#IOC #OptiData #VR #icedID #BokBot #DLL #LNK #ISO
https://pastebin.com/LaxLgeEz
previous_contact: n/a
FAQ:
https://malpedia.caad.fkie.fraunhofer.de/details/win.icedid
attack_vector
--------------
email > password-protected ZIP > ISO > LNK + DLL > rundll32.exe dar.dll,DllRegisterServer > oceriesfornot.top
# # # # # # # #
email_headers
# # # # # # # #
1st
--------------
Subject: RE: RE: Погодження актів та рахунків (Approval of acts and invoices)
Received: from sitsmbx.com ([168.119.10.77])
Received: from [192.168.1.7] (envelope-from <finance@liftzvar.com.ua>)
Received: from VMMBX01.sits.local (192.168.1.7) by VMMBX01.sits.local with mapi id 15.01.2106.002;
From: Liftzvar Buhgalteriya <finance@liftzvar.com.ua>
Date: Tue, 22 Mar 2022 17:43:00 +0000
Message-ID: <d44f059c85a9443f9c5771e129a9ae61@liftzvar.com.ua>
x-originating-ip: [179.60.150.190]
2nd
--------------
Subject: RE: ПП УКРПРОМЛІФТЗВАР (PE UKRPROMLIFTZVAR; ПП = private enterprise)
Received: from sitsmbx.com ([168.119.10.77])
Received: from [192.168.1.7] (envelope-from <finance@liftzvar.com.ua>)
Received: from VMMBX01.sits.local (192.168.1.7) by VMMBX01.sits.local with mapi id 15.01.2106.002;
From: Liftzvar Buhgalteriya <finance@liftzvar.com.ua>
Date: Tue, 22 Mar 2022 17:55:39 +0000
Message-ID: <badf732ddcd74ceea79d20f573efd07b@liftzvar.com.ua>
x-originating-ip: [179.60.150.190]
# # # # # # # #
files
# # # # # # # #
1st
--------------
SHA-256 5ef0a073d1aac50876757d358711d0579671b0a2b7cd3b3581782f61d1fca4f5
File name docs_invoice_180.zip [Zip archive data, at least v2.0 to extract]
File size 85.39 KB (87439 bytes)
SHA-256 2c84b5162ef66c154c66fed1d14f348e5e0054dff486a63f0473165fdbee9b2e
File name docs_invoice_180.iso [ISO 9660 CD-ROM filesystem]
File size 214.00 KB (219136 bytes)
SHA-256 3ef172523e0ca0c357217012beb3fba3f3a0db7b6ad9caf1d5ab0df5beff60fe
File name dar.dll [PE32+ executable for MS Windows (DLL) (GUI) Mono/.Net assembly]
File size 150.50 KB (154112 bytes)
SHA-256 3bb2f8c2d2d1c8da2a2051bd9621099689c5cd0a6b12aa8cb5739759e843e5e6
File name document.lnk [MS Windows shortcut]
File size 1.21 KB (1237 bytes)
2nd
--------------
SHA-256 20ce24c143c0ee983e279fd49e94534247278ad1e19929432f142b24cbe58f65
File name docs_invoice_113.zip [Zip archive data, at least v2.0 to extract]
File size 85.57 KB (87626 bytes)
SHA-256 8d30ab8260760e12a8990866eced1567ced257e0cb2fc9f7d2ea927806435208
File name docs_invoice_113.iso [ISO 9660 CD-ROM filesystem]
File size 212.00 KB (217088 bytes)
SHA-256 66ff54ba902079fb4be0d7f5b6ce79752b69cdde095c76d99f8488971b0945ed
File name dar.dll [PE32+ executable for MS Windows (DLL) (GUI) Mono/.Net assembly]
File size 150.00 KB (153600 bytes)
SHA-256 3bb2f8c2d2d1c8da2a2051bd9621099689c5cd0a6b12aa8cb5739759e843e5e6
File name document.lnk [MS Windows shortcut]
File size 1.21 KB (1237 bytes)
# # # # # # # #
activity
# # # # # # # #
PL_SCR attached ISO
C2 oceriesfornot.top [188.166.154.118] DigitalOcean, London, GB
   seaskysafe.com [138.68.42.130] DigitalOcean, SC, California
netwrk
--------------
(remote IP, host, remote port, protocol / first request)
188.166.154.118 oceriesfornot.top 80 HTTP GET / HTTP/1.1
138.68.42.130 seaskysafe.com 443 TLSv1 Client Hello
comp
--------------
(process, PID, local port, remote IP, remote port, state)
rundll32.exe 2664 49222 188.166.154.118 80 ESTABLISHED
rundll32.exe 2664 49223 138.68.42.130 443 ESTABLISHED
proc
--------------
C:\Windows\Explorer.EXE
"C:\Windows\System32\rundll32.exe" dar.dll,DllRegisterServer
C:\Windows\System32\cmd.exe /c chcp >&2
C:\Windows\System32\Wbem\WMIC.exe /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List
C:\Windows\System32\ipconfig.exe /all
C:\Windows\System32\systeminfo.exe
C:\Windows\System32\net.exe config workstation
C:\Windows\System32\nltest.exe /domain_trusts
C:\Windows\System32\nltest.exe /domain_trusts /all_trusts
C:\Windows\System32\net.exe view /all /domain
C:\Windows\System32\net.exe view /all
C:\Windows\System32\net.exe group "Domain Admins" /domain
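The process list above is the discovery burst that follows the loader: one rundll32.exe started with <dll>,DllRegisterServer, then a run of host and domain enumeration commands from the same parent. The script below is an added detection example, not code from this paste or from the IcedID analysis it points to. It takes process-creation events with Sysmon Event ID 1 style fields (time, pid, ppid, image, cmdline; the field names are an assumption), ties children and grandchildren back to a loader-style rundll32 parent, and alerts when enough distinct discovery categories appear within a short window. The events it runs on are constructed to mirror the list above plus one benign ipconfig from an interactive shell, which must not alert.

```python
"""Flag the discovery burst shown in the proc list: a rundll32.exe launched with
<dll>,DllRegisterServer that then spawns several host/domain enumeration commands
within a short window. Added example; events are constructed, not a real log export."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Discovery commands from the page's process list; regexes run over the lower-cased command line.
DISCOVERY = (
    ("codepage",      re.compile(r"\bchcp\b")),
    ("av_enum",       re.compile(r"wmic.*securitycenter2.*antivirusproduct")),
    ("ipconfig",      re.compile(r"ipconfig(\.exe)?\s+/all")),
    ("systeminfo",    re.compile(r"systeminfo")),
    ("net_config",    re.compile(r"\bnet(\.exe)?\s+config\s+workstation")),
    ("trusts",        re.compile(r"nltest(\.exe)?\s+/domain_trusts")),
    ("net_view",      re.compile(r"\bnet(\.exe)?\s+view\b")),
    ("domain_admins", re.compile(r'\bnet(\.exe)?\s+group\s+"?domain admins"?')),
)
# rundll32 invoking a DLL's DllRegisterServer export: the loader stage seen on the page
LOADER = re.compile(r'rundll32(\.exe)?"?\s+\S+\.dll,\s*dllregisterserver', re.I)


def classify(cmdline):
    """Set of discovery tags matched by one command line."""
    low = cmdline.lower()
    return {tag for tag, rx in DISCOVERY if rx.search(low)}


def _descendants(children, pid, depth=2):
    """Children and grandchildren: the commands may be direct or run through cmd.exe /c."""
    out, frontier = [], [pid]
    for _ in range(depth):
        frontier = [c for p in frontier for c in children[p]]
        out.extend(frontier)
        frontier = [c["pid"] for c in frontier]
    return out


def detect(events, min_distinct=4, window=timedelta(minutes=5)):
    """One alert per loader-style rundll32 whose descendants cover >= min_distinct
    discovery categories within `window` of the parent's start time."""
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    alerts = []
    for parent in events:
        if not LOADER.search(parent["cmdline"]):
            continue
        seen = {}  # tag -> first command line that produced it
        for c in _descendants(children, parent["pid"]):
            if not (timedelta(0) <= c["time"] - parent["time"] <= window):
                continue
            for tag in classify(c["cmdline"]):
                seen.setdefault(tag, c["cmdline"])
        if len(seen) >= min_distinct:
            alerts.append({"pid": parent["pid"], "cmdline": parent["cmdline"],
                           "discovery": sorted(seen), "evidence": seen})
    return alerts


def sample_events():
    """Constructed to mirror the page's process list, plus a benign ipconfig from an interactive shell."""
    t0 = datetime(2022, 3, 22, 10, 41, 0)
    rows = (
        (1000,  800, r"C:\Windows\Explorer.EXE"),
        (2664, 1000, r'"C:\Windows\System32\rundll32.exe" dar.dll,DllRegisterServer'),
        (2700, 2664, r"C:\Windows\System32\cmd.exe /c chcp >&2"),
        (2712, 2664, r"C:\Windows\System32\Wbem\WMIC.exe /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List"),
        (2720, 2664, r"C:\Windows\System32\ipconfig.exe /all"),
        (2731, 2664, r"C:\Windows\System32\systeminfo.exe"),
        (2744, 2664, r"C:\Windows\System32\nltest.exe /domain_trusts"),
        (2750, 2664, r'C:\Windows\System32\net.exe group "Domain Admins" /domain'),
        (3100, 1000, r'"C:\Windows\System32\cmd.exe"'),   # an admin opens a shell...
        (3105, 3100, r"ipconfig /all"),                    # ...and runs one command: must not alert
    )
    return [{"time": t0 + timedelta(seconds=3 * i), "pid": p, "ppid": pp,
             "image": cl.split()[0].strip('"'), "cmdline": cl}
            for i, (p, pp, cl) in enumerate(rows)]


if __name__ == "__main__":
    for a in detect(sample_events()):
        print(f"pid {a['pid']}: {a['cmdline']}")
        for tag, cl in a["evidence"].items():
            print(f"   {tag:14} {cl}")
```

Keying on the parent (rundll32 with a DllRegisterServer export argument) plus the count of distinct categories, rather than on any single command, is what keeps an administrator's lone ipconfig or nltest from alerting; the window and threshold are tuning knobs, and the evidence map gives the responder the exact command lines to pivot on.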
persist
--------------
Task Scheduler
\ayacutzako_{9018AAA7-CFA0-0795-8A9A-841ED11433B6}
c:\users\operator\appdata\roaming\operator\gimauzsw2.dll 08.08.2015 18:18
drop
--------------
%temp%\sqlite64.dll
C:\Users\operator\AppData\Roaming\SketchRare\license.dat
C:\Users\operator\AppData\Roaming\operator\Gimauzsw2.dll
# # # # # # # #
additional info
# # # # # # # #
lnkinfo document.lnk
C:\Windows\System32\rundll32.exe dar.dll,DllRegisterServer
Link information:
    Creation time : Feb 11, 2022 18:03:18.700434400 UTC
    Modification time : Feb 11, 2022 18:03:18.700434400 UTC
    Access time : Mar 22, 2022 10:40:06.757972400 UTC
    File size : 71680 bytes
    Icon index : 1
    Show Window value : 0x00011800
    Hot Key value : 6144
    File attribute flags : 0x00000020
        Should be archived (FILE_ATTRIBUTE_ARCHIVE)
    Drive type : Fixed (3)
    Drive serial number : 0x4a08fd24
    Volume label :
    Local path : C:\Windows\System32\rundll32.exe
    Relative path : ..\..\..\..\Windows\System32\rundll32.exe
    Command line arguments : dar.dll,DllRegisterServer
    Icon location : %SystemRoot%\System32\SHELL32.dll
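The lnkinfo output above is everything an analyst needs from the shortcut: the target (rundll32.exe), the arguments (dar.dll,DllRegisterServer) and the SHELL32 icon that makes it look like a document; the "File size" is the link target's size, not the 1237-byte .lnk itself. The script below is an added example, not code from this paste, of recovering those fields directly from the MS-SHLLINK structure so that an LNK pulled out of an ISO can be triaged on a non-Windows box without lnkinfo or Explorer. It reads the ShellLinkHeader, skips LinkTargetIDList and LinkInfo by their size fields, decodes the StringData items, and flags shortcuts that launch a LOLBin or load a DLL. The LOLBin list is analyst judgement, not a specification. The sample shortcut it parses is constructed in code to match the output above; it is not the real document.lnk (it carries no IDList or LinkInfo, so "Local path" is absent).

```python
"""Triage a Windows shortcut (.lnk) without opening it: read the MS-SHLLINK
header and StringData, recover the target and command-line arguments, and flag
shortcuts that launch a LOLBin. Added example; the sample .lnk is constructed."""
import struct
import sys

# ShellLinkHeader constants (MS-SHLLINK 2.1)
HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))

# Hosts a "document" shortcut has no business launching (analyst judgement, not a spec list)
LOLBINS = ("rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe",
           "cscript.exe", "powershell.exe", "cmd.exe", "msiexec.exe")


def _read_string(buf, off, unicode):
    """StringData item: uint16 character count, then the characters (UTF-16LE if IsUnicode)."""
    (count,) = struct.unpack_from("<H", buf, off)
    off += 2
    if unicode:
        return buf[off:off + 2 * count].decode("utf-16-le"), off + 2 * count
    return buf[off:off + count].decode("cp1252", "replace"), off + count


def parse_lnk(data):
    """Return header fields and StringData; LinkTargetIDList and LinkInfo are skipped by size."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE \
            or data[4:20] != LINK_CLSID:
        raise ValueError("not a Shell Link file")
    flags, attrs = struct.unpack_from("<II", data, 20)
    target_size, icon_index, show_cmd = struct.unpack_from("<IiI", data, 52)
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        (id_list_size,) = struct.unpack_from("<H", data, off)
        off += 2 + id_list_size
    if flags & HAS_LINK_INFO:
        (link_info_size,) = struct.unpack_from("<I", data, off)
        off += link_info_size
    info = {"file_attributes": attrs, "target_size": target_size,
            "icon_index": icon_index, "show_command": show_cmd}
    for flag, key in STRING_FIELDS:
        if flags & flag:
            info[key], off = _read_string(data, off, bool(flags & IS_UNICODE))
    return info


def triage(info):
    """Reasons the shortcut looks like a loader; an empty list means nothing obvious."""
    reasons = []
    target = (info.get("relative_path") or info.get("name") or "").lower()
    args = info.get("arguments", "")
    if target.endswith(LOLBINS):
        reasons.append("target is a LOLBin: " + target)
    if "dllregisterserver" in args.lower() or ".dll" in args.lower():
        reasons.append("arguments load a DLL: " + args)
    return reasons


def build_sample_lnk():
    """Constructed sample shaped like the lnkinfo output on the page; not the real document.lnk."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack("<I16sII", HEADER_SIZE, LINK_CLSID, flags, 0x20)  # size, CLSID, flags, FILE_ATTRIBUTE_ARCHIVE
    header += struct.pack("<QQQ", 0, 0, 0)                                  # creation/access/write FILETIME
    header += struct.pack("<IiIHHII", 71680, 1, 1, 0, 0, 0, 0)              # target size, icon idx, SW_SHOWNORMAL, hotkey, reserved
    body = b""
    for s in ("..\\..\\..\\..\\Windows\\System32\\rundll32.exe",
              "dar.dll,DllRegisterServer", "%SystemRoot%\\System32\\SHELL32.dll"):
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + body + struct.pack("<I", 0)  # ExtraData TerminalBlock


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_lnk()
    parsed = parse_lnk(data)
    for k, v in parsed.items():
        print(f"{k:16} {v}")
    print("verdict:", "; ".join(triage(parsed)) or "nothing obvious")
```

Run it with a path to a real .lnk to parse that file, or with no argument to parse the constructed sample. On a real sample the IDList and LinkInfo are present and skipped, so the StringData still lands at the right offset; a non-LNK blob (for instance the DLL handed over by mistake) is rejected on the header size and CLSID check instead of being misread.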
# # # # # # # #
VT & Intezer
# # # # # # # #
Dropped files
**************
https://www.virustotal.com/gui/file/5ef0a073d1aac50876757d358711d0579671b0a2b7cd3b3581782f61d1fca4f5/details
https://www.virustotal.com/gui/file/2c84b5162ef66c154c66fed1d14f348e5e0054dff486a63f0473165fdbee9b2e/details
https://www.virustotal.com/gui/file/3ef172523e0ca0c357217012beb3fba3f3a0db7b6ad9caf1d5ab0df5beff60fe/details
https://www.virustotal.com/gui/file/3bb2f8c2d2d1c8da2a2051bd9621099689c5cd0a6b12aa8cb5739759e843e5e6/details
https://analyze.intezer.com/analyses/a24495f6-704c-41f6-bedb-189cf95e579e
https://www.virustotal.com/gui/file/20ce24c143c0ee983e279fd49e94534247278ad1e19929432f142b24cbe58f65/details
https://www.virustotal.com/gui/file/8d30ab8260760e12a8990866eced1567ced257e0cb2fc9f7d2ea927806435208/details
https://www.virustotal.com/gui/file/66ff54ba902079fb4be0d7f5b6ce79752b69cdde095c76d99f8488971b0945ed/details
https://www.virustotal.com/gui/file/3bb2f8c2d2d1c8da2a2051bd9621099689c5cd0a6b12aa8cb5739759e843e5e6/details
https://analyze.intezer.com/analyses/b4d7f7ae-4ec8-428d-bdf3-c956ddc4b3a3
C2
**************
https://www.virustotal.com/gui/domain/oceriesfornot.top/details
VR