VRad

#icedID_230322

Mar 24th, 2022 (edited)
#IOC #OptiData #VR #icedID #BokBot #DLL #LNK #ISO

https://pastebin.com/LaxLgeEz

previous_contact: n/a

FAQ:
https://malpedia.caad.fkie.fraunhofer.de/details/win.icedid

attack_vector
--------------
email > ZIP passwd > ISO > LNK + DLL > rundll32.exe dar.dll,DllRegisterServer > oceriesfornot.top


# # # # # # # #
email_headers
# # # # # # # #

1st
--------------
Subject: RE: RE: Погодження актів та рахунків
Received: from sitsmbx.com ([168.119.10.77])
Received: from [192.168.1.7] (envelope-from <finance@liftzvar.com.ua>)
Received: from VMMBX01.sits.local (192.168.1.7) by VMMBX01.sits.local with mapi id 15.01.2106.002;
From: Liftzvar Buhgalteriya <finance@liftzvar.com.ua>
Date: Tue, 22 Mar 2022 17:43:00 +0000
Message-ID: <d44f059c85a9443f9c5771e129a9ae61@liftzvar.com.ua>
x-originating-ip: [179.60.150.190]


2nd
--------------
Subject: RE: ПП УКРПРОМЛІФТЗВАР
Received: from sitsmbx.com ([168.119.10.77])
Received: from [192.168.1.7] (envelope-from <finance@liftzvar.com.ua>)
Received: from VMMBX01.sits.local (192.168.1.7) by VMMBX01.sits.local with mapi id 15.01.2106.002;
From: Liftzvar Buhgalteriya <finance@liftzvar.com.ua>
Date: Tue, 22 Mar 2022 17:55:39 +0000
Message-ID: <badf732ddcd74ceea79d20f573efd07b@liftzvar.com.ua>
x-originating-ip: [179.60.150.190]


# # # # # # # #
files
# # # # # # # #

1st
--------------
SHA-256 5ef0a073d1aac50876757d358711d0579671b0a2b7cd3b3581782f61d1fca4f5
File name docs_invoice_180.zip [Zip archive data, at least v2.0 to extract]
File size 85.39 KB (87439 bytes)

SHA-256 2c84b5162ef66c154c66fed1d14f348e5e0054dff486a63f0473165fdbee9b2e
File name docs_invoice_180.iso [ISO 9660 CD-ROM filesystem]
File size 214.00 KB (219136 bytes)

SHA-256 3ef172523e0ca0c357217012beb3fba3f3a0db7b6ad9caf1d5ab0df5beff60fe
File name dar.dll [PE32+ executable for MS Windows (DLL) (GUI) Mono/.Net assembly]
File size 150.50 KB (154112 bytes)

SHA-256 3bb2f8c2d2d1c8da2a2051bd9621099689c5cd0a6b12aa8cb5739759e843e5e6
File name document.lnk [MS Windows shortcut]
File size 1.21 KB (1237 bytes)


2nd
--------------
SHA-256 20ce24c143c0ee983e279fd49e94534247278ad1e19929432f142b24cbe58f65
File name docs_invoice_113.zip [Zip archive data, at least v2.0 to extract]
File size 85.57 KB (87626 bytes)

SHA-256 8d30ab8260760e12a8990866eced1567ced257e0cb2fc9f7d2ea927806435208
File name docs_invoice_113.iso [ISO 9660 CD-ROM filesystem]
File size 212.00 KB (217088 bytes)

SHA-256 66ff54ba902079fb4be0d7f5b6ce79752b69cdde095c76d99f8488971b0945ed
File name dar.dll [PE32+ executable for MS Windows (DLL) (GUI) Mono/.Net assembly]
File size 150.00 KB (153600 bytes)

SHA-256 3bb2f8c2d2d1c8da2a2051bd9621099689c5cd0a6b12aa8cb5739759e843e5e6
File name document.lnk [MS Windows shortcut]
File size 1.21 KB (1237 bytes)


