
  96. - File size: 396,615 bytes
  97. - File location: C:\Users\[username]\AppData\Local\Temp\~480046.tmp
  98. - File type: PNG image data, 601 x 280, 8-bit/color RGB, non-interlaced
  99. - File description: PNG image retrieved from ldrplutos.casa with encoded data used to create IcedID EXE below.
  100.  
  101. - SHA256 hash: 15d9f31296311240d9f969b6e850edd3002a0e0ee52c2847ef0f777cff73652a
  102. - File size: 392,192 bytes
  103. - File location: C:\Users\[username]\AppData\Local\Temp\~579765.exe
  104. - File description: IcedID EXE created using encoded data from the above PNG image
  105.  
  106. - SHA256 hash: 0d4404a9cb36278b3d02db77d84da55e9066c16ea1a6ad590ae348223e0f1614
  107. - File size: 392,192 bytes
  108. - File location: C:\Users\[username]\AppData\Roaming\[username]\{EBA2B605-D496-E685-237D-EFB01DE63FAF}\ifseiu64.exe
  109. - File description: IcedID EXE persistent on the infected Windows host
  110.  
  111. - SHA256 hash: e6e0adcc94c3c4979ea1659c7125a11aa7cdabe24a36f63bfe1f2aeee2c5d3a1
  112. - File size: 669,381 bytes
  113. - File location: {D80C7907-C255-0B68-0512-C7E6964E6799}
  114. - File type: PNG image data, 614 x 514, 8-bit/color RGB, non-interlaced
  115. - File description: PNG image with encoded data related to the IcedID infection
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!