malware_traffic

2020-09-10 (Thursday) TA551 (Shathak) Word docs pushing IcedID

2020-09-10 (THURSDAY) - TA551 (SHATHAK) WORD DOCUMENTS WITH MACROS PUSHING ICEDID MALWARE:

CHAIN OF EVENTS:

- malspam --> password-protected zip attachment --> extracted Word doc --> enable macros --> installer DLL --> IcedID EXE

20 EXAMPLES OF SHA256 HASHES FOR WORD DOCS WITH MACROS FOR ICEDID:


AT LEAST 10 DOMAINS HOSTING THE INSTALLER DLL:


GET REQUESTS FOR THE INSTALLER DLL:


12 EXAMPLES OF SHA256 HASHES FOR DLL FILES USED TO INSTALL ICEDID:


EXAMPLES OF LOCATIONS FOR THE INSTALLER DLL FILES:

- C:\Users\[username]\AppData\Local\Temp\temp.tmp
- C:\ProgramData\bafb9.hello
- C:\ProgramData\b2a0e.hello
- C:\ProgramData\c9f11.hello
- C:\ProgramData\e001f.hello

RUN METHOD FOR INSTALLER DLL:

- regsvr32.exe [filename]

AT LEAST 4 DIFFERENT URLS FOR HTTPS TRAFFIC GENERATED BY INSTALLER DLLS:

- 194.113.34[.]92 port 443 - loadbejing[.]casa - GET /background.png
- 194.113.34[.]92 port 443 - loadnewjersey[.]casa - GET /background.png
- 52.210.73[.]176 port 443 - loaderooker[.]casa - GET /background.png
- 52.210.73[.]176 port 443 - loadfrooker[.]casa - GET /background.png

5 EXAMPLES OF SHA256 HASHES FOR THE ICEDID EXE CREATED BY ICEDID INSTALLER:


HTTPS TRAFFIC TO MALICIOUS DOMAINS CAUSED BY SOME OF THE ICEDID EXE FILES:

HTTPS TRAFFIC TO LEGITIMATE DOMAINS CAUSED BY INSTALLER DLL:

- port 443 - help.twitter.com
- port 443 - support.apple.com
- port 443 - support.microsoft.com
- port 443 - support.oracle.com
- port 443 - www.intel.com
- port 443 - www.oracle.com