API tools faq
paste
malware_traffic

2020-09-11 (Friday) TA551 (Shathak) Word docs pushing IcedID

malware_traffic
Sep 11th, 2020 (edited)
9,084
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 5.98 KB | None | 0 0
raw download clone embed print report
  1. 2020-09-11 (FRIDAY) - TA551 (SHATHAK) WORD DOCS WITH MACROS FOR ICEDID:
  2.  
  3. CHAIN OF EVENTS:
  4.  
  5. - malspam --> password-protected zip attachment --> extracted Word doc --> enable macros --> installer DLL --> IcedID EXE
  6.  
  7. 24 EXAMPLES OF TA551 WORD DOCS WITH MACROS FOR ICEDID:
  8.  
  9. - 3faf7acb478370a170421a1b482eb03eac2e8299c4f5a3454e5f17c36c55022b bid 09.11.2020.doc
  10. - 8d0f4f0e727e92bb5397a44f04adac98badc4df6ad8b957f38352c95daf24c1c bid_09.11.2020.doc
  11. - 3243069cdcf0b33e18e64b27f04fdde74e5c74c0782c60d71ae33ef25eb86053 certificate.09.20.doc
  12. - bd1ddeb98394b36ca719c7805a6c0b50247f34c42d65c86bfb9514a1c3bb6469 command,09.20.doc
  13. - 1bed53e1bde6be3f82fe3dd44aa51fb893f1532cb21f6269ba15997272cc20ac decree,09.20.doc
  14. - b40446babccd8f11a37ddc9e76c328d0192ac2271d6fd8ec59ab73e258f2b4e1 docs 09.11.2020.doc
  15. - 5f3ff4e03546409fcff785d95c92c991bdde635198d412d52568796064dc7e6f docs_09.11.2020.doc
  16. - ffe9a89fd37cf7b93ffa509593d9a35274d6433f0f72eaa819d86a3a4deefef2 enjoin 09.20.doc
  17. - 6df823e7c074c216cd1a908b07037139823f7ebb0f5a87d7aac278e5eada241d enjoin-09.20.doc
  18. - e67d1fa25e2b18fdf298eb28a377a3b8d550b4e8e746c6829e934cf050f1e403 inquiry 09.20.doc
  19. - 7d5bfcb69c9e77593a9c034c6d1772beabbab437fd882f8825e244f64e64ff7f intelligence 09.11.2020.doc
  20. - 8e0de87f2a89746f66591f407cac810a141a16b0710ce71e94c0dd9492d968f5 intelligence 09.20.doc
  21. - aef85fab6ec98e3578af4dbf3e2d4455e41f2818d4d420a2e22839ccc94f173a legislate 09.11.2020.doc
  22. - 76eed2d0be80328857632eea35b65fa97e6600df9047f10d7231159ad7a99efd legislate,09.20.doc
  23. - 4e7a777cc596883f81a581fb6b12fbb42a4acddd3905ee00cace076cc3c24d56 legislate-09.20.doc
  24. - 14024cb901d499a7d23ec706ef0e813c6dccaa895041632844cddf6a8a9ead10 legislate_09.11.2020.doc
  25. - ba978c0f11958ebf0cf734ceb7f9a5a08b7a224ce19582389cc9544bb8823ec0 material,09.11.2020.doc
  26. - 05b2c20f81faed55c758de46f33f68b91021d233435a82d1749b8f79fdb31a3d ordain_09.20.doc
  27. - 84f56506eefbabb6ef4d09b1632f78fc2dba9ca62f3de53d67e2e181b416b5ae question 09.20.doc
  28. - 6eb29c273c0a5b5275cd81040d4a28dc91e15d01fce392da9de4064a3147a59a report,09.11.2020.doc
  29. - 6c2a461a9082f0b2ceef42588c4568620f0ab3ae934c6d20ae8b5f8908bc64ec rule 09.11.20.doc
  30. - ac68afe990cfea9ccc01fe3c15e305338fb32597fc79b2ba2e2949f5e8310578 specifics-09.11.2020.doc
  31. - 5cae21d65fc0fe0f1b394d61694f0ae5cfe6214aaebba22bd7661aad1704a45c statistics 09.20.doc
  32. - 588032bd2e8622ba06bcdb1e64886908a29880376152b38e9c5b32bac4d686a4 tell,09.20.doc
  33.  
  34. AT LEAST 8 DOMAINS HOSTING THE ICEDID DLL:
  35.  
  36. - a66i3j[.]com - 193.38.55[.]37
  37. - bkyigbm[.]com - 62.109.11[.]237
  38. - bz3izuh[.]com - 91.208.184[.]201
  39. - cf09oe[.]com - 185.92.202[.]112
  40. - cjlf16[.]com - 188.120.236[.]106
  41. - ozxa1jr[.]com - 45.157.140[.]13
  42. - sjfmz82[.]com - 45.157.140[.]9
  43. - ugnlgg[.]com - 185.118.164[.]236
  44.  
  45. URLS FOR ICEDID DLL:
  46.  
  47. - GET /fuho/zahel.php?l=xavab1.cab
  48. - GET /fuho/zahel.php?l=xavab2.cab
  49. - GET /fuho/zahel.php?l=xavab3.cab
  50. - GET /fuho/zahel.php?l=xavab4.cab
  51. - GET /fuho/zahel.php?l=xavab5.cab
  52. - GET /fuho/zahel.php?l=xavab6.cab
  53. - GET /fuho/zahel.php?l=xavab7.cab
  54. - GET /fuho/zahel.php?l=xavab8.cab
  55. - GET /fuho/zahel.php?l=xavab9.cab
  56. - GET /fuho/zahel.php?l=xavab10.cab
  57. - GET /fuho/zahel.php?l=xavab11.cab
  58. - GET /fuho/zahel.php?l=xavab12.cab
  59.  
