malware_traffic

2020-09-10 (Thursday) TA551 (Shathak) Word docs pushing IcedID

Sep 10th, 2020 (edited)
994
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. 2020-09-10 (THURSDAY) - TA551 (SHATHAK) WORD DOCUMENTS WITH MACROS PUSHING ICEDID MALWARE:
  2.  
  3. CHAIN OF EVENTS:
  4.  
  5. - malspam --> password-protected zip attachment --> extracted Word doc --> enable macros --> installer DLL --> IcedID EXE
  6.  
  7. 20 EXAMPLES OF SHA256 HASHES FOR WORD DOCS WITH MACROS FOR ICEDID:
  8.  
  9. - e0049f935ec700adc982587b74932f53725b862f2e755489d5c9830c4fab691e bid,09.010.2020.doc
  10. - 3fd629c5c1390a5b2db2dbf4be0cc1975b0b5189b2793a9d557e1acc5a1a0c8a bid,09.20.doc
  11. - 324edd5f108cc6b117e58888ea13051b063e037317cae6ba96d7a1007c9c08b9 bid-09.20.doc
  12. - ebcfd72f2f1677b764b92d332006529fd505034980319c450ea5dbc90244e7ec bid.09.20.doc
  13. - c6172a40bbe5989c7d4ace5007d5b13975fd87845af6fb7255c8ec86c0a1c906 charge 09.20.doc
  14. - 6c81be8e47d734de3a797c77151cf93ce78270142a82122f0f00a4c679175bb7 command 09.20.doc
  15. - 08b4d55e1eb7681faeb49ebe73da5262f5d3cb54f281eba1a405e0d1128a19e2 command,09.010.2020.doc
  16. - cb3f20a55244238074c0669fe71d3d6b21f6f982769d982dfab2c63a12d13266 command-09.20.doc
  17. - 299240b17e3a006fa5875d0f69ac433a039f55c197a8f948b648327660d9abab deed contract-09.20.doc
  18. - d7f43ade2ffa447615e7934183bcd427c6f0e5fa2b263e404fa71f49e3821ef8 details-09.20.doc
  19. - dbb19998cb1d2363026670095b2bd39cce825453f4ee8399bdc96a1a21c8973d documents 09.010.2020.doc
  20. - 555050fb30783764b319fa09e420a6ee0fc79fdbd896ab531aa9453d3c2f60a0 figures,09.20.doc
  21. - d5ba2e88c7d26a7b7086637b874c464bd08ea8380feccb0f8360dd9e1d90e7bc instrument indenture 09.010.2020.doc
  22. - 46a27d16fbe212b6063277dc3f3f93d0a2b08200f38018b6b6255f40daf7cdaf legal agreement-09.20.doc
  23. - f7c48790933a2d3556cec777760827aa46bbdab22a736d26fa54db8d5b7c0a5e legal paper.09.010.2020.doc
  24. - 61c7c624738acfd9386163a5c002a984daddbfcd8104f6d9dc6c775d2c535220 prescribe ,09.20.doc
  25. - 6eb8a9932ae95ec0ea1d0ab727c55b854b064dc208458f5a4bf56c00c1efc0e7 prescribe -09.20.doc
  26. - 5959a0aad4a371be6769db351fc3bf6210c7ab38e4c433eeaf9bdbe2cbe2a0df report_09.20.doc
  27. - 657422689cf1dc08f7cddc4e85ee44f7dc7cea87415a5c007d000d66296848a8 rule.09.20.doc
  28. - a972412d7eee3b76fef362dc2dfa14d1e77ecc230c4edd7904d3f2ad24c8a3f8 statistics 09.20.doc
  29.  
  30. AT LEAST 10 DOMAINS HOSTING THE INSTALLER DLL:
  31.  
  32. - 1gsegpf[.]com - 193.38.55[.]37
  33. - avrb37f[.]com - 45.157.140[.]13
  34. - dr8r2rq[.]com - 185.220.32[.]112
  35. - jr1faao[.]com - 194.61.2[.]205
  36. - krqegpf[.]com - 188.120.236[.]106
  37. - krtew5f[.]com - 95.213.165[.]40
  38. - rfa8t14[.]com - 45.157.140[.]9
  39. - sasbrng[.]com - 185.82.202[.]112
  40. - ssa3afk[.]com - 45.139.184[.]133
  41. - z3as34q[.]com - 95.213.179[.]236
  42.  
  43. GET REQUESTS FOR THE INSTALLER DLL:
  44.  
  45. - GET /hokril/kolasc.php?l=anass1.cab
  46. - GET /hokril/kolasc.php?l=anass2.cab
  47. - GET /hokril/kolasc.php?l=anass3.cab
  48. - GET /hokril/kolasc.php?l=anass4.cab
  49. - GET /hokril/kolasc.php?l=anass5.cab
  50. - GET /hokril/kolasc.php?l=anass6.cab
  51. - GET /hokril/kolasc.php?l=anass7.cab
  52. - GET /hokril/kolasc.php?l=anass8.cab
  53. - GET /hokril/kolasc.php?l=anass9.cab
  54. - GET /hokril/kolasc.php?l=anass10.cab
  55. - GET /hokril/kolasc.php?l=anass11.cab
  56. - GET /hokril/kolasc.php?l=anass12.cab
  57. - GET /hokril/kolasc.php?l=anass13.cab
  58. - GET /hokril/kolasc.php?l=anass14.cab
  59. - GET /hokril/kolasc.php?l=anass15.cab
  60. - GET /hokril/kolasc.php?l=anass16.cab
  61. - GET /hokril/kolasc.php?l=anass17.cab
  62. - GET /hokril/kolasc.php?l=anass18.cab
  63.  
