API tools faq
paste
malware_traffic

2020-11-30 (Monday) TA551 (Shathak) Word docs with English template push IcedID

malware_traffic
Nov 30th, 2020 (edited)
8,923
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 11.65 KB | None | 0 0
raw download clone embed print report
  1. 2020-11-30 (MONDAY) - TA551 (SHATHAK) WORD DOCS WITH ENGLISH TEMPLATE PUSH ICEDID:
  2.  
  3. CHAIN OF EVENTS:
  4.  
  5. - malspam --> password-protected zip attachment --> extracted Word doc --> enable macros --> installer DLL --> IcedID DLL
  6.  
  7. 20 EXAMPLES OF TA551 WORD DOCS WITH MACROS:
  8.  
  9. - 3b53987ddd38a4f90b65844e5ee0c81d989f4a91022e1fecd3087ef7a25bbe3d adjure.doc
  10. - 02f916508e994d17de70335b46e547af0bf809405a80a4ea732e5fc7153cfcb6 bid,11.20.doc
  11. - b8a5a443b741896e97bcdcfce919b4625399ae757b7daa7b36e529aa6a97b286 bid,11.20.doc
  12. - 5608aae1e78b3e7d0c5596dc02a93b3532244a38db5578e36ae800cd4f591bbc command,11.20.doc
  13. - 427b1af5ab5a8ecf6d182ea7c1bcf696700ea31358b88ca374fa82b4d0dc619d command.11.30.2020.doc
  14. - 322d78ed2f9a138dfec07b250b68382c990bb8591826b3faddac937d35c11bb7 commerce _11.30.20.doc
  15. - 3dd7d96b7c9f31bb08c6d2454d304dbbad097222cbd6f16fba6c72ca3c8da1d8 direct-11.20.doc
  16. - 68c8650b6fb677494afb0403752f15b92351fa9cf56fd7a9ac7686f63d7930fc docs.11.20.doc
  17. - da1fa1f310f0938eaccf5edb3321dc133c0b085fbd209b7547734da15dc1af0d documents 11.20.doc
  18. - 12a4de1346fa7e87d6fbcd813b0e8a2fa8c69d8c9c22c6a4fddc6639a8690e10 files_11.20.doc
  19. - 32396d24526f53981f4cd869f0c2cb89edc0ae4972f6492007ea89320accaad3 instruct.11.20.doc
  20. - 9b56c19e53c20775ef735e8e72025e28cb72c006d3ca62cee4c332bed188a090 intelligence-11.30.2020.doc
  21. - 3eb8e615f381c1c610ad80dddba765fcc54a048b1ab01007d70e6a75c3bf27e0 legal agreement-11.20.doc
  22. - 611e80332043d9a050383da839c46bdd8b456f955cdfdea90f8cdfe14277ae69 legislate,11.20.doc
  23. - dd2b140ceab48bcbac7f69aaa971d822c3bae3108b4c0712f3cdefa28c2e883e material,11.20.doc
  24. - 6e1558a4590a10a176663e0747a01fdebc128e69d763a1fd7a23f1f26a871402 question-11.30.2020.doc
  25. - d62a85f68f6936093213ffef4212e50d60c85a75690edf997b9c7ee3765c8ba5 question_11.30.2020.doc
  26. - 6d9127807993ad1167f4bdc5ec30e28a9d64d70dcbc6a41fb4ec8c29b9e97f57 tell-11.30.2020.doc
  27. - 05b8d446a09ad61a5f1f360a93279bb5f2600628320fd82f98c9b57fe5e892db tell.11.30.2020.doc
  28. - a3a4a09661bc7d34513f843582005e1389cbc44f7995b918968d0ef8af331f17 tell_11.20.doc
  29.  
  30. AT LEAST 10 DOMAINS HOSTING THE INSTALLER DLL:
  31.  
  32. - bvm616staff[.]com - 185.62.103[.]52
  33. - ewrhh539reopen[.]com - 185.135.82[.]225
  34. - exrvv365weapon[.]com - 95.214.9[.]199
  35. - fhnz798comic[.]com - 185.219.42[.]225
  36. - fr920victory[.]com - 45.10.89[.]194
  37. - nipng629usage[.]com - 185.34.52[.]179
  38. - ppxw332object[.]com - 77.222.55[.]176
  39. - rbhz935type[.]com - 149.154.69[.]145
  40. - zivd990grow[.]com - 92.63.105[.]58
  41. - zf556energy[.]com - 80.85.159[.]242
  42.  
