malware_traffic

2020-07-21 (Tuesday) - Word docs pushing IcedID (Bokbot)

Jul 21st, 2020
2020-07-21 (TUESDAY) - WORD DOCS PUSHING ICEDID (BOKBOT)

NOTES:

- All of the docs/DLLs/EXEs listed below have been uploaded to bazaar.abuse.ch
- All of the URLs for IcedID installer DLLs have been submitted to urlhaus.abuse.ch

12 EXAMPLES OF WORD DOCS WITH MACROS FOR ICEDID:

- 8d218e741cdb92926e8dd416837bdbc4f47e59c3b8fae9d855998c428ec4e654 charge_07.20 2.doc
- 0a3b4eafcfe8686eb400862cfd59aa2ee5258ef6834c873efca7a17edae12586 commerce ,07.20.doc
- 5c080eb57e3ea26223742b1411a6c6e6d7c2abfe5b8b46ae1329101c0fd9a4b6 commerce_ 07.21.20.doc
- d14e72cd5330cc44a19396c48fc669f531f079b8b9806402d080f679af9c7de2 details,07.20.doc
- 22b51dd1d452b515d73da1ebf5fd9b238c5ab5718b52c7cff76e3cc2c2297a77 details.07.20.doc
- bf4a85f6b9a0cb4cdfa42636b32c02d2d49fe7efa299b1607d776314de5dfca6 figures-07.20.doc
- aed425aa20d8567069aeeb3f6ef2da2d474e3ce98cd5c1fec5379583bff81f90 instruct.07.20.doc
- 3872646ea1074f8e640a3eb962b0204404f05faf5c1810807aef66c6222939f5 instrument indenture.07.21.2020.doc
- a4f444ea73901fda907160f53e90656176d9afca987da328bd49724f8a564f43 legal agreement 07.20.doc
- 2bcab5487facca5e777469181503d4b25e8040390988d4be812db6025bd5a0d8 ordain,07.20.doc
- ed8b56e107a2a66b612cfc34eda5e454c55ecbba01d7b3ce6d3d398a36a2bce1 prescribe -07.20.doc
- 3fd048d0ffbbc318a482976da2982d1daf6b1113ea047469d0dcd7bd37e6f3f0 question-07.21.20.doc

DOMAINS HOSTING ICEDID INSTALLER DLL:

- 9ryhmsk[.]com - 51.75.56[.]30
- na6j8eg[.]com - 77.87.212[.]133
- pd2iyml[.]com - 45.12.4[.]132
- qxe3uaq[.]com - 79.174.12[.]34
- vx9c3ku[.]com - 185.43.4[.]205
- xei319b[.]com - 185.144.29[.]183
- xo4z0sl[.]com - 79.174.12[.]36
- y0wssdb[.]com - 194.31.236[.]205
- zpx0okh[.]com - 79.174.12[.]26

HTTP GET REQUESTS FOR ICEDID INSTALLER DLL:

- GET /4adr/lotv.php?l=zug1.cab
- GET /4adr/lotv.php?l=zug2.cab
- GET /4adr/lotv.php?l=zug3.cab
- GET /4adr/lotv.php?l=zug4.cab
- GET /4adr/lotv.php?l=zug5.cab
- GET /4adr/lotv.php?l=zug6.cab
- GET /4adr/lotv.php?l=zug7.cab
- GET /4adr/lotv.php?l=zug8.cab
- GET /4adr/lotv.php?l=zug9.cab
- GET /4adr/lotv.php?l=zug1.cab
- GET /4adr/lotv.php?l=zug10.cab
- GET /4adr/lotv.php?l=zug11.cab
- GET /4adr/lotv.php?l=zug12.cab
- GET /4adr/lotv.php?l=zug13.cab
- GET /4adr/lotv.php?l=zug14.cab
- GET /4adr/lotv.php?l=zug15.cab

13 EXAMPLES OF ICEDID INSTALLER DLL FILES:

- 03ca4c1202c3c86a29ad28ea3dfafafc7e85eeffc9b7ffb0ca42b5d72b17d431
- 10cc78e17139d3cc2ec90c88806f85d3a660bf445eda3814650200448df846d7
- 2f0b5a8ab3fe7aa986b274bea8ec987b5d91ab6e0cdf0dc12f90963a503287b5
- 730b0df2831f288def59337087cbf2ced2cc952fa56ffb6ca1fce39af283534b
- 99e6a600342a88285e8688db40fd1872985a9e45edce84d431c7ce357b5bf8f5
- 9b0078b82b81f25c971db8e1c9304cde7c4e283a3c05d4cd63b8268db1d24f49
- a01bf264eb49cdb6b0183efa50273edf73f7550670a2e8d3c6eb3f082f81e7e1
- b978e28636b8a01e959330b06e7ab362c6a4228131a0598b17ee3fe6a5e75332
- c59d5da3bff62c6fc414f424c066cef398873365debbbbb2b9c893ece632cbb4
- cb046873b3f030de0d766f937da4c80774804c4f14ffbaa087e710ebfbcd22f7
- e07ff447643a533928a78d98fef9bdde00b65fe06b05166404e3e9c607721384
- d67086e4432757bf18da61a66519056e6031f36989b53a3661d24a26d6927929
- f2cfcd36f36c0a6fe66e63d9f274329e59c060d942a5d2d6eb24d936a1d3acd3

- Run method: Regsvr32.exe [filename]

LOCATIONS OF ICEDID INSTALLER DLL FILES:

- Same directory path as Word doc, named mp.pdf
- C:\Users\[username]\AppData\Local\Temp\index.jpg
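The HTTP GET list above (the /4adr/lotv.php?l=zug<N>.cab pattern), the hosting domains, and the run method with non-DLL file names (mp.pdf, index.jpg loaded via Regsvr32.exe) can be turned into detection logic. The script below is an added example, not part of this paste or its author's material. It assumes a space-separated proxy log and process log format of my own choosing, the log lines are constructed samples, and the domain set is the paste's defanged list with the brackets removed. The URI check generalises the fifteen listed requests to any l=zug<N>.cab value, and the regsvr32 check generalises the two file names on the page to any target without a usual COM-server extension.

```python
"""Detection for the IcedID installer-DLL download pattern and the regsvr32
run method listed in the paste. Added example; all log lines are constructed."""
import ntpath
import re
from urllib.parse import parse_qs, urlsplit

# Domains from the "DOMAINS HOSTING ICEDID INSTALLER DLL" list, defanging removed.
INSTALLER_DOMAINS = {
    "9ryhmsk.com", "na6j8eg.com", "pd2iyml.com", "qxe3uaq.com", "vx9c3ku.com",
    "xei319b.com", "xo4z0sl.com", "y0wssdb.com", "zpx0okh.com",
}
INSTALLER_PATH = "/4adr/lotv.php"                   # path from the HTTP GET list
INSTALLER_PARAM_RE = re.compile(r"^zug\d+\.cab$")   # l=zug1.cab ... l=zug15.cab

# Extensions regsvr32 normally registers; mp.pdf and index.jpg on the page are not.
REGSVR32_NORMAL_EXT = {".dll", ".ocx", ".ax"}
REGSVR32_RE = re.compile(
    r"regsvr32(?:\.exe)?\s+(?:/\w+\s+)*(?:\"([^\"]+)\"|(\S+))", re.IGNORECASE)


def classify_url(url):
    """Return 'domain+uri', 'uri', 'domain' or None for one requested URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    domain_hit = host in INSTALLER_DOMAINS
    values = parse_qs(parts.query).get("l", [])
    uri_hit = parts.path == INSTALLER_PATH and any(
        INSTALLER_PARAM_RE.match(v) for v in values)
    if domain_hit and uri_hit:
        return "domain+uri"
    if uri_hit:
        return "uri"
    if domain_hit:
        return "domain"
    return None


def scan_proxy_log(lines):
    """Assumed proxy log format: '<ts> <client> <method> <url> <status>'."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue
        ts, client, method, url = fields[:4]
        reason = classify_url(url)
        if method == "GET" and reason:
            hits.append({"ts": ts, "client": client, "url": url, "reason": reason})
    return hits


def suspicious_regsvr32(cmdline):
    """True when regsvr32 is asked to load a file whose extension is not a
    usual COM-server extension (the run method the paste describes)."""
    m = REGSVR32_RE.search(cmdline)
    if not m:
        return False
    target = (m.group(1) or m.group(2)).lower()
    return ntpath.splitext(target)[1] not in REGSVR32_NORMAL_EXT


def scan_process_log(lines):
    """Assumed process log format: '<ts> <host> <command line>'."""
    hits = []
    for line in lines:
        ts, host, cmd = line.split(maxsplit=2)
        if suspicious_regsvr32(cmd):
            hits.append({"ts": ts, "host": host, "cmdline": cmd})
    return hits


# Constructed sample logs (not captured traffic).
SAMPLE_PROXY_LOG = [
    "2020-07-21T14:02:11Z 10.0.0.15 GET http://9ryhmsk.com/4adr/lotv.php?l=zug3.cab 200",
    "2020-07-21T14:02:12Z 10.0.0.15 GET http://example.com/index.html 200",
    "2020-07-21T14:03:40Z 10.0.0.22 GET http://unlisted.example/4adr/lotv.php?l=zug12.cab 200",
    "2020-07-21T14:05:01Z 10.0.0.31 GET http://xo4z0sl.com/favicon.ico 404",
]
SAMPLE_PROCESS_LOG = [
    r"2020-07-21T14:02:20Z host01 regsvr32.exe C:\Users\alice\AppData\Local\Temp\index.jpg",
    r"2020-07-21T14:02:25Z host01 regsvr32.exe /s C:\Windows\System32\msxml3.dll",
    r'2020-07-21T14:07:02Z host02 regsvr32.exe "C:\Users\bob\Downloads\mp.pdf"',
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("proxy  ", hit)
    for hit in scan_process_log(SAMPLE_PROCESS_LOG):
        print("process", hit)
```

The URI check fires even on a host not in the list, which matters once the operators rotate domains; the domain-only match on favicon.ico is kept as a lower-confidence hit. The regsvr32 heuristic will also flag legitimate installers that register oddly named files, so in production it belongs with the Temp and user-profile path context the paste gives rather than on its own.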

ICEDID MALWARE:

- SHA256 hash: f9e63320c3a3c14847155de9abdbbf38e44866500402d8985312d92f149df23b
- File size: 257,024 bytes
- File location: C:\Users\[username]\AppData\Local\Temp\~5174078.exe
- File description: Initial IcedID EXE

- SHA256 hash: fd9ed4c7107c4fb86d348d13f7e6c3b6c23e6c12084adc45ddfef4bc2ef2fbaf
- File size: 257,024 bytes
- File location: C:\Users\[username]\AppData\Roaming\{EECB8901-0304-6FD5-8C6D-A353ACF116A9}\{E6EBA939-5CF0-9AF5-3E9A-914F0177D383}\Obmuebps64.exe
- File description: IcedID EXE persistent on the infected Windows host

DOMAINS USED BY ICEDID:

- 45.66.250[.]229 - loaderprototype[.]casa
- 45.66.250[.]16 - helicopterstarted[.]top
- 45.66.250[.]16 - blmfuck[.]top