malware_traffic

2020-07-28 (Tuesday) - TA551 word docs pushing IcedID (Bokbot)

Jul 28th, 2020 (edited)
2020-07-28 (TUESDAY) TA551 WORD DOCS PUSH ICEDID (BOKBOT)

REFERENCE:

- https://twitter.com/malware_traffic/status/1288207411824795653

NOTES:

- More info about TA551 (Shathak) distribution is found in my blog for Valak at Palo Alto Networks: https://unit42.paloaltonetworks.com/valak-evolution/

- Instead of pushing Valak with IcedID as follow-up malware, TA551 has been pushing IcedID for English-speaking victims since 2020-07-14 (documented at https://isc.sans.edu/forums/diary/Word+docs+with+macros+for+IcedID+Bokbot/26352/) and nearly every weekday since then.

- Today, the TA551 (Shathak) campaign in some cases used cURL to retrieve the IcedID installer DLL, but in other examples it did not use cURL.

- All the files below have been submitted to bazaar.abuse.ch

- All of the URLs for the IcedID installer have been submitted to urlhaus.abuse.ch

22 EXAMPLES OF WORD DOCS WITH MACRO FOR ICEDID INSTALLER DLL:


AT LEAST 10 DOMAINS HOSTING ICEDID INSTALLER DLL:


HTTP GET REQUESTS FOR ICEDID INSTALLER DLL:


22 EXAMPLES OF SHA256 HASHES FOR ICEDID INSTALLER DLL:


- NOTE: All the above DLL files run with: Regsvr32.exe [filename]

TWO LOCATIONS NOTED FOR THE ICEDID INSTALLER DLL FILES:

- C:\ProgramData\1.tmp
- C:\Users\[username]\AppData\Local\Temp\main.theme

TRAFFIC CAUSED BY ICEDID INSTALLER DLL:

- port 443 - support.apple.com
- port 443 - support.microsoft.com
- port 443 - help.twitter.com

- 159.89.174[.]73 port 443 - ldrfoxtrot[.]casa
- 194.5.249[.]184 port 443 - ldrvals[.]casa