malware_traffic

2020-07-28 (Tuesday) - TA551 word docs pushing IcedID (Bokbot)

Jul 28th, 2020 (edited)
2020-07-28 (TUESDAY) TA551 WORD DOCS PUSH ICEDID (BOKBOT)

REFERENCE:

- https://twitter.com/malware_traffic/status/1288207411824795653

NOTES:

- More info about TA551 (Shathak) distribution is found in my blog for Valak at Palo Alto Networks: https://unit42.paloaltonetworks.com/valak-evolution/

- Instead of pushing Valak with IcedID as follow-up malware, TA551 has been pushing IcedID for English-speaking victims since 2020-07-14, documented at https://isc.sans.edu/forums/diary/Word+docs+with+macros+for+IcedID+Bokbot/26352/ and nearly every weekday since then.

- Today, the TA551 (Shathak) campaign in some cases used cURL to retrieve the IcedID installer DLL, but in other examples it did not use cURL.

- All the files below have been submitted to bazaar.abuse.ch

- All of the URLs for the IcedID installer have been submitted to urlhaus.abuse.ch

22 EXAMPLES OF WORD DOCS WITH MACRO FOR ICEDID INSTALLER DLL:

AT LEAST 10 DOMAINS HOSTING ICEDID INSTALLER DLL:

HTTP GET REQUESTS FOR ICEDID INSTALLER DLL:

22 EXAMPLES OF SHA256 HASHES FOR ICEDID INSTALLER DLL:

- NOTE: All the above DLL files run with: Regsvr32.exe [filename]

TWO LOCATIONS NOTED FOR THE ICEDID INSTALLER DLL FILES:

- C:\ProgramData\1.tmp
- C:\Users\[username]\AppData\Local\Temp\main.theme

TRAFFIC CAUSED BY ICEDID INSTALLER DLL:

- port 443 - support.apple.com
- port 443 - support.microsoft.com
- port 443 - help.twitter.com

- 159.89.174[.]73 port 443 - ldrfoxtrot[.]casa
- 194.5.249[.]184 port 443 - ldrvals[.]casa
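Added example (not part of the paste): a small detection check, run over constructed process-creation and proxy events, for the behaviours noted above: regsvr32 loading the installer DLL from the two drop locations, the installer retrieval URL pattern, and contact with the two C2 hosts in the traffic section. It generalises the first drop path to any N.tmp under C:\ProgramData; the sample events and the example.test host are constructed and stand in for real telemetry.

```python
import re

# Drop paths from the NOTES above; the digit pattern generalises "1.tmp" to any N.tmp (assumption).
DROP_PATHS = [
    re.compile(r"^C:\\ProgramData\\\d+\.tmp$", re.I),
    re.compile(r"^C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\main\.theme$", re.I),
]
# Installer retrieval URL pattern seen in this campaign (liut1.cab ... liut15.cab).
INSTALLER_URL = re.compile(r"^/bolb/jaent\.php\?l=liut\d+\.cab$", re.I)
# C2 hosts contacted by the installer DLL, from the traffic section.
C2_DOMAINS = {"ldrfoxtrot.casa", "ldrvals.casa"}

def flag_process(image, cmdline):
    """Finding if regsvr32 loads a DLL from one of the drop paths, else None."""
    if not image.lower().endswith("\\regsvr32.exe"):
        return None
    # Split into quoted or unquoted arguments and skip argv[0].
    args = [q or u for q, u in re.findall(r'"([^"]+)"|(\S+)', cmdline)][1:]
    for arg in args:
        if any(p.match(arg) for p in DROP_PATHS):
            return f"regsvr32 loading DLL from IcedID drop path: {arg}"
    return None

def flag_http(method, host, uri):
    """Finding for the installer download pattern or C2 contact, else None."""
    if method.upper() == "GET" and INSTALLER_URL.match(uri):
        return f"IcedID installer DLL retrieval from {host}: {uri}"
    if host.lower() in C2_DOMAINS:
        return f"traffic to IcedID installer C2 host: {host}"
    return None

def scan(events):
    """Run both checks over event dicts ('process' or 'http') and return findings."""
    hits = [flag_process(e["image"], e["cmdline"]) if e["type"] == "process"
            else flag_http(e["method"], e["host"], e["uri"]) for e in events]
    return [h for h in hits if h]

# Constructed sample events (not from the paste); example.test stands in for a hosting domain.
REGSVR = r"C:\Windows\System32\regsvr32.exe"
SAMPLE_EVENTS = [
    {"type": "process", "image": REGSVR, "cmdline": r"regsvr32.exe C:\ProgramData\1.tmp"},
    {"type": "process", "image": REGSVR,
     "cmdline": r'regsvr32.exe /s "C:\Users\alice\AppData\Local\Temp\main.theme"'},
    {"type": "process", "image": REGSVR, "cmdline": r"regsvr32.exe /s C:\Windows\System32\shell32.dll"},
    {"type": "http", "method": "GET", "host": "example.test", "uri": "/bolb/jaent.php?l=liut7.cab"},
    {"type": "http", "method": "GET", "host": "support.apple.com", "uri": "/"},
    {"type": "http", "method": "GET", "host": "ldrvals.casa", "uri": "/"},
]
```

Running `scan(SAMPLE_EVENTS)` yields four findings: the two drop-path loads, the installer download, and the C2 contact, while the benign regsvr32 call and the support.apple.com request (which the installer also makes, but which is not an indicator by itself) pass silently.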