  60. 14 EXAMPLES OF ICEDID INSTALLER DLLS:
  61.  
  62. - 1b17fc75a68fe091ae05f11e691996f4ecf647c9fb67fec38ebf51d4d7a62b40
  63. - 3ef3619c3a30eb03404764d7267199efdda86e88b6f4f5ba20e641ffd253eecf
  64. - 43dc5609f777298976914cf417b149f909faf6084a36e83b71cf94dd73e9cb1e
  65. - 485e15d8c1b907a2daaade0ef3817411621f192effcfcd4e158684d6032b82e8
  66. - 6d405d85091429bfef38e34aab90e5fa509eab2e4eec28ba93b5a2ce0d9b1748
  67. - 75a7cb73ca0e01413462b0ec15317c855bc24bec0850324b97eb72c4fd429313
  68. - 839aee5f9b2423c3be1f78f949ae3cfcee9094434297a35ff0318791ef87bf3e
  69. - a48f59d33ac08e950742939e171916ada09359132110009ccb0fc14d45dcd876
  70. - c2a2b61003dba1e5d6da5b397439e2f7f79615ef10a3f8cb57ac90fe9a0b5fb7
  71. - d40581eae03d0d9e188296e6c15fbfb4fae8d4272d6803f9f0be349e6f237adc
  72. - df63a9a56f4a68d159e7aaa9067e3c8be8cb3c2af583d087835b7d147f0903b1
  73. - e39108f06a9bdc616ab8f3e768662c5c5db946e9511d8949ec4da3e9ff0b4633
  74. - efe2e772af8c69f1eadde7e5e75d5f7b39ab8c14a2c8685bbc39f52290839b57
  75. - f626c9dfd4f8e8c2aea66ff011aa1a1dd06106133bf5a80cdcbb48a608a9f03f
  76.  
  77. EXAMPLES OF LOCATIONS FOR THE INSTALLER DLL FILES:
  78.  
  79. - C:\Users\[username]\AppData\Local\Temp\temp.tmp
  80. - C:\ProgramData\bcbfa.hello
  81. - C:\ProgramData\cb54e.hello
  82. - C:\ProgramData\cd23e.hello
  83. - C:\ProgramData\ebf45.hello
  84. - C:\ProgramData\f8a36.hello
  85.  
  86. DLL RUN METHOD:
  87.  
  88. - regsvr32.exe [filename]
  89.  
  90. AT LEAST 3 DIFFERENT URLS FOR HTTPS TRAFFIC GENERATED BY INSTALLER DLLS:
  91.  
  92. - 194.113.34[.]92 port 443 - loadperventin[.]casa - GET /background.png
  93. - 159.65.137[.]90 port 443 - ldrplastic[.]casa - GET /background.png
  94. - 159.65.137[.]90 port 443 - loadspanny[.]casa - GET /background.png
  95.  
  96. SHA256 HASHES FOR ICEDID EXE CREATED BY ICEDID INSTALLER (EXAMPLE 1):
  97.  
  98. - 3b95da4a63198b1250b585db653af3b21bb20cc1689bf768f042d62d815c6ee4 (initial)
  99. - 0f77b1fb5f4848703da462f84d0de845268f7a1bfb6f08d59726a3e224a4567a (persistent)
  100.  
  101. HTTPS TRAFFIC TO MALICIOUS DOMAINS CAUSED BY THE ABOVE ICEDID EXE FILES:
  102.  
  103. - 68.183.47[.]194 port 443 - budagent[.]cyou
  104. - 68.183.47[.]194 port 443 - castrovillage[.]cyou
  105. - 68.183.47[.]194 port 443 - delegatoz[.]xyz
  106. - 68.183.47[.]194 port 443 - patriwifecis[.]cyou
  107.  
  108. SHA256 HASHES FOR ICEDID EXE CREATED BY ICEDID INSTALLER (EXAMPLE 2):
  109.  
  110. - 49a6d713a8ffe3a194498f25450bc11a1e85657530798318378cbfae479a28dd (initial)
  111. - 691484e4df83d6f592a0ddebd8bd1afffc4568205a3b7f51c11c549124a1150c (persistent)
  112.  
  113. HTTPS TRAFFIC TO MALICIOUS DOMAINS CAUSED BY THE ABOVE ICEDID EXE FILES:
  114.  
  115. - 164.90.153[.]241 port 443 - jheckler[.]top
  116. - 164.90.153[.]241 port 443 - tizersincluded[.]best
  117. - 164.90.153[.]241 port 443 - saqerisation[.]best
  118. - 164.90.153[.]241 port 443 - matrossinio[.]xyz
  119. - 164.90.153[.]241 port 443 - povoliporillio[.]xyz
  120.  
  121. HTTPS TRAFFIC TO LEGITIMATE DOMAINS FROM THE INFECTION:
  122.  
  123. - port 443 - www.intel.com
  124. - port 443 - support.oracle.com
  125. - port 443 - www.oracle.com
  126. - port 443 - support.apple.com
  127. - port 443 - support.microsoft.com
  128. - port 443 - help.twitter.com
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!