  43. EXAMPLES OF URLS FOR INSTALLER DLL:
  44.  
  45. - GET /analytics/nhO3kqsYLcj0dw0P/QTaQ0rJcrh05iGK84CSFqQIMVJ33JHlS_1TI6xclMFo6qGFZE/urizk1?bz=liCgUkfJY_XvWsssw&mGW=OAgygcAbC&YnU=PeterRrOdbUgM&BpHSl=_hNvXiNprUPT
  46. - GET /analytics/fDLQPfcYGovvv9ghCoFTD3UH1LHYACm47WmNJyVED6/urizk3?kqgI=OnOIgfeIHTD&FxmJO=YScwCInR&Moql=EgLiAI_BCLNUgL&wqM=vgGBXEYXlRANRi&MR=CkbsrPGcYMhBB
  47. - GET /analytics/YectfRTOnUYoLT/MmdFgTrLoBPXs2MTexlXTOARnNjspWSbdFl_pN6Ocnd/IVlZRpW1_V2bLCgRdrUJpvUSOY/urizk3?cF=hlkXITTpV&_DNYm=WkxGRsldDwqFl&nON_=ICPn_AbcsJULXTKb
  48. - GET /analytics/KcSEXmBf0XKUHqxMI08qLqXU52QWOYK/2aRb6/cNdyIF7UQqGwA9betPFuS2qxKWpjKIJ35oX/urizk5?ATtTb=zJmBDqLyZFX&JGv=YPZJ_D&ktq=MQpmSWgEz
  49. - GET /analytics/OBfelcndnIU5IF2akWY71D3gRG0abaOgPybDGdv52Nt/wYKX3_ti4f0474AUmh4hwk/R_gT0jOpe/urizk6?hCN=jZqmvlwc&OSYY=KcGrhcOBtZcqMkWPP&we=TVwmBQDz&QoFu=HKYVBTqswihuMtQ&IKKqD=sdDbcICRdX&oz=VJ_ZcObgRZfwhUOim
  50. - GET /analytics/5v5qKRCIFnFV036OB8Zl1sXW6d1AliZKsw068hktST7qH/urizk7?kWY=tQqvDY_tWIflY&SZCeI=GEDkkUKYXTtI&hoDg=RiD__tnbF&vQB=cBxoWM&UupO=qAIrOAp
  51. - GET /analytics/pzh1ka0WcYLvmhBDVz6TfQmRx_wecJ12Dk/urizk8?VUHQY=GEMGAmK&ntNCO=PTHuMpYPKDrzJAdQn&AFEmF=gDLbSUvfwfwe&VpZr=OqwHFZ&VB=fwr_JbFg
  52. - GET /analytics/ZqVWsY6btE5vRqTp8qA5F_bMs489VRTAq56ecc/urizk9?LIZ=zHSBwUWUSsE&VzhEB=YyxlRpXInjiN&RhheB=MJCHmYh&FCix=MmgDUDXpWwR&noMEq=YsmWdEkEOM
  53. - GET /analytics/_6PAdlIpCqIcgRHiPPcF7/TXCLR81OzZRtMaZyr_jW_cDVpBfU5ct4F6YV3m1/urizk9?gZG=MITlRWLmQisrBUOJ&COTW=IVfIYYdtQKXofEhx&_w=bYCDjSw_NovnGBmx&ZlX=ciYmlaxqQqmuk
  54. - GET /analytics/YYTeKJQUYNrhP4MPMDSjIv6M1Mj8FJtGB_d/2M_PQVjckqYg87Yl6CcwDSh1I/6CVnRrBnX0c/urizk11?DtUUF=NePsHSqwMK&EoNL=YHPlEj_wV&BMMb=TvlWMI_MHWE&CZZFq=tyEbSFGpRrKkdw&ULUr=bIwAfgwy&Nr=QyNJKdZlmS
  55. - GET /analytics/E_HpS4k7UtUSDkjxTy4Th3qHkBGk7JlY3iz_TO0Rgax2ZVTS3CmK2oZUW89Vv5qV79XUrC23wm/aGt8/urizk11?qvf=EIJlSeWTjs&QV=wCYaCnSnSYCfqE&EL=cVhlGzzJhwq
  56. - GET /analytics/sL/cc5RG1G3_XOYXt332s3ATSCrcv385mWpIJKRjPRIBh/urizk12?kF=zZKfsf&WZpxB=BozVovnIkUzGz&JRgT=w_xLmJBVnns&h_=FJwVtgERLxWDJoE
  57. - GET /analytics/DM3Ar9YvfNXcFeb98fvdMY7tnOYC1ckwZUE2YD4ivLAoWjHSl9xpHZCa5LcWUJ/urizk13?IYOoY=WkcdCoBZFiV&Lowm=HlNDbbTRhFGOEwGQ&_JPww=hQOrAPUwPhkmFNXIc&_B=bJGxgtrwdsB&CV=RiLINgJjFBN&GBUy=fHnjRvtfyRNJMF&sEx=pyUjsxYbfv
