- 2020-07-17 (FRIDAY) - WORD DOCS WITH MACROS PUSHING ICEDID (BOKBOT)
- 10 EXAMPLES OF WORD DOCS WITH MACROS FOR ICEDID INSTALLER:
- DOMAINS HOSTING ICEDID INSTALLER DLL:
- HTTP GET REQUESTS FOR THE ICEDID INSTALLER DLL:
- - GET /hboneb/sol95.php?l=abe1.cab
- - GET /hboneb/sol95.php?l=abe.cab
- - GET /hboneb/sol95.php?l=abe11.cab
- - GET /hboneb/sol95.php?l=abe12.cab
- HTTPS TRAFFIC GENERATED BY ICEDID
- - 45.153.240[.]223 port 443 - loadwarsaw[.]casa - GET /background.png
- - 51.195.35[.]6 port 443 - circleoccupy[.]best
- - 51.195.35[.]6 port 443 - corporotto[.]top
- MALWARE SAMPLES:
- - SHA256 hash: d3d23225076370e0765113d978ec94de889fa15982e672fe82621a4d235f61b7
- - File size: 257,024 bytes
- - File location: hxxp://hiha7n[.]com/hboneb/sol95.php?l=abe1.cab
- - File location: C:\Users\[username]\Documents\n.tmp
- - File description: IcedID installer EXE retrieved by Word macro (failed infection run on virtual host)
- - SHA256 hash: 82a24a752186293c1299b8f32940c1a62a0c5c039baaec3455d08b291df54122
- - File size: 261,122 bytes
- - File location: hxxp://50joqg[.]com/hboneb/sol95.php?l=abe10.cab
- - File location: C:\ProgramData\6641.jpg
- - File description: IcedID installer EXE retrieved by Word macro (successful infection run on physical host)
- - SHA256 hash: 98e0c53cadf9c32a4d3aeee207f925351c93a0ea452d1cb1bc6854186f44098f
- - File size: 328,519 bytes
- - File location: C:\Users\[username]\AppData\Local\Temp\~356062.tmp
- - File type: PNG image data, 250 x 586, 8-bit/color RGB, non-interlaced
- - File description: PNG image with encoded data used to create IcedID EXE
- - SHA256 hash: dc5f93c16457334cda2f501756dcdb3318d2b8fcddb9f468f94ff374fe4acc27
- - File size: 324,096 bytes
- - File location: C:\Users\[username]\AppData\Local\Temp\~455062.exe
- - File description: IcedID EXE created using data from the above PNG image
- - SHA256 hash: 922ddfbc4139160d4ca02aaa5ffd506d512e0ad3ef9d20e8e20bd66669a20e0a
- - File size: 324,096 bytes
- - File location: C:\Users\[username]\AppData\Local\[username]\Winipouo.exe
- - File description: IcedID EXE persistent on infected Windows host (same as the above file but with a different file hash)