API tools faq
paste
malware_traffic

2020-05-01 - XLS file w/ macros pushes Loader EXE --> IcedID

malware_traffic
May 1st, 2020
10,420
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 4.71 KB | None | 0 0
raw download clone embed print report
  1. 2020-05-01 - XLS SPREADSHEET MACROS PUSH LOADER EXE --> ICEDID (BOKBOT)
  2.  
  3. ASSOCIATED MALWARE/ARTIFACTS:
  4.  
  5. - SHA256 hash: b19e739915fd2fac06946fcf236eddc5bfe745e656b26ef754fc47bf080b20c0
  6. - File size: 247,296 bytes
  7. - File name: 1May__1.xls
  8. - File description: XLS document with macro for loader EXE
  9.  
  10. - SHA256 hash: 4b40ee78a5f3c649b2e60fe91d1d016dc4e658b7737b17d3a2557996422b73fd
  11. - File size: 225,452 bytes
  12. - File location: https://piedmontrescue.org/sport/rockstar.php
  13. - File location: C:\ProgramData\GCqLBrG.exe
  14. - File description: Loader EXE
  15. - Analysis: https://app.any.run/tasks/3b1c95cb-543a-4233-af33-297dbacc58f1
  16.  
  17. - SHA256 hash: d4dc312842614647779b169f7bff1c90e578966e71c585c5aa9a26a662e2a7a8
  18. - File size: 1,981,767 bytes
  19. - File location: https://ghefgekil.club/background.png
  20. - File location: C:\Users\[username]\AppData\Local\Temp\~397568.tmp
  21. - File type: PNG image data, 391 x 301, 8-bit/color RGB, non-interlaced
  22. - File description: Image downloaded approx 1 minute before initial IcedID (Bokbot) EXE (data possibly used to create initial IcedID EXE)
  23. - Analysis: https://app.any.run/tasks/c2079bca-ccd1-4c1a-bff8-7db3cf39a474
  24.  
  25. - SHA256 hash: 8335a56e08378f726968bc65dcae9d560e4f2fc7b28448217ffdbcc582a86a26
  26. - File size: 1,977,344 bytes
  27. - File location: C:\Users\[username]\AppData\Local\Temp\~521792.exe
  28. - File description: Initial IcedID EXE that appeared approx 1 minute after above PNG file
  29. - Analysis: https://app.any.run/tasks/baf873a4-ea95-4557-ab81-4cb6b1476bf8
  30.  
  31. - SHA256 hash: ca4a23103a794f6f7a39eb8eab0ef1ebe4c0be28408290f640ff29eaca4b58dc
  32. - File size: 1,977,344 bytes
  33. - File location: C:\Users\[username]\AppData\Roaming\Qeapve2\{6FF010BC-156D-C3FC-2E9B-94ABA684F3AF}\Foxems.exe
  34. - File description: IcedID (Bokbot) persistent on the infected Windows host
  35. - Analysis: https://app.any.run/tasks/615c303e-8c81-4bf8-879f-f5c4653c57fa
  36.  
  37. - SHA256 hash: 45520a22cdf580f091ae46c45be318c3bb4d3e41d161ba8326a2e29f30c025d4
  38. - File size: 667,077 bytes
  39. - File location: https://smallhole.club/image/?id=0185044DC5B33D35060000000000FF40000001
  40. - File location: C:\Users\[username]\AppData\Local\luuhodac32\Cionimda1\xitawiac.png
  41. - File type: PNG image data, 391 x 301, 8-bit/color RGB, non-interlaced
  42. - File description: Image retrieved by IcedID (Bokbot)
  43.  
  44. TRAFFIC FROM AN INFECTED WINDOWS HOST:
  45.  
  46. - 107.154.146[.]154 port 443 - piedmontrescue[.]org - HTTPS traffic
  47. - 23.211.93[.]37 port 443 - support.oracle[.]com - HTTPS traffic
  48. - 23.7.82[.]159 port 443 - support.apple[.]com - HTTPS traffic
  49. - 104.73.164[.]140 port 443 - www.intel[.]com - HTTPS traffic
  50. - 161.35.38[.]118 port 443 - ghefgekil[.]club - HTTPS traffic
  51. - 104.244.42[.]131 port 443 - help.twitter[.]com - HTTPS traffic
  52. - 185.70.184[.]82 port 443 - smallhole[.]club - HTTPS traffic
  53. - 185.70.184[.]82 port 443 - severeconditions[.]xyz - HTTPS traffic
  54. - 185.70.184[.]82 port 443 - obratapres[.]pw - HTTPS traffic
  55.  
  56. SCHEDULED TASK TO KEEP ICEDID PERSISTENT:
  57.  
  58. <?xml version="1.0" encoding="UTF-16"?>
  59. <Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  60. <RegistrationInfo />
  61. <Triggers>
  62. <TimeTrigger id="TimeTrigger">
  63. <Repetition>
  64. <Interval>PT1H</Interval>
  65. <StopAtDurationEnd>false</StopAtDurationEnd>
  66. </Repetition>
  67. <StartBoundary>2012-01-01T12:00:00</StartBoundary>
  68. <Enabled>true</Enabled>
  69. </TimeTrigger>
  70. <LogonTrigger id="LogonTrigger">
  71. <Enabled>true</Enabled>
  72. <UserId>[username]</UserId>
  73. </LogonTrigger>
  74. </Triggers>
  75. <Settings>
  76. <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
  77. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
  78. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
  79. <AllowHardTerminate>false</AllowHardTerminate>
  80. <StartWhenAvailable>true</StartWhenAvailable>
  81. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
  82. <IdleSettings>
  83. <Duration>PT10M</Duration>
  84. <WaitTimeout>PT1H</WaitTimeout>
  85. <StopOnIdleEnd>true</StopOnIdleEnd>
  86. <RestartOnIdle>false</RestartOnIdle>
  87. </IdleSettings>
  88. <AllowStartOnDemand>true</AllowStartOnDemand>
  89. <Enabled>true</Enabled>
  90. <Hidden>false</Hidden>
  91. <RunOnlyIfIdle>false</RunOnlyIfIdle>
  92. <WakeToRun>false</WakeToRun>
  93. <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
  94. <Priority>7</Priority>
  95. </Settings>
  96. <Actions Context="Author">
  97. <Exec>
  98. <Command>C:\Users\[username]\AppData\Roaming\Qeapve2\{6FF010BC-156D-C3FC-2E9B-94ABA684F3AF}\Foxems.exe</Command>
  99. </Exec>
  100. </Actions>
  101. <Principals>
  102. <Principal id="Author">
  103. <UserId>[hostname]\[username]</UserId>
  104. <LogonType>InteractiveToken</LogonType>
  105. <RunLevel>LeastPrivilege</RunLevel>
  106. </Principal>
  107. </Principals>
  108. </Task>
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!