malware_traffic

2020-07-23 (Thursday) - TA551 word docs with macros for IcedID

Jul 23rd, 2020 (edited)
2020-07-23 (THURSDAY) TA551 (SHATHAK) WORD DOCS PUSHING ICEDID (BOKBOT)

REFERENCE

- https://twitter.com/malware_traffic/status/1286371449540935680

NOTES:

- All the files below have been submitted to bazaar.abuse.ch
- All of the URLs for the IcedID installer have been submitted to urlhaus.abuse.ch

CHAIN OF EVENTS:

- Email spoofing a legitimate email chain --> password-protected zip attachment --> extracted Word doc --> enable macros --> IcedID installer DLL --> IcedID EXE

20 EXAMPLES OF WORD DOCS WITH MACROS FOR ICEDID:

- 0efdedf34d958243edc8255d0a35d78e972b6d57ea109462e8b320be78a16623  decree-07.20.doc
- 1ce37ba6b434b711802f3d6049401e1c940031654f7b1cc2fe70201d1b352503  figures.07.23.2020.doc
- 2b1824e5094baf87ef08e0ea1282d9beba28ab9b57b049fb041926ce51c045fa  input_07.23.2020.doc
- 2f2404eaa1762c92ea08665e31ef57d6118f4e7572a0208bb102fa65c645cf95  rule.07.23.2020.doc
- 42b380f5afc8d5a470987e95e2a82378fb902daf8a33250dada4e858adccc305  enjoin-07.23.2020.doc
- 4547c5416d9164c926e43faa66cf6711760be1a8e6e42f46250a994fa7eb6ad9  commerce  07.23.2020.doc
- 515728dd8d7862b30055a8fe01fbd14d30ecf1c9bc8c8ac9ca22358f01903fef  adjure.07.20.doc
- 51dc78f60b5bcd75b630bf1283e84b5bc69c98017824f537850c26eb90c43077  details 07.23.20.doc
- 5352a82584dd199a0c02c76f5a03a1ab30008956fc4f85c030826f93abeb9963  enjoin_07.23.2020.doc
- 58e84bbdabf09fd99841447c2d531f26a9f6ed8084b2905c70079db4d21d5be0  legislate.07.20.doc
- 6829e26b90a88f5b485f2ef7484bf7692a032f0fd179419e491cabb1299b7dd0  decree,07.20.doc
- 84e2969e418f746c0500a3975aad550c9c0e906691720d221ff95faa76e885dc  charge-07.23.20.doc
- 8ab51f907222bf61b973f2be8b10b76a06c9ad3d0aaa85d5185c1ab1520ca59d  documents_07.20.doc
- 9937522f6af28da39d189260f40b7dec9a4ec82dd8c56e5281d125fa9490316f  report,07.20.doc
- 9c646d782b3ded8044d293e84f08aaa07d364fb18d010db6c0189dad7123035c  docs 07.20.doc
- 9d064681e57fe17d0333b4e406feb0e2f90c1c1456871c36d677cc2a736decfd  docs.07.20.doc
- bcffa4203b3fea6aaf94f74c3a50d11bd1789bf75a239758453e068b92f11811  input-07.23.2020.doc
- c127158480e160867e90397a0bdb3209daf448e69873de7ed491c91ea8dc66f0  direct.07.20.doc
- d4848fde6fe4150a88389dbc9ce4faec123595c973210f87a19b496dd211f032  official paper_07.23.2020.doc
- e4aecb7ffc7c53d86191864ee60fe6c9e59d0d8250ce0412e69d29de8a4fab73  material,07.23.20.doc

DOMAINS HOSTING THE ICEDID INSTALLER DLL FILES:

- 2w17h6a[.]com - 95.181.179[.]136
- 3wuk8wv[.]com - 79.174.12[.]35
- awb6q4j[.]com - 51.75.56[.]30
- efc86dd[.]com - 185.43.4[.]205
- h7llj8w[.]com - 79.174.12[.]36
- imrhln0[.]com - 45.12.4[.]132
- nlx6300[.]com - 95.181.179[.]142
- redfcpi[.]com - 95.181.179[.]123
- w4nuvjy[.]com - 185.43.4[.]241

URLS TO RETRIEVE THE ICEDID INSTALLER DLL FILES:

- GET /xemcl/iba.php?l=unt1.cab
- GET /xemcl/iba.php?l=unt2.cab
- GET /xemcl/iba.php?l=unt3.cab
- GET /xemcl/iba.php?l=unt4.cab
- GET /xemcl/iba.php?l=unt5.cab
- GET /xemcl/iba.php?l=unt6.cab
- GET /xemcl/iba.php?l=unt7.cab
- GET /xemcl/iba.php?l=unt8.cab
- GET /xemcl/iba.php?l=unt9.cab
- GET /xemcl/iba.php?l=unt10.cab
- GET /xemcl/iba.php?l=unt11.cab
- GET /xemcl/iba.php?l=unt12.cab
- GET /xemcl/iba.php?l=unt13.cab
- GET /xemcl/iba.php?l=unt14.cab
- GET /xemcl/iba.php?l=unt15.cab

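Added example (not part of the original paste): a Python script that parses indicators written in this paste's own line format, refangs the "[.]" notation, and checks proxy log lines against the hosting domains, their IPs, the installer URL paths and the IcedID HTTPS hosts above. The proxy log layout ("timestamp client method url status") and the log lines themselves are constructed for the example, and treating any "untN.cab" value as the same installer URL pattern is a generalisation of the fifteen listed URLs, not something the paste states.

```python
"""Match proxy log lines against the TA551/IcedID indicators listed above.

Added example, not part of the original paste. The indicator text below is
copied from the paste (defanged with "[.]"); the proxy log lines are constructed
sample data in an assumed "timestamp client method url status" layout, not
logs from any real host.
"""
import re
from urllib.parse import urlsplit

# A subset of the paste's indicators, in the paste's own line format.
IOC_TEXT = """\
DOMAINS HOSTING THE ICEDID INSTALLER DLL FILES:
- 2w17h6a[.]com - 95.181.179[.]136
- 3wuk8wv[.]com - 79.174.12[.]35
- awb6q4j[.]com - 51.75.56[.]30
URLS TO RETRIEVE THE ICEDID INSTALLER DLL FILES:
- GET /xemcl/iba.php?l=unt1.cab
- GET /xemcl/iba.php?l=unt2.cab
IP ADDRESSES/DOMAINS FOR HTTPS TRAFFIC CAUSED BY ICEDID:
138.68.50[.]71 port 443 - loadhnichar[.]co - GET /backgound.png
194.5.249[.]122 port 443 - passiopersio[.]top
"""

# Generalisation (assumption): the paste lists unt1.cab ... unt15.cab; any
# "untN.cab" value is treated as the same installer-download pattern.
INSTALLER_PATH_RE = re.compile(r"^/xemcl/iba\.php\?l=unt\d+\.cab$")

# Line shapes used in the paste.
DOMAIN_IP_RE = re.compile(r"^- (?P<domain>\S+) - (?P<ip>\S+)$")
GET_RE = re.compile(r"^- GET (?P<path>/\S+)$")
HTTPS_RE = re.compile(r"^(?P<ip>\S+) port \d+ - (?P<domain>\S+)(?: - GET (?P<path>/\S+))?$")

# Constructed proxy log lines (not real traffic): two installer downloads, one
# HTTPS check-in, one clean request, one unknown host using the URL pattern.
SAMPLE_PROXY_LOG = [
    "2020-07-23T14:01:10Z 10.0.0.25 GET http://2w17h6a.com/xemcl/iba.php?l=unt7.cab 200",
    "2020-07-23T14:01:12Z 10.0.0.25 GET http://51.75.56.30/xemcl/iba.php?l=unt2.cab 200",
    "2020-07-23T14:02:30Z 10.0.0.25 CONNECT loadhnichar.co:443 200",
    "2020-07-23T14:03:00Z 10.0.0.40 GET http://www.example.com/index.html 200",
    "2020-07-23T14:03:05Z 10.0.0.40 GET http://cdn.example.net/xemcl/iba.php?l=unt99.cab 404",
]


def refang(text):
    """Turn the paste's defanged notation ("95.181.179[.]136", "2w17h6a[.]com") back into a usable value."""
    return text.replace("[.]", ".")


def parse_iocs(text):
    """Return (domains, ips, paths) sets parsed from paste-format indicator text."""
    domains, ips, paths = set(), set(), set()
    for line in text.splitlines():
        line = line.strip()
        m = DOMAIN_IP_RE.match(line) or HTTPS_RE.match(line)
        if m:
            domains.add(refang(m.group("domain")).lower())
            ips.add(refang(m.group("ip")))
            if m.groupdict().get("path"):
                paths.add(m.group("path"))
            continue
        m = GET_RE.match(line)
        if m:
            paths.add(m.group("path"))
    return domains, ips, paths


def check_proxy_line(line, domains, ips, paths):
    """Return the reasons one proxy log line matches the indicators (empty list if clean)."""
    fields = line.split()
    if len(fields) < 5:
        return []
    url = fields[3]
    if "://" not in url:
        url = "//" + url  # CONNECT lines carry "host:port"; force netloc parsing
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path + ("?" + parts.query if parts.query else "")
    reasons = []
    if host in domains:
        reasons.append("known domain: " + host)
    if host in ips:
        reasons.append("known IP: " + host)
    if path in paths:
        reasons.append("known URL path: " + path)
    elif INSTALLER_PATH_RE.match(path):
        reasons.append("installer URL pattern: " + path)
    return reasons


def scan(log_lines, ioc_text=IOC_TEXT):
    """Return {line_index: [reasons]} for every log line that hits an indicator or the URL pattern."""
    domains, ips, paths = parse_iocs(ioc_text)
    hits = {}
    for i, line in enumerate(log_lines):
        reasons = check_proxy_line(line, domains, ips, paths)
        if reasons:
            hits[i] = reasons
    return hits


if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_PROXY_LOG).items():
        print(SAMPLE_PROXY_LOG[idx])
        for r in reasons:
            print("    ->", r)
```

The URL-pattern check is kept separate from the exact-match sets so the fifth line (an unknown host serving untN.cab) is still flagged; a pattern hit on a host not in the list is the cue to pivot back to urlhaus.abuse.ch for the new domain.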
24 EXAMPLES OF SHA256 HASHES FOR ICEDID INSTALLER DLL FILES:

- 08605832a51e9b9b15ed35538064c26dfee05343bb09c62a83ed4b5fe2bfdb72
- 14af8a42733f87e2eb26240c5dc649351e68b7920477f880fd4a7e614d3cb042
- 2ab9bf80e3dd6d73b43e711b8941e81a2606ac315ffb771fdb9212033e90520d
- 2ca554a264d85b3e0c84bbfe31c8f34a96fedccb37b3398d1f85b0d85a1b2a9c
- 3bdf5d01989e203e6edb9ee61fd310d79bd4c7163ca4b8aeef66f5ec035bee87
- 3f2c7f661e8613d8fde12919afa48c3a2f931926406327409941d31081031b62
- 46dd2eaaefa964086da4a459b539d15d16b965164d4a180cffcb9f975d5084c2
- 4a222b602fba21c1679cdb179bbcc7d1543c7c63d8305cf284f0f57f108c34e1
- 536d688b029e003eae01b29bdebd7b44d939c61da6274aee13241919f77d2090
- 539c339c67f87349e48c9c48faf7d38673f53f8fbf8ee5ba8f67a2f670092ba3
- 5dad316f13bfad0dc5609d4df8fade8cb4ca358b734c13e6ea4970081038375b
- 85f8716f1a34c62372794b8c74cee10444d261db90064ffe19e6da11b3b7fbe6
- 8acca08a2375c6e143aa203ccd4e16f8b13f3cd54254c3eb4c272aeac43f555f
- 8f0325a3648ae0bea65ba84f6157726c6b81b19daa9f6266863e4778823f95a0
- aa19e1e52193fcc1daa61148713cf4567ba8a3925b6d0bda03e6f0a1014984ad
- ab7765cafe9cab11e9e2d5ff1a1fffa3fdc7fb9cb8c1e35874f56ea9d3432042
- ae0be78e4d1f86fc40075ae7cf3d2191933035d8ca788b112a9e3079b395226a
- ba0bec6631ee868697950ea1127324681640d5c64d4fc2ae10dfaaf618b57bfa
- ca7c50311550cf18c758203e677f3e45277f5de65f2c214ee55f2efb77cbce0d
- e01d66acad3bfd485e7248b2f08e000a8d57a23305539d72da1663a08cf141c7
- e51009c72bcb9932ce4a2b6c24410bff3ee4e486a7e1c3ec4c144c572206ae2f
- f8b33e3024d57ca7c338c695c501d8b08c11862239e58c44318bc58171265b63
- feb8effd6d099b72f777c7fb5086fb1a43388ca9c9bc2fabc0a150c5c657d24c
- ffeb14131f5dff40f5b0e82c3b2f246ddb43003fa3282450845d20cb3c36048c

- NOTE: All the above DLL files run with: Regsvr32.exe [filename]

LOCATIONS FOR THE ICEDID INSTALLER DLL FILES:

- C:\Users\[username]\AppData\Local\Temp\1.jpg
- Same directory as the Word doc, named Ub.pdf
- C:\Users\[username]\Documents\Ub.pdf

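Added example (not part of the original paste): host-side detection for the regsvr32 note and drop locations above. The script looks at process-creation records shaped like Sysmon Event ID 1 fields (Image, CommandLine, ParentImage, User), and flags regsvr32 being handed a file with a non-DLL extension, a file at one of the listed drop paths, or a regsvr32 launched by WINWORD.EXE. The records are constructed sample data, and the Word-as-parent heuristic is an assumption about how the macro launches the DLL rather than something the paste states.

```python
"""Flag regsvr32 executions matching the IcedID installer drop locations above.

Added example, not part of the original paste. The process-creation records are
constructed sample data shaped like Sysmon Event ID 1 fields; they are not
events from a real host. WINWORD.EXE as the parent of regsvr32 is an assumed
heuristic for macro execution, not a fact taken from the paste.
"""
import ntpath
import re

# Extensions regsvr32 is normally asked to register; anything else is suspicious.
EXPECTED_EXTS = {".dll", ".ocx", ".ax"}

# Drop locations named in the paste, with the username wildcarded. The second
# pattern covers both "Documents\Ub.pdf" and "same directory as the Word doc",
# assuming the document was opened from somewhere under the user's profile.
DROP_LOCATION_RES = [
    re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\1\.jpg$", re.I),
    re.compile(r"^c:\\users\\[^\\]+\\(?:.*\\)?ub\.pdf$", re.I),
]

OFFICE_PARENTS = {"winword.exe"}  # assumed parent for macro-launched regsvr32

TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')

# Constructed process-creation records (not real events).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe C:\Users\alice\AppData\Local\Temp\1.jpg",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "User": "CORP\\alice"},
    {"Image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "CommandLine": r'"C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Users\alice\Documents\Ub.pdf"',
     "ParentImage": r"C:\Windows\explorer.exe",
     "User": "CORP\\alice"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\component.dll"',
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "User": "NT AUTHORITY\\SYSTEM"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\Documents\notes.txt",
     "ParentImage": r"C:\Windows\explorer.exe",
     "User": "CORP\\alice"},
]


def split_cmdline(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(cmdline)]


def regsvr32_target(cmdline):
    """Return the file regsvr32 was asked to load, or None if this is not a regsvr32 command line."""
    args = split_cmdline(cmdline)
    if not args or ntpath.basename(args[0]).lower() != "regsvr32.exe":
        return None
    # Skip switches (/s, /n, /i:<arg>, ...); the remaining argument is the file.
    files = [a for a in args[1:] if not a.startswith(("/", "-"))]
    return files[-1] if files else None


def assess_event(event):
    """Return the reasons a process-creation event looks like the installer DLL being run (empty if none)."""
    reasons = []
    if ntpath.basename(event.get("Image", "")).lower() != "regsvr32.exe":
        return reasons
    target = regsvr32_target(event.get("CommandLine", ""))
    if target is None:
        return reasons
    ext = ntpath.splitext(target)[1].lower()
    if ext not in EXPECTED_EXTS:
        reasons.append("regsvr32 loading a non-DLL extension %r: %s" % (ext, target))
    if any(p.match(target) for p in DROP_LOCATION_RES):
        reasons.append("path matches a listed IcedID installer drop location: " + target)
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    if parent in OFFICE_PARENTS:
        reasons.append("spawned by " + parent + " (assumed macro execution)")
    return reasons


def scan_events(events):
    """Return {index: reasons} for every event that produces at least one reason."""
    hits = {}
    for i, event in enumerate(events):
        reasons = assess_event(event)
        if reasons:
            hits[i] = reasons
    return hits


if __name__ == "__main__":
    for idx, reasons in scan_events(SAMPLE_EVENTS).items():
        print(SAMPLE_EVENTS[idx]["CommandLine"])
        for r in reasons:
            print("    ->", r)
```

The extension check matters more than the exact paths: the paste's DLLs are dropped as 1.jpg and Ub.pdf, so a regsvr32 target whose extension is not .dll/.ocx/.ax is the durable signal even after the actor renames the files or moves them out of Temp and Documents.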
ICEDID EXE FILES FROM AN INFECTED HOST:

- 58215823021c2da84fcf725bbb9b118aba9b72178577cba1d4c69545b9ae7fa2
- d197285f37378d669afe2da7d3c60dcb93c118acf0d059d14ca67dcd73708ed2

IP ADDRESSES/DOMAINS FOR HTTPS TRAFFIC CAUSED BY ICEDID:

138.68.50[.]71 port 443 - loadhnichar[.]co - GET /backgound.png
194.5.249[.]122 port 443 - passiopersio[.]top
194.5.249[.]122 port 443 - iskuliokilo[.]pw
194.5.249[.]122 port 443 - betfrosner[.]best