2021-05-28 IcedID IOCs

1. THREAT IDENTIFICATION: ICEDID
2.  
3. FORM CONTENTS
4. Hi!
5.  
6. My name is Tommy.
7.  
8. Your website or a website that your company hosts is infringing on a copyrighted images owned by me personally.
9.  
10. Check out this official document with the hyperlinks to my images you utilized at www.<yourdomainname>.com and my earlier publication to find the evidence of my copyrights.
11.  
12. Download it now and check this out for yourself:
13.  
14. https://sites.google.com/view/b93uhfgdfj38fdh-3ifdshi3dhj/d/shared/0/download/file?f=412487269847230846
15.  
16. In my opinion you have deliberately violated my rights under 17 USC Section 101 et seq. and could possibly be liable for statutory damages as high as $150,000 as set-forth in Section 504 (c)(2) of the Digital millennium copyright act (DMCA) therein.
17.  
18. This letter is official notification. I demand the elimination of the infringing materials mentioned above. Take note as a service provider, the Digital Millennium Copyright Act requires you, to remove or/and deactivate access to the infringing content upon receipt of this particular notification letter. In case you do not stop the utilization of the above mentioned copyrighted content a legal action will be initiated against you.
19.  
20. I do have a good belief that use of the copyrighted materials mentioned above as allegedly violating is not permitted by the copyright owner, its legal agent, or the laws.
21.  
22. I swear, under consequence of perjury, that the information in this message is accurate and that I am currently the legal copyright proprietor or am authorized to act on behalf of the proprietor of an exclusive right that is allegedly infringed.
23.  
24. Regards,
25. Tommy Cohen
26.  
27. 05/28/2021
28.  
29. MALDOC DOWNLOAD URL
30. https://sites.google.com/view/b93uhfgdfj38fdh-3ifdshi3dhj/d/shared/0/download/file?f=412487269847230846
31.  
32. MALDOC FILE HASHES
33. Stolen Images Evidence.zip
34. 5b1eb1248d06343a79c592bec9faa4e8
35.  
36. Stolen Images Evidence.js
37. c17a93ce071880665ee8ba926dec6804
38.  
39. ICEDID PAYLOAD DOWNLOAD URLS
40. http://manusart.top/034g100/index.php
41. http://manusart.top/034g100/main.php
42.  
43. ICEDID PAYLOAD FILE HASHES
44. main.php
45. 48f2f59ffbcb987055b7d04f9a0cce5c
46.  
47. ICEDID C2
48. http://lascakatheather.shop/
49. 172.67.192.197
50.  
51. C2 TRAFFIC
52. GET / HTTP/1.1
53. Connection: Keep-Alive
54. Cookie: __gads=1810231353:1:931:125; _gat=10.0.17134.64; _ga=1.329303.2020557398.150; _u=4D534544474557494E3130:494555736572:41433442433845314533423344454637; __io=21_1058341133_2092417715_4019509128; _gid=40084938E048
55. Host: lascakatheather.shop
56.  
57. HTTP/1.1 404 Not Found
58. Date: Fri, 28 May 2021 15:51:26 GMT
59. Content-Type: text/html; charset=UTF-8
60. Transfer-Encoding: chunked
61. Connection: keep-alive
62. CF-Cache-Status: DYNAMIC
63. cf-request-id: 0a55456c0e0000e6ccac186000000001
64. Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v2?s=qEVzvSLnSGLcmr5EiFakDpRbviDKt76DMM%2F%2B5BsvL7hJv7IHeTnpKvbMph%2Bujd5%2Bq7Gk1Y%2FxPXZhmFgHezyHrZYCoqCuDyd3CpZvMksUkq2Gq5SH9UvYmUomXngs7AoUxpg%3D"}],"group":"cf-nel","max_age":604800}
65. NEL: {"report_to":"cf-nel","max_age":604800}
66. Server: cloudflare
67. CF-RAY: 6568a4f34b1ce6cc-EWR
68. alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
69.  
70. <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
71. <html><head>
72. <title>404 Not Found</title>
73. </head><body>
74. <h1>Not Found</h1>
75. <p>The requested URL was not found on this server.</p>
76. <hr>
77. <address>Apache Server at lascakatheather.shop Port 80</address>
78. </body></html>
79.  
80. SUPPORTING EVIDENCE
81. https://www.microsoft.com/security/blog/2021/04/09/investigating-a-unique-form-of-email-delivery-for-icedid-malware/