  58. - GET /analytics/t7HEOEWuAmPZcFPVsnSwgHkwcAfwStr0M3pxxXAeTW3kLstlY8DRUYFnCYl6mlY__U6mSgOc/urizk13?AOJC=pWLUIWT_xg&DWOI=MnVrlID&lOV=VRKqsxEILZJuIwCI&gXEPv=lJXqnpzLYnvaFT_ff&Yq=PQJTInW
  59. - GET /analytics/Dm5WhW8z60RTnmHCPa5ZTrPYh7q37TmyEGC_0CWcXbWVvCcyU8l2p/urizk18?Lnjj=tz_ImoPUkGH&qoFF=nOMcMhV&xEUn=XIqMdZSY&gb=EcZApwVE&nqhm=VlAtc&tDO=SuIwJKzvIK
  60.  
  61. 14 EXAMPLES OF INSTALLER DLLS:
  62.  
  63. - 02055320bbe1ef2d0fae4e38af054b2d6b96ece974d9641b165dbd9dad6f5a16
  64. - 146d20ec6cfa1df8ae9d0544f3c847bf5dc6d55bd2568517b820761690730387
  65. - 1f48bd51b131fb3a35c43343a047e37cd830567b43250d5369930be91ee00080
  66. - 46ab9514f73a18d5634ba7bc5fa53fba812c91bdb3e9b7837740f26a8ab94efe
  67. - 5ae050f901a0e976cdc19a08f6623138d024b84d700ae2650bb247bf2c7964f3
  68. - 75a55cc7c014e09a9d0ef42ec00fac295f380c933cb9c2ee18ed1d584d2c64a8
  69. - 87f63627eeb82274a1fcc29a0009555221faccc9ea9d18784aadb4e0485eafc6
  70. - a1455fd3f20bff76042befd7f881830147aacdb4ded75ba3507c9b7a8108f238
  71. - d289d95b804cc3fc00894586e06a40026c4a3499391c2f01b205459b1138525d
  72. - dd8b3eb6819ae24937d645431b6865b9e6355ec7e77d55d89c0f4052cbe19876
  73. - e084547248fa0dff79e2187cc90aeac379aaa22c7bedcc65c43d0e63d4867b0a
  74. - e6aa51593afeee8e7f80a623dbf83d398cddabb2d463ee8f916906a504f89a45
  75. - f5b0a1a41ee9205e37e3323890277bdda772aa8c5c0d01f7a99f5001c5ab9b01
  76. - fd03251ac200b55685a961fefe0ca893c749f785c4347ab0f2f168866011e510
  77.  
  78. EXAMPLES OF LOCATION FOR THE INSTALLER DLL FILES:
  79.  
  80. - C:\ProgramData\ctZiq.pdf
  81. - C:\ProgramData\flsYG.pdf
  82. - C:\ProgramData\gvYUU.pdf
  83. - C:\ProgramData\GSSlL.pdf
  84. - C:\ProgramData\LegKX.pdf
  85. - C:\ProgramData\nyEdi.pdf
  86. - C:\ProgramData\OCCMr.pdf
  87. - C:\ProgramData\Pgroh.pdf
  88. - C:\ProgramData\rDPRg.pdf
  89. - C:\ProgramData\RpLBT.pdf
  90. - C:\ProgramData\uaSGj.pdf
  91. - C:\ProgramData\uIChy.pdf
  92. - C:\ProgramData\vQGvf.pdf
  93. - C:\ProgramData\yRSuk.pdf
  94. - C:\ProgramData\zbSOl.pdf
  95.  
  96. DLL RUN METHOD:
  97.  
  98. - rundll32.exe [filename],ShowDialogA -r
  99.  
  100. HTTPS TRAFFIC TO LEGITIMATE DOMAINS CAUSED BY INSTALLER DLL:
  101.  
