2020-07-24 (Friday) TA551 word docs with macros for IcedID

1. 2020-07-24 (FRIDAY) TA551 (SHATHAK) WORD DOCS PUSHING ICEDID (BOKBOT)
2.  
3. REFERENCE
4.  
5. - https://twitter.com/malware_traffic/status/1286746013680705542
6.  
7. NOTES:
8.  
9. - All the files below have been submitted to bazaar.abuse.ch
10. - All of the URLs for the IcedID installer have been submitted to urlhaus.abuse.ch
11.  
12. CHAIN OF EVENTS:
13.  
14. - Email spoofing legitimate email chain --> password-protected zip attachment --> extracted Word doc --> enable macros --> IcedID installer DLL --> IcedID EXE
15.  
16. 20 EXAMPLES OF WORD DOCS WITH MACROS FOR ICEDID:
17.  
18. - 023bdc925e25b0750d71a599c6b46133558a7c3c7c58050111c02ed1856a52c1 details 07.20.doc
19. - 0b82a611bceda28384e49036dcbcf88e5ab6d752f8cddcccb49d2633c922df07 statistics_07.20.doc
20. - 0ce3748a78fa4f6856a40794c81a8261f88a1cea510f7a7030391faedb3cccc7 facts-07.20.doc
21. - 18ec82766533f228240fa837ee8fc2799c3a32708e9403514f9e2ec8a01421cf files-07.24.2020.doc
22. - 1a743501f877788331cbd6faf1bc0e9473294f728580f092350c5bda278534a6 direct 07.20.doc
23. - 223f99ee34f993d357bccf22576f510d477bc3bfdaa2c5ece86341a6a2a8bf82 bid_07.20.doc
24. - 57f8322d94ff2292bb449be2ff537b56413646c4a3094fe634306e447bdacb0f official paper-07.20.doc
25. - 592b7789b3795c9936409600b15e6bb05ae4d0faaa8c85c2ea2ab55c039b3206 dictate.07.24.2020.doc
26. - 5d6306e4dce4e12af7a389b86d7c26aef1bbec87293392e3f17f0c9fc129f63b files_07.20.doc
27. - 643d4820da0c5a4317dc0417bb8cb305aa5114949eedabb40a82e679ae77044a docs_07.20.doc
28. - 738a757222ae93505bdffe8590ecaf6ba75d0b03aba7fe756903cedccb7cc9d6 order.07.24.2020.doc
29. - 7c2c113f940ce804ac05ed024a0962fc908d82ebe6359a0c2ca35c2e3141a3fe material_07.20.doc
30. - 9fef9399b35b131a0901af5d8a881841856fe10e5145d3356b3ec6199b1d6932 adjure_07.20.doc
31. - a13b0c4825eeec6781d90ff06ae68ae9d7651849fbba458668bec84c100df506 report,07.24.20.doc
32. - bdf670111b028631c5ef72d1a176d10f56f4f53ec97f8a3757c21287148c3dbc commerce 07.20.doc
33. - c20e643cdd649219eac1524f5b849fa09db331ba4dac3ee35b3c3abc4c7113c1 legal paper,07.20.doc
34. - c5316b6f4fec5e576055da9c33f7f68e7e06a96b8758840baaef8e6a386fd08a docs-07.24.20.doc
35. - db9a11b3fa7d687d35d3ff6a53a0eb9c68a84c6acfe578e9437870f5679a7de4 decree.07.24.2020.doc
36. - e3691793dffbc3234b4472dbb351e60b40da2fdb0ffe9cd5d5ee0ee3c84bf1bb commerce -07.20.doc
37. - f68bbc6e0cbc6c507b80db4e7af29f9b9ed2a7c39b93f8f99c6face63362117e legal paper 07.24.2020.doc
38.  
39. DOMAINS HOSTING THE ICEDID INSTALLER DLL FILES:
40.  
41. - 63gtxkqvv[.]com - 185.195.26[.]148
42. - b28h13xbx[.]com - 185.87.48[.]99
43. - bpnztvz2x[.]com - 185.43.4[.]205
44. - fg8h4913m[.]com - 95.181.179[.]145
45. - g8gj20th7[.]com - 185.242.85[.]13
46. - kso7s3fyt[.]com - 45.12.4[.]132
47. - p1s7p1m95[.]com - 79.174.12[.]35
48. - pyfdn25qu[.]com - 185.242.85[.]3
49. - x5t3l5gnr[.]com - 185.242.85[.]12
50. - zai5fp642[.]com - 185.242.85[.]37
51.  
52. URLS TO RETRIEVE THE ICEDID INSTALLER DLL FILES:
53.  
