2020-05-01 - XLS SPREADSHEET MACROS PUSH LOADER EXE --> ICEDID (BOKBOT)

ASSOCIATED MALWARE/ARTIFACTS:

- SHA256 hash: b19e739915fd2fac06946fcf236eddc5bfe745e656b26ef754fc47bf080b20c0
- File size: 247,296 bytes
- File name: 1May__1.xls
- File description: XLS document with macro for loader EXE

- SHA256 hash: 4b40ee78a5f3c649b2e60fe91d1d016dc4e658b7737b17d3a2557996422b73fd
- File size: 225,452 bytes
- File location: https://piedmontrescue.org/sport/rockstar.php
- File location: C:\ProgramData\GCqLBrG.exe
- File description: Loader EXE
- Analysis: https://app.any.run/tasks/3b1c95cb-543a-4233-af33-297dbacc58f1

- SHA256 hash: d4dc312842614647779b169f7bff1c90e578966e71c585c5aa9a26a662e2a7a8
- File size: 1,981,767 bytes
- File location: https://ghefgekil.club/background.png
- File location: C:\Users\[username]\AppData\Local\Temp\~397568.tmp
- File type: PNG image data, 391 x 301, 8-bit/color RGB, non-interlaced
- File description: Image downloaded approx 1 minute before initial IcedID (Bokbot) EXE (data possibly used to create initial IcedID EXE)
- Analysis: https://app.any.run/tasks/c2079bca-ccd1-4c1a-bff8-7db3cf39a474

- SHA256 hash: 8335a56e08378f726968bc65dcae9d560e4f2fc7b28448217ffdbcc582a86a26
- File size: 1,977,344 bytes
- File location: C:\Users\[username]\AppData\Local\Temp\~521792.exe
- File description: Initial IcedID EXE that appeared approx 1 minute after above PNG file
- Analysis: https://app.any.run/tasks/baf873a4-ea95-4557-ab81-4cb6b1476bf8

- SHA256 hash: ca4a23103a794f6f7a39eb8eab0ef1ebe4c0be28408290f640ff29eaca4b58dc
- File size: 1,977,344 bytes
- File location: C:\Users\[username]\AppData\Roaming\Qeapve2\{6FF010BC-156D-C3FC-2E9B-94ABA684F3AF}\Foxems.exe
- File description: IcedID (Bokbot) persistent on the infected Windows host
- Analysis: https://app.any.run/tasks/615c303e-8c81-4bf8-879f-f5c4653c57fa

- SHA256 hash: 45520a22cdf580f091ae46c45be318c3bb4d3e41d161ba8326a2e29f30c025d4
- File size: 667,077 bytes
- File location: https://smallhole.club/image/?id=0185044DC5B33D35060000000000FF40000001
- File location: C:\Users\[username]\AppData\Local\luuhodac32\Cionimda1\xitawiac.png
- File type: PNG image data, 391 x 301, 8-bit/color RGB, non-interlaced
- File description: Image retrieved by IcedID (Bokbot)

TRAFFIC FROM AN INFECTED WINDOWS HOST:

- 107.154.146[.]154 port 443 - piedmontrescue[.]org - HTTPS traffic
- 23.211.93[.]37 port 443 - support.oracle[.]com - HTTPS traffic
- 23.7.82[.]159 port 443 - support.apple[.]com - HTTPS traffic
- 104.73.164[.]140 port 443 - www.intel[.]com - HTTPS traffic
- 161.35.38[.]118 port 443 - ghefgekil[.]club - HTTPS traffic
- 104.244.42[.]131 port 443 - help.twitter[.]com - HTTPS traffic
- 185.70.184[.]82 port 443 - smallhole[.]club - HTTPS traffic
- 185.70.184[.]82 port 443 - severeconditions[.]xyz - HTTPS traffic
- 185.70.184[.]82 port 443 - obratapres[.]pw - HTTPS traffic

SCHEDULED TASK TO KEEP ICEDID PERSISTENT:

<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo />
  <Triggers>
    <TimeTrigger id="TimeTrigger">
      <Repetition>
        <Interval>PT1H</Interval>
        <StopAtDurationEnd>false</StopAtDurationEnd>
      </Repetition>
      <StartBoundary>2012-01-01T12:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
    <LogonTrigger id="LogonTrigger">
      <Enabled>true</Enabled>
      <UserId>[username]</UserId>
    </LogonTrigger>
  </Triggers>
  <Settings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <AllowHardTerminate>false</AllowHardTerminate>
    <StartWhenAvailable>true</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <Duration>PT10M</Duration>
      <WaitTimeout>PT1H</WaitTimeout>
      <StopOnIdleEnd>true</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
    <Priority>7</Priority>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\[username]\AppData\Roaming\Qeapve2\{6FF010BC-156D-C3FC-2E9B-94ABA684F3AF}\Foxems.exe</Command>
    </Exec>
  </Actions>
  <Principals>
    <Principal id="Author">
      <UserId>[hostname]\[username]</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
</Task>
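The task above combines an hourly repeating time trigger, a logon trigger and an EXE launched from a GUID-named folder under AppData\Roaming. As an added example that is not part of the original paste, the following Python triages a Task Scheduler XML export for that pattern; the heuristics (user-writable launch path, GUID-named directory, repeat interval of an hour or less, logon plus time trigger) and the cut-down sample with its [username] placeholder are assumptions made here, not a vendor rule.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Constructed sample mirroring the task in the paste; [username] and the
# GUID-named folder are kept as placeholders exactly as the paste shows them.
TASK_XML = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger id="TimeTrigger">
      <Repetition><Interval>PT1H</Interval></Repetition>
      <Enabled>true</Enabled>
    </TimeTrigger>
    <LogonTrigger id="LogonTrigger"><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Users\[username]\AppData\Roaming\Qeapve2\{6FF010BC-156D-C3FC-2E9B-94ABA684F3AF}\Foxems.exe</Command></Exec>
  </Actions>
</Task>"""

# Heuristics chosen for this example (assumptions, not a vendor detection rule).
USER_WRITABLE = re.compile(r"\\(?:AppData|ProgramData|Temp)\\", re.I)
GUID_DIR = re.compile(r"\\\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\\", re.I)
DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

def duration_seconds(iso):
    """Convert an ISO 8601 duration such as PT1H to seconds (None if unparseable)."""
    m = DURATION.match(iso or "")
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s

def triage_task(xml_text):
    """Return the task's commands, trigger types, repeat intervals and why it looks like persistence."""
    root = ET.fromstring(xml_text.encode("utf-16"))  # task files are UTF-16 on disk
    commands = [c.text or "" for c in root.findall(".//t:Exec/t:Command", NS)]
    trig_el = root.find("t:Triggers", NS)
    triggers = [t.tag.rpartition("}")[2] for t in trig_el] if trig_el is not None else []
    secs = [duration_seconds(i.text) for i in root.findall(".//t:Repetition/t:Interval", NS)]
    checks = [
        (any(USER_WRITABLE.search(c) for c in commands), "exec from user-writable path"),
        (any(GUID_DIR.search(c) for c in commands), "GUID-named directory"),
        ("LogonTrigger" in triggers and "TimeTrigger" in triggers, "logon plus time trigger"),
        (any(s is not None and s <= 3600 for s in secs), "repeats every hour or faster"),
    ]
    reasons = [label for hit, label in checks if hit]
    return {"commands": commands, "triggers": triggers, "interval_seconds": secs,
            "reasons": reasons, "suspicious": len(reasons) >= 2}
```

Run it over exports from C:\Windows\System32\Tasks (or `schtasks /query /xml`) to surface tasks that share these traits with the one above.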