malware_traffic

2020-07-24 (Friday) TA551 word docs with macros for IcedID

Jul 24th, 2020 (edited)
2020-07-24 (FRIDAY) TA551 (SHATHAK) WORD DOCS PUSHING ICEDID (BOKBOT)

REFERENCE

- https://twitter.com/malware_traffic/status/1286746013680705542

NOTES:

- All the files below have been submitted to bazaar.abuse.ch
- All of the URLs for the IcedID installer have been submitted to urlhaus.abuse.ch

CHAIN OF EVENTS:

- Email spoofing legitimate email chain --> password-protected zip attachment --> extracted Word doc --> enable macros --> IcedID installer DLL --> IcedID EXE

20 EXAMPLES OF WORD DOCS WITH MACROS FOR ICEDID:

- 023bdc925e25b0750d71a599c6b46133558a7c3c7c58050111c02ed1856a52c1 details 07.20.doc
- 0b82a611bceda28384e49036dcbcf88e5ab6d752f8cddcccb49d2633c922df07 statistics_07.20.doc
- 0ce3748a78fa4f6856a40794c81a8261f88a1cea510f7a7030391faedb3cccc7 facts-07.20.doc
- 18ec82766533f228240fa837ee8fc2799c3a32708e9403514f9e2ec8a01421cf files-07.24.2020.doc
- 1a743501f877788331cbd6faf1bc0e9473294f728580f092350c5bda278534a6 direct 07.20.doc
- 223f99ee34f993d357bccf22576f510d477bc3bfdaa2c5ece86341a6a2a8bf82 bid_07.20.doc
- 57f8322d94ff2292bb449be2ff537b56413646c4a3094fe634306e447bdacb0f official paper-07.20.doc
- 592b7789b3795c9936409600b15e6bb05ae4d0faaa8c85c2ea2ab55c039b3206 dictate.07.24.2020.doc
- 5d6306e4dce4e12af7a389b86d7c26aef1bbec87293392e3f17f0c9fc129f63b files_07.20.doc
- 643d4820da0c5a4317dc0417bb8cb305aa5114949eedabb40a82e679ae77044a docs_07.20.doc
- 738a757222ae93505bdffe8590ecaf6ba75d0b03aba7fe756903cedccb7cc9d6 order.07.24.2020.doc
- 7c2c113f940ce804ac05ed024a0962fc908d82ebe6359a0c2ca35c2e3141a3fe material_07.20.doc
- 9fef9399b35b131a0901af5d8a881841856fe10e5145d3356b3ec6199b1d6932 adjure_07.20.doc
- a13b0c4825eeec6781d90ff06ae68ae9d7651849fbba458668bec84c100df506 report,07.24.20.doc
- bdf670111b028631c5ef72d1a176d10f56f4f53ec97f8a3757c21287148c3dbc commerce 07.20.doc
- c20e643cdd649219eac1524f5b849fa09db331ba4dac3ee35b3c3abc4c7113c1 legal paper,07.20.doc
- c5316b6f4fec5e576055da9c33f7f68e7e06a96b8758840baaef8e6a386fd08a docs-07.24.20.doc
- db9a11b3fa7d687d35d3ff6a53a0eb9c68a84c6acfe578e9437870f5679a7de4 decree.07.24.2020.doc
- e3691793dffbc3234b4472dbb351e60b40da2fdb0ffe9cd5d5ee0ee3c84bf1bb commerce -07.20.doc
- f68bbc6e0cbc6c507b80db4e7af29f9b9ed2a7c39b93f8f99c6face63362117e legal paper 07.24.2020.doc

DOMAINS HOSTING THE ICEDID INSTALLER DLL FILES:

- 63gtxkqvv[.]com - 185.195.26[.]148
- b28h13xbx[.]com - 185.87.48[.]99
- bpnztvz2x[.]com - 185.43.4[.]205
- fg8h4913m[.]com - 95.181.179[.]145
- g8gj20th7[.]com - 185.242.85[.]13
- kso7s3fyt[.]com - 45.12.4[.]132
- p1s7p1m95[.]com - 79.174.12[.]35
- pyfdn25qu[.]com - 185.242.85[.]3
- x5t3l5gnr[.]com - 185.242.85[.]12
- zai5fp642[.]com - 185.242.85[.]37

URLS TO RETRIEVE THE ICEDID INSTALLER DLL FILES:

- GET /xemcl/iba.php?l=kfa1.cab
- GET /xemcl/iba.php?l=kfa2.cab
- GET /xemcl/iba.php?l=kfa3.cab
- GET /xemcl/iba.php?l=kfa4.cab
- GET /xemcl/iba.php?l=kfa5.cab
- GET /xemcl/iba.php?l=kfa6.cab
- GET /xemcl/iba.php?l=kfa7.cab
- GET /xemcl/iba.php?l=kfa8.cab
- GET /xemcl/iba.php?l=kfa9.cab
- GET /xemcl/iba.php?l=kfa10.cab
- GET /xemcl/iba.php?l=kfa11.cab
- GET /xemcl/iba.php?l=kfa12.cab
- GET /xemcl/iba.php?l=kfa13.cab
- GET /xemcl/iba.php?l=kfa14.cab
- GET /xemcl/iba.php?l=kfa15.cab

20 EXAMPLES OF SHA256 HASHES FOR ICEDID INSTALLER DLL FILES:

- 02bba588a27c4981983117d23945d68b369c83210cfa783b02655eabdba49c18
- 07fe977241ab3c72ac5653b08767c0aa6f8e37d89f292a9fcc5b30a4e407e68c
- 0b4bb7af858e9428e43153bacc5bdebd4bf97f8e9f9c0dc2dd037fa181220381
- 1a52bbec7ef2295d56f68188aefd79c39f9bdc859b2e918a1c430153581898b7
- 2c8baba0134cce117ab6958582bbce1691c9b9ca9cffd4478ccbaf6c97d8c9fe
- 35485f11536217e6799281d7dbd12e4986cedcde64c8081f28af3ac428bed54c
- 461509400e7505dd553124d4ee95c073cc9031d73c8380cafed0cc9bc8b696cc
- 6095525df3b44b1a3ed02aace8edfa6adce837e758ea859457f58fcff1d98095
- 60cb915575571cb1875f15b6d19763bdf52535186c877867c1536e0df8c93fd9
- 6196a0966d3fbe5726736f0fd7661a0a928fdce345cb377e79cea039594a79f0
- 763045778cf8977b3da1f081ce871cf57570cfafa98d9d4c0334e554a0d77ac3
- 773db63cdf78ec25bbc40b79ce96f2400f4b088cc620d761482e87a377eb2288
- a00dd572aecd2c1fb8755b09cf33d85beecae09c804019409ca37742e55e8c3f
- be939d82fb1676fdeb6060916e18daf0577b3ec8552ee9a7641c2badb8686a47
- ce6e51ab9d45e2555cec4cc21eae79584f23fe843c04313d6a2ffc21e0fddd49
- d4b434dc8bef0c0c2bd6935fec98cb27cf15121cf68c8e6809d7d4526e04eb50
- d9b40c2b268ff23981ec939f0b1d8e395df51e0545e1ada4fd1cc16b60c574b6
- e2208fafeb8a5de2f8c0af2216a6b6eea73f0c0fd9592bd269a34e9e7d17dae7
- f9601ab6242b4a31667cff010680e4cab77557a549239b7602aa3680a7d949ed
- fa094bff6d87bb0eba8f67b9e9732f7c5036e1dc8d9ef362699360ad02db766f

- NOTE: All the above DLL files run with: Regsvr32.exe [filename]

LOCATIONS FOR THE ICEDID INSTALLER DLL FILES:

- Same directory as the Word doc, file name: TT.pdf
- Same directory as the Word doc, file name: x6.pdf
- C:\Users\[username]\Documents\TT.pdf
- C:\Users\[username]\AppData\Local\Temp\111.jpg
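The regsvr32 note and the file locations above add up to a host-side signal: a DLL carrying a .pdf or .jpg extension, sitting under the user's profile, loaded by Regsvr32.exe that Word spawned. The Python below is an added example (not part of the original paste or the malware_traffic notes) of turning that into a triage check over process-creation events. The event dicts are constructed Sysmon-style records, not real telemetry; the user name "alice", the Downloads folder standing in for "same directory as the Word doc", the set of flagged extensions and the two-indicator threshold are all my assumptions.

```python
import ntpath
import re

# Constructed Sysmon-style process-creation events (not real telemetry).
# The module paths mirror the installer locations listed above; the user
# name and the Downloads folder are assumptions.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe C:\Users\alice\Downloads\TT.pdf"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Users\alice\AppData\Local\Temp\111.jpg"'},
    {"ParentImage": r"C:\Windows\explorer.exe",  # benign: vendor DLL under Program Files
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Program Files\Vendor\vendor.dll"},
    {"ParentImage": r"C:\Windows\explorer.exe",  # parent lost, but .pdf in Documents
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe C:\Users\alice\Documents\TT.pdf"},
    {"ParentImage": r"C:\Windows\explorer.exe",  # one weak indicator only: user path
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Users\alice\AppData\Local\Vendor\helper.dll"},
]

# Assumption: extensions regsvr32 has no legitimate reason to load as a COM server.
SUSPICIOUS_EXT = {".pdf", ".jpg", ".jpeg", ".png", ".txt", ".dat", ".cab"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
USER_PROFILE = re.compile(r"^[a-z]:\\users\\", re.IGNORECASE)
_TOKEN = re.compile(r'"[^"]*"|\S+')


def regsvr32_target(cmdline):
    """Return the module path regsvr32 was asked to load, or None if there is none.

    Switches such as /s, /u, /i:... are skipped; the module is the last
    non-switch argument after the executable itself. Quoted paths are unquoted.
    """
    tokens = [t.strip('"') for t in _TOKEN.findall(cmdline)]
    args = [t for t in tokens[1:] if not t.startswith(("/", "-"))]
    return args[-1] if args else None


def triage(event):
    """Return the indicators one event carries for the IcedID regsvr32 stage."""
    if ntpath.basename(event["Image"]).lower() != "regsvr32.exe":
        return []
    target = regsvr32_target(event["CommandLine"])
    if target is None:
        return []
    reasons = []
    ext = ntpath.splitext(target)[1].lower()
    if ext in SUSPICIOUS_EXT:
        reasons.append("non-DLL extension " + ext)
    if USER_PROFILE.match(target):
        reasons.append("module under the user profile")
    if ntpath.basename(event["ParentImage"]).lower() in OFFICE_PARENTS:
        reasons.append("spawned by an Office application")
    return reasons


def hunt(events, min_indicators=2):
    """Return (index, reasons) for events with at least min_indicators hits.

    Requiring two keeps a lone DLL registered from AppData (one indicator)
    below the threshold while still catching the TT.pdf-in-Documents case
    when the parent process is missing from telemetry.
    """
    hits = []
    for i, event in enumerate(events):
        reasons = triage(event)
        if len(reasons) >= min_indicators:
            hits.append((i, reasons))
    return hits


if __name__ == "__main__":
    for i, reasons in hunt(SAMPLE_EVENTS):
        print(i, SAMPLE_EVENTS[i]["CommandLine"], "->", "; ".join(reasons))
```

Against the constructed events this flags the two Word-spawned loads and the Documents\TT.pdf load with a missing parent, and leaves the vendor DLL and the single-indicator AppData registration alone. The two-indicator threshold is the tuning knob: drop it to one if the environment never registers DLLs from user profiles.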

ICEDID EXE FILES FROM AN INFECTED HOST:

- 2bfb7c6f527c597c2d48cc2408f5162ecdfcc220053882f330817fcb671f4bd2
- 30193b1d6545ea9f269bcdd6ba7e8f7770317668933669d425d0d4dfcf90b1c6

IP ADDRESSES/DOMAINS FOR HTTPS TRAFFIC CAUSED BY ICEDID:

- 138.68.50[.]71 port 443 - loadkanoe[.]casa - GET /backgound.png
- 194.5.249[.]122 port 443 - passiopersio[.]top
- 194.5.249[.]122 port 443 - iskuliokilo[.]pw
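The installer domains and URL pattern listed earlier and the IcedID C2 hosts listed just above are the network side of the chain. The Python below is an added example (not part of the original paste or the malware_traffic notes) that refangs those indicators into a watchlist and runs it over proxy log lines, separating an installer fetch from a listed host, the same installer URL pattern on a host not yet listed, and C2 contact, then pulls out clients that did both. The log format (timestamp, client, method, URL, status), the client IPs and timestamps, example.org and the generalization of kfa1..kfa15 to any kfa<N>.cab are assumptions; the indicators themselves are copied from the lists on this page.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Indicators copied from the lists above, kept in their defanged form.
INSTALLER_HOSTS = {
    "63gtxkqvv[.]com": "185.195.26[.]148",
    "b28h13xbx[.]com": "185.87.48[.]99",
    "bpnztvz2x[.]com": "185.43.4[.]205",
    "fg8h4913m[.]com": "95.181.179[.]145",
    "g8gj20th7[.]com": "185.242.85[.]13",
    "kso7s3fyt[.]com": "45.12.4[.]132",
    "p1s7p1m95[.]com": "79.174.12[.]35",
    "pyfdn25qu[.]com": "185.242.85[.]3",
    "x5t3l5gnr[.]com": "185.242.85[.]12",
    "zai5fp642[.]com": "185.242.85[.]37",
}
C2_HOSTS = {
    "loadkanoe[.]casa": "138.68.50[.]71",
    "passiopersio[.]top": "194.5.249[.]122",
    "iskuliokilo[.]pw": "194.5.249[.]122",
}
# Assumption: the fifteen observed URLs generalize to any kfa<N>.cab.
INSTALLER_PATH = re.compile(r"^/xemcl/iba\.php\?l=kfa\d+\.cab$")


def refang(ioc):
    """Turn a defanged indicator back into a matchable string."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def build_watchlist():
    """Map every refanged domain and IP to the role it plays in the chain."""
    watch = {}
    for table, label in ((INSTALLER_HOSTS, "installer-host"), (C2_HOSTS, "c2")):
        for domain, ip in table.items():
            watch[refang(domain)] = label
            watch[refang(ip)] = label
    return watch


WATCHLIST = build_watchlist()

# Constructed proxy log lines (format assumed: timestamp client method url status).
# Client IPs, timestamps and example.org are made up for the example.
SAMPLE_LOG = [
    "2020-07-24T14:02:11Z 10.1.2.33 GET http://63gtxkqvv.com/xemcl/iba.php?l=kfa3.cab 200",
    "2020-07-24T14:02:12Z 10.1.2.33 CONNECT https://loadkanoe.casa:443 200",
    "2020-07-24T14:03:01Z 10.1.2.40 GET http://185.242.85.13/xemcl/iba.php?l=kfa11.cab 200",
    "2020-07-24T14:03:40Z 10.1.2.40 GET http://example.org/xemcl/iba.php?l=kfa99.cab 404",
    "2020-07-24T14:04:02Z 10.1.2.51 GET https://www.microsoft.com/en-us/ 200",
    "2020-07-24T14:05:00Z 10.1.2.33 CONNECT https://194.5.249.122:443 200",
]


def classify(line):
    """Return the verdict for one log line, or None when nothing matches.

    installer-download : listed host or IP plus the installer URL pattern
    installer-pattern  : installer URL pattern on a host not yet listed
    installer-host / c2: host or IP from the lists, any path
    """
    _ts, _client, _method, url, _status = line.split()
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path + ("?" + parts.query if parts.query else "")
    label = WATCHLIST.get(host)
    if INSTALLER_PATH.match(path):
        return "installer-download" if label == "installer-host" else "installer-pattern"
    return label


def scan(lines):
    """Return (client, url, verdict) for every line that matches."""
    hits = []
    for line in lines:
        verdict = classify(line)
        if verdict is not None:
            fields = line.split()
            hits.append((fields[1], fields[3], verdict))
    return hits


def chained_clients(lines):
    """Clients that fetched the installer and then reached IcedID C2."""
    seen = defaultdict(set)
    for client, _url, verdict in scan(lines):
        seen[client].add(verdict)
    return sorted(c for c, v in seen.items()
                  if v & {"installer-download", "installer-pattern"} and "c2" in v)


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
    print("chained:", chained_clients(SAMPLE_LOG))
```

The IP side of the watchlist matters because the macro may fetch by IP rather than by name, and the "installer-pattern" verdict is the one to feed back into urlhaus: it is how a new hosting domain for the same kit shows up before anyone has listed it.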