API tools faq
paste
malware_traffic

2020-10-20 (Tuesday) - TA551 (shathak) Word docs push IcedID

malware_traffic
Oct 21st, 2020
7,979
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 5.52 KB | None | 0 0
raw download clone embed print report
  1. 2020-10-20 (TUESDAY) - TA551 (SHATHAK) WORD DOCS WITH MACROS FOR ICEDID:
  2.  
  3. CHAIN OF EVENTS:
  4.  
  5. - malspam --> password-protected zip attachment --> extracted Word doc --> enable macros --> installer DLL --> IcedID malware
  6.  
  7. 20 EXAMPLES OF TA551 WORD DOCS WITH MACROS:
  8.  
  9. - 05f6290301015b21d682fafebf09f8977aa90a9c2dfc15941b9405b620b68b6d charge.010.20.2020.doc
  10. - 52fa2def2b9e4189b1aeb1f91d7d0165f3bb344b69c9c0bdd029ebccd95ad100 command_010.20.20.doc
  11. - 825a14c317b5f2284e573b7ee92fb0890c390bf181ed0f3098a089368437af8d decree_010.20 copy.doc
  12. - 825a14c317b5f2284e573b7ee92fb0890c390bf181ed0f3098a089368437af8d decree_010.20.doc
  13. - f0a494813c3806654094dfbd046a942bb96b6d62bb1d63c3b254322e21dc46c0 details,010.20.2020.doc
  14. - d1459a88b196ba1dfd255066feb9ef2655bfe2599a7139adb5059f19e3e450eb direct 010.20.20.doc
  15. - ca9b7276bf105413d56c04035ec5c03a3f11b299a909589bd92ec0e9cbe4c9e2 direct.010.20.2020.doc
  16. - 357ccefba10d43c0502c97fceb8d465e1c902bf24402146e938f451ff11dca39 docs-010.20.2020.doc
  17. - 2b3f1434a39bbc209450442a4ca6cc54219f3300780b5d9befb7ef622a685aaa document-010.20.20.doc
  18. - 4aef7ab42b5c5df0d536c65ec5161a76ee4df7b66075ea875d4c3dac0b2f1f92 documents_010.20.doc
  19. - 66cf070eb74978c9c88da7d02efd24c5691cfddf39602f1ad2467ab6a095b373 facts,010.20.2020.doc
  20. - 4d12df94b84a0fe3c96ba796c60c9172d28fe4b437d0c3deb1663511ffe4927e file,010.20.2020.doc
  21. - 45b2e313fb54c7334a201c7b13a6ec7ce1db6f604266e3c9f2f85eeff3c4bb28 inquiry.010.20.2020.doc
  22. - 9f2db3f52027102c0a9e225766bcf63bc8a949ae164b280b8f65ada8bd937f68 legal agreement-010.20.doc
  23. - 7d97f4ad7bc3f62a6a12afa449febf78e21eb4a71e799a53a877d5a9c1c7f7b1 legal paper,010.20.doc
  24. - 05ec2931b0562d7e999f7ec400875d994d1629a3592ba4df28086327580815a1 ordain,010.20.doc
  25. - 98128bc0d5bfe3bb8d057330d440671317f20628f41a0f8ebc54340c4f17fb6e prescribe 010.20.doc
  26. - 12728dcd608d0e635b5341fcd82e96d5b57bde3f31cbc20e6b113ee7f6b10b48 question 010.20.doc
  27. - 2e9bedb2af9fbfcd2f970ac78be4f0ea111f6023f7cbfc293b2f8b22de2f1f2a require 010.20.20.doc
  28. - ba83b48a660695baf0724965a7ed516cdf29c99fa417d787b11835b75556c5f0 tell 010.20.doc
  29.  
  30. AT LEAST 9 DOMAINS HOSTING THE INSTALLER DLL:
  31.  
  32. - b7nfcx4[.]com - 185.103.109[.]51
  33. - bsls9ny[.]com - 194.40.243[.]61
  34. - cte64uc3ede65oq[.]com - 193.187.174[.]162
  35. - g33r59eug[.]com - 80.85.158[.]53
  36. - egmr6csa9qsg[.]com - 45.129.237[.]33
  37. - gm9rlei16lamz5[.]com - 178.250.157[.]193
  38. - p4uk749i8t6vay[.]com - 149.154.64[.]179
  39. - rbjh933kw0xx65x8[.]com - 45.8.124[.]36
  40. - xf8z9878f[.]com - 62.109.14[.]179
  41.  
  42. URLS FOR INSTALLER DLL:
  43.  
  44. - GET /_bxlzcpjlmpxlkzblf_zhlsplspz/wtlmwrqnnxfwgzzlkvzdbvnp_mphdqpggxfljvffj_.php?l=chfon1.ppt&lhe=[20 character string]
  45.  
  46. - NOTE 1: URLS used chfon1.ppt through chfon15.ppt
  47. - NOTE 2: 20 character string at the end is random lower-case alpha-numeric letters and underscores
  48.  
  49. Examples:
  50.  
