malware_traffic

2020-07-23 (Thursday) - TA551 word docs with macros for IcedID

2020-07-23 (THURSDAY) TA551 (SHATHAK) WORD DOCS PUSHING ICEDID (BOKBOT)

REFERENCE:

- https://twitter.com/malware_traffic/status/1286371449540935680

NOTES:

- All the files below have been submitted to bazaar.abuse.ch
- All of the URLs for the IcedID installer have been submitted to urlhaus.abuse.ch

CHAIN OF EVENTS:

- Email spoofing a legitimate email chain --> password-protected zip attachment --> extracted Word doc --> enable macros --> IcedID installer DLL --> IcedID EXE

20 EXAMPLES OF WORD DOCS WITH MACROS FOR ICEDID:


DOMAINS HOSTING THE ICEDID INSTALLER DLL FILES:


URLS TO RETRIEVE THE ICEDID INSTALLER DLL FILES:


24 EXAMPLES OF SHA256 HASHES FOR ICEDID INSTALLER DLL FILES:


- NOTE: All the above DLL files run with: Regsvr32.exe [filename]

LOCATIONS FOR THE ICEDID INSTALLER DLL FILES:

- C:\Users\[username]\AppData\Local\Temp\1.jpg
- Same directory as the Word doc, named Ub.pdf
- C:\Users\[username]\Documents\Ub.pdf
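Added detection example (not part of the original paste): the installer DLL is loaded with Regsvr32.exe from a user-writable directory under a .jpg/.pdf name, so a process-creation record where regsvr32.exe is given a non-DLL extension or a file under Temp/Documents is worth alerting on. The sample events are constructed; the field layout (image path, command line) is an assumption.

```python
import re
from pathlib import PureWindowsPath
from typing import List, Tuple

# Constructed process-creation records, modelled on the note above:
# (image path, command line). Not taken from a real host.
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    (r"C:\Windows\System32\regsvr32.exe",
     r"regsvr32.exe C:\Users\alice\AppData\Local\Temp\1.jpg"),
    (r"C:\Windows\System32\regsvr32.exe",
     r'regsvr32.exe "C:\Users\alice\Documents\Ub.pdf"'),
    # Benign: a real DLL registered from System32.
    (r"C:\Windows\System32\regsvr32.exe",
     r"regsvr32.exe /s C:\Windows\System32\msxml3.dll"),
    # Unrelated process.
    (r"C:\Program Files\Foo\foo.exe", r"foo.exe --update"),
]

# Extensions regsvr32 is normally given; anything else (.jpg, .pdf) is odd.
DLL_EXTENSIONS = {".dll", ".ocx", ".ax"}
# User-writable directories named in the paste as drop locations.
USER_WRITABLE = ("appdata\\local\\temp", "\\documents\\")


def regsvr32_targets(cmdline: str) -> List[str]:
    """Return the file arguments of a regsvr32 command line.

    Quoted paths are kept whole; switches (/s, /i, -s ...) are skipped.
    """
    tokens = [q or p for q, p in re.findall(r'"([^"]+)"|(\S+)', cmdline)]
    return [t for t in tokens[1:] if not t.startswith(("/", "-"))]


def is_suspicious(image: str, cmdline: str) -> bool:
    """True when regsvr32.exe loads a non-DLL extension or a user-dir file."""
    if PureWindowsPath(image).name.lower() != "regsvr32.exe":
        return False
    for target in regsvr32_targets(cmdline):
        path = PureWindowsPath(target)
        odd_ext = path.suffix.lower() not in DLL_EXTENSIONS
        user_dir = any(d in str(path).lower() for d in USER_WRITABLE)
        if odd_ext or user_dir:
            return True
    return False


def scan(events: List[Tuple[str, str]]) -> List[str]:
    """Return the command lines of events that match the IcedID loader pattern."""
    return [cmd for img, cmd in events if is_suspicious(img, cmd)]
```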

ICEDID EXE FILES FROM AN INFECTED HOST:

- 58215823021c2da84fcf725bbb9b118aba9b72178577cba1d4c69545b9ae7fa2
- d197285f37378d669afe2da7d3c60dcb93c118acf0d059d14ca67dcd73708ed2

IP ADDRESSES/DOMAINS FOR HTTPS TRAFFIC CAUSED BY ICEDID:

- 138.68.50[.]71 port 443 - loadhnichar[.]co - GET /backgound.png
- 194.5.249[.]122 port 443 - passiopersio[.]top
- 194.5.249[.]122 port 443 - iskuliokilo[.]pw
- 194.5.249[.]122 port 443 - betfrosner[.]best