- THREAT IDENTIFICATION: ICEDID / BOKBOT
- SUBJECTS OBSERVED
- Docusign - You documents are ready
- Docusign has been completed
- FWD: Documents follow up 7/08/21
- FWD: Docusign has been completed 07-08-2021
- Invoice 394NH IRS
- Please Docusign - Document - 7/8/21
- RE: Adopt Your Signature
- RE: Documents follow up 07/8
- RE: Docusign - You documents are ready
- Tsheets 39550-TLZ92j
- SENDERS OBSERVED
- client@docusign-message.com
- client@docusign-support.com
- client@docusignservices.com
- info@docusign-message.com
- office@docusign-message.com
- office@docusign-notice.com
- office@docusignservices.com
- support@docusign-message.com
- support@docusignservices.com
- MALDOC FILE NAMES
- ew19598.xlsb
- ew4257.xlsb
- ew21999.xlsb
- ew25355.xlsb
- ew21563.xlsb
- MALDOC FILE HASHES
- ICEDID PAYLOAD DOWNLOAD URLS
- https://docusignsecpro.com/data/int64/sup/crv.dll
- ICEDID PAYLOAD FILE HASHES
- crv.dll
- 3ddeea156606b2e5d19c86cedf3dec30
- Renamed and downloaded to:
- C:\Users\Public\Libraries\AMD64glory.sys
- 3ddeea156606b2e5d19c86cedf3dec30
- ICEDID C2/STAGING SERVER
- http://revedanstvy.bid/
- SUPPORTING EVIDENCE
- https://app.any.run/tasks/338e0e56-e4f8-4ef1-a271-562e041091f4/
- https://tria.ge/210707-2dqxl3l9vx