API tools faq
paste
malware_traffic

2020-07-21 (Tuesday) - Word docs pushing IcedID (Bokbot)

malware_traffic
Jul 21st, 2020
12,618
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 3.90 KB | None | 0 0
raw download clone embed print report
  1. 2020-07-21 (TUESDAY) - WORD DOCS PUSHING ICEDID (BOKBOT)
  2.  
  3. NOTES:
  4.  
  5. - All of the docs/DLLs/EXEs listed below have been uploaded to bazaar.abuse.ch
  6. - All of the URLs for IcedID installer DLLs have been submitted to urlhaus.abuse.ch
  7.  
  8. 12 EXAMPLES OF WORD DOCS WITH MACROS FOR ICEDID:
  9.  
  10. - 8d218e741cdb92926e8dd416837bdbc4f47e59c3b8fae9d855998c428ec4e654 charge_07.20 2.doc
  11. - 0a3b4eafcfe8686eb400862cfd59aa2ee5258ef6834c873efca7a17edae12586 commerce ,07.20.doc
  12. - 5c080eb57e3ea26223742b1411a6c6e6d7c2abfe5b8b46ae1329101c0fd9a4b6 commerce_ 07.21.20.doc
  13. - d14e72cd5330cc44a19396c48fc669f531f079b8b9806402d080f679af9c7de2 details,07.20.doc
  14. - 22b51dd1d452b515d73da1ebf5fd9b238c5ab5718b52c7cff76e3cc2c2297a77 details.07.20.doc
  15. - bf4a85f6b9a0cb4cdfa42636b32c02d2d49fe7efa299b1607d776314de5dfca6 figures-07.20.doc
  16. - aed425aa20d8567069aeeb3f6ef2da2d474e3ce98cd5c1fec5379583bff81f90 instruct.07.20.doc
  17. - 3872646ea1074f8e640a3eb962b0204404f05faf5c1810807aef66c6222939f5 instrument indenture.07.21.2020.doc
  18. - a4f444ea73901fda907160f53e90656176d9afca987da328bd49724f8a564f43 legal agreement 07.20.doc
  19. - 2bcab5487facca5e777469181503d4b25e8040390988d4be812db6025bd5a0d8 ordain,07.20.doc
  20. - ed8b56e107a2a66b612cfc34eda5e454c55ecbba01d7b3ce6d3d398a36a2bce1 prescribe -07.20.doc
  21. - 3fd048d0ffbbc318a482976da2982d1daf6b1113ea047469d0dcd7bd37e6f3f0 question-07.21.20.doc
  22.  
  23. DOMAINS HOSTING ICEDID INSTALLER DLL:
  24.  
  25. - 9ryhmsk[.]com - 51.75.56[.]30
  26. - na6j8eg[.]com - 77.87.212[.]133
  27. - pd2iyml[.]com - 45.12.4[.]132
  28. - qxe3uaq[.]com - 79.174.12[.]34
  29. - vx9c3ku[.]com - 185.43.4[.]205
  30. - xei319b[.]com - 185.144.29[.]183
  31. - xo4z0sl[.]com - 79.174.12[.]36
  32. - y0wssdb[.]com - 194.31.236[.]205
  33. - zpx0okh[.]com - 79.174.12[.]26
  34.  
  35. HTTP GET REQUESTS FOR ICEDID INSTALLER DLL:
  36.  
  37. - GET /4adr/lotv.php?l=zug1.cab
  38. - GET /4adr/lotv.php?l=zug2.cab
  39. - GET /4adr/lotv.php?l=zug3.cab
  40. - GET /4adr/lotv.php?l=zug4.cab
  41. - GET /4adr/lotv.php?l=zug5.cab
  42. - GET /4adr/lotv.php?l=zug6.cab
  43. - GET /4adr/lotv.php?l=zug7.cab
  44. - GET /4adr/lotv.php?l=zug8.cab
  45. - GET /4adr/lotv.php?l=zug9.cab
  46. - GET /4adr/lotv.php?l=zug1.cab
  47. - GET /4adr/lotv.php?l=zug10.cab
  48. - GET /4adr/lotv.php?l=zug11.cab
  49. - GET /4adr/lotv.php?l=zug12.cab
  50. - GET /4adr/lotv.php?l=zug13.cab
  51. - GET /4adr/lotv.php?l=zug14.cab
  52. - GET /4adr/lotv.php?l=zug15.cab
  53.  
  54. 13 EXAMPLES OF ICEDID INSTALLER DLL FILES:
  55.  
  56. - 03ca4c1202c3c86a29ad28ea3dfafafc7e85eeffc9b7ffb0ca42b5d72b17d431
  57. - 10cc78e17139d3cc2ec90c88806f85d3a660bf445eda3814650200448df846d7
  58. - 2f0b5a8ab3fe7aa986b274bea8ec987b5d91ab6e0cdf0dc12f90963a503287b5
  59. - 730b0df2831f288def59337087cbf2ced2cc952fa56ffb6ca1fce39af283534b
  60. - 99e6a600342a88285e8688db40fd1872985a9e45edce84d431c7ce357b5bf8f5
  61. - 9b0078b82b81f25c971db8e1c9304cde7c4e283a3c05d4cd63b8268db1d24f49
  62. - a01bf264eb49cdb6b0183efa50273edf73f7550670a2e8d3c6eb3f082f81e7e1
  63. - b978e28636b8a01e959330b06e7ab362c6a4228131a0598b17ee3fe6a5e75332
  64. - c59d5da3bff62c6fc414f424c066cef398873365debbbbb2b9c893ece632cbb4
  65. - cb046873b3f030de0d766f937da4c80774804c4f14ffbaa087e710ebfbcd22f7
  66. - e07ff447643a533928a78d98fef9bdde00b65fe06b05166404e3e9c607721384
  67. - d67086e4432757bf18da61a66519056e6031f36989b53a3661d24a26d6927929
  68. - f2cfcd36f36c0a6fe66e63d9f274329e59c060d942a5d2d6eb24d936a1d3acd3
  69.  
  70. - Run method: Regsvr32.exe [filename]
  71.  
  72. LOCATIONS OF ICEDID INSTALLER DLL FILES:
  73.  
  74. - Same directory path as Word doc, named mp.pdf
  75. - C:\Users\[username]\AppData\Local\Temp\index.jpg
  76.  
  77. ICEDID MALWARE:
  78.  
  79. - SHA256 hash: f9e63320c3a3c14847155de9abdbbf38e44866500402d8985312d92f149df23b
  80. - File size: 257,024 bytes
  81. - File location: C:\Users\[username]\AppData\Local\Temp\~5174078.exe
  82. - File description: Initial IcedID EXE
  83.  
  84. - SHA256 hash: fd9ed4c7107c4fb86d348d13f7e6c3b6c23e6c12084adc45ddfef4bc2ef2fbaf
  85. - File size: 257,024 bytes
  86. - File location: C:\Users\[username]\AppData\Roaming\{EECB8901-0304-6FD5-8C6D-A353ACF116A9}\{E6EBA939-5CF0-9AF5-3E9A-914F0177D383}\Obmuebps64.exe
  87. - File description: IcedID EXE persistent on the infected Windows host
  88.  
  89. DOMAINS USED BY ICEDID:
  90.  
  91. - 45.66.250[.]229 - loaderprototype[.]casa
  92. - 45.66.250[.]16 - helicopterstarted[.]top
  93. - 45.66.250[.]16 - blmfuck[.]top
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!