API tools faq
paste
malware_traffic

2020-11-03 (Tuesday) - TA551 (Shathak) Japanese-template Word docs pushing IcedID

malware_traffic
Nov 3rd, 2020
7,971
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 3.78 KB | None | 0 0
raw download clone embed print report
  1. 2020-11-03 (TUESDAY) - TA551 (SHATHAK) JAPANESE-LANGUAGE WORD DOCS WITH MACROS FOR ICEDID:
  2.  
  3. CHAIN OF EVENTS:
  4.  
  5. - malspam --> password-protected zip attachment --> extracted Word doc --> enable macros --> installer DLL --> IcedID DLL
  6.  
  7. 11 EXAMPLES OF TA551 WORD DOCS WITH MACROS:
  8.  
  9. - 155b7e7abe252b7b1ae348bdd0445b5461397f29c56c82bb1e7afc87e0fcd305 charge 11.20.doc
  10. - c71d8532b03a99af0ede0f3bb268f3b3f53435ffbc46596b38aae548f1bf9f50 charge_11.20.doc
  11. - 3e09491e2e4267597694d09e65f6208ab63d63e878edfaa0653d8e88f9caa03a command_11.20.doc
  12. - 5737ebf8fc8bc8a2a4e8e4d1ae05d95207a391a19edcd8fb97d8020ece4a2ada details.11.20.doc
  13. - 7a8cc0e27461b621e6f748fa5cd03d3cf4c8049b4dffb3acbad8ef8cf6fc041a dictate 11.20.doc
  14. - e1ab2e8622760545ce5bee78c6bb427ea2ce1ae76d585246444001a02aa1e819 document.11.20.doc
  15. - b829c4e425398ea86f6e4e7603e6d334e0e18fdc5af381c9a77533ecbd77c59c legal agreement,11.03.2020.doc
  16. - e10717a822ff3aa6a85d3b369a5b6628558bc2e04b314d55211bc8f0aca2cdba material_11.20.doc
  17. - b6ed0a10e1808012902c1a911cf1e1b6aa4ad1965e535aebcb95643ef231e214 prescribe _11.20.doc
  18. - 95e97fe5407e7df18d8ac0ebaafd94b2f11e8bbb35e05ed5aeb94d9078d617c3 report.11.03.2020.doc
  19. - c7805a2ea7b27433a505c46efdd24625e93da84935c8fed12ce596040590173e tell.11.03.2020.doc
  20.  
  21. AT LEAST 6 DOMAINS HOSTING THE INSTALLER DLL:
  22.  
  23. - fame5810[.]com - 185.195.24[.]153
  24. - flag1571[.]com - 95.181.178[.]141
  25. - garden1219[.]com - 193.201.126[.]59
  26. - profit3486[.]com - 193.187.175[.]31
  27. - recycle9393[.]com - 54.38.59[.]238
  28. - suffer2379[.]com - 185.118.167[.]183
  29.  
  30. EXAMPLES OF URLS FOR INSTALLER DLL:
  31.  
  32. - GET /update/VCGSPgrZnC/FdxMZPIplNBZlcEISXAgzMWGzCOQiJtBRX/gzlov1
  33. - GET /update/sOsKqYBTzNrvmaPkqOFoHTIYMNhyRGqg/aQVIySEmxzG/gzlov2
  34. - GET /update/VvZWoYOIotoWV_KUywQtEUVUPjvNYMYYnLnvWWOLA/fZcXYRwGyzMRZcvzHZrDe/gzlov4
  35. - GET /update/woN/rQbOvqvihHIXKLBlYCNqBgAHSe/w_XL/gzlov5
  36. - GET /update/mJEMKClFIzwEKPDusNHKHOOAnXzPOFPCPfn/YpDIDi_ROm/gzlov6
  37. - GET /update/wrgiVAdbRUYvtSYFHRYIhNHBfkJkYpCNZsG_DUmSN/kiIr/gzlov8
  38. - GET /update/VopJhitKqZWNItBZtQvPqMlnpQbnrxZdthxeYrsMYQOm/FzOCmzMXKRVKYDO/gzlov8
  39. - GET /update/IGOezCcZBkVvvqQlJecdAWYaXkjFbtBb/hNDqngLNGNrbRTArRwYnbqihQsVAEEFnmNif/gzlov9
  40. - GET /update/Jr/cLNVxK/YU/idFFohHNBzrphXDNSYyvPEkSCzb/gzlov11
  41. - GET /update/KdvoVcxOBQKSDpZZxjTihcpVThGEJiKHHNdAVigZUiwpFhO_OnmTFzPvdvRUODZZSyNDtwBddOWqb/gzlov12
  42.  
  43. 6 EXAMPLES OF INSTALLER DLLS:
  44.  
  45. - 1214f7ff35d8926ae33ea1ea5a596b518b28081ed34d131168b6c53109dc6837
  46. - 3a43d3e6fdf25b7bb004dbedb91ad2bee13a23b7e9b7962a49ba804672196c66
  47. - ad0fbe340bf6448e7f8d4179a2eb5774e0f4a1757262b659214903cdf2f6dfb8
  48. - c128c3d76e488c0b77510a81cfc0d16f9c39dfeba398323338b9d33ab3b11ef8
  49. - c6472bae69e266ae072de28f0ce49161edc6bf041fbfcc59dd7ee4a18a51a283
  50. - da13e8ebda5a45d595aa7dcecb21f9ed8a9202316b081c6e4547febe17b77977
  51.  
  52. LOCATION FOR THE INSTALLER DLL FILES:
  53.  
  54. - C:\Users\[username]\AppData\Local\Temp\temp.tmp
  55.  
  56. DLL RUN METHOD:
  57.  
  58. - regsvr32.exe [filename]
  59.  
  60. HTTPS TRAFFIC TO LEGITIMATE DOMAINS CAUSED BY INSTALLER DLL:
  61.  
  62. - port 443 - help.twitter.com
  63. - port 443 - www.intel.com
  64. - port 443 - www.oracle.com
  65. - port 443 - support.oracle.com
  66. - port 443 - support.apple.com
  67. - port 443 - support.microsoft.com
  68.  
  69. URL FOR HTTPS TRAFFIC GENERATED BY INSTALLER DLLS:
  70.  
  71. - 167.99.248[.]130 port 443 - voairtaxetion[.]xyz - GET /background.png
  72.  
  73. 2 EXAMPLES OF SHA256 HASHES FOR ICEDID DLL CREATED BY INSTALLER:
  74.  
  75. - c3c78f071dd03d76bd6d6b353e8eca54068971653519e8106fb171db8923f871 (initial)
  76. - 4c782e4a2b49fdb166aa6a906a502b319388e45e8e4a9f3a523eacb0ce1834cd (persistent)
  77.  
  78. HTTPS TRAFFIC TO MALICIOUS DOMAINS CAUSED BY THE ICEDID DLL FILES:
  79.  
  80. - 104.248.90[.]150 port 443 - blokaddio[.]top
  81. - 104.248.90[.]150 port 443 - defeodallio[.]cyou
  82. - 104.248.90[.]150 port 443 - grekilioliplane[.]best
  83. - 104.248.90[.]150 port 443 - nawserty8[.]club
  84. - 104.248.90[.]150 port 443 - quaddroporrte4[.]top
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!