  51. - hxxp://bsls9ny[.]com/_bxlzcpjlmpxlkzblf_zhlsplspz/wtlmwrqnnxfwgzzlkvzdbvnp_mphdqpggxfljvffj_.php?l=chfon4.ppt&lhe=hcqjvtfezhsogtrdxdfs
  52.  
  53. - hxxp://rbjh933kw0xx65x8[.]com/_bxlzcpjlmpxlkzblf_zhlsplspz/wtlmwrqnnxfwgzzlkvzdbvnp_mphdqpggxfljvffj_.php?l=chfon1.ppt&lhe=vowttxwamytebmdqfkcv
  54.  
  55. - hxxp://cte64uc3ede65oq[.]com/_bxlzcpjlmpxlkzblf_zhlsplspz/wtlmwrqnnxfwgzzlkvzdbvnp_mphdqpggxfljvffj_.php?l=chfon8.ppt&lhe=wmwelbfp_ob_pqjchbrl
  56.  
  57. - hxxp://g33r59eug[.]com/_bxlzcpjlmpxlkzblf_zhlsplspz/wtlmwrqnnxfwgzzlkvzdbvnp_mphdqpggxfljvffj_.php?l=chfon11.ppt&lhe=sjroljhppkmvgi_q_hfm
  58.  
  59. - htxxp://p4uk749i8t6vay[.]com/_bxlzcpjlmpxlkzblf_zhlsplspz/wtlmwrqnnxfwgzzlkvzdbvnp_mphdqpggxfljvffj_.php?l=chfon6.ppt&lhe=cgxnmmztlqrsgthykcgj
  60.  
  61. 10 EXAMPLES OF INSTALLER DLL FILES:
  62.  
  63. - 0585271d56833eff99561769bb27fbc98e0bdda5f539247bf838ee62a28bf4f4
  64. - 059c85ab99ed30c53fda03c14bacac9622512861acbfae16bfc6f515d07709b0
  65. - 4e6878db8d54213e7c8003b023547f32957285e1335875cee3052da37efcfcaf
  66. - 5069c3e89ab5e79ff53991f175ff2f113c147c7351beda4e52374fae4f90853c
  67. - 50c916244cec9cd3dd11d76e5198154bad38b94ba67b56071b6c03440659bd8d
  68. - 605d6dbb783fb7ffd54f5f8d9a3cbaf6aa23bbe5c7b384b3c9aa7a23b9b3c150
  69. - 663a448eafe2e093006cea58f9f747178f2c2036230e973acd89641d8611b44e
  70. - 6e6a69b8584b2da246d9bd09316898d59154159a57e87fb4c8bdd02071f85cd6
  71. - 8b6db170ac6eddb4a0d7b5d59b45e04423c39cfe4183104a9cf59d280e089a33
  72. - 920601e91179d453c9c7c751e6f6b557bb8cfd97e8243b77cf2a4532a336ad2c
  73.  
  74. EXAMPLES OF LOCATION FOR THE INSTALLER DLL FILES:
  75.  
  76. - C:\Users\Public\EyeuD.txt
  77. - C:\Users\Public\gOYgv.txt
  78. - C:\Users\Public\HlGKL.txt
  79. - C:\Users\Public\HsESD.txt
  80. - C:\Users\Public\LYpDf.txt
  81. - C:\Users\Public\PevXe.txt
  82. - C:\Users\Public\wNkeO.txt
  83.  
  84. INSTALLER DLL RUN METHOD:
  85.  
  86. - regsvr32.exe [filename]
  87.  
  88. HTTPS TRAFFIC TO LEGITIMATE DOMAINS CAUSED BY INSTALLER DLLS:
  89.  
  90. - port 443 - support.oracle.com
  91. - port 443 - www.oracle.com
  92. - port 443 - support.apple.com
  93. - port 443 - support.microsoft.com
  94. - port 443 - help.twitter.com
  95.  
  96. AT LEAST 2 DIFFERENT URLS FOR HTTPS TRAFFIC GENERATED BY INSTALLER DLLS:
  97.  
  98. - 46.101.0[.]125 port 443 - loadcessna[.]asia - GET /background.png
  99. - 46.101.0[.]125 port 443 - loadnelliko[.]click - GET /background.png
  100.  
  101. 2 EXAMPLES OF SHA256 HASHES FOR ICEDID MALWARE DLL CREATED BY INSTALLER:
  102.  
  103. - ba4253b54cb921073ad49e34cf931ca6f1bcdd79a53366f36240d42b7f132ccb (initial)
  104. - dc376b4c1d4acbdd5101df5d51bac34cc147b6fd499d741bc68145016fb3c574 (persistent)
  105.  
  106. ICEDID DLL RUN METHOD:
  107.  
  108. - regsvr32.exe /s [filename]
  109.  
  110. HTTPS TRAFFIC TO MALICIOUS DOMAINS CAUSED BY THE ICEDID MALWARE DLL FILES:
  111.  
  112. - 159.65.114[.]23 port 443 - filopipilo[.]top
  113. - 159.65.114[.]23 port 443 - familyfromforrest[.]club
  114. - 159.65.114[.]23 port 443 - fihokiliopo[.]pw
  115. - 159.65.114[.]23 port 443 - millogorillo[.]pw
  116. - 159.65.114[.]23 port 443 - mishagrisha[.]top
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!