malware_traffic

2020-07-30 (Thursday) - TA551 (Shathak) Word docs push IcedID (Bokbot)

Jul 30th, 2020 (edited)
2020-07-30 (THURSDAY) TA551 WORD DOCS PUSH ICEDID (BOKBOT)

REFERENCE:

- https://twitter.com/malware_traffic/status/1288904813758099457

NOTES:

- More info about TA551 (Shathak) distribution is found in my blog for Valak at Palo Alto Networks: https://unit42.paloaltonetworks.com/valak-evolution/

- Instead of pushing Valak with IcedID as follow-up malware, TA551 has been pushing only IcedID for English-speaking victims since 2020-07-14, documented at https://isc.sans.edu/forums/diary/Word+docs+with+macros+for+IcedID+Bokbot/26352/ and nearly every weekday since then.

- Today, the TA551 (Shathak) campaign in some cases used a copy of certutil.exe to retrieve the IcedID installer DLL, but in other examples it did not use certutil.exe.

- All the files below have been submitted to bazaar.abuse.ch

- All of the URLs for the IcedID installer have been submitted to urlhaus.abuse.ch

20 EXAMPLES OF WORD DOCS WITH MACRO FOR ICEDID INSTALLER DLL:

- 092381d01ee8ceafc88163dbe0e4255f452d68a69c26bf4bf0c05b9d41303a75 intelligence_07.30.2020.doc
- 09ad2e05ee1b590996b1d57461f3a991c763cc676afa8ae8b6fc02586b935407 files,07.20.doc
- 15731a6037944510f53bd37eb5a8c76d762274397d7937b81c6386b8c1a81a2e inquiry,07.30.2020.doc
- 254f651790d8e84d7d8b557d7fb064aca16b467af8a29d7906d01cfc3f3948c6 rule-07.30.2020.doc
- 28d1b2b7dd8b8ee8c3e720236b123ea1688af0e8ff048c9662eafc5077be836b inquiry-07.20.doc
- 4e8ce72ab4a9be22ab3d76e278d17259f1250c15bdf3ab15b7416c18604ae350 order,07.30.2020.doc
- 59d272ffeef2cae40dbe9fd24800fbf552cdbb9f6b3bec9b02e6ab77afd94aac dictate_07.30.2020.doc
- 6090c9e520211dca35fd774b94f127ba396727e25f00eafb86bfff5979bfa22a commerce ,07.20.doc
- 7c46a8634e0ed291edc1e135d27c042383a9560df45bc4470d30719cb533ba47 ordain_07.20.doc
- 7f14bd644f7cb4db1ca63ad27918b5752ad90e53036746e82d9c5ca0724db475 tell_07.20.doc
- 884316f52ec1b6b276e585a01b3099260ffdd1ce4fe09fdb7ef252264e87caa6 tell-07.20.doc
- 949e2fec1b1290bd78e9bb35c25d6c634b5a8f401bb7d13957fba17286726c2b report.07.20.doc
- bd96cc2b200f1b2664339fa50cfa247ea94cee13dc2e02127066950568dc21f8 intelligence.07.20.doc
- beab9687193a17c2152dbcfccd635e7e61e877862d7bb4c81afc4e56744e0f17 particulars_07.20.doc
- c2525050626af56480b27b7208ffbab22a4865e252c618730ff4360f18a33d0c commerce .07.30.2020.doc
- cccc1b9dc6c97b84b89efa414034da29b8ff1a1cd9921cb33797e6a25a2891c4 legal agreement-07.30.2020.doc
- d66972dbf6c591bc6ee282518a953bbbe2e5ace24359731c01b53e28df8b3577 instruct_07.20.doc
- ddd986b55edfcc2a7b680ecf9ffaa9b3a0548bf8eb288d670478aa7415bce522 docs,07.20.doc
- ded5eb3d65a25bc62e7953174a219605e61a72f03135a48f6153b2aa5098c2f9 order_07.20.doc
- ec03288989e8458f0daaee296ce994ab525642f21e6927e192905f3ffe571089 particulars_07.30.2020.doc

AT LEAST 10 DOMAINS HOSTING ICEDID INSTALLER DLL:

- 0eed1ejih[.]com - 2.57.184[.]54
- 1iif89rvl[.]com - 81.29.134[.]57
- 6gsdlmpym[.]com - 81.29.134[.]37
- 6kd743o1w[.]com - 185.144.29[.]2
- 8wsed5qkw[.]com - 95.181.157[.]197
- bofzvaxf6[.]com - 95.181.157[.]198
- jfmmusox0[.]com - 81.29.134[.]49
- py072wgiw[.]com - 185.144.29[.]3
- ybvoc9qoo[.]com - 95.181.157[.]195
- z7rflq080[.]com - 95.181.157[.]199

HTTP GET REQUESTS FOR ICEDID INSTALLER DLL:

- GET /bolb/jaent.php?l=liut1.cab
- GET /bolb/jaent.php?l=liut2.cab
- GET /bolb/jaent.php?l=liut3.cab
- GET /bolb/jaent.php?l=liut4.cab
- GET /bolb/jaent.php?l=liut5.cab
- GET /bolb/jaent.php?l=liut6.cab
- GET /bolb/jaent.php?l=liut7.cab
- GET /bolb/jaent.php?l=liut8.cab
- GET /bolb/jaent.php?l=liut9.cab
- GET /bolb/jaent.php?l=liut10.cab
- GET /bolb/jaent.php?l=liut11.cab
- GET /bolb/jaent.php?l=liut12.cab
- GET /bolb/jaent.php?l=liut13.cab
- GET /bolb/jaent.php?l=liut14.cab
- GET /bolb/jaent.php?l=liut15.cab
- GET /bolb/jaent.php?l=liut16.cab
- GET /bolb/jaent.php?l=liut17.cab
- GET /bolb/jaent.php?l=liut18.cab

27 EXAMPLES OF SHA256 HASHES FOR ICEDID INSTALLER DLL:

- 08e1433330dd63f0f23cfcbd0caa4ab6ad7e36c408a898af2f17f00a2356e20c
- 0bac073dd46fd8ac5c68c735f7d8ddecd264107e5163a23ce4f0d1d64823c709
- 10541da23f1a6299fe00f9657b9dad7dae53c3091f39f1cfec03f30a93286168
- 1f5672777a723b52064ff3876f7d582c524483a5205eb509a9aa6c5566fd4f71
- 202e93ce45541da3971aebc5ec5027209ab9ce01cfd65e229ecf90d396b8201d
- 249604488f5145ceee176cb5345c7d3c10b28f8645b7e7b7ad43fff90e3e1141
- 26814ac4a62e9a9a3fe1059ba49709b161085cc3a1cbbdf5ee20beb742908083
- 27e9ab78945ccd312212192c0f7cd39a33876b0743f93abbcbd8b5086753b347
- 45000434dad8947c25761ea8e2257458baa10424402b7d48472fac5b1dc5aa47
- 54b5a9d4964628097caa5389be308d3306ad5feb01144cf13af0892799da41cb
- 5e5d856ef6917165ca56dc2e356a25f7b86e902feb29d3570d84b2bd0b7d1529
- 634de4133f7682703e21d4f98fdf1f5d761edf17882a8b37622c95d0182e582f
- 7ae35c2610961499b83a35df80b4c9654d10a97fbd5020345f49497941d755a8
- 7d97f43bdac6a0420b701f622c164af9f6aed64cb5f3cdbdc3bc44088b0ac2d9
- 85fbffd801a6b050745336a42637077ddb544e3039905d9b93f78df310af6e02
- 97c5b7288083a6a65513aff8ef98a3b53c7509ef7eaf8b5f220ff908e4fe92bb
- 9e7743f112f712bdd9d1658079701138fdb195d73957b894acf5017f63feac94
- b3a9d5d233d155daf54e2ef3e7694e3e1659c0465c34fe0043007fb6983cb32d
- d872601623df5c1f8f378fb962df80d03922392ec2b3494437c6e347c89c3d14
- da4e1bb6c651a569ee44eb2d2a37eaae7035a46d8281592b77666f0819fcf1c8
- e0a4280ea1f844aa28c808c5931e3e245730b70d3c8d6ff8d5c13eaaa7115980
- e2527c3c1c50b1a4b1c94066d963a0c93b19f28965fc0ad5d53b734b10bf37ed
- e7d1ee172b95df20dc90f3100a5b06fb150408b76e92f159fd1e8e69c3c61035
- f291bed7451bf2485250b3ebeed132e7f56712d856b316b6fb8f88a4a205d0a3
- fdc1a3d88eca9afa817aaf00818f29ea8e80fc1b3a71f46d5231572fb2f69b26
- ff7222b433477e4794dbfd8b0ad34dc4e6397c7673fe431c6710c6e77a69b78c
- ff87844648c0e1da40aea7bb418bb8b2011f5c55f7a6c3d43228e3c0cf5c33b8

- NOTE: All the above DLL files run with: Regsvr32.exe [filename]

TWO LOCATIONS NOTED FOR THE ICEDID INSTALLER DLL FILES:

- C:\ProgramData\1.tmp
- C:\Users\[username]\AppData\Local\Temp\main.theme

TRAFFIC CAUSED BY ICEDID INSTALLER DLL:

- port 443 - www.intel.com
- port 443 - help.twitter.com
- port 443 - support.oracle.com
- port 443 - www.oracle.com
- port 443 - support.apple.com
- port 443 - support.microsoft.com

- 194.5.249[.]199 port 443 - ldrgopak[.]casa
- 194.5.249[.]199 port 443 - loadbudapest[.]casa
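
The following is an added hunting example, not part of the original paste and not the author's code. It takes the installer domains/IPs, the /bolb/jaent.php?l=liut<N>.cab request shape, the two DLL drop locations and the two .casa C2 domains listed above and runs them over constructed log lines. Assumptions: the simple "HTTP host dst_ip method uri" and "PROC image cmdline" record format is invented for the example, the 203.0.113.x destination IPs and the hostnames on the benign sample lines are placeholders, and any liut<N>.cab value (not only 1 to 18) is treated as the same pattern.

```python
"""Hunt for the TA551 / IcedID indicators from the paste above in log data.

Added example, not part of the original paste. The log format, the sample
lines and the placeholder destination IPs (203.0.113.x) are constructed here;
the domains, IPs, URI shape and drop paths are the ones listed in the paste.
"""
import re


def refang(ioc: str) -> str:
    """Turn a de-fanged indicator (e.g. 81.29.134[.]57) back into a usable host/IP."""
    return ioc.replace("[.]", ".")


# Domains and IPs that hosted the IcedID installer DLL (from the paste).
INSTALLER_HOSTS = {refang(d) for d in (
    "0eed1ejih[.]com", "1iif89rvl[.]com", "6gsdlmpym[.]com", "6kd743o1w[.]com",
    "8wsed5qkw[.]com", "bofzvaxf6[.]com", "jfmmusox0[.]com", "py072wgiw[.]com",
    "ybvoc9qoo[.]com", "z7rflq080[.]com",
)}
INSTALLER_IPS = {refang(i) for i in (
    "2.57.184[.]54", "81.29.134[.]57", "81.29.134[.]37", "185.144.29[.]2",
    "95.181.157[.]197", "95.181.157[.]198", "81.29.134[.]49", "185.144.29[.]3",
    "95.181.157[.]195", "95.181.157[.]199",
)}
# Post-infection C2 from the paste.
C2_HOSTS = {refang(d) for d in ("ldrgopak[.]casa", "loadbudapest[.]casa")}
C2_IPS = {refang("194.5.249[.]199")}

# The paste shows liut1.cab .. liut18.cab; assumption: any liut<N>.cab is the same pattern.
INSTALLER_URI_RE = re.compile(r"^/bolb/jaent\.php\?l=liut\d+\.cab$")

# The two noted drop locations; [username] is treated as a wildcard.
DROP_PATH_RES = (
    re.compile(r"c:\\programdata\\1\.tmp\b", re.I),
    re.compile(r"c:\\users\\[^\\]+\\appdata\\local\\temp\\main\.theme\b", re.I),
)


def check_http(host: str, dst_ip: str, method: str, uri: str) -> list:
    """Return the reasons an HTTP request matches the download or C2 indicators."""
    reasons = []
    if host.lower() in INSTALLER_HOSTS or dst_ip in INSTALLER_IPS:
        reasons.append("installer-host")
    if method.upper() == "GET" and INSTALLER_URI_RE.match(uri):
        reasons.append("installer-uri")  # also catches new domains reusing the same path
    if host.lower() in C2_HOSTS or dst_ip in C2_IPS:
        reasons.append("c2")
    return reasons


def check_process(image: str, cmdline: str) -> list:
    """Flag regsvr32.exe being handed one of the two noted DLL drop paths."""
    if image.lower().rsplit("\\", 1)[-1] != "regsvr32.exe":
        return []
    return ["regsvr32-drop-path"] if any(r.search(cmdline) for r in DROP_PATH_RES) else []


# Constructed log lines (not real telemetry). Two record types:
#   HTTP <host> <dst_ip> <method> <uri>
#   PROC <image> <command line>
SAMPLE_LOG = [
    r"HTTP 6kd743o1w.com 185.144.29.2 GET /bolb/jaent.php?l=liut7.cab",
    r"HTTP www.example.com 203.0.113.5 GET /index.html",
    r"HTTP support.microsoft.com 203.0.113.10 GET /",
    r"HTTP ldrgopak.casa 194.5.249.199 POST /",
    r"PROC C:\Windows\System32\regsvr32.exe regsvr32.exe C:\ProgramData\1.tmp",
    r"PROC C:\Windows\System32\regsvr32.exe regsvr32.exe C:\Users\alice\AppData\Local\Temp\main.theme",
    r"PROC C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Program Files\Vendor\legit.dll",
]


def scan(lines) -> list:
    """Return (line number, reasons) for every line that matches an indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split(" ")
        reasons = []
        if parts[0] == "HTTP" and len(parts) == 5:
            _, host, dst_ip, method, uri = parts
            reasons = check_http(host, dst_ip, method, uri)
        elif parts[0] == "PROC" and len(parts) >= 3:
            _, image, cmdline = line.split(" ", 2)
            reasons = check_process(image, cmdline)
        if reasons:
            hits.append((n, reasons))
    return hits


if __name__ == "__main__":
    for n, reasons in scan(SAMPLE_LOG):
        print(f"line {n}: {', '.join(reasons)}")
```

Two things worth keeping in mind when adapting this to real proxy or EDR data: the URI check is deliberately independent of the domain check, because the /bolb/jaent.php path outlives individual throw-away domains, and the legitimate hosts in the traffic list (www.intel.com, support.microsoft.com and the others) are intentionally not matched, since on their own they are not an indicator of anything. The same set-membership approach extends directly to the SHA256 lists above for file-hash matching.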