- 2020-07-23 (THURSDAY) TA551 (SHATHAK) WORD DOCS PUSHING ICEDID (BOKBOT)
- REFERENCE
- - https://twitter.com/malware_traffic/status/1286371449540935680
- NOTES:
- - All the files below have been submitted to bazaar.abuse.ch
- - All of the URLs for the IcedID installer have been submitted to urlhaus.abuse.ch
- CHAIN OF EVENTS:
- - Email spoofing a legitimate email chain --> password-protected zip attachment --> extracted Word doc --> enable macros --> IcedID installer DLL --> IcedID EXE
- 20 EXAMPLES OF WORD DOCS WITH MACROS FOR ICEDID:
- - 0efdedf34d958243edc8255d0a35d78e972b6d57ea109462e8b320be78a16623 decree-07.20.doc
- - 1ce37ba6b434b711802f3d6049401e1c940031654f7b1cc2fe70201d1b352503 figures.07.23.2020.doc
- - 2b1824e5094baf87ef08e0ea1282d9beba28ab9b57b049fb041926ce51c045fa input_07.23.2020.doc
- - 2f2404eaa1762c92ea08665e31ef57d6118f4e7572a0208bb102fa65c645cf95 rule.07.23.2020.doc
- - 42b380f5afc8d5a470987e95e2a82378fb902daf8a33250dada4e858adccc305 enjoin-07.23.2020.doc
- - 4547c5416d9164c926e43faa66cf6711760be1a8e6e42f46250a994fa7eb6ad9 commerce 07.23.2020.doc
- - 515728dd8d7862b30055a8fe01fbd14d30ecf1c9bc8c8ac9ca22358f01903fef adjure.07.20.doc
- - 51dc78f60b5bcd75b630bf1283e84b5bc69c98017824f537850c26eb90c43077 details 07.23.20.doc
- - 5352a82584dd199a0c02c76f5a03a1ab30008956fc4f85c030826f93abeb9963 enjoin_07.23.2020.doc
- - 58e84bbdabf09fd99841447c2d531f26a9f6ed8084b2905c70079db4d21d5be0 legislate.07.20.doc
- - 6829e26b90a88f5b485f2ef7484bf7692a032f0fd179419e491cabb1299b7dd0 decree,07.20.doc
- - 84e2969e418f746c0500a3975aad550c9c0e906691720d221ff95faa76e885dc charge-07.23.20.doc
- - 8ab51f907222bf61b973f2be8b10b76a06c9ad3d0aaa85d5185c1ab1520ca59d documents_07.20.doc
- - 9937522f6af28da39d189260f40b7dec9a4ec82dd8c56e5281d125fa9490316f report,07.20.doc
- - 9c646d782b3ded8044d293e84f08aaa07d364fb18d010db6c0189dad7123035c docs 07.20.doc
- - 9d064681e57fe17d0333b4e406feb0e2f90c1c1456871c36d677cc2a736decfd docs.07.20.doc
- - bcffa4203b3fea6aaf94f74c3a50d11bd1789bf75a239758453e068b92f11811 input-07.23.2020.doc
- - c127158480e160867e90397a0bdb3209daf448e69873de7ed491c91ea8dc66f0 direct.07.20.doc
- - d4848fde6fe4150a88389dbc9ce4faec123595c973210f87a19b496dd211f032 official paper_07.23.2020.doc
- - e4aecb7ffc7c53d86191864ee60fe6c9e59d0d8250ce0412e69d29de8a4fab73 material,07.23.20.doc
- DOMAINS HOSTING THE ICEDID INSTALLER DLL FILES:
- - 2w17h6a[.]com - 95.181.179[.]136
- - 3wuk8wv[.]com - 79.174.12[.]35
- - awb6q4j[.]com - 51.75.56[.]30
- - efc86dd[.]com - 185.43.4[.]205
- - h7llj8w[.]com - 79.174.12[.]36
- - imrhln0[.]com - 45.12.4[.]132
- - nlx6300[.]com - 95.181.179[.]142
- - redfcpi[.]com - 95.181.179[.]123
- - w4nuvjy[.]com - 185.43.4[.]241
- URLS TO RETRIEVE THE ICEDID INSTALLER DLL FILES:
- - GET /xemcl/iba.php?l=unt1.cab
- - GET /xemcl/iba.php?l=unt2.cab
- - GET /xemcl/iba.php?l=unt3.cab
- - GET /xemcl/iba.php?l=unt4.cab
- - GET /xemcl/iba.php?l=unt5.cab
- - GET /xemcl/iba.php?l=unt6.cab
- - GET /xemcl/iba.php?l=unt7.cab
- - GET /xemcl/iba.php?l=unt8.cab
- - GET /xemcl/iba.php?l=unt9.cab
- - GET /xemcl/iba.php?l=unt10.cab
- - GET /xemcl/iba.php?l=unt11.cab
- - GET /xemcl/iba.php?l=unt12.cab
- - GET /xemcl/iba.php?l=unt13.cab
- - GET /xemcl/iba.php?l=unt14.cab
- - GET /xemcl/iba.php?l=unt15.cab
- 24 EXAMPLES OF SHA256 HASHES FOR ICEDID INSTALLER DLL FILES:
- - 08605832a51e9b9b15ed35538064c26dfee05343bb09c62a83ed4b5fe2bfdb72
- - 14af8a42733f87e2eb26240c5dc649351e68b7920477f880fd4a7e614d3cb042
- - 2ab9bf80e3dd6d73b43e711b8941e81a2606ac315ffb771fdb9212033e90520d
- - 2ca554a264d85b3e0c84bbfe31c8f34a96fedccb37b3398d1f85b0d85a1b2a9c
- - 3bdf5d01989e203e6edb9ee61fd310d79bd4c7163ca4b8aeef66f5ec035bee87
- - 3f2c7f661e8613d8fde12919afa48c3a2f931926406327409941d31081031b62
- - 46dd2eaaefa964086da4a459b539d15d16b965164d4a180cffcb9f975d5084c2
- - 4a222b602fba21c1679cdb179bbcc7d1543c7c63d8305cf284f0f57f108c34e1
- - 536d688b029e003eae01b29bdebd7b44d939c61da6274aee13241919f77d2090
- - 539c339c67f87349e48c9c48faf7d38673f53f8fbf8ee5ba8f67a2f670092ba3
- - 5dad316f13bfad0dc5609d4df8fade8cb4ca358b734c13e6ea4970081038375b
- - 85f8716f1a34c62372794b8c74cee10444d261db90064ffe19e6da11b3b7fbe6
- - 8acca08a2375c6e143aa203ccd4e16f8b13f3cd54254c3eb4c272aeac43f555f
- - 8f0325a3648ae0bea65ba84f6157726c6b81b19daa9f6266863e4778823f95a0
- - aa19e1e52193fcc1daa61148713cf4567ba8a3925b6d0bda03e6f0a1014984ad
- - ab7765cafe9cab11e9e2d5ff1a1fffa3fdc7fb9cb8c1e35874f56ea9d3432042
- - ae0be78e4d1f86fc40075ae7cf3d2191933035d8ca788b112a9e3079b395226a
- - ba0bec6631ee868697950ea1127324681640d5c64d4fc2ae10dfaaf618b57bfa
- - ca7c50311550cf18c758203e677f3e45277f5de65f2c214ee55f2efb77cbce0d
- - e01d66acad3bfd485e7248b2f08e000a8d57a23305539d72da1663a08cf141c7
- - e51009c72bcb9932ce4a2b6c24410bff3ee4e486a7e1c3ec4c144c572206ae2f
- - f8b33e3024d57ca7c338c695c501d8b08c11862239e58c44318bc58171265b63
- - feb8effd6d099b72f777c7fb5086fb1a43388ca9c9bc2fabc0a150c5c657d24c
- - ffeb14131f5dff40f5b0e82c3b2f246ddb43003fa3282450845d20cb3c36048c
- - NOTE: All the above DLL files run with: Regsvr32.exe [filename]
- LOCATIONS FOR THE ICEDID INSTALLER DLL FILES:
- - C:\Users\[username]\AppData\Local\Temp\1.jpg
- - Same directory as the Word doc, named Ub.pdf
- - C:\Users\[username]\Documents\Ub.pdf
- ICEDID EXE FILES FROM AN INFECTED HOST:
- - 58215823021c2da84fcf725bbb9b118aba9b72178577cba1d4c69545b9ae7fa2
- - d197285f37378d669afe2da7d3c60dcb93c118acf0d059d14ca67dcd73708ed2
- IP ADDRESSES/DOMAINS FOR HTTPS TRAFFIC CAUSED BY ICEDID:
- 138.68.50[.]71 port 443 - loadhnichar[.]co - GET /backgound.png
- 194.5.249[.]122 port 443 - passiopersio[.]top
- 194.5.249[.]122 port 443 - iskuliokilo[.]pw
- 194.5.249[.]122 port 443 - betfrosner[.]best
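The following is an added detection example, not part of the original post and not tooling from the author. It turns the indicators above (installer domains, the /xemcl/iba.php?l=untN.cab URL shape, the C2 domains, the Regsvr32.exe execution and the drop locations 1.jpg and Ub.pdf) into matchers and runs them over constructed proxy and process-creation log lines. The two log formats and all sample lines are assumptions made up for the example; the indicator values themselves come from the list above with the defanging brackets removed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Indicators copied from the post above, with "[.]" defanging removed so they
# can be compared against real log fields.
INSTALLER_DOMAINS = {
    "2w17h6a.com", "3wuk8wv.com", "awb6q4j.com", "efc86dd.com", "h7llj8w.com",
    "imrhln0.com", "nlx6300.com", "redfcpi.com", "w4nuvjy.com",
}
C2_DOMAINS = {"loadhnichar.co", "passiopersio.top", "iskuliokilo.pw", "betfrosner.best"}

# Every installer URL in the post has this shape; the number ran from 1 to 15.
INSTALLER_URL_RE = re.compile(r"^/xemcl/iba\.php\?l=unt\d+\.cab$")

# Drop locations for the installer DLL. The username (and, for Ub.pdf, the
# directory) varies, so only the tail of the path is matched.
DROP_PATH_RE = re.compile(r"\\AppData\\Local\\Temp\\1\.jpg$|\\Ub\.pdf$", re.IGNORECASE)

# Constructed log formats (assumptions for this example, not from the post):
#   proxy:   "<ts> <client_ip> <method> <host> <path> <status>"
#   process: "<ts> <endpoint> <image_path> <command_line...>"
PROXY_LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+) (?P<status>\d{3})$"
)
PROCESS_LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<endpoint>\S+) (?P<image>\S+) (?P<cmdline>.*)$")


@dataclass
class Hit:
    line: str
    reason: str


def check_proxy_line(line: str) -> Optional[Hit]:
    """Match one proxy log line against the network indicators."""
    m = PROXY_LINE_RE.match(line)
    if not m:
        return None
    host, path = m["host"].lower(), m["path"]
    if host in INSTALLER_DOMAINS:
        if INSTALLER_URL_RE.match(path):
            return Hit(line, f"IcedID installer retrieval from {host}")
        return Hit(line, f"contact with installer-hosting domain {host}")
    if host in C2_DOMAINS:
        return Hit(line, f"IcedID HTTPS C2 domain {host}")
    if INSTALLER_URL_RE.match(path):
        # Same URL pattern on a host not in the list: domains rotate, the path did not.
        return Hit(line, f"installer URL pattern on unlisted host {host}")
    return None


def check_process_line(line: str) -> Optional[Hit]:
    """Flag regsvr32 loading a file from one of the observed drop locations."""
    m = PROCESS_LINE_RE.match(line)
    if not m:
        return None
    if not m["image"].lower().endswith("regsvr32.exe"):
        return None
    # Check every command-line token; quoted paths have their quotes stripped.
    for tok in m["cmdline"].split():
        if DROP_PATH_RE.search(tok.strip('"')):
            return Hit(line, f"regsvr32 loading installer DLL from drop path {tok}")
    return None


def scan(proxy_lines: List[str], process_lines: List[str]) -> List[Hit]:
    """Run both checks and return every hit in input order."""
    hits = [h for h in map(check_proxy_line, proxy_lines) if h]
    hits += [h for h in map(check_process_line, process_lines) if h]
    return hits


# Constructed sample logs (not real traffic) covering each indicator class.
SAMPLE_PROXY = [
    "2020-07-23T14:02:11Z 10.0.0.25 GET awb6q4j.com /xemcl/iba.php?l=unt3.cab 200",
    "2020-07-23T14:02:40Z 10.0.0.25 GET loadhnichar.co /backgound.png 200",
    "2020-07-23T14:03:05Z 10.0.0.25 GET example.org /index.html 200",
    "2020-07-23T14:03:20Z 10.0.0.25 GET unknown-host.example /xemcl/iba.php?l=unt9.cab 200",
]
SAMPLE_PROCESS = [
    r"2020-07-23T14:02:15Z WS01 C:\Windows\System32\regsvr32.exe regsvr32.exe C:\Users\jdoe\AppData\Local\Temp\1.jpg",
    r'2020-07-23T14:02:16Z WS01 C:\Windows\System32\regsvr32.exe regsvr32.exe "C:\Users\jdoe\Documents\Ub.pdf"',
    r"2020-07-23T14:02:17Z WS01 C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Windows\System32\legit.dll",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_PROXY, SAMPLE_PROCESS):
        print(f"{hit.reason}: {hit.line}")
```

The URL-pattern check is deliberately separate from the domain check: the post lists nine hosting domains but a single path template, so a hunt on the path alone catches the same campaign on a domain that was not yet known when this list was written. The process check keys on regsvr32 being handed a file with a .jpg or .pdf extension in a user-writable location, which is what the "Regsvr32.exe [filename]" note and the drop locations above describe.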