API tools faq
paste
malware_traffic

2020-09-23 (Wednesday) TA551 (Shathak) Word docs pushing IcedID

malware_traffic
Sep 23rd, 2020
8,577
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 5.89 KB | None | 0 0
raw download clone embed print report
  1. 2020-09-23 (WEDNESDAY) - TA551 (SHATHAK) WORD DOCS WITH MACROS FOR ICEDID:
  2.  
  3. CHAIN OF EVENTS:
  4.  
  5. - malspam --> password-protected zip attachment --> extracted Word doc --> enable macros --> installer DLL --> IcedID EXE
  6.  
  7. 20 EXAMPLES OF TA551 WORD DOCS WITH MACROS FOR ICEDID:
  8.  
  9. - 00983c154186244d3a9afd0a3fc17d7487307fe7722a655d5ce43fe8112a5896 bid-09.20.doc
  10. - 03aa2d352abd749cdf6c71b5ababc3aa5d233dd2b4925f0b42ed410c6476cb6b command,09.20.doc
  11. - a2efb34b0e95f24c4c23f31df9fb9dcb17cda017d57fde4892409c50a3d6c6f6 dictate 09.20.doc
  12. - a5f5b318e12250c3512dedc7dd3b3f505057b88c8c55964396ccea7a1b45cad4 dictate 09.23.2020.doc
  13. - 3b887d069a95788ff5c2504c54e8e00c69aab1504d323b87a8c92eaa08ec6e33 dictate.09.20.doc
  14. - 89674f074ae3fee497e434ac379ce157ec977c4eff810cd7c0719d0688759987 dictate.09.20.doc
  15. - 098b49c651033ea4248aa17ee3329b9f4acbbba65bcfc0fcdb73c1a26a3da48c docs.09.20.doc
  16. - 4cc0215de5c6e57cc6f655f23c6cf35dbceeeeeab9680d0b5abbaf16d49730da document,09.23.2020.doc
  17. - db4d6f9aaef4094edb5d5df3434272662b2ca09a0ae4ad1018d56228f522729c documents-09.23.2020.doc
  18. - e99cb7d37c204cf3ac859369fc50ccbc5eb02b1ba964485add9e47a4d973e2ce enjoin.09.20.doc
  19. - 28d5ce8422c63be8701b1e54d6ba88319f358bb9c258469614fd339e76365b70 legal paper,09.20.doc
  20. - 7530e111d0d632a1528584a383fe5e690d93cb8f115c52506cd6941d297f8079 legislate-09.20.doc
  21. - 0bd4229e28ab114432f4f2e1c7b3ffdee5b04c6549e362bda8a997cd9b51b9e8 material,09.20.doc
  22. - 22a183035451aa865e6064f248477080e4fb127a7cb87b7104ba7e1f06c1c318 report.09.20.doc
  23. - d92d7d6579c7d1467c0c6f74dc362aec294fad587ee7b6dbe8bd7f7c367214f6 report_09.23.2020.doc
  24. - 4764c318b31337935cbfdbf1b2b203288f510ebbf612bca0d6d201dd603dba2e specifics,09.20.doc
  25. - 2c39f56264978995ac6983996d960d4cd0abd4ba920773580a6bb31d89503615 specifics-09.20.doc
  26. - 5b2318acd6cbb143e1ee749558201f1708738bb2b6e0d80fc88906cd584a3060 specifics-09.20.doc
  27. - 6ac8720012905d8549799b213f82ec4812a321604593f19e3768f64361e4fe7c statistics-09.20.doc
  28. - 35199e044e6a22ec48a436dcc80d5ce1e3d2d6cc976275545a71a5954c6678cc statistics.09.20.doc
  29.  
  30. AT LEAST 8 DOMAINS HOSTING THE INSTALLER DLL:
  31.  
  32. - b82uw6[.]com - 109.248.250[.]2
  33. - epgymd[.]com - 109.237.109[.]96
  34. - gswxig[.]com - 188.120.250[.]159
  35. - m7zfuu[.]com - 45.89.66[.]215
  36. - mddgdia[.]com - 185.228.233[.]115
  37. - qtudtro[.]com - 91.217.80[.]172
  38. - sqgdzi[.]com - 149.154.65[.]151
  39. - vxsi5p2[.]com - 82.146.61[.]8
  40.  
  41. URLS FOR ICEDID DLL:
  42.  
  43. - GET /xevot/gadip.php?l=xuluw1.cab
  44. - GET /xevot/gadip.php?l=xuluw2.cab
  45. - GET /xevot/gadip.php?l=xuluw3.cab
  46. - GET /xevot/gadip.php?l=xuluw4.cab
  47. - GET /xevot/gadip.php?l=xuluw5.cab
  48. - GET /xevot/gadip.php?l=xuluw6.cab
  49. - GET /xevot/gadip.php?l=xuluw7.cab
  50. - GET /xevot/gadip.php?l=xuluw8.cab
  51. - GET /xevot/gadip.php?l=xuluw9.cab
  52. - GET /xevot/gadip.php?l=xuluw10.cab
  53. - GET /xevot/gadip.php?l=xuluw11.cab
  54. - GET /xevot/gadip.php?l=xuluw12.cab
  55.  
  56. 24 EXAMPLES OF ICEDID INSTALLER DLLS:
  57.  
