- 2020-09-21 (MONDAY) - TA551 (SHATHAK) WORD DOCS WITH MACROS FOR ICEDID:
- CHAIN OF EVENTS:
- - malspam --> password-protected zip attachment --> extracted Word doc --> enable macros --> installer DLL --> IcedID EXE
- 12 EXAMPLES OF TA551 WORD DOCS WITH MACROS FOR ICEDID:
- - 9f240737183f8b52fc33daa475e11a3fc0655538728e56edc71ff49626549ada certificate 09.20.doc
- - 2d2f0a3e263c64c98457a3d4bce8a22d53d1c7f9c2326dcdd1578cb5037587fe commerce -09.21.2020.doc
- - 3e12c287478608aafc8ef1abeba25c526863e9e47d78d314cfc20077d73ae653 commerce ,09.20.doc
- - 562956706eb0b658fcad5f23d11c4a8670dda18666b04bf7127f9b1ac1be8907 docs.09.21.20.doc
- - 2925f852e2fc04c4849b5e47306373837305d9bf003e79ceb08762b505759259 document,09.20.doc
- - 0f9ae46bd910f799fd11c5cc46f7c3ffbc0a2f7280cc3fe867b763a5f5f64258 inquiry_09.20.doc
- - c37dd0bbd07f3acedf516c07c3fdc023b0ba5082c3959ddda9498fa6c52df09f instrument_indenture,09.20.doc
- - ad33adc035c689f4ab8f1d3cd49027b9ef804bb60c9a44bff2be585c02e794b3 legal agreement 09.21.2020.doc
- - 749140091ae47c29826a9f92a19381e060eff987299c2eb521f9ce833b2954f2 material_09.20.doc
- - c388475c08bcac2336e8b1efdf524d12a6194818e3c8194516b953fba654ac8f prescribe 09.20.doc
- - 8e9e0af52ff82cdc71e27bf27b157ef3adc00d3078a949d4deeb16a5e4225874 require 09.21.2020.doc
- - c3da3134de3b14d168e4e0f29c7c893ff3920b9d5ed6e566e0e15c4348ad9659 statistics,09.20.doc
- AT LEAST 10 DOMAINS HOSTING THE ICEDID DLL:
- - csxciyt[.]com - 83.166.214[.]17
- - dsb5vd[.]com - 185.159.129[.]44
- - f9pv81[.]com - 185.219.40[.]246
- - hq1m7wt[.]com - 37.230.117[.]49
- - ldzcb4[.]com - 185.135.81[.]234
- - lkcij4k[.]com - 185.87.51[.]204
- - k21ddmo[.]com - 212.109.221[.]95
- - mwd3sq[.]com - 194.31.237[.]38
- - q9d2ya[.]com - 80.87.197[.]19
- - rb16q6a[.]com - 89.223.100[.]173
- URLS FOR ICEDID DLL:
- - GET /foqa/kucow.php?l=kofo1.cab
- - GET /foqa/kucow.php?l=kofo2.cab
- - GET /foqa/kucow.php?l=kofo3.cab
- - GET /foqa/kucow.php?l=kofo4.cab
- - GET /foqa/kucow.php?l=kofo5.cab
- - GET /foqa/kucow.php?l=kofo6.cab
- - GET /foqa/kucow.php?l=kofo7.cab
- - GET /foqa/kucow.php?l=kofo8.cab
- - GET /foqa/kucow.php?l=kofo9.cab
- - GET /foqa/kucow.php?l=kofo10.cab
- - GET /foqa/kucow.php?l=kofo11.cab
- - GET /foqa/kucow.php?l=kofo12.cab
- - GET /foqa/kucow.php?l=kofo13.cab
- - GET /foqa/kucow.php?l=kofo14.cab
- - GET /foqa/kucow.php?l=kofo15.cab
- - GET /foqa/kucow.php?l=kofo16.cab
- - GET /foqa/kucow.php?l=kofo17.cab
- - GET /foqa/kucow.php?l=kofo18.cab
- 12 EXAMPLES OF ICEDID INSTALLER DLLS:
- - 1d916a05e07aa61bb84504cd7cf70e920549dde98a3eafebfde3e13d3137df24
- - 2de6bde148b9a42a65f5dae36c903811e56d702d7d319900877f2d5d74273236
- - 30ac7415f1cdd5984cdfe15961eb46211c444786c453cfe8525dacd7c76c28b6
- - 705e14735da74b107357a676c15b07c0f0c86888b8f98ba86e1029ff4e4858df
- - 7c94b78d14c95b438b0af4eb93596c2f7a64d8a9a1b2c9b300f5d4c43661a9b9
- - 89e881e0beb8adc93f3b45e835e68355e855d951a44d18153b7f042989b353e0
- - 8efa3aea51c2da764f118b7808fa096c3e3a841b676b1e046cdd6ad50cf8af3d
- - ad91cc0f5f38735a2a88df59382b93919a0f3112cae592f4a0477e20ef414469
- - c24e8099dffe2d9ddebc10b44b6d992043a7a88f0c24bdd7b462e750813dd92e
- - c53e0f2ba4d0ff61ed41d31cb5671c96ba8a98afbf32f1e76cd88e5061c20370
- - d4daab6448cab62e16091169f451e9b455a3607df6ceabccdd0610473d419a6c
- - ea1d92c3d94727066636b93e3cfe85331eb2865e15f86bc20978be99272ddb0d
- EXAMPLES OF LOCATION FOR THE INSTALLER DLL FILE:
- - C:\ProgramData\b467e.pdf
- - C:\ProgramData\cbd30.pdf
- - C:\ProgramData\dbf1f.pdf
- - C:\ProgramData\e325b.pdf
- - C:\ProgramData\ff2ac.pdf
- - C:\ProgramData\ffadc.pdf
- DLL RUN METHOD:
- - regsvr32.exe [filename]
- 3 EXAMPLES OF URLS FOR HTTPS TRAFFIC GENERATED BY INSTALLER DLLS:
- - 142.93.218[.]110 port 443 - ldrphound[.]casa - GET /background.png
- - 142.93.218[.]110 port 443 - ldrpeso[.]casa - GET /background.png
- - 134.122.55[.]164 port 443 - ldrruble[.]casa - GET /background.png
- SHA256 HASHES FOR ICEDID EXE CREATED BY ICEDID INSTALLER (EXAMPLE 1 OF 2):
- - 4aa11721ca11223bc5dd7d756c7fe5cc9d2d05d7e20f1e0b66c68fd0d59fb172 (initial)
- - 4ab7976b062def0c7c1231e2a8d663c8a2e0c14f305b573dbc0b8ff49d10f3ba (persistent)
- HTTPS TRAFFIC TO MALICIOUS DOMAINS CAUSED BY THE ABOVE ICEDID EXE FILES:
- - 134.122.101[.]157 port 443 - likofedo[.]club
- - 134.122.101[.]157 port 443 - doremifasol[.]online
- - 134.122.101[.]157 port 443 - 10hesadety[.]pw
- - 134.122.101[.]157 port 443 - bcertyou[.]cyou
- - 134.122.101[.]157 port 443 - 85.vumbut[.]best
- SHA256 HASHES FOR ICEDID EXE CREATED BY ICEDID INSTALLER (EXAMPLE 2 OF 2):
- - 5892f7ad0218286a2e52a5eedbea62c80532a70fa51b2d202b38ad2fcf61cedb (initial)
- - aa1c66821155d2d77cdc8e114c2b9cdf5bcc5ea35ecfd7d3681e254882080cca (persistent)
- HTTPS TRAFFIC TO MALICIOUS DOMAINS CAUSED BY THE ABOVE ICEDID EXE FILES:
- - 161.35.33[.]38 port 443 - gaagachelo[.]cyou
- - 161.35.33[.]38 port 443 - odnovoennbundes[.]cyou
- - 161.35.33[.]38 port 443 - obnaprimezert[.]cyou
- - 161.35.33[.]38 port 443 - sprbumazna[.]club
- - 161.35.33[.]38 port 443 - uragapediculez[.]top
- HTTPS TRAFFIC TO LEGITIMATE DOMAINS CAUSED BY INSTALLER DLLS:
- - port 443 - www.intel.com
- - port 443 - support.oracle.com
- - port 443 - www.oracle.com
- - port 443 - support.apple.com
- - port 443 - support.microsoft.com
- - port 443 - help.twitter.com
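The indicators above are only useful once they are turned into matching logic. The following Python is an added example (not part of the original paste) that refangs the listed domains and IPs, generalises the DLL download URL pattern (the paste shows kofo1 through kofo18; the regex accepts any number), and flags the run method of regsvr32.exe loading a ".pdf" from C:\ProgramData. The proxy log format, the process command lines and the client/server IPs in the sample lines are constructed for the demonstration; only the indicators come from the paste.

```python
"""Matchers for the 2020-09-21 TA551/IcedID indicators listed above.
Added example, not from the original paste; sample log lines are constructed."""
import re

# Domains hosting the installer DLL and their IPs, copied defanged from the paste.
DLL_HOSTS = {
    "csxciyt[.]com": "83.166.214[.]17", "dsb5vd[.]com": "185.159.129[.]44",
    "f9pv81[.]com": "185.219.40[.]246", "hq1m7wt[.]com": "37.230.117[.]49",
    "ldzcb4[.]com": "185.135.81[.]234", "lkcij4k[.]com": "185.87.51[.]204",
    "k21ddmo[.]com": "212.109.221[.]95", "mwd3sq[.]com": "194.31.237[.]38",
    "q9d2ya[.]com": "80.87.197[.]19", "rb16q6a[.]com": "89.223.100[.]173",
}
# Installer DLL and IcedID EXE HTTPS domains and IPs, copied defanged from the paste.
C2_DOMAINS = {
    "ldrphound[.]casa", "ldrpeso[.]casa", "ldrruble[.]casa",
    "likofedo[.]club", "doremifasol[.]online", "10hesadety[.]pw",
    "bcertyou[.]cyou", "85.vumbut[.]best", "gaagachelo[.]cyou",
    "odnovoennbundes[.]cyou", "obnaprimezert[.]cyou", "sprbumazna[.]club",
    "uragapediculez[.]top",
}
C2_IPS = {"142.93.218[.]110", "134.122.55[.]164", "134.122.101[.]157", "161.35.33[.]38"}


def refang(ioc: str) -> str:
    """Turn 'example[.]com' / 'hxxp://' back into a string that matches real logs."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


BAD_DOMAINS = {refang(d) for d in C2_DOMAINS} | {refang(d) for d in DLL_HOSTS}
BAD_IPS = {refang(ip) for ip in DLL_HOSTS.values()} | {refang(ip) for ip in C2_IPS}

# Generalised from the 18 listed URLs: /foqa/kucow.php?l=kofo<N>.cab for any N.
URL_RE = re.compile(r"^/foqa/kucow\.php\?l=kofo\d+\.cab$")
# Run method from the paste: regsvr32.exe on a ".pdf" under C:\ProgramData.
# Observed names were five hex characters; any .pdf handed to regsvr32 is wrong.
REGSVR_RE = re.compile(
    r"regsvr32(?:\.exe)?\s+.*?\\ProgramData\\[^\s\\]+\.pdf\b", re.IGNORECASE
)


def check_http(line: str) -> list:
    """Classify one constructed proxy line:
    '<ts> <client_ip> <server_ip> <host> <method> <path>' -> list of hit labels."""
    _ts, _client, server_ip, host, method, path = line.split()
    hits = []
    if host in BAD_DOMAINS:
        hits.append(f"ioc-domain:{host}")
    if server_ip in BAD_IPS:
        hits.append(f"ioc-ip:{server_ip}")
    if method == "GET" and URL_RE.match(path):
        hits.append("icedid-dll-download-url")
    return hits


def check_process(cmdline: str) -> list:
    """Flag a process command line that matches the regsvr32 run method."""
    return ["regsvr32-pdf-in-programdata"] if REGSVR_RE.search(cmdline) else []


# Constructed sample data (client/server IPs for the legitimate host are made up).
SAMPLE_HTTP = [
    "2020-09-21T14:02:11Z 10.0.0.5 185.159.129.44 dsb5vd.com GET /foqa/kucow.php?l=kofo7.cab",
    "2020-09-21T14:02:40Z 10.0.0.5 142.93.218.110 ldrphound.casa GET /background.png",
    "2020-09-21T14:03:05Z 10.0.0.5 134.122.101.157 likofedo.club POST /",
    "2020-09-21T14:03:30Z 10.0.0.5 23.42.120.99 www.intel.com GET /",
]
SAMPLE_PROC = [
    r"regsvr32.exe C:\ProgramData\cbd30.pdf",
    r"regsvr32.exe /s C:\Windows\System32\mshtml.dll",
]


def scan(http_lines=SAMPLE_HTTP, proc_lines=SAMPLE_PROC) -> dict:
    """Return {line: hits} for every line that matched at least one indicator."""
    results = {}
    for line in http_lines:
        if hits := check_http(line):
            results[line] = hits
    for cmd in proc_lines:
        if hits := check_process(cmd):
            results[cmd] = hits
    return results


if __name__ == "__main__":
    for line, hits in scan().items():
        print(", ".join(hits), "<-", line)
```

The legitimate domains in the last section (intel.com, oracle.com, apple.com, microsoft.com, twitter.com) are deliberately left out of the match sets: the installer DLL contacts them as ordinary connectivity checks, so they are context for a timeline, not indicators to alert or block on. The regsvr32 rule is the most durable of the three, since the .cab URL path and the domains rotate between campaigns while the run method changes far less often.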