54. - GET /xemcl/iba.php?l=kfa1.cab
55. - GET /xemcl/iba.php?l=kfa2.cab
56. - GET /xemcl/iba.php?l=kfa3.cab
57. - GET /xemcl/iba.php?l=kfa4.cab
58. - GET /xemcl/iba.php?l=kfa5.cab
59. - GET /xemcl/iba.php?l=kfa6.cab
60. - GET /xemcl/iba.php?l=kfa7.cab
61. - GET /xemcl/iba.php?l=kfa8.cab
62. - GET /xemcl/iba.php?l=kfa9.cab
63. - GET /xemcl/iba.php?l=kfa10.cab
64. - GET /xemcl/iba.php?l=kfa11.cab
65. - GET /xemcl/iba.php?l=kfa12.cab
66. - GET /xemcl/iba.php?l=kfa13.cab
67. - GET /xemcl/iba.php?l=kfa14.cab
68. - GET /xemcl/iba.php?l=kfa15.cab
69.  
70. 20 EXAMPLES OF SHA256 HASHES FOR ICEDID INSTALLER DLL FILES:
71.  
72. - 02bba588a27c4981983117d23945d68b369c83210cfa783b02655eabdba49c18
73. - 07fe977241ab3c72ac5653b08767c0aa6f8e37d89f292a9fcc5b30a4e407e68c
74. - 0b4bb7af858e9428e43153bacc5bdebd4bf97f8e9f9c0dc2dd037fa181220381
75. - 1a52bbec7ef2295d56f68188aefd79c39f9bdc859b2e918a1c430153581898b7
76. - 2c8baba0134cce117ab6958582bbce1691c9b9ca9cffd4478ccbaf6c97d8c9fe
77. - 35485f11536217e6799281d7dbd12e4986cedcde64c8081f28af3ac428bed54c
78. - 461509400e7505dd553124d4ee95c073cc9031d73c8380cafed0cc9bc8b696cc
79. - 6095525df3b44b1a3ed02aace8edfa6adce837e758ea859457f58fcff1d98095
80. - 60cb915575571cb1875f15b6d19763bdf52535186c877867c1536e0df8c93fd9
81. - 6196a0966d3fbe5726736f0fd7661a0a928fdce345cb377e79cea039594a79f0
82. - 763045778cf8977b3da1f081ce871cf57570cfafa98d9d4c0334e554a0d77ac3
83. - 773db63cdf78ec25bbc40b79ce96f2400f4b088cc620d761482e87a377eb2288
84. - a00dd572aecd2c1fb8755b09cf33d85beecae09c804019409ca37742e55e8c3f
85. - be939d82fb1676fdeb6060916e18daf0577b3ec8552ee9a7641c2badb8686a47
86. - ce6e51ab9d45e2555cec4cc21eae79584f23fe843c04313d6a2ffc21e0fddd49
87. - d4b434dc8bef0c0c2bd6935fec98cb27cf15121cf68c8e6809d7d4526e04eb50
88. - d9b40c2b268ff23981ec939f0b1d8e395df51e0545e1ada4fd1cc16b60c574b6
89. - e2208fafeb8a5de2f8c0af2216a6b6eea73f0c0fd9592bd269a34e9e7d17dae7
90. - f9601ab6242b4a31667cff010680e4cab77557a549239b7602aa3680a7d949ed
91. - fa094bff6d87bb0eba8f67b9e9732f7c5036e1dc8d9ef362699360ad02db766f
92.  
93. - NOTE: All the above DLL files run with: Regsvr32.exe [filename]
94.  
95. LOCATIONS FOR THE ICEDID INSTALLER DLL FILES:
96.  
97. - Same directory as the Word doc, file name: TT.pdf
98. - Same directory as the Word doc, file name: x6.pdf
99. - C:\Users\[username]\Documents\TT.pdf
100. - C:\Users\[username]\AppData\Local\Temp\111.jpg
101.  
102. ICEDID EXE FILES FROM AN INFECTED HOST:
103.  
104. - 2bfb7c6f527c597c2d48cc2408f5162ecdfcc220053882f330817fcb671f4bd2
105. - 30193b1d6545ea9f269bcdd6ba7e8f7770317668933669d425d0d4dfcf90b1c6
106.  
107. IP ADDRESSES/DOMAINS FOR HTTPS TRAFFIC CAUSED BY ICEDID:
108.  
109. 138.68.50[.]71 port 443 - loadkanoe[.]casa - GET /backgound.png
110. 194.5.249[.]122 port 443 - passiopersio[.]top
111. 194.5.249[.]122 port 443 - iskuliokilo[.]pw