malware_traffic

2020-07-24 (Friday) TA551 word docs with macros for IcedID

Jul 24th, 2020 (edited)
2020-07-24 (FRIDAY) TA551 (SHATHAK) WORD DOCS PUSHING ICEDID (BOKBOT)

REFERENCE

- https://twitter.com/malware_traffic/status/1286746013680705542

NOTES:

- All the files below have been submitted to bazaar.abuse.ch
- All of the URLs for the IcedID installer have been submitted to urlhaus.abuse.ch

CHAIN OF EVENTS:

- Email spoofing legitimate email chain --> password-protected zip attachment --> extracted Word doc --> enable macros --> IcedID installer DLL --> IcedID EXE

20 EXAMPLES OF WORD DOCS WITH MACROS FOR ICEDID:

- 023bdc925e25b0750d71a599c6b46133558a7c3c7c58050111c02ed1856a52c1 details 07.20.doc
- 0b82a611bceda28384e49036dcbcf88e5ab6d752f8cddcccb49d2633c922df07 statistics_07.20.doc
- 0ce3748a78fa4f6856a40794c81a8261f88a1cea510f7a7030391faedb3cccc7 facts-07.20.doc
- 18ec82766533f228240fa837ee8fc2799c3a32708e9403514f9e2ec8a01421cf files-07.24.2020.doc
- 1a743501f877788331cbd6faf1bc0e9473294f728580f092350c5bda278534a6 direct 07.20.doc
- 223f99ee34f993d357bccf22576f510d477bc3bfdaa2c5ece86341a6a2a8bf82 bid_07.20.doc
- 57f8322d94ff2292bb449be2ff537b56413646c4a3094fe634306e447bdacb0f official paper-07.20.doc
- 592b7789b3795c9936409600b15e6bb05ae4d0faaa8c85c2ea2ab55c039b3206 dictate.07.24.2020.doc
- 5d6306e4dce4e12af7a389b86d7c26aef1bbec87293392e3f17f0c9fc129f63b files_07.20.doc
- 643d4820da0c5a4317dc0417bb8cb305aa5114949eedabb40a82e679ae77044a docs_07.20.doc
- 738a757222ae93505bdffe8590ecaf6ba75d0b03aba7fe756903cedccb7cc9d6 order.07.24.2020.doc
- 7c2c113f940ce804ac05ed024a0962fc908d82ebe6359a0c2ca35c2e3141a3fe material_07.20.doc
- 9fef9399b35b131a0901af5d8a881841856fe10e5145d3356b3ec6199b1d6932 adjure_07.20.doc
- a13b0c4825eeec6781d90ff06ae68ae9d7651849fbba458668bec84c100df506 report,07.24.20.doc
- bdf670111b028631c5ef72d1a176d10f56f4f53ec97f8a3757c21287148c3dbc commerce 07.20.doc
- c20e643cdd649219eac1524f5b849fa09db331ba4dac3ee35b3c3abc4c7113c1 legal paper,07.20.doc
- c5316b6f4fec5e576055da9c33f7f68e7e06a96b8758840baaef8e6a386fd08a docs-07.24.20.doc
- db9a11b3fa7d687d35d3ff6a53a0eb9c68a84c6acfe578e9437870f5679a7de4 decree.07.24.2020.doc
- e3691793dffbc3234b4472dbb351e60b40da2fdb0ffe9cd5d5ee0ee3c84bf1bb commerce -07.20.doc
- f68bbc6e0cbc6c507b80db4e7af29f9b9ed2a7c39b93f8f99c6face63362117e legal paper 07.24.2020.doc

DOMAINS HOSTING THE ICEDID INSTALLER DLL FILES:

- 63gtxkqvv[.]com - 185.195.26[.]148
- b28h13xbx[.]com - 185.87.48[.]99
- bpnztvz2x[.]com - 185.43.4[.]205
- fg8h4913m[.]com - 95.181.179[.]145
- g8gj20th7[.]com - 185.242.85[.]13
- kso7s3fyt[.]com - 45.12.4[.]132
- p1s7p1m95[.]com - 79.174.12[.]35
- pyfdn25qu[.]com - 185.242.85[.]3
- x5t3l5gnr[.]com - 185.242.85[.]12
- zai5fp642[.]com - 185.242.85[.]37

URLS TO RETRIEVE THE ICEDID INSTALLER DLL FILES:

- GET /xemcl/iba.php?l=kfa1.cab
- GET /xemcl/iba.php?l=kfa2.cab
- GET /xemcl/iba.php?l=kfa3.cab
- GET /xemcl/iba.php?l=kfa4.cab
- GET /xemcl/iba.php?l=kfa5.cab
- GET /xemcl/iba.php?l=kfa6.cab
- GET /xemcl/iba.php?l=kfa7.cab
- GET /xemcl/iba.php?l=kfa8.cab
- GET /xemcl/iba.php?l=kfa9.cab
- GET /xemcl/iba.php?l=kfa10.cab
- GET /xemcl/iba.php?l=kfa11.cab
- GET /xemcl/iba.php?l=kfa12.cab
- GET /xemcl/iba.php?l=kfa13.cab
- GET /xemcl/iba.php?l=kfa14.cab
- GET /xemcl/iba.php?l=kfa15.cab

20 EXAMPLES OF SHA256 HASHES FOR ICEDID INSTALLER DLL FILES:

- 02bba588a27c4981983117d23945d68b369c83210cfa783b02655eabdba49c18
- 07fe977241ab3c72ac5653b08767c0aa6f8e37d89f292a9fcc5b30a4e407e68c
- 0b4bb7af858e9428e43153bacc5bdebd4bf97f8e9f9c0dc2dd037fa181220381
- 1a52bbec7ef2295d56f68188aefd79c39f9bdc859b2e918a1c430153581898b7
- 2c8baba0134cce117ab6958582bbce1691c9b9ca9cffd4478ccbaf6c97d8c9fe
- 35485f11536217e6799281d7dbd12e4986cedcde64c8081f28af3ac428bed54c
- 461509400e7505dd553124d4ee95c073cc9031d73c8380cafed0cc9bc8b696cc
- 6095525df3b44b1a3ed02aace8edfa6adce837e758ea859457f58fcff1d98095
- 60cb915575571cb1875f15b6d19763bdf52535186c877867c1536e0df8c93fd9
- 6196a0966d3fbe5726736f0fd7661a0a928fdce345cb377e79cea039594a79f0
- 763045778cf8977b3da1f081ce871cf57570cfafa98d9d4c0334e554a0d77ac3
- 773db63cdf78ec25bbc40b79ce96f2400f4b088cc620d761482e87a377eb2288
- a00dd572aecd2c1fb8755b09cf33d85beecae09c804019409ca37742e55e8c3f
- be939d82fb1676fdeb6060916e18daf0577b3ec8552ee9a7641c2badb8686a47
- ce6e51ab9d45e2555cec4cc21eae79584f23fe843c04313d6a2ffc21e0fddd49
- d4b434dc8bef0c0c2bd6935fec98cb27cf15121cf68c8e6809d7d4526e04eb50
- d9b40c2b268ff23981ec939f0b1d8e395df51e0545e1ada4fd1cc16b60c574b6
- e2208fafeb8a5de2f8c0af2216a6b6eea73f0c0fd9592bd269a34e9e7d17dae7
- f9601ab6242b4a31667cff010680e4cab77557a549239b7602aa3680a7d949ed
- fa094bff6d87bb0eba8f67b9e9732f7c5036e1dc8d9ef362699360ad02db766f

- NOTE: All the above DLL files run with: Regsvr32.exe [filename]

LOCATIONS FOR THE ICEDID INSTALLER DLL FILES:

- Same directory as the Word doc, file name: TT.pdf
- Same directory as the Word doc, file name: x6.pdf
- C:\Users\[username]\Documents\TT.pdf
- C:\Users\[username]\AppData\Local\Temp\111.jpg

ICEDID EXE FILES FROM AN INFECTED HOST:

- 2bfb7c6f527c597c2d48cc2408f5162ecdfcc220053882f330817fcb671f4bd2
- 30193b1d6545ea9f269bcdd6ba7e8f7770317668933669d425d0d4dfcf90b1c6

IP ADDRESSES/DOMAINS FOR HTTPS TRAFFIC CAUSED BY ICEDID:

- 138.68.50[.]71 port 443 - loadkanoe[.]casa - GET /backgound.png
- 194.5.249[.]122 port 443 - passiopersio[.]top
- 194.5.249[.]122 port 443 - iskuliokilo[.]pw
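Two of the artefacts listed above lend themselves to simple detection logic: the installer download URL (GET /xemcl/iba.php?l=kfaN.cab) and the installer DLL being launched with Regsvr32.exe under a non-library file name (TT.pdf, x6.pdf, 111.jpg). The following is an added example, not part of the original paste and not tooling from malware_traffic; the proxy log format, the process command lines and the host names are constructed for the demonstration, and treating any regsvr32 argument without a .dll/.ocx/.ax extension as suspicious is a heuristic of this example, not a statement from the paste.

```python
"""Detection helpers for the IcedID delivery chain described in the paste.

Added example (not from the original paste). It checks two artefacts the paste
lists: the installer URL pattern and regsvr32 loading a non-library file name.
The log line format and sample data below are constructed assumptions.
"""
import re
from pathlib import PureWindowsPath
from urllib.parse import parse_qs, urlsplit

# Path and query pattern of the installer URLs listed in the paste.
INSTALLER_PATH = "/xemcl/iba.php"
INSTALLER_ARG_RE = re.compile(r"^kfa\d+\.cab$", re.IGNORECASE)

# Extensions a legitimate regsvr32 invocation is expected to load; anything
# else (.pdf, .jpg, no extension) is flagged. Heuristic chosen for this example.
LIBRARY_EXTENSIONS = {".dll", ".ocx", ".ax"}

# Assumed proxy log format: "<timestamp> <client-ip> <method> <url> <status>"
PROXY_LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(GET|POST)\s+(\S+)\s+(\d{3})$")

# Constructed sample proxy lines (host name is a placeholder, not an IOC).
SAMPLE_PROXY_LOG = [
    "2020-07-24T13:01:02Z 10.0.0.5 GET http://installer-host.example/xemcl/iba.php?l=kfa3.cab 200",
    "2020-07-24T13:01:05Z 10.0.0.5 GET http://installer-host.example/favicon.ico 404",
    "2020-07-24T13:02:11Z 10.0.0.9 GET http://installer-host.example/xemcl/iba.php?l=kfa11.cab 200",
    "2020-07-24T13:03:00Z 10.0.0.7 POST http://installer-host.example/xemcl/iba.php?l=kfa1.cab 200",
]

# Constructed sample process command lines (file names follow the paste).
SAMPLE_CMDLINES = [
    r"regsvr32.exe C:\Users\alice\Documents\TT.pdf",
    r'"C:\Windows\System32\regsvr32.exe" /s C:\Windows\System32\vbscript.dll',
    r'regsvr32.exe /s "C:\Users\alice\AppData\Local\Temp\111.jpg"',
    r"notepad.exe C:\Users\alice\Documents\TT.pdf",
]


def is_installer_url(method: str, url: str) -> bool:
    """True when the request matches GET /xemcl/iba.php?l=kfaN.cab."""
    if method.upper() != "GET":
        return False
    parts = urlsplit(url)
    if parts.path != INSTALLER_PATH:
        return False
    return any(INSTALLER_ARG_RE.match(a) for a in parse_qs(parts.query).get("l", []))


def installer_hits(log_lines):
    """Return (client_ip, url) for each proxy line that fetches the installer."""
    hits = []
    for line in log_lines:
        m = PROXY_LINE_RE.match(line.strip())
        if m and is_installer_url(m.group(3), m.group(4)):
            hits.append((m.group(2), m.group(4)))
    return hits


def is_suspicious_regsvr32(cmdline: str) -> bool:
    """Flag regsvr32.exe being handed a file whose extension is not a library.

    The paste reports the installer DLL stored as TT.pdf, x6.pdf or 111.jpg and
    executed with 'Regsvr32.exe [filename]'; a .pdf or .jpg passed to regsvr32
    is the observable to alert on. Quoted Windows paths are handled.
    """
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    if not tokens or PureWindowsPath(tokens[0]).name.lower() != "regsvr32.exe":
        return False
    for arg in tokens[1:]:
        if arg.startswith(("/", "-")):
            continue  # regsvr32 switches such as /s, /n, /i:<args>
        if PureWindowsPath(arg).suffix.lower() not in LIBRARY_EXTENSIONS:
            return True
    return False


def suspicious_process_events(cmdlines):
    """Return the command lines that match the regsvr32 heuristic."""
    return [c for c in cmdlines if is_suspicious_regsvr32(c)]


if __name__ == "__main__":
    for client, url in installer_hits(SAMPLE_PROXY_LOG):
        print(f"installer download: {client} -> {url}")
    for cmd in suspicious_process_events(SAMPLE_CMDLINES):
        print(f"suspicious regsvr32: {cmd}")
```

The URL check keys on the path and the `l=kfaN.cab` argument rather than on the hosting domains, since the paste shows ten throwaway domains serving one fixed path; the process check keys on the extension mismatch rather than on the exact file names, since only the names TT.pdf, x6.pdf and 111.jpg are documented and a real deployment would want the general case.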