# # # # # # # #
activity
# # # # # # # #

PL_SCR attached ISO

C2 oceriesfornot.top [188.166.154.118] DigitalOcean, London, GB
seaskysafe.com [138.68.42.130] DigitalOcean, SC, California

netwrk
--------------
188.166.154.118 oceriesfornot.top 80 HTTP GET / HTTP/1.1
138.68.42.130 seaskysafe.com 443 TLSv1 Client Hello

comp
--------------
rundll32.exe 2664 49222 188.166.154.118 80 ESTABLISHED
rundll32.exe 2664 49223 138.68.42.130 443 ESTABLISHED

proc
--------------
C:\Windows\Explorer.EXE
"C:\Windows\System32\rundll32.exe" dar.dll,DllRegisterServer
C:\Windows\System32\cmd.exe /c chcp >&2
C:\Windows\System32\Wbem\WMIC.exe /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List
C:\Windows\System32\ipconfig.exe /all
C:\Windows\System32\systeminfo.exe
C:\Windows\System32\net.exe config workstation
C:\Windows\System32\nltest.exe /domain_trusts
C:\Windows\System32\nltest.exe /domain_trusts /all_trusts
C:\Windows\System32\net.exe view /all /domain
C:\Windows\System32\net.exe view /all
C:\Windows\System32\net.exe group "Domain Admins" /domain

persist
--------------
Task Scheduler
\ayacutzako_{9018AAA7-CFA0-0795-8A9A-841ED11433B6}
c:\users\operator\appdata\roaming\operator\gimauzsw2.dll 08.08.2015 18:18

drop
--------------
%temp%\sqlite64.dll
C:\Users\operator\AppData\Roaming\SketchRare\license.dat
C:\Users\operator\AppData\Roaming\operator\Gimauzsw2.dll

# # # # # # # #
additional info
# # # # # # # #
lnkinfo document.lnk
C:\Windows\System32\rundll32.exe dar.dll,DllRegisterServer

Link information:
Creation time : Feb 11, 2022 18:03:18.700434400 UTC
Modification time : Feb 11, 2022 18:03:18.700434400 UTC
Access time : Mar 22, 2022 10:40:06.757972400 UTC
File size : 71680 bytes
Icon index : 1
Show Window value : 0x00011800
Hot Key value : 6144
File attribute flags : 0x00000020
Should be archived (FILE_ATTRIBUTE_ARCHIVE)
Drive type : Fixed (3)
Drive serial number : 0x4a08fd24
Volume label :
Local path : C:\Windows\System32\rundll32.exe
Relative path : ..\..\..\..\Windows\System32\rundll32.exe
Command line arguments : dar.dll,DllRegisterServer
Icon location : %SystemRoot%\System32\SHELL32.dll


# # # # # # # #
VT & Intezer
# # # # # # # #

Dropped files
**************
https://www.virustotal.com/gui/file/5ef0a073d1aac50876757d358711d0579671b0a2b7cd3b3581782f61d1fca4f5/details
https://www.virustotal.com/gui/file/2c84b5162ef66c154c66fed1d14f348e5e0054dff486a63f0473165fdbee9b2e/details
https://www.virustotal.com/gui/file/3ef172523e0ca0c357217012beb3fba3f3a0db7b6ad9caf1d5ab0df5beff60fe/details
https://www.virustotal.com/gui/file/3bb2f8c2d2d1c8da2a2051bd9621099689c5cd0a6b12aa8cb5739759e843e5e6/details
https://analyze.intezer.com/analyses/a24495f6-704c-41f6-bedb-189cf95e579e

https://www.virustotal.com/gui/file/20ce24c143c0ee983e279fd49e94534247278ad1e19929432f142b24cbe58f65/details
https://www.virustotal.com/gui/file/8d30ab8260760e12a8990866eced1567ced257e0cb2fc9f7d2ea927806435208/details
https://www.virustotal.com/gui/file/66ff54ba902079fb4be0d7f5b6ce79752b69cdde095c76d99f8488971b0945ed/details
https://www.virustotal.com/gui/file/3bb2f8c2d2d1c8da2a2051bd9621099689c5cd0a6b12aa8cb5739759e843e5e6/details
https://analyze.intezer.com/analyses/b4d7f7ae-4ec8-428d-bdf3-c956ddc4b3a3

C2
**************
https://www.virustotal.com/gui/domain/oceriesfornot.top/details

VR