VRad

#icedID_140422

Apr 15th, 2022 (edited)
#IOC #OptiData #VR #icedID #BokBot #DLL #Macro #VBA

https://pastebin.com/X4EvL8N6

previous_contact:
23/03/2022 https://pastebin.com/LaxLgeEz

FAQ:
https://malpedia.caad.fkie.fraunhofer.de/details/win.icedid

attack_vector
--------------
email > XLS > VBA > GET 66.150.66.167/su.dll > rundll32.exe C:\Windows\Tasks\su.dll, PluginInit > ertimadifa.com


# # # # # # # #
email_headers
# # # # # # # #

Subject: Мобилизационный список Указом Президента про термінову мобілізацію
Received: from tiger.cfi.lu.lv (tiger.cfi.lu.lv [5.179.5.2])
X-Virus-Scanned: amavisd-new at cfi.lu.lv
Received: from webmail.cfi.lu.lv (tiger.cfi.lu.lv [IPv6:2001:67c:2198:44::2]) (Authenticated sender: ievalr) by tiger.cfi.lu.lv (Postfix) with ESMTPSA id 8AC2EC30448;
From: Ieva Lācenberga-Rocēna <ieva.lacenberga-rocena@cfi.lu.lv>
Date: Thu, 14 Apr 2022 19:38:03 +0000
Message-ID: <c06241db60aabf1f7ac815e69a0890d6@cfi.lu.lv>
X-Sender: ieva.lacenberga-rocena@cfi.lu.lv


# # # # # # # #
files
# # # # # # # #

SHA-256 08d30d6646117cd96320447042fb3857b4f82d80a92f31ee91b16044b87929c0
File name Мобілізаційний список.xls [ Microsoft Excel sheet ]
File size 32.50 KB (33280 bytes)

SHA-256 55df2954add86715fc3d728459d79a6d2b88d34d9f23fafe9c5a573bb773d9e9
File name su.dll [ Win32 DLL , PE32+ executable for MS Windows (DLL) (GUI) Mono/.Net assembly ]
File size 150.50 KB (154112 bytes)

SHA-256 548f11606b71fbc6f5fabb02003ecc600e282352b30f65fbce9c4ed52a044757
File name Qoalodpf3.dll [ Win32 DLL , PE32+ executable for MS Windows (DLL) (GUI) Mono/.Net assembly ]
File size 138.00 KB (141312 bytes)


# # # # # # # #
activity
# # # # # # # #

PL_SCR http://66.150.66.167/su.dll

C2 ertimadifa.com 164.92.104.194
rresteraftin.com 51.89.88.113
detreville.top 45.142.214.176
ndlestomak.top 51.89.88.113


netwrk
--------------
66.150.66.167 66.150.66.167 80 HTTP GET /su.dll HTTP/1.1 Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0)
164.92.104.194 ertimadifa.com 80 HTTP GET / HTTP/1.1
51.89.88.113 rresteraftin.com 443 TLSv1 Client Hello
45.142.214.176 detreville.top 443 TLSv1 Client Hello
51.89.88.113 ndlestomak.top 443 TLSv1 Client Hello


comp
--------------
EXCEL.EXE 3500 TCP 66.150.66.167 80 ESTABLISHED
rundll32.exe 3276 TCP 164.92.104.194 80 ESTABLISHED
rundll32.exe 3276 TCP 51.89.88.113 443 ESTABLISHED
rundll32.exe 3276 TCP 45.142.214.176 443 ESTABLISHED


proc
--------------
"C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE" /e
C:\Windows\SysWOW64\rundll32.exe C:\Windows\Tasks\su.dll, PluginInit
C:\Windows\system32\rundll32.exe C:\Windows\Tasks\su.dll, PluginInit

persist
--------------
\nofecuunvi_{FEEAF16C-A218-784B-8F1A-9F7313AED5EA}
c:\users\operator\appdata\local\{5f5ab27b-8b0f-a2dd-da8e-04c7f98cd02a}\qoalodpf3.dll 26.12.2015 11:47
\nofecuunvi_{FEEAF16C-A218-784B-8F1A-9F7313AED5EA} c:\users\operator\appdata\local\{5f5ab27b-8b0f-a2dd-da8e-04c7f98cd02a}\qoalodpf3.dll 26.12.2015 11:47


drop
--------------
C:\tmp\Temporary Internet Files\Content.IE5\9XH0ADWM\su[1].dll
C:\Windows\Tasks\su.dll
C:\Users\operator\AppData\Local\{5F5AB27B-8B0F-A2DD-DA8E-04C7F98CD02A}\Qoalodpf3.dll
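The rundll32 launches in the proc, persist and drop sections (a DLL staged in C:\Windows\Tasks, later copied under a GUID-named folder in AppData, invoked through the PluginInit export) are the most reusable detection signal in this paste. The Python below is an added example, not part of the original paste: it parses rundll32 command lines from process-creation telemetry and flags those traits; the sample command lines are constructed from the paths above, and the list of trusted DLL directories is an assumption to tune per environment.

```python
import re

# Directories from which a legitimately installed DLL is normally loaded via
# rundll32 (assumed baseline). Anything else, such as C:\Windows\Tasks or
# %LOCALAPPDATA%\{GUID}\ seen in this campaign, is treated as a staging location.
TRUSTED_DLL_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files",
    r"c:\program files (x86)",
)

# Export name used by the IcedID loader in this campaign (proc section above).
KNOWN_BAD_EXPORTS = {"plugininit"}

# rundll32.exe <dll>,<export> with optional full path, quotes and spaces around the comma.
RUNDLL32_RE = re.compile(
    r'^(?:"?[^"]*\\)?rundll32\.exe"?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\S+)',
    re.IGNORECASE,
)
# A path component that is a bare {GUID}, as used for the persistence copy.
GUID_DIR_RE = re.compile(r"\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\\", re.IGNORECASE)


def parse_rundll32(cmdline):
    """Return (dll_path, export) for a rundll32 command line, or None if it is not one."""
    m = RUNDLL32_RE.match(cmdline.strip())
    if not m:
        return None
    return m.group("dll"), m.group("export")


def rundll32_findings(cmdline):
    """List why a rundll32 launch looks like loader execution; empty list means nothing flagged."""
    parsed = parse_rundll32(cmdline)
    if parsed is None:
        return []
    dll, export = parsed
    findings = []
    if not dll.lower().startswith(TRUSTED_DLL_DIRS):
        findings.append(f"dll outside trusted dirs: {dll}")
    if GUID_DIR_RE.search(dll):
        findings.append("dll under a GUID-named directory")
    if export.lower() in KNOWN_BAD_EXPORTS:
        findings.append(f"known loader export: {export}")
    return findings


# Constructed sample telemetry: the paste's proc lines plus a benign rundll32 use
# and a hypothetical launch of the persistence copy.
SAMPLE_CMDLINES = [
    r'"C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE" /e',
    r"C:\Windows\SysWOW64\rundll32.exe C:\Windows\Tasks\su.dll, PluginInit",
    r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
    r"C:\Windows\system32\rundll32.exe C:\Users\operator\AppData\Local\{5F5AB27B-8B0F-A2DD-DA8E-04C7F98CD02A}\Qoalodpf3.dll,PluginInit",
]


def scan(cmdlines):
    """Map each flagged command line to its findings."""
    return {c: f for c in cmdlines if (f := rundll32_findings(c))}


if __name__ == "__main__":
    for cmd, why in scan(SAMPLE_CMDLINES).items():
        print(cmd, "->", "; ".join(why))
```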


# # # # # # # #
additional info
# # # # # # # #

xls metadata
--------------
File Name : Мобілізаційний список.xls
Directory : .
File Size : 32 KiB
File Modification Date/Time : 2022:04:15 10:08:43+03:00
File Access Date/Time : 2022:04:15 16:18:56+03:00
File Inode Change Date/Time : 2022:04:15 18:42:20+03:00
File Permissions : -rw-rw-r--
File Type : XLS
File Type Extension : xls
MIME Type : application/vnd.ms-excel
Author :
Software : Microsoft Excel
Create Date : 2022:04:14 18:51:43
Modify Date : 2022:04:14 18:51:43
Security : None
Code Page : Windows Cyrillic
Company :
App Version : 15.0000
Scale Crop : No
Links Up To Date : No
Shared Doc : No
Hyperlinks Changed : No
Title Of Parts : Лист1
Heading Pairs : Листы, 1
Comp Obj User Type Len : 26
Comp Obj User Type : Microsoft Excel 2003


# # # # # # # #
VT & Intezer
# # # # # # # #

Dropped files
**************
https://www.virustotal.com/gui/file/08d30d6646117cd96320447042fb3857b4f82d80a92f31ee91b16044b87929c0/details
https://www.virustotal.com/gui/file/55df2954add86715fc3d728459d79a6d2b88d34d9f23fafe9c5a573bb773d9e9/details
https://analyze.intezer.com/analyses/ec3a5660-0f3d-478b-8ac9-e6ff9f567946
https://www.virustotal.com/gui/file/548f11606b71fbc6f5fabb02003ecc600e282352b30f65fbce9c4ed52a044757/details
https://analyze.intezer.com/analyses/79c92ddf-cfc0-4875-a1ba-373f70f353c7

PL_SCR
**************
https://www.virustotal.com/gui/url/bf874a0c033677efaa3032ac45c4b1f4c7e357bc5c5c83371af71feb529d1ef7/details

C2
**************
https://www.virustotal.com/gui/domain/ertimadifa.com/details

VR