2020-07-17 (Friday) - Word docs with macros for IcedID

1. 2020-07-17 (FRIDAY) - WORD DOCS WITH MACROS PUSHING ICEDID (BOKBOT)
2.  
3. 10 EXAMPLES OF WORD DOCS WITH MACROS FOR ICEDID INSTALLER:
4.  
5. - 3dbe6e3723999de42bf94efd854b6392b36ba5a987e45fe00889b24785d7717f dictate_07.17.2020.doc
6. - 5c1fcb5363b8fe8fc9e70b95dc952ead965404592e458857757c91cb197789bf prescribe ,07.17.2020.doc
7. - 5ebed2309ad405345d80c81316359472c0a78f86d19fac422581df957be0ac71 specifics_07.20.doc
8. - 627e2e7d5c8cd6f56a25fb978d8a23253c743669c54db7b838e11be9ab6f9438 rule 07.17.20.doc
9. - 6c33903aeb48acef41f52f852779b1b44e107199d07c2bc83bee1bb767e03aa8 figures 07.20.doc
10. - 857b942db6d1186cc40e36d0ad2dce128913528f27520fbc7b4c3cee6b15e540 order-07.17.2020.doc
11. - b344a76ab6ea04ee43679d17f7f1c5697004e9ce2e30866103da58fa62f81c95 input.07.20.doc
12. - d48b415a371a62d32efebb4c14a708f3dd868f5ae2347d0b15337d932772565e instruct.07.20.doc
13. - d570d3f928cb4d4786d534839b75c10a10d41562ae52c70ffd59fc165ac06d3e file-07.20.doc
14. - dd5f144cce9893b80d1d94d16b5e146cb62af6b097f38c887af50124df369d13 decree 07.17.2020.doc
15.  
16. DOMAINS HOSTING ICEDID INSTALLER DLL:
17.  
18. - 1rvi3p[.]com
19. - 19cxca[.]com
20. - 50joqg[.]com
21. - 5fbthd[.]com
22. - 6yqg9j[.]com
23. - hiha7n[.]com
24. - ij7541[.]com
25. - rax0qn[.]com
26.  
27. HTTP GET REQUESTS FOR THE ICEDID INSTALLER DLL:
28.  
29. - GET /hboneb/sol95.php?l=abe1.cab
30. - GET /hboneb/sol95.php?l=abe.cab
31. - GET /hboneb/sol95.php?l=abe.cab
32. - GET /hboneb/sol95.php?l=abe.cab
33. - GET /hboneb/sol95.php?l=abe.cab
34. - GET /hboneb/sol95.php?l=abe.cab
35. - GET /hboneb/sol95.php?l=abe.cab
36. - GET /hboneb/sol95.php?l=abe.cab
37. - GET /hboneb/sol95.php?l=abe.cab
38. - GET /hboneb/sol95.php?l=abe1.cab
39. - GET /hboneb/sol95.php?l=abe11.cab
40. - GET /hboneb/sol95.php?l=abe12.cab
41.  
42. HTTPS TRAFFIC GENERATED BY ICEDID
43.  
44. - 45.153.240[.]223 port 443 - loadwarsaw[.]casa - GET /background.png
45. - 51.195.35[.]6 port 443 - circleoccupy[.]best
46. - 51.195.35[.]6 port 443 - corporotto[.]top
47.  
48. MALWARE SAMPLES:
49.  
50. - SHA256 hash: d3d23225076370e0765113d978ec94de889fa15982e672fe82621a4d235f61b7
51. - File size: 257,024 bytes
52. - File location: hxxp://hiha7n[.]com/hboneb/sol95.php?l=abe1.cab
53. - File location: C:\Users\[username]\Documents\n.tmp
54. - File description: IcedID installer EXE retreived by Word macro (failed infection run on Virtual host)
55.  
56. - SHA256 hash: 82a24a752186293c1299b8f32940c1a62a0c5c039baaec3455d08b291df54122
57. - File size: 261,122 bytes
58. - File location: hxxp://50joqg[.]com/hboneb/sol95.php?l=abe10.cab
59. - File location: C:\ProgramData\6641.jpg
60. - File description: IcedID installer EXE retreived by Word macro (successful infection run on physical host)
61.  
62. - SHA256 hash: 98e0c53cadf9c32a4d3aeee207f925351c93a0ea452d1cb1bc6854186f44098f
63. - File size: 328,519 bytes
64. - File location: C:\Users\[username]\AppData\Local\Temp\~356062.tmp
65. - File type: PNG image data, 250 x 586, 8-bit/color RGB, non-interlaced
66. - File description: PNG image with encoded data used to create IcedID EXE
67.  
68. - SHA256 hash: dc5f93c16457334cda2f501756dcdb3318d2b8fcddb9f468f94ff374fe4acc27
69. - File size: 324,096 bytes
70. - File location: C:\Users\[username]\AppData\Local\Temp\~455062.exe
71. - File description: IcedID EXE created using data from the above PNG image
72.  
73. - SHA256 hash: 922ddfbc4139160d4ca02aaa5ffd506d512e0ad3ef9d20e8e20bd66669a20e0a
74. - File size: 324,096 bytes
75. - File location: C:\Users\[username]\AppData\Local\[username]\Winipouo.exe
76. - File description: IcedID EXE persistent on infected Windows host (same as the above file but with different file hash