malware_traffic

2020-07-30 (Thursday) - TA551 (Shathak) Word docs push IcedID (Bokbot)

Jul 30th, 2020 (edited)
REFERENCE:

- https://twitter.com/malware_traffic/status/1288904813758099457

NOTES:

- More info about TA551 (Shathak) distribution is found in my blog for Valak at Palo Alto Networks: https://unit42.paloaltonetworks.com/valak-evolution/

- Instead of pushing Valak with IcedID as follow-up malware, TA551 has been pushing only IcedID for English-speaking victims since 2020-07-14 (documented at https://isc.sans.edu/forums/diary/Word+docs+with+macros+for+IcedID+Bokbot/26352/) and on nearly every weekday since then.

- Today, the TA551 (Shathak) campaign in some cases used a copy of certutil.exe to retrieve the IcedID installer DLL, but in other examples it did not use certutil.exe.

- All the files below have been submitted to bazaar.abuse.ch

- All of the URLs for the IcedID installer have been submitted to urlhaus.abuse.ch

20 EXAMPLES OF WORD DOCS WITH MACRO FOR ICEDID INSTALLER DLL:

AT LEAST 10 DOMAINS HOSTING ICEDID INSTALLER DLL:

HTTP GET REQUESTS FOR ICEDID INSTALLER DLL:

27 EXAMPLES OF SHA256 HASHES FOR ICEDID INSTALLER DLL:

- NOTE: All the above DLL files run with: Regsvr32.exe [filename]

TWO LOCATIONS NOTED FOR THE ICEDID INSTALLER DLL FILES:

- C:\ProgramData\1.tmp
- C:\Users\[username]\AppData\Local\Temp\main.theme
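
Added here as an editor's detection example, not part of the original paste: a Python check over process-creation events that flags the two behaviours noted above, Regsvr32.exe loading a non-DLL file from ProgramData or the user's Temp directory, and a copy of certutil.exe running from outside the Windows system directories. The event shape, the use of the PE OriginalFileName field and the sample events are assumptions constructed for this example.

```python
import re
from typing import NamedTuple

# Staging locations noted above (username wildcarded, case-insensitive match);
# assumption: any file in those directories, not only 1.tmp / main.theme, counts.
STAGING_DIR = re.compile(
    r"^c:\\(programdata|users\\[^\\]+\\appdata\\local\\temp)\\[^\\]+$")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

class Event(NamedTuple):
    image: str               # full path of the created process
    original_file_name: str  # PE OriginalFileName, as Sysmon event ID 1 logs it
    command_line: str

def _args(command_line: str) -> list[str]:
    """Tokenise a Windows command line (double quotes honoured), drop argv[0]."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', command_line)][1:]

def check_event(ev: Event) -> list[str]:
    """Names of the rules a process-creation event matches (empty if none)."""
    hits = []
    image = ev.image.lower()
    if image.rsplit("\\", 1)[-1] == "regsvr32.exe":
        # The page: DLLs run via "Regsvr32.exe [filename]" from ProgramData or
        # the user's Temp, under names ending .tmp / .theme rather than .dll.
        for arg in (a.lower() for a in _args(ev.command_line)):
            if STAGING_DIR.match(arg) and not arg.endswith(".dll"):
                hits.append("regsvr32_non_dll_from_staging_dir")
                break
    if (ev.original_file_name.lower() == "certutil.exe"
            and not image.startswith(SYSTEM_DIRS)):
        # A copy of certutil.exe running from outside the Windows system dirs.
        hits.append("certutil_copy_outside_system_dir")
    return hits

# Constructed sample events (hypothetical, not taken from the page's traffic).
SAMPLE_EVENTS = [
    Event(r"C:\Windows\System32\regsvr32.exe", "REGSVR32.EXE",
          r"regsvr32.exe C:\ProgramData\1.tmp"),
    Event(r"C:\Windows\System32\regsvr32.exe", "REGSVR32.EXE",
          r'"C:\Windows\System32\regsvr32.exe" /s '
          r"C:\Users\alice\AppData\Local\Temp\main.theme"),
    Event(r"C:\Windows\System32\regsvr32.exe", "REGSVR32.EXE",
          r'regsvr32.exe /s "C:\Program Files\Vendor\plugin.dll"'),
    Event(r"C:\Users\alice\AppData\Local\Temp\cu.exe", "CertUtil.exe",
          "cu.exe (arguments omitted)"),
    Event(r"C:\Windows\System32\certutil.exe", "CertUtil.exe",
          "certutil.exe -dump"),
]
```

The third and fifth sample events are benign controls: a registered DLL under Program Files and the genuine certutil.exe in System32 produce no hits.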

TRAFFIC CAUSED BY ICEDID INSTALLER DLL:

- port 443 - www.intel.com
- port 443 - help.twitter.com
- port 443 - support.oracle.com
- port 443 - www.oracle.com
- port 443 - support.apple.com
- port 443 - support.microsoft.com

- 194.5.249[.]199 port 443 - ldrgopak[.]casa
- 194.5.249[.]199 port 443 - loadbudapest[.]casa