- 2020-07-28 (TUESDAY) TA551 WORD DOCS PUSH ICEDID (BOKBOT)
- REFERENCE:
- - https://twitter.com/malware_traffic/status/1288207411824795653
- NOTES:
- - More info about TA551 (Shathak) distribution can be found in my blog post on Valak at Palo Alto Networks: https://unit42.paloaltonetworks.com/valak-evolution/
- - Instead of pushing Valak with IcedID as follow-up malware, TA551 has been pushing IcedID for English-speaking victims since 2020-07-14, documented at https://isc.sans.edu/forums/diary/Word+docs+with+macros+for+IcedID+Bokbot/26352/ and nearly every weekday since then.
- - Today, the TA551 (Shathak) campaign in some cases used cURL to retrieve the IcedID installer DLL, but in other examples it did not use cURL.
- - All the files below have been submitted to bazaar.abuse.ch
- - All of the URLs for the IcedID installer have been submitted to urlhaus.abuse.ch
- 22 EXAMPLES OF WORD DOCS WITH MACRO FOR ICEDID INSTALLER DLL:
- AT LEAST 10 DOMAINS HOSTING ICEDID INSTALLER DLL:
- HTTP GET REQUESTS FOR ICEDID INSTALLER DLL:
- - GET /bolb/jaent.php?l=liut1.cab
- - GET /bolb/jaent.php?l=liut2.cab
- - GET /bolb/jaent.php?l=liut3.cab
- - GET /bolb/jaent.php?l=liut4.cab
- - GET /bolb/jaent.php?l=liut5.cab
- - GET /bolb/jaent.php?l=liut6.cab
- - GET /bolb/jaent.php?l=liut7.cab
- - GET /bolb/jaent.php?l=liut8.cab
- - GET /bolb/jaent.php?l=liut9.cab
- - GET /bolb/jaent.php?l=liut10.cab
- - GET /bolb/jaent.php?l=liut11.cab
- - GET /bolb/jaent.php?l=liut12.cab
- - GET /bolb/jaent.php?l=liut13.cab
- - GET /bolb/jaent.php?l=liut14.cab
- - GET /bolb/jaent.php?l=liut15.cab
- 22 EXAMPLES OF SHA256 HASHES FOR ICEDID INSTALLER DLL:
- - NOTE: All the above DLL files run with: Regsvr32.exe [filename]
- TWO LOCATIONS NOTED FOR THE ICEDID INSTALLER DLL FILES:
- - C:\ProgramData\1.tmp
- - C:\Users\[username]\AppData\Local\Temp\main.theme
- TRAFFIC CAUSED BY ICEDID INSTALLER DLL:
- - port 443 - support.apple.com
- - port 443 - support.microsoft.com
- - port 443 - help.twitter.com
- - 159.89.174[.]73 port 443 - ldrfoxtrot[.]casa
- - 194.5.249[.]184 port 443 - ldrvals[.]casa
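As an added example (not part of the original notes), the installer URL pattern and the regsvr32 loading behaviour listed above turned into a small detection check over constructed log lines; the hostnames and the log format are placeholders, not from the page:

```python
import re

# Indicators taken from the notes above: the installer is fetched from
# /bolb/jaent.php?l=liutN.cab and then loaded with "Regsvr32.exe [filename]"
# from one of the two observed file locations.
URL_PATTERN = re.compile(r"/bolb/jaent\.php\?l=liut\d+\.cab(?:$|[&#])")
DLL_PATHS = re.compile(
    r"(?i)(?:c:\\programdata\\1\.tmp|\\appdata\\local\\temp\\main\.theme)\b"
)
REGSVR32 = re.compile(r"(?i)(?:^|\\|\s)regsvr32(?:\.exe)?\b")


def is_installer_fetch(url: str) -> bool:
    """True when a URL matches the IcedID installer download pattern."""
    return URL_PATTERN.search(url) is not None


def is_installer_load(cmdline: str) -> bool:
    """True when regsvr32 loads a DLL from one of the noted locations."""
    return REGSVR32.search(cmdline) is not None and DLL_PATHS.search(cmdline) is not None


def scan(lines):
    """Return (line_no, reason) for each log line that matches an indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        if line.startswith("proxy ") and is_installer_fetch(line):
            hits.append((n, "icedid-installer-download"))
        elif line.startswith("proc ") and is_installer_load(line):
            hits.append((n, "icedid-installer-regsvr32"))
    return hits


# Constructed sample lines in a made-up "<source> <data>" format; the
# hostname is a placeholder and the last two lines are benign controls.
SAMPLE_LOGS = [
    "proxy GET http://placeholder-domain.example/bolb/jaent.php?l=liut4.cab",
    "proxy GET http://placeholder-domain.example/index.php?l=liut4.cab",
    "proc C:\\Windows\\System32\\regsvr32.exe C:\\ProgramData\\1.tmp",
    "proc C:\\Windows\\System32\\regsvr32.exe C:\\Users\\alice\\AppData\\Local\\Temp\\main.theme",
    "proc C:\\Windows\\System32\\regsvr32.exe /s C:\\Program Files\\Vendor\\lib.dll",
]

if __name__ == "__main__":
    for n, reason in scan(SAMPLE_LOGS):
        print(n, reason)
```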