malware_traffic

2020-05-01 - XLS file w/ macros pushes Loader EXE --> IcedID

May 1st, 2020
2020-05-01 - XLS SPREADSHEET MACROS PUSH LOADER EXE --> ICEDID (BOKBOT)

ASSOCIATED MALWARE/ARTIFACTS:

- SHA256 hash: b19e739915fd2fac06946fcf236eddc5bfe745e656b26ef754fc47bf080b20c0
- File size: 247,296 bytes
- File name: 1May__1.xls
- File description: XLS document with macro for loader EXE

- SHA256 hash: 4b40ee78a5f3c649b2e60fe91d1d016dc4e658b7737b17d3a2557996422b73fd
- File size: 225,452 bytes
- File location: https://piedmontrescue.org/sport/rockstar.php
- File location: C:\ProgramData\GCqLBrG.exe
- File description: Loader EXE
- Analysis: https://app.any.run/tasks/3b1c95cb-543a-4233-af33-297dbacc58f1

- SHA256 hash: d4dc312842614647779b169f7bff1c90e578966e71c585c5aa9a26a662e2a7a8
- File size: 1,981,767 bytes
- File location: https://ghefgekil.club/background.png
- File location: C:\Users\[username]\AppData\Local\Temp\~397568.tmp
- File type: PNG image data, 391 x 301, 8-bit/color RGB, non-interlaced
- File description: Image downloaded approx 1 minute before initial IcedID (Bokbot) EXE (data possibly used to create initial IcedID EXE)
- Analysis: https://app.any.run/tasks/c2079bca-ccd1-4c1a-bff8-7db3cf39a474

- SHA256 hash: 8335a56e08378f726968bc65dcae9d560e4f2fc7b28448217ffdbcc582a86a26
- File size: 1,977,344 bytes
- File location: C:\Users\[username]\AppData\Local\Temp\~521792.exe
- File description: Initial IcedID EXE that appeared approx 1 minute after above PNG file
- Analysis: https://app.any.run/tasks/baf873a4-ea95-4557-ab81-4cb6b1476bf8

- SHA256 hash: ca4a23103a794f6f7a39eb8eab0ef1ebe4c0be28408290f640ff29eaca4b58dc
- File size: 1,977,344 bytes
- File location: C:\Users\[username]\AppData\Roaming\Qeapve2\{6FF010BC-156D-C3FC-2E9B-94ABA684F3AF}\Foxems.exe
- File description: IcedID (Bokbot) persistent on the infected Windows host
- Analysis: https://app.any.run/tasks/615c303e-8c81-4bf8-879f-f5c4653c57fa

- SHA256 hash: 45520a22cdf580f091ae46c45be318c3bb4d3e41d161ba8326a2e29f30c025d4
- File size: 667,077 bytes
- File location: https://smallhole.club/image/?id=0185044DC5B33D35060000000000FF40000001
- File location: C:\Users\[username]\AppData\Local\luuhodac32\Cionimda1\xitawiac.png
- File type: PNG image data, 391 x 301, 8-bit/color RGB, non-interlaced
- File description: Image retrieved by IcedID (Bokbot)

TRAFFIC FROM AN INFECTED WINDOWS HOST:

- 107.154.146[.]154 port 443 - piedmontrescue[.]org - HTTPS traffic
- 23.211.93[.]37 port 443 - support.oracle[.]com - HTTPS traffic
- 23.7.82[.]159 port 443 - support.apple[.]com - HTTPS traffic
- 104.73.164[.]140 port 443 - www.intel[.]com - HTTPS traffic
- 161.35.38[.]118 port 443 - ghefgekil[.]club - HTTPS traffic
- 104.244.42[.]131 port 443 - help.twitter[.]com - HTTPS traffic
- 185.70.184[.]82 port 443 - smallhole[.]club - HTTPS traffic
- 185.70.184[.]82 port 443 - severeconditions[.]xyz - HTTPS traffic
- 185.70.184[.]82 port 443 - obratapres[.]pw - HTTPS traffic

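Added example (not part of the original paste): a small Python hunt script that refangs the traffic indicators above and runs them over Zeek-style ssl.log lines. It matches on the destination IP first, because 185.70.184[.]82 fronts three different IcedID domains and the SNI alone would miss a fresh one. The four vendor support sites are treated as context only; the assumption, stated in the code, is that they are connectivity checks rather than C2, so a hit on them by itself should not drive a verdict. The log lines are constructed for the example.

```python
import re

# Indicators copied from the traffic list in this write-up, left defanged ("[.]").
DEFANGED_IOCS = [
    "107.154.146[.]154 port 443 - piedmontrescue[.]org",
    "23.211.93[.]37 port 443 - support.oracle[.]com",
    "23.7.82[.]159 port 443 - support.apple[.]com",
    "104.73.164[.]140 port 443 - www.intel[.]com",
    "161.35.38[.]118 port 443 - ghefgekil[.]club",
    "104.244.42[.]131 port 443 - help.twitter[.]com",
    "185.70.184[.]82 port 443 - smallhole[.]club",
    "185.70.184[.]82 port 443 - severeconditions[.]xyz",
    "185.70.184[.]82 port 443 - obratapres[.]pw",
]

# Assumption: the vendor support sites are connectivity checks made by the
# malware, not C2, so a hit on them alone is context rather than a verdict.
CONTEXT_ONLY = {"support.oracle.com", "support.apple.com",
                "www.intel.com", "help.twitter.com"}

IOC_RE = re.compile(r"^(?P<ip>[\d.\[\]]+) port (?P<port>\d+) - (?P<host>\S+)")


def refang(indicator: str) -> str:
    """Turn a defanged indicator ("example[.]com") back into a usable string."""
    return indicator.replace("[.]", ".")


def parse_iocs(lines):
    """Return ({ip: {host, ...}}, {host: ip}) from defanged "ip port N - host" lines."""
    by_ip, by_host = {}, {}
    for line in lines:
        m = IOC_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable IOC line: {line!r}")
        ip, host = refang(m["ip"]), refang(m["host"])
        by_ip.setdefault(ip, set()).add(host)
        by_host[host] = ip
    return by_ip, by_host


def scan_ssl_log(log_lines, by_ip, by_host):
    """Match tab-separated ssl.log lines (ts, src, src_port, dst, dst_port,
    server_name) and return one hit dict per matching line."""
    hits = []
    for line in log_lines:
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, _sp, dst, dport, sni = line.rstrip("\n").split("\t")
        ip_hit, sni_hit = dst in by_ip, sni in by_host
        if not (ip_hit or sni_hit):
            continue
        # Collect every known host behind the IP plus the SNI if it is itself an
        # IOC; an unknown SNI on a known C2 IP is still a C2 hit.
        hosts = by_ip.get(dst, set()) | ({sni} if sni_hit else set())
        verdict = "context" if hosts <= CONTEXT_ONLY else "c2"
        hits.append({"ts": ts, "src": src, "dst": dst, "dst_port": dport, "sni": sni,
                     "matched_on": "ip" if ip_hit else "sni", "verdict": verdict})
    return hits


# Constructed sample ssl.log (not a real capture); one line per case of interest.
SAMPLE_SSL_LOG = """\
#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tserver_name
1588341600.1\t10.5.1.42\t49712\t107.154.146.154\t443\tpiedmontrescue.org
1588341612.4\t10.5.1.42\t49720\t23.211.93.37\t443\tsupport.oracle.com
1588341670.9\t10.5.1.42\t49733\t185.70.184.82\t443\tnewname.example
1588341690.2\t10.5.1.42\t49740\t93.184.216.34\t443\twww.example.com
"""


def demo():
    """Run the sample log through the matcher; returns the list of hits."""
    by_ip, by_host = parse_iocs(DEFANGED_IOCS)
    return scan_ssl_log(SAMPLE_SSL_LOG.splitlines(), by_ip, by_host)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

The third sample line shows the point of keying on the IP: the SNI is not in the list, but the destination is the shared IcedID host, so it is still reported as "c2" with matched_on "ip". Real Zeek logs carry more columns than the constructed lines; adjust the unpacking to the #fields header before running this over a real capture.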
SCHEDULED TASK TO KEEP ICEDID PERSISTENT:

<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo />
  <Triggers>
    <TimeTrigger id="TimeTrigger">
      <Repetition>
        <Interval>PT1H</Interval>
        <StopAtDurationEnd>false</StopAtDurationEnd>
      </Repetition>
      <StartBoundary>2012-01-01T12:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
    <LogonTrigger id="LogonTrigger">
      <Enabled>true</Enabled>
      <UserId>[username]</UserId>
    </LogonTrigger>
  </Triggers>
  <Settings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <AllowHardTerminate>false</AllowHardTerminate>
    <StartWhenAvailable>true</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <Duration>PT10M</Duration>
      <WaitTimeout>PT1H</WaitTimeout>
      <StopOnIdleEnd>true</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
    <Priority>7</Priority>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\[username]\AppData\Roaming\Qeapve2\{6FF010BC-156D-C3FC-2E9B-94ABA684F3AF}\Foxems.exe</Command>
    </Exec>
  </Actions>
  <Principals>
    <Principal id="Author">
      <UserId>[hostname]\[username]</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
</Task>
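Added example (not part of the original paste): a Python triage routine that parses a Task Scheduler XML definition and pulls out what makes the task above look like malware persistence: the action runs an EXE from a user-writable AppData\Roaming path inside a GUID-named directory, RegistrationInfo is empty (no Author, URI or Description, which legitimately registered tasks usually carry), it fires both at logon and on an hourly repetition whose StartBoundary is years in the past (so it starts immediately), and ExecutionTimeLimit is PT0S (never killed). The user-writable path list and the heuristic names are my assumptions; the embedded XML is the task from this paste trimmed to the elements the checks read, encoded as UTF-16 the way Task Scheduler stores task files under C:\Windows\System32\Tasks.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Assumed heuristic: directories a normal user can write to, where a loader running
# without admin rights has to drop its payload.
USER_WRITABLE_MARKERS = ("\\appdata\\roaming\\", "\\appdata\\local\\",
                         "\\programdata\\", "\\users\\public\\", "\\temp\\")
GUID_DIR_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)


def _text(root, path):
    """Text of the first element at a namespaced path, or None if absent."""
    node = root.find(path, NS)
    return node.text if node is not None else None


def analyze_task(task_xml: bytes, as_of: str = "2020-05-01") -> dict:
    """Parse one task definition and return the facts an analyst triages on plus a
    list of heuristic finding names. as_of is the date the task was observed."""
    root = ET.fromstring(task_xml)
    command = _text(root, "t:Actions/t:Exec/t:Command") or ""
    findings = []

    if any(m in command.lower() for m in USER_WRITABLE_MARKERS):
        findings.append("exec-from-user-writable-path")
    if GUID_DIR_RE.search(command):
        findings.append("guid-named-directory")

    reg = root.find("t:RegistrationInfo", NS)
    if reg is not None and len(reg) == 0 and not (reg.text or "").strip():
        findings.append("empty-registration-info")  # no Author, URI, Description

    if root.find("t:Triggers/t:LogonTrigger", NS) is not None:
        findings.append("logon-trigger")
    interval = _text(root, "t:Triggers/t:TimeTrigger/t:Repetition/t:Interval")
    if interval:
        findings.append(f"repeats-every-{interval}")
    start = _text(root, "t:Triggers/t:TimeTrigger/t:StartBoundary") or ""
    if start[:4].isdigit() and int(as_of[:4]) - int(start[:4]) >= 1:
        findings.append("start-boundary-years-in-past")  # fires as soon as registered
    if _text(root, "t:Settings/t:ExecutionTimeLimit") == "PT0S":
        findings.append("no-execution-time-limit")

    return {
        "command": command,
        "run_as": _text(root, "t:Principals/t:Principal/t:UserId"),
        "logon_type": _text(root, "t:Principals/t:Principal/t:LogonType"),
        "run_level": _text(root, "t:Principals/t:Principal/t:RunLevel"),
        "findings": findings,
    }


# Task XML from this write-up, trimmed to the elements read above, stored as
# Task Scheduler writes it (UTF-16 with BOM, matching the XML declaration).
SAMPLE_TASK_XML = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo />
  <Triggers>
    <TimeTrigger id="TimeTrigger">
      <Repetition>
        <Interval>PT1H</Interval>
        <StopAtDurationEnd>false</StopAtDurationEnd>
      </Repetition>
      <StartBoundary>2012-01-01T12:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
    <LogonTrigger id="LogonTrigger">
      <Enabled>true</Enabled>
      <UserId>[username]</UserId>
    </LogonTrigger>
  </Triggers>
  <Settings>
    <Hidden>false</Hidden>
    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\[username]\AppData\Roaming\Qeapve2\{6FF010BC-156D-C3FC-2E9B-94ABA684F3AF}\Foxems.exe</Command>
    </Exec>
  </Actions>
  <Principals>
    <Principal id="Author">
      <UserId>[hostname]\[username]</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
</Task>""".encode("utf-16")


if __name__ == "__main__":
    for key, value in analyze_task(SAMPLE_TASK_XML).items():
        print(f"{key}: {value}")
```

Note the principal: InteractiveToken with RunLevel LeastPrivilege means the task was created as, and runs as, the logged-on user, so no admin rights were needed at any point. Per-user tasks like this one are easy to miss if a hunt only looks at SYSTEM-level tasks; on a live host, `Get-ScheduledTask | Export-ScheduledTask` in PowerShell yields the same XML this routine expects, one document per task.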