  64. 12 EXAMPLES OF SHA256 HASHES FOR DLL FILES USED TO INSTALL ICEDID:
  65.  
  66. - 14a26870b13d0bb57b4847728159c4f62fa4e6d734811cac644cb8c387c2892b
  67. - 32653980c15ef2c4a6b12411b5b9e2d2db7bbfb28a3595bbf707df2a9d7b84b3
  68. - 41f6ce28c517dd80c2877330f33bfe41f3977664c7d4a7cc1bad540b676e1e7e
  69. - 68545a58aea71f627758867a88a17e7e380ab786a575080ca16b7c790870f6a9
  70. - 6b2eb4a0767e551244e0d8e253550332dad808025ebfae65a31ef4376df94deb
  71. - 79d585b28d8211b54994c24243d7051ca849e2104d1aa08b50584ef36b359d59
  72. - 9151ccd149d7b0df138c7ed93e565fc2db3e531b135384f4f479627b944c1da8
  73. - a8b3ca30010c477ed5bdd06b90253d6ee8d35a56e3cbe582d50cffa23068d3a9
  74. - b25c8c35e0e2a69aa6b02ffd44e3117a4a103b626ea85ea77771ff35efd9449b
  75. - d2a19f169f78955014f2308c5257facb6e9745573ed33aeeddf52557452595ba
  76. - d5fd16ffba6b4ce79abbd1f169a90e99b8ab6d8e903375cde2fcf20f3a57493d
  77. - ef05f451610efef1893d9dc215c5e935f4fde56f33891080b4446f5a5d71b54c
  78.  
  79. EXAMPLES OF LOCATIONS FOR THE INSTALLER DLL FILES:
  80.  
  81. - C:\Users\[username]\AppData\Local\Temp\temp.tmp
  82. - C:\ProgramData\bafb9.hello
  83. - C:\ProgramData\b2a0e.hello
  84. - C:\ProgramData\c9f11.hello
  85. - C:\ProgramData\e001f.hello
  86.  
  87. RUN METHOD FOR INSTALLER DLL:
  88.  
  89. - regsvr32.exe [filename]
  90.  
  91. AT LEAST 4 DIFFERENT URLS FOR HTTPS TRAFFIC GENERATED BY INSTALLER DLLS:
  92.  
  93. - 194.113.34[.]92 port 443 - loadbejing[.]casa - GET /background.png
  94. - 194.113.34[.]92 port 443 - loadnewjersey[.]casa - GET /background.png
  95. - 52.210.73[.]176 port 443 - loaderooker[.]casa - GET /background.png
  96. - 52.210.73[.]176 port 443 - loadfrooker[.]casa - GET /background.png
  97.  
  98. 5 EXAMPLES OF SHA256 HASHES FOR THE ICEDID EXE CREATED BY ICEDID INSTALLER:
  99.  
  100. - 051329b4ccb54a317d1e02d5912585c21fc887fe551ae3e3a97c671aa50bb55b
  101. - 2579c8c3ae7cd58a61f86a7b984eac8bff9bd5a92de65fc0c124d18a1e675bd1
  102. - 7cc5bf547bcf1746d4d710c4c9750a2763547176bd3fdb4e40f301ff7fdc1d18
  103. - d6e3f20c3d9cf39d7a052c31e192b933705a84282a73225fb30f1ec980854847
  104. - e9e401467503627981ea0ff7a7971b20aef92d26d67991881f193a1c8b9ceee9
  105.  
  106. HTTPS TRAFFIC TO MALICIOUS DOMAINS CAUSED BY THE SOME OF THE ICEDID EXE FILES:
  107.  
  108. - 164.90.153[.]241 port 443 - aspellino[.]cyou
  109. - 164.90.153[.]241 port 443 - gastellino[.]top
  110. - 164.90.153[.]241 port 443 - hurmaniut[.]cyou
  111. - 164.90.153[.]241 port 443 - matrossinio[.]xyz
  112. - 164.90.153[.]241 port 443 - povoliporillio[.]xyz
  113.  
  114. HTTPS TRAFFIC TO MALICIOUS DOMAINS CAUSED BY THE SOME OF THE ICEDID EXE FILES:
  115.  
  116. - 79.141.171[.]157 port 443 - 10hesadety[.]pw
  117. - 79.141.171[.]157 port 443 - 85vumbut[.]best
  118. - 79.141.171[.]157 port 443 - asnerkifa[.]cyou
  119. - 79.141.171[.]157 port 443 - bcertyuo[.]cyou
  120. - 79.141.171[.]157 port 443 - zopenret[.]top
  121.  
  122. HTTPS TRAFFIC TO LEGITIMATE DOMAINS CAUSED BY INSTALLER DLL:
  123.  
  124. - port 443 - help.twitter.com
  125. - port 443 - support.apple.com
  126. - port 443 - support.microsoft.com
  127. - port 443 - support.oracle.com
  128. - port 443 - www.intel.com
  129. - port 443 - www.oracle.com
RAW Paste Data