  58. - 01c9f99bfec9b672a6cbe2bd465345e7b28ebbe32bae53f675b6ee2746e20335
  59. - 0de87bcd83237b564ed508b574d0195c7c51220571c22b44f0f188af1369e558
  60. - 13c850f0419cd63e6eda74d134d468edf9f2d9d13cbbc655fbd36e89c6b1e46f
  61. - 1fc02c2bbb954f1fbfee85140618025b23c6d3a8a793b28909139a43e68e6adb
  62. - 436564b5e0223e8a953b527c86ca9184af8f2d97a8ef0e51193e8d343ae77c21
  63. - 43f6440819114c71e2312a956672c8b2a4aa82e4c9ca230c3cf6b456b5b46d51
  64. - 50627d0516944503312951774b8b7586f9409f312b7742347697996c10ead658
  65. - 5c06b00830e828ac09b88c7afcd94dc5a28b238333400d51af06fda58d99b81d
  66. - 756f91d003c22eec8e478f20b124fef3c8e18fd550df645c0148a6ddd91a973d
  67. - 78e9ecbe1ad43a3e55286c52bebc0fd3fd51fca0ec8f48caceef60b612ecb4b6
  68. - 7ff6e0e68e741fe2050a7cfaee0f790a6b0544105d5bdd4ea5ba0646835036da
  69. - 850970e2dfb4f52b461b6daf8bed02469a391ec1d4c1d9251ab427e06a282225
  70. - 887a73dd182c064135d8451dc7a1c04b9dd19c89e1ec012b5dd22bac52116e6a
  71. - a84da88d30017633824c0731d6637a80c1fe97c40f9d6421b39c94b367b35a2f
  72. - a99e22965dd129f70ffacdf4548faa9cf07929bf8cf455af870984ae0d85d11e
  73. - b85a0e5ff75ad8ccb59ea7214e9d76f2f70b17d4ba09eb210ce9e1f0d0f66677
  74. - bfcf04008a57918b9e08e5489fa0a8193f0bee747686d1105e560f366fba5189
  75. - c8123e802b108c2385b8ba42a7f34eb2eb6bc2fb09bc677ba5397018820c4771
  76. - caaffbb1e04082773558571e95bbc5cb302614406292710e6104ab85fcf3927e
  77. - e2d3e9a7819a89cffc3f614f62d44a8312eccea750e9fb0adac154ff5ea0f5f7
  78. - e8b24d7c8dd0898bf688705afa305bab577fbd5a83bd260f2d07ed29bbc80dff
  79. - ea2d23a8c4bc9ad4c34b8a20823f8b4db812fb1a7ed96b2cd4a7d67daa2bf2fa
  80. - ed7b8d4af7983c4517a6b582a3b385056db8d0a7d9c46194947a5ebaead2b1ac
  81. - f591e473859ad8efcc6390732aca39899fe5910101618bfcff8b4c062c3c5fe0
  82.  
  83. EXAMPLES OF LOCATION FOR THE INSTALLER DLL FILES:
  84.  
  85. - C:\ProgramData\a5ffb.pdf
  86. - C:\ProgramData\aac59.pdf
  87. - C:\ProgramData\ad0fd.pdf
  88. - C:\ProgramData\af8ce.pdf
  89. - C:\ProgramData\bda43.pdf
  90. - C:\ProgramData\bdf55.pdf
  91. - C:\ProgramData\c8c18.pdf
  92. - C:\ProgramData\cf007.pdf
  93. - C:\ProgramData\d9cc4.pdf
  94. - C:\ProgramData\f50a1.pdf
  95. - C:\ProgramData\fc738.pdf
  96.  
  97. DLL RUN METHOD:
  98.  
  99. - regsvr32.exe [filename]
  100.  
  101. AT LEAST 3 DIFFERENT URLS FOR HTTPS TRAFFIC GENERATED BY INSTALLER DLLS:
  102.  
  103. - 142.93.218[.]110 port 443 - astedolo[.]asia - GET /background.png
  104. - 142.93.218[.]110 port 443 - vragafraga[.]beer - GET /background.png
  105. - 142.93.218[.]110 port 443 - wertigohol[.]click - GET /background.png
  106.  
  107. 2 EXAMPLES OF SHA256 HASHES FOR ICEDID EXE CREATED BY ICEDID INSTALLER:
  108.  
  109. - a49499eecf0330f3ece7c75bcb04989d2d62d31ed2a7a14e5e6da98a869a520a (initial)
  110. - 433916382658909eddfca653bb6e6b951a7fec66020b205590a88883ad04d65e (persistent)
  111.  
  112. HTTPS TRAFFIC TO MALICIOUS DOMAINS CAUSED BY THE ICEDID EXE FILES:
  113.  
  114. - 46.101.10[.]119 port 443 - smavellpolia[.]cyou
  115. - 206.81.11[.]50 port 443 - droidattac[.]cyou
  116. - 46.101.10[.]119 port 443 - headtroller[.]pw
  117. - 46.101.10[.]119 port 443 - antologymaster[.]pw
  118. - 46.101.10[.]119 port 443 - lokopotio[.]pw
  119.  
  120. HTTPS TRAFFIC TO LEGITIMATE DOMAINS CAUSED BY INSTALLER DLL:
  121.  
  122. - port 443 - www.intel.com
  123. - port 443 - support.oracle.com
  124. - port 443 - www.oracle.com
  125. - port 443 - support.apple.com
  126. - port 443 - support.microsoft.com
  127. - port 443 - help.twitter.com
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!