malware_traffic

2020-07-17 (Friday) - Word docs with macros for IcedID

Jul 20th, 2020
2020-07-17 (FRIDAY) - WORD DOCS WITH MACROS PUSHING ICEDID (BOKBOT)

10 EXAMPLES OF WORD DOCS WITH MACROS FOR ICEDID INSTALLER:

- 3dbe6e3723999de42bf94efd854b6392b36ba5a987e45fe00889b24785d7717f dictate_07.17.2020.doc
- 5c1fcb5363b8fe8fc9e70b95dc952ead965404592e458857757c91cb197789bf prescribe ,07.17.2020.doc
- 5ebed2309ad405345d80c81316359472c0a78f86d19fac422581df957be0ac71 specifics_07.20.doc
- 627e2e7d5c8cd6f56a25fb978d8a23253c743669c54db7b838e11be9ab6f9438 rule 07.17.20.doc
- 6c33903aeb48acef41f52f852779b1b44e107199d07c2bc83bee1bb767e03aa8 figures 07.20.doc
- 857b942db6d1186cc40e36d0ad2dce128913528f27520fbc7b4c3cee6b15e540 order-07.17.2020.doc
- b344a76ab6ea04ee43679d17f7f1c5697004e9ce2e30866103da58fa62f81c95 input.07.20.doc
- d48b415a371a62d32efebb4c14a708f3dd868f5ae2347d0b15337d932772565e instruct.07.20.doc
- d570d3f928cb4d4786d534839b75c10a10d41562ae52c70ffd59fc165ac06d3e file-07.20.doc
- dd5f144cce9893b80d1d94d16b5e146cb62af6b097f38c887af50124df369d13 decree 07.17.2020.doc

DOMAINS HOSTING ICEDID INSTALLER DLL:

- 1rvi3p[.]com
- 19cxca[.]com
- 50joqg[.]com
- 5fbthd[.]com
- 6yqg9j[.]com
- hiha7n[.]com
- ij7541[.]com
- rax0qn[.]com

HTTP GET REQUESTS FOR THE ICEDID INSTALLER DLL:

- GET /hboneb/sol95.php?l=abe1.cab
- GET /hboneb/sol95.php?l=abe.cab
- GET /hboneb/sol95.php?l=abe.cab
- GET /hboneb/sol95.php?l=abe.cab
- GET /hboneb/sol95.php?l=abe.cab
- GET /hboneb/sol95.php?l=abe.cab
- GET /hboneb/sol95.php?l=abe.cab
- GET /hboneb/sol95.php?l=abe.cab
- GET /hboneb/sol95.php?l=abe.cab
- GET /hboneb/sol95.php?l=abe1.cab
- GET /hboneb/sol95.php?l=abe11.cab
- GET /hboneb/sol95.php?l=abe12.cab

HTTPS TRAFFIC GENERATED BY ICEDID

- 45.153.240[.]223 port 443 - loadwarsaw[.]casa - GET /background.png
- 51.195.35[.]6 port 443 - circleoccupy[.]best
- 51.195.35[.]6 port 443 - corporotto[.]top

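The installer domains, the fixed /hboneb/sol95.php?l=abe*.cab path and the HTTPS indicators above are enough to write a log check. What follows is an added example, not code from the original paste or from malware-traffic-analysis.net: a Python script that matches those indicators against a constructed proxy-style log. The log layout, the 10.0.0.x client addresses and the 203.0.113.x / 198.51.100.x server addresses are assumptions made up for the demo; only the domains, the two C2 IPs and the URI shape come from the lists above.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Indicators copied from the lists above, with the [.] defanging removed so
# they compare directly against logged hostnames.
INSTALLER_DOMAINS = {
    "1rvi3p.com", "19cxca.com", "50joqg.com", "5fbthd.com",
    "6yqg9j.com", "hiha7n.com", "ij7541.com", "rax0qn.com",
}
C2_DOMAINS = {"loadwarsaw.casa", "circleoccupy.best", "corporotto.top"}
C2_IPS = {"45.153.240.223", "51.195.35.6"}

# Every installer download above used the same path; only the digits after
# "abe" in the l= parameter varied (abe, abe1, abe10, abe11, abe12 ...).
INSTALLER_URI = re.compile(r"^/hboneb/sol95\.php\?l=abe\d*\.cab$")

# Assumed log layout for this example (not any particular product's format):
# "<timestamp> <src_ip> <dst_ip>:<dst_port> <method> <host> <uri>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>[\d.]+):(?P<port>\d+) "
    r"(?P<method>[A-Z]+) (?P<host>\S+) (?P<uri>\S+)$"
)


@dataclass
class Hit:
    line_no: int
    reason: str
    host: str
    uri: str


def classify(line: str, line_no: int = 0) -> Optional[Hit]:
    """Return a Hit for a line that touches one of the indicators, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    host = m["host"].lower().rstrip(".")
    uri = m["uri"]
    if host in INSTALLER_DOMAINS and INSTALLER_URI.match(uri):
        return Hit(line_no, "icedid-installer-download", host, uri)
    if INSTALLER_URI.match(uri):
        # Same path on a domain not in the list: the campaign rotates domains,
        # so treat the URI shape as a lower-confidence indicator on its own.
        return Hit(line_no, "icedid-installer-uri-pattern", host, uri)
    if host in C2_DOMAINS or m["dst"] in C2_IPS:
        # The host may be absent on a bare CONNECT, hence the IP fallback.
        return Hit(line_no, "icedid-c2-contact", host, uri)
    return None


def scan(lines: Iterable[str]) -> List[Hit]:
    hits = []
    for n, line in enumerate(lines, 1):
        h = classify(line, n)
        if h is not None:
            hits.append(h)
    return hits


# Constructed sample log for the demo (not captured traffic).
SAMPLE_LOG = """
2020-07-17T14:02:11Z 10.0.0.5 203.0.113.10:80 GET hiha7n.com /hboneb/sol95.php?l=abe1.cab
2020-07-17T14:02:30Z 10.0.0.5 45.153.240.223:443 GET loadwarsaw.casa /background.png
2020-07-17T14:03:02Z 10.0.0.5 51.195.35.6:443 GET corporotto.top /
2020-07-17T14:05:00Z 10.0.0.7 198.51.100.20:80 GET example.com /index.html
2020-07-17T14:06:00Z 10.0.0.7 198.51.100.21:80 GET unknown-host.net /hboneb/sol95.php?l=abe12.cab
2020-07-17T14:07:00Z 10.0.0.9 198.51.100.22:80 GET example.org /hboneb/sol95.php?l=other.cab
2020-07-17T14:08:00Z 10.0.0.5 51.195.35.6:443 CONNECT - /
""".strip().splitlines()

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Lines 1, 2, 3 and 7 of the constructed log are the clean matches; line 5 shows why the URI shape is kept as a separate, weaker signal, and line 6 shows that a different l= value on the same path is deliberately not matched.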
MALWARE SAMPLES:

- SHA256 hash: d3d23225076370e0765113d978ec94de889fa15982e672fe82621a4d235f61b7
- File size: 257,024 bytes
- File location: hxxp://hiha7n[.]com/hboneb/sol95.php?l=abe1.cab
- File location: C:\Users\[username]\Documents\n.tmp
- File description: IcedID installer EXE retrieved by Word macro (failed infection run on virtual host)

- SHA256 hash: 82a24a752186293c1299b8f32940c1a62a0c5c039baaec3455d08b291df54122
- File size: 261,122 bytes
- File location: hxxp://50joqg[.]com/hboneb/sol95.php?l=abe10.cab
- File location: C:\ProgramData\6641.jpg
- File description: IcedID installer EXE retrieved by Word macro (successful infection run on physical host)

- SHA256 hash: 98e0c53cadf9c32a4d3aeee207f925351c93a0ea452d1cb1bc6854186f44098f
- File size: 328,519 bytes
- File location: C:\Users\[username]\AppData\Local\Temp\~356062.tmp
- File type: PNG image data, 250 x 586, 8-bit/color RGB, non-interlaced
- File description: PNG image with encoded data used to create the IcedID EXE

- SHA256 hash: dc5f93c16457334cda2f501756dcdb3318d2b8fcddb9f468f94ff374fe4acc27
- File size: 324,096 bytes
- File location: C:\Users\[username]\AppData\Local\Temp\~455062.exe
- File description: IcedID EXE created using data from the above PNG image

- SHA256 hash: 922ddfbc4139160d4ca02aaa5ffd506d512e0ad3ef9d20e8e20bd66669a20e0a
- File size: 324,096 bytes
- File location: C:\Users\[username]\AppData\Local\[username]\Winipouo.exe
- File description: IcedID EXE persistent on the infected Windows host (same as the above file but with a different file hash)
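The third sample above is a PNG that carried encoded data from which the IcedID EXE was built. A first triage question for such a file is where the non-image bytes live: in an unknown chunk, after IEND, or inside the pixel data itself. The following is an added example, not code from the original paste and not a description of how IcedID actually encodes its payload: a Python PNG chunk walker that reports unknown chunk types, CRC failures, bytes after IEND and a decoded IDAT length that does not match the IHDR geometry. The two PNG files it checks are constructed in the script (a private "stEg" chunk and a 64-byte trailer are made up for the demo).

```python
import struct
import zlib
from typing import Dict, List, Tuple

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG spec; anything else is private or unknown.
STANDARD_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP",
    b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs",
    b"sPLT", b"tIME",
}
# Channels per pixel for the non-palette colour types (IHDR byte 9).
CHANNELS = {0: 1, 2: 3, 4: 2, 6: 4}


def chunks(data: bytes) -> List[Tuple[bytes, bytes, bool, int]]:
    """Walk the chunk list: (type, payload, crc_ok, offset) per chunk.
    Stops after IEND so anything appended to the file is left for the caller."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos, out = len(PNG_SIG), []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        crc_ok = len(crc) == 4 and struct.unpack(">I", crc)[0] == zlib.crc32(ctype + payload)
        out.append((ctype, payload, crc_ok, pos))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return out


def triage(data: bytes) -> Dict[str, object]:
    """Report where non-image bytes could be hiding. The IDAT size check
    assumes bit depth 8 and a non-interlaced image, as on the page's sample."""
    cl = chunks(data)
    end = next((off + 12 + len(p) for t, p, _, off in cl if t == b"IEND"), len(data))
    width, height, depth, ctype = struct.unpack(">IIBB", cl[0][1][:10])
    idat = b"".join(p for t, p, _, _ in cl if t == b"IDAT")
    try:
        raw_len = len(zlib.decompress(idat))
    except zlib.error:
        raw_len = -1
    # Each scanline is one filter byte plus width * bytes-per-pixel.
    expected = height * (1 + width * CHANNELS[ctype] * depth // 8) if ctype in CHANNELS else None
    report: Dict[str, object] = {
        "chunk_types": [t.decode("latin-1") for t, *_ in cl],
        "bad_crc": [t.decode("latin-1") for t, _, ok, _ in cl if not ok],
        "nonstandard": [t.decode("latin-1") for t, *_ in cl if t not in STANDARD_CHUNKS],
        "trailing_bytes": len(data) - end,
        "idat_raw_len": raw_len,
        "idat_expected_len": expected,
    }
    flags = []
    if report["trailing_bytes"]:
        flags.append("data-after-IEND")
    if report["nonstandard"]:
        flags.append("nonstandard-chunk")
    if report["bad_crc"]:
        flags.append("bad-crc")
    if expected is not None and raw_len != expected:
        flags.append("idat-size-mismatch")
    report["flags"] = flags
    return report


# --- constructed test files (made up for the demo, not the sample on the page) ---
def _chunk(ctype: bytes, payload: bytes) -> bytes:
    return (struct.pack(">I", len(payload)) + ctype + payload
            + struct.pack(">I", zlib.crc32(ctype + payload)))


def make_png(width: int = 2, height: int = 2, extra: bytes = b"", trailer: bytes = b"") -> bytes:
    """Tiny 8-bit RGB image; 'extra' is spliced in before IEND, 'trailer' appended after it."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    rows = b"".join(b"\x00" + b"\x10\x20\x30" * width for _ in range(height))
    return (PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(rows))
            + extra + _chunk(b"IEND", b"") + trailer)


CLEAN = make_png()
# A private ancillary chunk carrying a XOR-obfuscated blob, plus 64 bytes after IEND.
SUSPECT = make_png(extra=_chunk(b"stEg", bytes(b ^ 0x5A for b in b"MZ" + b"\x90" * 30)),
                   trailer=b"\x00" * 64)

if __name__ == "__main__":
    for name, png in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(name, triage(png))
```

For the 250 x 586 8-bit RGB image listed above, the decoded IDAT stream should be exactly 586 * (1 + 250 * 3) = 440,086 bytes. If that length matches, every CRC is good and nothing follows IEND, the payload is inside the pixel values themselves and has to be recovered from the decoded scanlines, which this script does not attempt.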