- 2020-12-07 (MONDAY) - TA551 (SHATHAK) WORD DOCS WITH ENGLISH TEMPLATE PUSH ICEDID:
- CHAIN OF EVENTS:
- - malspam --> password-protected zip attachment --> extracted Word doc --> enable macros --> installer DLL --> IcedID DLL
- 10 EXAMPLES OF TA551 WORD DOCS WITH MACROS:
- AT LEAST 6 DOMAINS HOSTING THE INSTALLER DLL:
- EXAMPLES OF URLS FOR INSTALLER DLL:
- 7 EXAMPLES OF INSTALLER DLLS:
- EXAMPLES OF LOCATION FOR THE INSTALLER DLL FILES:
- - C:\ProgramData\a6Uns.pdf
- - C:\ProgramData\aK2TUb.pdf
- - C:\ProgramData\aNkDL.pdf
- - C:\ProgramData\aP8CD.pdf
- - C:\ProgramData\aPJ75.pdf
- - C:\ProgramData\aT2QI.pdf
- - C:\ProgramData\aWFPjN.pdf
- DLL RUN METHOD:
- - rundll32.exe [filename],ShowDialogA -r
- HTTPS TRAFFIC TO LEGITIMATE DOMAINS CAUSED BY INSTALLER DLL:
- AT LEAST 4 DOMAINS FOR HTTPS TRAFFIC GENERATED BY INSTALLER DLLS:
- - 167.71.138[.]137 port 443 - oldaquafrsh[.]cyou
- - 167.71.138[.]137 port 443 - rotapetek[.]cyou
- - 188.166.88[.]45 port 443 - milliship[.]top
- - 188.166.88[.]45 port 443 - portugalloindostan[.]top
- 4 EXAMPLES OF SHA256 HASHES FOR ICEDID DLL CREATED BY INSTALLER:
- - 39238c2728a4f6af81b57e38456aa1f9efc8c19ad0e8fbd2f3bad803dd1b75e1 (initial, 1st run)
- - d7a2b612bc7124c22cb058518ecf40a39b670042a7fbad01d4fa49d0ce20d344 (persistent, 1st run)
- - a221d6b02ae406bd0505a4f6fa8fe32503aa85a96c6715fade6dcf73a1eac2c1 (initial, 2nd run)
- - 13ad7de7f561825af82ab9ba920f82b72908ce9aacb944dc0c6a7b1875327e5d (persistent, 2nd run)
- HTTPS TRAFFIC TO MALICIOUS DOMAINS CAUSED BY THE ICEDID DLL FILES (1ST RUN):
- - 5.149.254[.]27 port 443 - reshailam[.]biz
- - 5.149.254[.]27 port 443 - ottepel[.]biz
- - 5.149.254[.]27 port 443 - t3476[.]top
- - 5.149.254[.]27 port 443 - vollhafer[.]top
- - 5.149.254[.]27 port 443 - fiscalclub[.]top
- HTTPS TRAFFIC TO MALICIOUS DOMAINS CAUSED BY THE ICEDID DLL FILES (2ND RUN):
- - 185.38.185[.]103 port 443 - chainoftheapril[.]cyou
- - 185.38.185[.]103 port 443 - unprofessional[.]club
- - 185.38.185[.]103 port 443 - lukapedrilla[.]cyou
- - 185.38.185[.]103 port 443 - xilophones[.]best
- - 185.38.185[.]103 port 443 - localallcases[.]xyz
- MALWARE RETRIEVED FROM AN INFECTED WINDOWS HOST - 1ST RUN:
- - SHA256 hash: 1b167f1532a1d9b1ffdef5ef4cb8dcab1da70f1bbb586a083b7b88e111b6da59
- - File size: 201,087 bytes
- - File location: C:\Users\[username]\AppData\Local\Temp\005c14a1.png
- - File type: PNG image data, 480 x 249, 8-bit/color RGB, non-interlaced
- - File description: PNG image with encoded data used to create initial IcedID DLL
- - SHA256 hash: 39238c2728a4f6af81b57e38456aa1f9efc8c19ad0e8fbd2f3bad803dd1b75e1
- - File size: 196,608 bytes
- - File location: C:\Users\[username]\AppData\Local\Betweenwhere.dat
- - File description: Initial IcedID DLL created by installer DLL using data from above PNG image
- - Run method: regsvr32.exe /s [filename]
- - SHA256 hash: f6ea81aaf9a07e24a82b07254a8ed4fcf63d5a8e6ea7b57062f4c5baf9ef8bf2
- - File size: 678,288 bytes
- - File location: C:\Users\[username]\AppData\Roaming\[username]\{6B397018-C748-AA01-4FF0-48B6F31AC4D7}\Ecaxxaac4.png
- - File type: PNG image data, 605 x 399, 8-bit/color RGB, non-interlaced
- - File description: PNG image with encoded data created during the infection process
- - SHA256 hash: d7a2b612bc7124c22cb058518ecf40a39b670042a7fbad01d4fa49d0ce20d344
- - File size: 196,608 bytes
- - File location: C:\Users\[username]\AppData\Local\Jiexci2\saguoy\otgewd.dll
- - File description: IcedID DLL persistent on the infected host
- MALWARE RETRIEVED FROM AN INFECTED WINDOWS HOST - 2ND RUN:
- - SHA256 hash: 71613eceb54609f4ad0c14fe41b92914ddb94cc1f1f56dbb3a583992a362a608
- - File size: 182,655 bytes
- - File location: C:\Users\[username]\AppData\Local\Temp\000ad4c4.png
- - File type: PNG image data, 386 x 486, 8-bit/color RGB, non-interlaced
- - File description: PNG image with encoded data used to create initial IcedID DLL
- - SHA256 hash: a221d6b02ae406bd0505a4f6fa8fe32503aa85a96c6715fade6dcf73a1eac2c1
- - File size: 178,176 bytes
- - File location: C:\Users\[username]\AppData\Local\Coralindex.dat
- - File description: Initial IcedID DLL created by installer DLL using data from above PNG image
- - Run method: regsvr32.exe /s [filename]
- - SHA256 hash: f6ea81aaf9a07e24a82b07254a8ed4fcf63d5a8e6ea7b57062f4c5baf9ef8bf2
- - File size: 678,288 bytes
- - File location: C:\Users\[username]\AppData\Local\[username]\taevac.png
- - File type: PNG image data, 605 x 399, 8-bit/color RGB, non-interlaced
- - File description: PNG image with encoded data created during the infection process
- - SHA256 hash: 13ad7de7f561825af82ab9ba920f82b72908ce9aacb944dc0c6a7b1875327e5d
- - File size: 178,176 bytes
- - File location: C:\Users\[username]\AppData\Roaming\[username]\Zuobyi64\Oqefuw2.dll
- - File description: IcedID DLL persistent on the infected host
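The two run methods in this paste (rundll32.exe [filename],ShowDialogA -r for the installer DLL staged under C:\ProgramData with a .pdf name, and regsvr32.exe /s [filename] for the initial IcedID DLL staged under AppData\Local with a .dat name) can be turned into a process-command-line check. The code below is an added example, not part of the original paste; the command lines it scans are constructed samples, and the helper and rule names are my own.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample process-creation command lines (not taken from the paste),
# modelled on the two run methods it documents.
SAMPLE_EVENTS = [
    r'rundll32.exe C:\ProgramData\aB3xy.pdf,ShowDialogA -r',
    r'"C:\Windows\System32\regsvr32.exe" /s C:\Users\alice\AppData\Local\Nowherenear.dat',
    r'rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL',
    r'regsvr32.exe /s "C:\Program Files\Vendor\legit.dll"',
]

# Extensions normally handed to rundll32/regsvr32; anything else is a masquerading module.
MODULE_EXTS = {".dll", ".ocx", ".cpl", ".ax"}
# Staging directories used for the installer DLL and the initial IcedID DLL in the paste.
STAGING_DIRS = ("\\programdata\\", "\\appdata\\local\\")

RUNDLL32_RE = re.compile(
    r'rundll32(?:\.exe)?"?\s+"?(?P<path>[^",]+?)"?,(?P<export>\w+)(?P<args>.*)$', re.I)
REGSVR32_RE = re.compile(
    r'regsvr32(?:\.exe)?"?\s+(?P<flags>(?:/\w+\s+)*)"?(?P<path>[^"]+?)"?\s*$', re.I)


def classify_event(cmdline: str) -> list:
    """Return the reasons a command line matches the run methods in the paste ([] = clean)."""
    reasons, tool_reason = [], None
    m = RUNDLL32_RE.search(cmdline)
    if m:
        path = m.group("path")
        if m.group("export").lower() == "showdialoga" and "-r" in m.group("args").split():
            reasons.append("rundll32 export ShowDialogA with -r (installer DLL run method)")
    else:
        m = REGSVR32_RE.search(cmdline)
        if not m:
            return reasons
        path = m.group("path")
        if "/s" in m.group("flags").lower().split():
            # /s alone is common for legitimate installers; only report it with another signal.
            tool_reason = "regsvr32 silent registration (/s) (IcedID DLL run method)"
    ext = PureWindowsPath(path).suffix.lower()
    if ext not in MODULE_EXTS:
        reasons.append(f"module loaded with non-DLL extension {ext or '(none)'}")
    if any(d in path.lower() for d in STAGING_DIRS):
        reasons.append("module staged under ProgramData or AppData\\Local")
    if reasons and tool_reason:
        reasons.insert(0, tool_reason)
    return reasons


def scan(events):
    """Map each matching command line to its reasons; clean lines are omitted."""
    return {e: classify_event(e) for e in events if classify_event(e)}
```

Run scan(SAMPLE_EVENTS) against real Sysmon Event ID 1 or 4688 command lines to see which hosts executed modules the way this campaign does.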