- 2020-07-21 (TUESDAY) - WORD DOCS PUSHING ICEDID (BOKBOT)
- NOTES:
- - All of the docs/DLLs/EXEs listed below have been uploaded to bazaar.abuse.ch
- - All of the URLs for IcedID installer DLLs have been submitted to urlhaus.abuse.ch
- 12 EXAMPLES OF WORD DOCS WITH MACROS FOR ICEDID:
- - 8d218e741cdb92926e8dd416837bdbc4f47e59c3b8fae9d855998c428ec4e654 charge_07.20 2.doc
- - 0a3b4eafcfe8686eb400862cfd59aa2ee5258ef6834c873efca7a17edae12586 commerce ,07.20.doc
- - 5c080eb57e3ea26223742b1411a6c6e6d7c2abfe5b8b46ae1329101c0fd9a4b6 commerce_ 07.21.20.doc
- - d14e72cd5330cc44a19396c48fc669f531f079b8b9806402d080f679af9c7de2 details,07.20.doc
- - 22b51dd1d452b515d73da1ebf5fd9b238c5ab5718b52c7cff76e3cc2c2297a77 details.07.20.doc
- - bf4a85f6b9a0cb4cdfa42636b32c02d2d49fe7efa299b1607d776314de5dfca6 figures-07.20.doc
- - aed425aa20d8567069aeeb3f6ef2da2d474e3ce98cd5c1fec5379583bff81f90 instruct.07.20.doc
- - 3872646ea1074f8e640a3eb962b0204404f05faf5c1810807aef66c6222939f5 instrument indenture.07.21.2020.doc
- - a4f444ea73901fda907160f53e90656176d9afca987da328bd49724f8a564f43 legal agreement 07.20.doc
- - 2bcab5487facca5e777469181503d4b25e8040390988d4be812db6025bd5a0d8 ordain,07.20.doc
- - ed8b56e107a2a66b612cfc34eda5e454c55ecbba01d7b3ce6d3d398a36a2bce1 prescribe -07.20.doc
- - 3fd048d0ffbbc318a482976da2982d1daf6b1113ea047469d0dcd7bd37e6f3f0 question-07.21.20.doc
- DOMAINS HOSTING ICEDID INSTALLER DLL:
- - 9ryhmsk[.]com - 51.75.56[.]30
- - na6j8eg[.]com - 77.87.212[.]133
- - pd2iyml[.]com - 45.12.4[.]132
- - qxe3uaq[.]com - 79.174.12[.]34
- - vx9c3ku[.]com - 185.43.4[.]205
- - xei319b[.]com - 185.144.29[.]183
- - xo4z0sl[.]com - 79.174.12[.]36
- - y0wssdb[.]com - 194.31.236[.]205
- - zpx0okh[.]com - 79.174.12[.]26
- HTTP GET REQUESTS FOR ICEDID INSTALLER DLL:
- - GET /4adr/lotv.php?l=zug1.cab
- - GET /4adr/lotv.php?l=zug2.cab
- - GET /4adr/lotv.php?l=zug3.cab
- - GET /4adr/lotv.php?l=zug4.cab
- - GET /4adr/lotv.php?l=zug5.cab
- - GET /4adr/lotv.php?l=zug6.cab
- - GET /4adr/lotv.php?l=zug7.cab
- - GET /4adr/lotv.php?l=zug8.cab
- - GET /4adr/lotv.php?l=zug9.cab
- - GET /4adr/lotv.php?l=zug10.cab
- - GET /4adr/lotv.php?l=zug11.cab
- - GET /4adr/lotv.php?l=zug12.cab
- - GET /4adr/lotv.php?l=zug13.cab
- - GET /4adr/lotv.php?l=zug14.cab
- - GET /4adr/lotv.php?l=zug15.cab
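- - Added detection example (not part of the original paste): the request path /4adr/lotv.php?l=zug<N>.cab is the durable indicator here, since the nine installer domains and their IPs rotate between campaigns while the path stayed constant across all of the GETs above. The script below runs over constructed proxy log lines (a simple "client method host uri" layout assumed for this example, not traffic from the page's infection), flags the installer path pattern regardless of host, and falls back to an exact match against the installer hosts and the IcedID C2 domains/IPs listed on this page.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Indicators copied from the paste above, kept defanged and refanged at match time.
INSTALLER_DOMAINS = {
    "9ryhmsk[.]com", "na6j8eg[.]com", "pd2iyml[.]com", "qxe3uaq[.]com", "vx9c3ku[.]com",
    "xei319b[.]com", "xo4z0sl[.]com", "y0wssdb[.]com", "zpx0okh[.]com",
}
INSTALLER_IPS = {
    "51.75.56[.]30", "77.87.212[.]133", "45.12.4[.]132", "79.174.12[.]34", "185.43.4[.]205",
    "185.144.29[.]183", "79.174.12[.]36", "194.31.236[.]205", "79.174.12[.]26",
}
C2_DOMAINS = {"loaderprototype[.]casa", "helicopterstarted[.]top", "blmfuck[.]top"}
C2_IPS = {"45.66.250[.]229", "45.66.250[.]16"}


def refang(ioc: str) -> str:
    """Turn a defanged indicator ("example[.]com") back into a matchable host."""
    return ioc.replace("[.]", ".")


KNOWN_HOSTS = {refang(x) for x in INSTALLER_DOMAINS | INSTALLER_IPS | C2_DOMAINS | C2_IPS}

# Installer fetch shape seen in every GET above: /4adr/lotv.php?l=zug<N>.cab
INSTALLER_PATH = re.compile(r"^/4adr/lotv\.php$")
INSTALLER_PARAM = re.compile(r"^zug\d+\.cab$")

# Constructed sample log (assumed layout: client method host uri); not real capture data.
SAMPLE_LOG = """\
10.0.0.7 GET 9ryhmsk.com /4adr/lotv.php?l=zug3.cab
10.0.0.7 GET www.example.com /index.html
10.0.0.9 GET 203.0.113.5 /4adr/lotv.php?l=zug14.cab
10.0.0.9 POST loaderprototype.casa /
10.0.0.4 GET 79.174.12.36 /4adr/lotv.php?l=other.cab
"""


def classify(line: str):
    """Return (reason, line) when a log line matches an IcedID indicator, else None."""
    parts = line.split()
    if len(parts) != 4:
        return None
    _client, _method, host, uri = parts
    split = urlsplit(uri)
    query = parse_qs(split.query)
    # Path pattern first: it catches hosts that are not yet on any block list.
    if INSTALLER_PATH.match(split.path) and any(
        INSTALLER_PARAM.match(v) for v in query.get("l", [])
    ):
        return ("installer_uri_pattern", line)
    if host in KNOWN_HOSTS:
        return ("known_host", line)
    return None


def scan(log_text: str):
    """Run classify() over every line and collect the hits in log order."""
    hits = []
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for reason, line in scan(SAMPLE_LOG):
        print(f"{reason:24} {line}")
```

- - The third sample line is the point of the pattern rule: the host 203.0.113.5 is not on the page, but the path gives it away. The last line shows the reverse: a known installer IP serving a different file name still matches on the host alone.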
- 13 EXAMPLES OF ICEDID INSTALLER DLL FILES:
- - 03ca4c1202c3c86a29ad28ea3dfafafc7e85eeffc9b7ffb0ca42b5d72b17d431
- - 10cc78e17139d3cc2ec90c88806f85d3a660bf445eda3814650200448df846d7
- - 2f0b5a8ab3fe7aa986b274bea8ec987b5d91ab6e0cdf0dc12f90963a503287b5
- - 730b0df2831f288def59337087cbf2ced2cc952fa56ffb6ca1fce39af283534b
- - 99e6a600342a88285e8688db40fd1872985a9e45edce84d431c7ce357b5bf8f5
- - 9b0078b82b81f25c971db8e1c9304cde7c4e283a3c05d4cd63b8268db1d24f49
- - a01bf264eb49cdb6b0183efa50273edf73f7550670a2e8d3c6eb3f082f81e7e1
- - b978e28636b8a01e959330b06e7ab362c6a4228131a0598b17ee3fe6a5e75332
- - c59d5da3bff62c6fc414f424c066cef398873365debbbbb2b9c893ece632cbb4
- - cb046873b3f030de0d766f937da4c80774804c4f14ffbaa087e710ebfbcd22f7
- - e07ff447643a533928a78d98fef9bdde00b65fe06b05166404e3e9c607721384
- - d67086e4432757bf18da61a66519056e6031f36989b53a3661d24a26d6927929
- - f2cfcd36f36c0a6fe66e63d9f274329e59c060d942a5d2d6eb24d936a1d3acd3
- - Run method: Regsvr32.exe [filename]
- LOCATIONS OF ICEDID INSTALLER DLL FILES:
- - Same directory path as Word doc, named mp.pdf
- - C:\Users\[username]\AppData\Local\Temp\index.jpg
- ICEDID MALWARE:
- - SHA256 hash: f9e63320c3a3c14847155de9abdbbf38e44866500402d8985312d92f149df23b
- - File size: 257,024 bytes
- - File location: C:\Users\[username]\AppData\Local\Temp\~5174078.exe
- - File description: Initial IcedID EXE
- - SHA256 hash: fd9ed4c7107c4fb86d348d13f7e6c3b6c23e6c12084adc45ddfef4bc2ef2fbaf
- - File size: 257,024 bytes
- - File location: C:\Users\[username]\AppData\Roaming\{EECB8901-0304-6FD5-8C6D-A353ACF116A9}\{E6EBA939-5CF0-9AF5-3E9A-914F0177D383}\Obmuebps64.exe
- - File description: IcedID EXE persistent on the infected Windows host
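- - Added host-side detection example (not part of the original paste): the hashes above are exact-match indicators and change with every build, but three shapes in this listing are reusable. The installer DLL is run with Regsvr32.exe against a file whose extension is not .dll (mp.pdf, index.jpg), the initial EXE lands in %TEMP% as ~<digits>.exe, and the persistent EXE sits under AppData\Roaming in two GUID-named directories. The script below checks constructed Sysmon-style ProcessCreate/FileCreate events (assumed dict layout for this example, not events from the page's infection) against those three shapes.

```python
import re
from pathlib import PureWindowsPath

GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"

# Persistence location shape from the listing: ...\AppData\Roaming\{GUID}\{GUID}\<name>.exe
# The GUID values and the EXE name vary per host, so only the shape is matched.
PERSIST_PATH = re.compile(
    r"\\AppData\\Roaming\\" + GUID + r"\\" + GUID + r"\\[^\\]+\.exe$", re.IGNORECASE
)
# Initial EXE shape from the listing: ...\AppData\Local\Temp\~<digits>.exe
TEMP_TILDE_EXE = re.compile(r"\\AppData\\Local\\Temp\\~\d+\.exe$", re.IGNORECASE)


def tokens(cmdline: str):
    """Split a Windows command line, keeping quoted paths with spaces intact."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def regsvr32_nondll(image: str, cmdline: str) -> bool:
    """True when regsvr32.exe is handed a file whose extension is not .dll."""
    if PureWindowsPath(image).name.lower() != "regsvr32.exe":
        return False
    for tok in tokens(cmdline)[1:]:
        if tok.startswith("/") or tok.startswith("-"):
            continue  # switches such as /s, /n, /i:
        if PureWindowsPath(tok).suffix.lower() != ".dll":
            return True
    return False


# Constructed sample events (assumed fields: event, image, cmdline, target); not real telemetry.
SAMPLE_EVENTS = [
    {"event": "ProcessCreate", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32.exe "C:\Users\alice\Downloads\mp.pdf"'},
    {"event": "ProcessCreate", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\index.jpg"},
    {"event": "ProcessCreate", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\Program Files\Vendor\legit.dll"'},
    {"event": "FileCreate", "target": r"C:\Users\alice\AppData\Local\Temp\~5174078.exe"},
    {"event": "ProcessCreate",
     "image": r"C:\Users\alice\AppData\Roaming\{EECB8901-0304-6FD5-8C6D-A353ACF116A9}"
              r"\{E6EBA939-5CF0-9AF5-3E9A-914F0177D383}\Obmuebps64.exe",
     "cmdline": "Obmuebps64.exe"},
    {"event": "FileCreate", "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Word\normal.dotm"},
]


def detect(events):
    """Return (rule, detail) pairs for every event that matches one of the three shapes."""
    hits = []
    for ev in events:
        if ev["event"] == "ProcessCreate":
            if regsvr32_nondll(ev["image"], ev["cmdline"]):
                hits.append(("regsvr32_non_dll", ev["cmdline"]))
            if PERSIST_PATH.search(ev["image"]):
                hits.append(("icedid_persistence_path", ev["image"]))
        elif ev["event"] == "FileCreate":
            target = ev["target"]
            if TEMP_TILDE_EXE.search(target):
                hits.append(("temp_tilde_exe", target))
            elif PERSIST_PATH.search(target):
                hits.append(("icedid_persistence_path", target))
    return hits


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:26} {detail}")
```

- - The regsvr32 rule is the broadest of the three and will also fire on legitimate installers that register COM servers under odd extensions, so it belongs in a hunting query rather than an alert on its own; pair it with the %TEMP% drop or the GUID persistence path for a higher-confidence hit.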
- DOMAINS USED BY ICEDID:
- - 45.66.250[.]229 - loaderprototype[.]casa
- - 45.66.250[.]16 - helicopterstarted[.]top
- - 45.66.250[.]16 - blmfuck[.]top