malware_traffic

2020-08-10 (Monday) TA551 (shathak) Word docs with macros for IcedID

Aug 10th, 2020 (edited)
2020-08-10 (MONDAY) - TA551 (SHATHAK) WORD DOCS WITH MACROS FOR ICEDID

NOTES:

- All samples have been submitted to https://bazaar.abuse.ch/
- All URLs for the loader DLLs have been submitted to https://urlhaus.abuse.ch/

14 EXAMPLES OF WORD DOCS WITH MACROS FOR LOADER DLL:


AT LEAST 11 DOMAINS HOSTING THE LOADER DLL:


URLS TO RETRIEVE LOADER DLL:


10 EXAMPLES OF SHA256 HASHES FOR LOADER DLL:


LOCATIONS FOR LOADER DLL:

- C:\ProgramData\111.tmp
- C:\ProgramData\preview.jpg

DLL RUN METHOD:

- regsvr32.exe [filename]

DOMAIN RETRIEVED BY LOADER DLL FOR INITIAL PNG IMAGE TO CREATE ICEDID EXE:

- soldkorean[.]top - 64.227.103[.]18

ICEDID MALWARE:

- SHA256 hash: 75195784a153205aad34eea77c000358081fd1e1c8abab6e532b2ae8e983c44b
- File size: 640,000 bytes
- File location example: C:\Users\[username]\AppData\Local\Temp\~1612329328.exe
- File location example: C:\Users\[username]\AppData\Local\Temp\~455578.exe
- File location example: C:\Users\[username]\AppData\Local\Temp\~662921.exe
- File description: Initial IcedID EXE created by DLL installer

- SHA256 hash: 341621050c83b242a1779e5a88f4c6389b7efc1406d5e5ba8e7828a0d74fbb86
- File size: 640,000 bytes
- File location: C:\Users\[username]\AppData\[username]\[username]\uthuak32.exe
- File description: IcedID EXE persistent on infected Windows host (example 1 of 2)

- SHA256 hash: 648fa862ce3d2230c2754a31f45d20b74f70d8648a9ad5897ba0d6a35627b592
- File size: 640,000 bytes
- File location: C:\Users\[username]\AppData\[username]\[username]\yiarpm.exe
- File description: IcedID EXE persistent on infected Windows host (example 2 of 2)

ICEDID C2 DOMAINS ON 45.66.245[.]145:

- discsnooker[.]best
- felliohreffer[.]co
- jallioradio[.]co
- debuggerhelper[.]top
- youmecube[.]top