- 2020-07-24 (FRIDAY) TA551 (SHATHAK) WORD DOCS PUSHING ICEDID (BOKBOT)
- REFERENCE
- - https://twitter.com/malware_traffic/status/1286746013680705542
- NOTES:
- - All the files below have been submitted to bazaar.abuse.ch
- - All of the URLs for the IcedID installer have been submitted to urlhaus.abuse.ch
- CHAIN OF EVENTS:
- - Email spoofing legitimate email chain --> password-protected zip attachment --> extracted Word doc --> enable macros --> IcedID installer DLL --> IcedID EXE
- 20 EXAMPLES OF WORD DOCS WITH MACROS FOR ICEDID:
- - 023bdc925e25b0750d71a599c6b46133558a7c3c7c58050111c02ed1856a52c1 details 07.20.doc
- - 0b82a611bceda28384e49036dcbcf88e5ab6d752f8cddcccb49d2633c922df07 statistics_07.20.doc
- - 0ce3748a78fa4f6856a40794c81a8261f88a1cea510f7a7030391faedb3cccc7 facts-07.20.doc
- - 18ec82766533f228240fa837ee8fc2799c3a32708e9403514f9e2ec8a01421cf files-07.24.2020.doc
- - 1a743501f877788331cbd6faf1bc0e9473294f728580f092350c5bda278534a6 direct 07.20.doc
- - 223f99ee34f993d357bccf22576f510d477bc3bfdaa2c5ece86341a6a2a8bf82 bid_07.20.doc
- - 57f8322d94ff2292bb449be2ff537b56413646c4a3094fe634306e447bdacb0f official paper-07.20.doc
- - 592b7789b3795c9936409600b15e6bb05ae4d0faaa8c85c2ea2ab55c039b3206 dictate.07.24.2020.doc
- - 5d6306e4dce4e12af7a389b86d7c26aef1bbec87293392e3f17f0c9fc129f63b files_07.20.doc
- - 643d4820da0c5a4317dc0417bb8cb305aa5114949eedabb40a82e679ae77044a docs_07.20.doc
- - 738a757222ae93505bdffe8590ecaf6ba75d0b03aba7fe756903cedccb7cc9d6 order.07.24.2020.doc
- - 7c2c113f940ce804ac05ed024a0962fc908d82ebe6359a0c2ca35c2e3141a3fe material_07.20.doc
- - 9fef9399b35b131a0901af5d8a881841856fe10e5145d3356b3ec6199b1d6932 adjure_07.20.doc
- - a13b0c4825eeec6781d90ff06ae68ae9d7651849fbba458668bec84c100df506 report,07.24.20.doc
- - bdf670111b028631c5ef72d1a176d10f56f4f53ec97f8a3757c21287148c3dbc commerce 07.20.doc
- - c20e643cdd649219eac1524f5b849fa09db331ba4dac3ee35b3c3abc4c7113c1 legal paper,07.20.doc
- - c5316b6f4fec5e576055da9c33f7f68e7e06a96b8758840baaef8e6a386fd08a docs-07.24.20.doc
- - db9a11b3fa7d687d35d3ff6a53a0eb9c68a84c6acfe578e9437870f5679a7de4 decree.07.24.2020.doc
- - e3691793dffbc3234b4472dbb351e60b40da2fdb0ffe9cd5d5ee0ee3c84bf1bb commerce -07.20.doc
- - f68bbc6e0cbc6c507b80db4e7af29f9b9ed2a7c39b93f8f99c6face63362117e legal paper 07.24.2020.doc
- DOMAINS HOSTING THE ICEDID INSTALLER DLL FILES:
- - 63gtxkqvv[.]com - 185.195.26[.]148
- - b28h13xbx[.]com - 185.87.48[.]99
- - bpnztvz2x[.]com - 185.43.4[.]205
- - fg8h4913m[.]com - 95.181.179[.]145
- - g8gj20th7[.]com - 185.242.85[.]13
- - kso7s3fyt[.]com - 45.12.4[.]132
- - p1s7p1m95[.]com - 79.174.12[.]35
- - pyfdn25qu[.]com - 185.242.85[.]3
- - x5t3l5gnr[.]com - 185.242.85[.]12
- - zai5fp642[.]com - 185.242.85[.]37
- URLS TO RETRIEVE THE ICEDID INSTALLER DLL FILES:
- - GET /xemcl/iba.php?l=kfa1.cab
- - GET /xemcl/iba.php?l=kfa2.cab
- - GET /xemcl/iba.php?l=kfa3.cab
- - GET /xemcl/iba.php?l=kfa4.cab
- - GET /xemcl/iba.php?l=kfa5.cab
- - GET /xemcl/iba.php?l=kfa6.cab
- - GET /xemcl/iba.php?l=kfa7.cab
- - GET /xemcl/iba.php?l=kfa8.cab
- - GET /xemcl/iba.php?l=kfa9.cab
- - GET /xemcl/iba.php?l=kfa10.cab
- - GET /xemcl/iba.php?l=kfa11.cab
- - GET /xemcl/iba.php?l=kfa12.cab
- - GET /xemcl/iba.php?l=kfa13.cab
- - GET /xemcl/iba.php?l=kfa14.cab
- - GET /xemcl/iba.php?l=kfa15.cab
- 20 EXAMPLES OF SHA256 HASHES FOR ICEDID INSTALLER DLL FILES:
- - 02bba588a27c4981983117d23945d68b369c83210cfa783b02655eabdba49c18
- - 07fe977241ab3c72ac5653b08767c0aa6f8e37d89f292a9fcc5b30a4e407e68c
- - 0b4bb7af858e9428e43153bacc5bdebd4bf97f8e9f9c0dc2dd037fa181220381
- - 1a52bbec7ef2295d56f68188aefd79c39f9bdc859b2e918a1c430153581898b7
- - 2c8baba0134cce117ab6958582bbce1691c9b9ca9cffd4478ccbaf6c97d8c9fe
- - 35485f11536217e6799281d7dbd12e4986cedcde64c8081f28af3ac428bed54c
- - 461509400e7505dd553124d4ee95c073cc9031d73c8380cafed0cc9bc8b696cc
- - 6095525df3b44b1a3ed02aace8edfa6adce837e758ea859457f58fcff1d98095
- - 60cb915575571cb1875f15b6d19763bdf52535186c877867c1536e0df8c93fd9
- - 6196a0966d3fbe5726736f0fd7661a0a928fdce345cb377e79cea039594a79f0
- - 763045778cf8977b3da1f081ce871cf57570cfafa98d9d4c0334e554a0d77ac3
- - 773db63cdf78ec25bbc40b79ce96f2400f4b088cc620d761482e87a377eb2288
- - a00dd572aecd2c1fb8755b09cf33d85beecae09c804019409ca37742e55e8c3f
- - be939d82fb1676fdeb6060916e18daf0577b3ec8552ee9a7641c2badb8686a47
- - ce6e51ab9d45e2555cec4cc21eae79584f23fe843c04313d6a2ffc21e0fddd49
- - d4b434dc8bef0c0c2bd6935fec98cb27cf15121cf68c8e6809d7d4526e04eb50
- - d9b40c2b268ff23981ec939f0b1d8e395df51e0545e1ada4fd1cc16b60c574b6
- - e2208fafeb8a5de2f8c0af2216a6b6eea73f0c0fd9592bd269a34e9e7d17dae7
- - f9601ab6242b4a31667cff010680e4cab77557a549239b7602aa3680a7d949ed
- - fa094bff6d87bb0eba8f67b9e9732f7c5036e1dc8d9ef362699360ad02db766f
- - NOTE: All the above DLL files run with: Regsvr32.exe [filename]
- LOCATIONS FOR THE ICEDID INSTALLER DLL FILES:
- - Same directory as the Word doc, file name: TT.pdf
- - Same directory as the Word doc, file name: x6.pdf
- - C:\Users\[username]\Documents\TT.pdf
- - C:\Users\[username]\AppData\Local\Temp\111.jpg
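The two behaviours this paste documents that survive a change of hashes are the installer download pattern (the `/xemcl/iba.php?l=kfaN.cab` URIs) and the execution method (Regsvr32.exe loading a DLL renamed to `.pdf` or `.jpg` from the Word doc's directory, `Documents` or `Local\Temp`). The following is an added example, not code from the paste's author, that turns those observations into detection logic and runs it over constructed sample log lines. The proxy-log and process-creation formats are invented for the example; the `kfa\d+` regex generalises the fifteen listed URLs and assumes the numeric suffix is the only variable part; treating WINWORD.EXE as the expected parent of Regsvr32 is an assumption drawn from the "enable macros --> IcedID installer DLL" step, not something the paste states.

```python
"""Detection helpers for the TA551 / IcedID indicators in the paste above.

Added example, not part of the original paste. The log formats are
constructed for illustration; adapt the two parsers to your own telemetry.
"""
import re
from typing import List

# Defanged indicators copied from the paste (installer hosts plus the
# post-infection HTTPS hosts). refang() makes them matchable against logs.
DEFANGED_HOSTS = [
    "63gtxkqvv[.]com", "b28h13xbx[.]com", "bpnztvz2x[.]com", "fg8h4913m[.]com",
    "g8gj20th7[.]com", "kso7s3fyt[.]com", "p1s7p1m95[.]com", "pyfdn25qu[.]com",
    "x5t3l5gnr[.]com", "zai5fp642[.]com",
    "loadkanoe[.]casa", "passiopersio[.]top", "iskuliokilo[.]pw",
]
DEFANGED_IPS = [
    "185.195.26[.]148", "185.87.48[.]99", "185.43.4[.]205", "95.181.179[.]145",
    "185.242.85[.]13", "45.12.4[.]132", "79.174.12[.]35", "185.242.85[.]3",
    "185.242.85[.]12", "185.242.85[.]37", "138.68.50[.]71", "194.5.249[.]122",
]


def refang(ioc: str) -> str:
    """Turn analyst-defanged notation ('[.]', 'hxxp') back into a matchable string."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").lower()


KNOWN_HOSTS = {refang(h) for h in DEFANGED_HOSTS}
KNOWN_IPS = {refang(i) for i in DEFANGED_IPS}

# Generalised from the 15 listed download URLs (kfa1.cab .. kfa15.cab).
# Assumption: only the numeric suffix varies.
INSTALLER_URI = re.compile(r"^/xemcl/iba\.php\?l=kfa\d+\.cab$", re.IGNORECASE)

# Regsvr32 given a file that is not a DLL/OCX, or one that lives in a
# user-writable location (Documents, AppData\Local\Temp), as in the
# LOCATIONS section (TT.pdf, x6.pdf, 111.jpg). Optional /switches are skipped.
REGSVR32_ARG = re.compile(
    r'regsvr32(?:\.exe)?\s+(?:/\w+\s+)*"?(?P<path>[^"\s]+)', re.IGNORECASE)
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(?:documents|appdata\\local\\temp)\\", re.IGNORECASE)
DLL_LIKE_EXT = (".dll", ".ocx")


def check_proxy_line(line: str) -> List[str]:
    """Constructed proxy format: '<client> <host> <method> <uri> <status>'."""
    fields = line.split()
    if len(fields) < 5:
        return []
    _, host, _, uri, _ = fields[:5]
    hits = []
    if host.lower() in KNOWN_HOSTS or host in KNOWN_IPS:
        hits.append(f"known TA551/IcedID host: {host}")
    if INSTALLER_URI.match(uri):
        hits.append(f"IcedID installer download pattern: {uri}")
    return hits


def check_process_line(line: str) -> List[str]:
    """Constructed process-creation format:
    'Image=<exe> CommandLine="<cmd>" ParentImage=<exe>' (ParentImage last)."""
    cmd = re.search(r'CommandLine="([^"]*)"', line)
    if not cmd:
        return []
    arg = REGSVR32_ARG.search(cmd.group(1))
    if not arg:
        return []
    path = arg.group("path")
    hits = []
    if not path.lower().endswith(DLL_LIKE_EXT):
        hits.append(f"regsvr32 loading a non-DLL extension: {path}")
    if USER_WRITABLE.search(path):
        hits.append(f"regsvr32 loading from a user-writable path: {path}")
    parent = re.search(r"ParentImage=(.*)$", line)
    # Assumption: the macro launches regsvr32 directly, so WINWORD is the parent.
    if parent and parent.group(1).strip().lower().endswith("winword.exe"):
        hits.append("regsvr32 spawned by WINWORD.EXE")
    return hits


# Constructed sample telemetry: one installer download, one benign request,
# one suspicious regsvr32 launch, one benign regsvr32 launch.
SAMPLE_PROXY = [
    "10.0.0.5 63gtxkqvv.com GET /xemcl/iba.php?l=kfa3.cab 200",
    "10.0.0.5 www.example.org GET /index.html 200",
]
SAMPLE_PROCESS = [
    r'Image=C:\Windows\System32\regsvr32.exe '
    r'CommandLine="regsvr32.exe C:\Users\alice\Documents\TT.pdf" '
    r'ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE',
    r'Image=C:\Windows\System32\regsvr32.exe '
    r'CommandLine="regsvr32.exe /s C:\Windows\System32\msxml3.dll" '
    r'ParentImage=C:\Windows\System32\msiexec.exe',
]


def run_samples() -> List[List[str]]:
    """Return the hit list for each sample line, proxy lines first."""
    return ([check_proxy_line(l) for l in SAMPLE_PROXY]
            + [check_process_line(l) for l in SAMPLE_PROCESS])


if __name__ == "__main__":
    for hits in run_samples():
        print(hits or "no match")
```

The host/IP match is the brittle part (the listed domains are throwaway), so the URI regex and the regsvr32 checks are the rules worth keeping; the regsvr32 checks will also fire on other loaders that abuse the same LOLBin, which is usually what a defender wants.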
- ICEDID EXE FILES FROM AN INFECTED HOST:
- - 2bfb7c6f527c597c2d48cc2408f5162ecdfcc220053882f330817fcb671f4bd2
- - 30193b1d6545ea9f269bcdd6ba7e8f7770317668933669d425d0d4dfcf90b1c6
- IP ADDRESSES/DOMAINS FOR HTTPS TRAFFIC CAUSED BY ICEDID:
- 138.68.50[.]71 port 443 - loadkanoe[.]casa - GET /backgound.png
- 194.5.249[.]122 port 443 - passiopersio[.]top
- 194.5.249[.]122 port 443 - iskuliokilo[.]pw