2020-05-01 - XLS file w/ macros pushes Loader EXE --> IcedID

malware_traffic - May 1st, 2020
2020-05-01 - XLS SPREADSHEET MACROS PUSH LOADER EXE --> ICEDID (BOKBOT)

ASSOCIATED MALWARE/ARTIFACTS:

- SHA256 hash: b19e739915fd2fac06946fcf236eddc5bfe745e656b26ef754fc47bf080b20c0
- File size: 247,296 bytes
- File name: 1May__1.xls
- File description: XLS document with macro for loader EXE

- SHA256 hash: 4b40ee78a5f3c649b2e60fe91d1d016dc4e658b7737b17d3a2557996422b73fd
- File size: 225,452 bytes
- File location: https://piedmontrescue.org/sport/rockstar.php
- File location: C:\ProgramData\GCqLBrG.exe
- File description: Loader EXE
- Analysis: https://app.any.run/tasks/3b1c95cb-543a-4233-af33-297dbacc58f1

- SHA256 hash: d4dc312842614647779b169f7bff1c90e578966e71c585c5aa9a26a662e2a7a8
- File size: 1,981,767 bytes
- File location: https://ghefgekil.club/background.png
- File location: C:\Users\[username]\AppData\Local\Temp\~397568.tmp
- File type: PNG image data, 391 x 301, 8-bit/color RGB, non-interlaced
- File description: Image downloaded approx 1 minute before initial IcedID (Bokbot) EXE (data possibly used to create initial IcedID EXE)
- Analysis: https://app.any.run/tasks/c2079bca-ccd1-4c1a-bff8-7db3cf39a474

- SHA256 hash: 8335a56e08378f726968bc65dcae9d560e4f2fc7b28448217ffdbcc582a86a26
- File size: 1,977,344 bytes
- File location: C:\Users\[username]\AppData\Local\Temp\~521792.exe
- File description: Initial IcedID EXE that appeared approx 1 minute after above PNG file
- Analysis: https://app.any.run/tasks/baf873a4-ea95-4557-ab81-4cb6b1476bf8

- SHA256 hash: ca4a23103a794f6f7a39eb8eab0ef1ebe4c0be28408290f640ff29eaca4b58dc
- File size: 1,977,344 bytes
- File location: C:\Users\[username]\AppData\Roaming\Qeapve2\{6FF010BC-156D-C3FC-2E9B-94ABA684F3AF}\Foxems.exe
- File description: IcedID (Bokbot) persistent on the infected Windows host
- Analysis: https://app.any.run/tasks/615c303e-8c81-4bf8-879f-f5c4653c57fa

- SHA256 hash: 45520a22cdf580f091ae46c45be318c3bb4d3e41d161ba8326a2e29f30c025d4
- File size: 667,077 bytes
- File location: https://smallhole.club/image/?id=0185044DC5B33D35060000000000FF40000001
- File location: C:\Users\[username]\AppData\Local\luuhodac32\Cionimda1\xitawiac.png
- File type: PNG image data, 391 x 301, 8-bit/color RGB, non-interlaced
- File description: Image retrieved by IcedID (Bokbot)

TRAFFIC FROM AN INFECTED WINDOWS HOST:

- 107.154.146[.]154 port 443 - piedmontrescue[.]org - HTTPS traffic
- 23.211.93[.]37 port 443 - support.oracle[.]com - HTTPS traffic
- 23.7.82[.]159 port 443 - support.apple[.]com - HTTPS traffic
- 104.73.164[.]140 port 443 - www.intel[.]com - HTTPS traffic
- 161.35.38[.]118 port 443 - ghefgekil[.]club - HTTPS traffic
- 104.244.42[.]131 port 443 - help.twitter[.]com - HTTPS traffic
- 185.70.184[.]82 port 443 - smallhole[.]club - HTTPS traffic
- 185.70.184[.]82 port 443 - severeconditions[.]xyz - HTTPS traffic
- 185.70.184[.]82 port 443 - obratapres[.]pw - HTTPS traffic

SCHEDULED TASK TO KEEP ICEDID PERSISTENT:

<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo />
  <Triggers>
    <TimeTrigger id="TimeTrigger">
      <Repetition>
        <Interval>PT1H</Interval>
        <StopAtDurationEnd>false</StopAtDurationEnd>
      </Repetition>
      <StartBoundary>2012-01-01T12:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
    <LogonTrigger id="LogonTrigger">
      <Enabled>true</Enabled>
      <UserId>[username]</UserId>
    </LogonTrigger>
  </Triggers>
  <Settings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <AllowHardTerminate>false</AllowHardTerminate>
    <StartWhenAvailable>true</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <Duration>PT10M</Duration>
      <WaitTimeout>PT1H</WaitTimeout>
      <StopOnIdleEnd>true</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
    <Priority>7</Priority>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\[username]\AppData\Roaming\Qeapve2\{6FF010BC-156D-C3FC-2E9B-94ABA684F3AF}\Foxems.exe</Command>
    </Exec>
  </Actions>
  <Principals>
    <Principal id="Author">
      <UserId>[hostname]\[username]</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
</Task>
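As an added example (not part of the original paste), a Python triage script that parses a Task Scheduler XML definition like the one above and flags the traits that make it read as persistence: a command under a user-writable AppData path inside a GUID-named folder, an hourly repetition, a backdated StartBoundary, and a logon trigger. It assumes a condensed copy of the paste's XML with the [username] placeholder left in, and the paste's date as the triage reference date.

```python
# Added example, not part of the original paste: parse a Windows Task Scheduler
# definition and flag the persistence traits seen in the IcedID task above.
import re
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Directory named like a GUID, e.g. \{6FF010BC-156D-C3FC-2E9B-94ABA684F3AF}\
GUID_DIR = re.compile(r"\\\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\\", re.I)

# Condensed copy of the task XML from the paste; [username] placeholder kept as on the page.
SAMPLE_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger id="TimeTrigger">
      <Repetition><Interval>PT1H</Interval></Repetition>
      <StartBoundary>2012-01-01T12:00:00</StartBoundary>
    </TimeTrigger>
    <LogonTrigger id="LogonTrigger"><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Users\[username]\AppData\Roaming\Qeapve2\{6FF010BC-156D-C3FC-2E9B-94ABA684F3AF}\Foxems.exe</Command></Exec>
  </Actions>
  <Principals><Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
</Task>"""


def task_findings(xml_text, observed=datetime(2020, 5, 1)):
    """Return the traits a defender would flag in one task definition;
    observed is the triage date used to judge how stale StartBoundary is."""
    root = ET.fromstring(xml_text)
    cmd = root.findtext("t:Actions/t:Exec/t:Command", default="", namespaces=NS)
    interval = root.findtext("t:Triggers/t:TimeTrigger/t:Repetition/t:Interval",
                             default="", namespaces=NS)
    start = root.findtext("t:Triggers/t:TimeTrigger/t:StartBoundary",
                          default="", namespaces=NS)
    stale = bool(start) and (observed - datetime.fromisoformat(start)).days > 365
    return {
        "command": cmd,
        "user_writable_path": "\\appdata\\" in cmd.lower(),   # runs from a user profile dir
        "guid_named_dir": bool(GUID_DIR.search(cmd)),          # random GUID folder name
        "hourly_repeat": interval.upper() == "PT1H",           # re-launches every hour
        "stale_start_boundary": stale,                         # backdated start time
        "logon_trigger": root.find("t:Triggers/t:LogonTrigger", NS) is not None,
    }


def suspicion_score(findings):
    """Number of flagged traits; the paste's task scores 5 of 5."""
    return sum(1 for k, v in findings.items() if k != "command" and v)
```

The same checks apply to task XML exported from a live host (for example via the Task Scheduler library folder or an export of the task), since the schema is identical.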