  102. - port 443 - www.tumblr.com
  103. - port 443 - instagram.com
  104. - port 443 - www.instagram.com
  105. - port 443 - twitter.com
  106. - port 443 - facebook.com
  107. - port 443 - www.facebook.com
  108.  
  109. AT LEAST 3 DIFFERENT DOMAINS FOR HTTPS TRAFFIC GENERATED BY INSTALLER DLLS:
  110.  
  111. - 167.71.138[.]137 port 443 - m41tank[.]best
  112. - 185.135.82[.]225 port 443 - fislatriller[.]best
  113. - 167.71.138[.]137 port 443 - t34tank[.]club
  114.  
  115. 5 EXAMPLES OF SHA256 HASHES FOR ICEDID DLL CREATED BY INSTALLER:
  116.  
  117. - b17b6ada47cabb61e9540d0a1e997dc5175f71efc793fb613e5a99baf53baa2a (1st & 3rd runs - initial)
  118. - 56c26ed446ff536e676969a770d3ca72bd5bb1faf20aa64ecb559cbaab4d36d2 (2nd run - initial)
  119. - f090d746fb4f1990900fccf67d8a0ad2f07f8efc83ee076af20aa3fd01195b51 (1st run - persistent)
  120. - e7f9b5692e7f51ee1711ef2f344f7fdacf4387712c38a82b1361679ab76da12a (2nd run - persistent)
  121. - dbd7b8dd9ed30275c53d8669e023cd086b8d79b985e5f64d97b3b022552d02af (3rd run - persistent)
  122.  
  123. HTTPS TRAFFIC TO MALICIOUS DOMAINS CAUSED BY ICEDID DLL FILES - 1ST AND 3RD RUNS:
  124.  
  125. - 206.189.56[.]140 port 443 - rockercastle[.]best
  126. - 206.189.56[.]140 port 443 - moviecastle[.]club
  127. - 206.189.56[.]140 port 443 - philadelphiagirl[.]top
  128.  
  129. HTTPS TRAFFIC TO MALICIOUS DOMAINS CAUSED BY ICEDID DLL FILES - 2ND RUN:
  130.  
  131. - 68.183.89[.]248 port 443 - ujkiol45[.]cyou
  132. - 68.183.89[.]248 port 443 - aslopoer45[.]cyou
  133.  
  134. MALWARE RETRIEVED FROM AN INFECTED WINDOWS HOST - 1ST RUN:
  135.  
  136. - SHA256 hash: 630e884c9953ca69cfe7ec114cb341933e13d918f3dbd71e396afaf460e81541
  137. - File size: 208,463 bytes
  138. - File location: C:\Users\[username]\AppData\Local\Temp\0007d1d4.png
  139. - File type: PNG image data, 216 x 561, 8-bit/color RGB, non-interlaced
  140. - File description: PNG image with encoded data used to create initial IcedID DLL
  141.  
  142. - SHA256 hash: b17b6ada47cabb61e9540d0a1e997dc5175f71efc793fb613e5a99baf53baa2a
  143. - File size: 203,984 bytes
  144. - File location: C:\Users\[username]\AppData\Local\Visitreflect.dat
  145. - File description: Initial IcedID DLL
  146. - Run method: regsvr32.exe /s [filename]
  147.  
  148. - SHA256 hash: cc1030c4c7486f5295444acb205fa9c9947ad41427b6b181d74e7e5fe4e6f8a9
  149. - File size: 677,968 bytes
  150. - File location: C:\Users\[username]\AppData\Local\oxbujaac64\feosac4.png
  151. - File type: PNG image data, 789 x 431, 8-bit/color RGB, non-interlaced
  152. - File description: PNG file with encoded data created after running initial IcedID DLL
  153.  
  154. - SHA256 hash: f090d746fb4f1990900fccf67d8a0ad2f07f8efc83ee076af20aa3fd01195b51
  155. - File size: 203,984 bytes
  156. - File location: C:\Users\[username]\AppData\Local\Saze64\Lijocn.dll
  157. - File description: Persistent IcedID DLL (persistent through scheduled task)
  158. - Run method: regsvr32.exe /s [filename]
  159.  
  160. MALWARE RETRIEVED FROM INFECTED WINDOWS HOST - 2ND RUN:
  161.  
  162. - SHA256 hash: 50aa846abb65d250b004f89e624b669a89a11fe9a992f4487a6ab0beb8db794f
  163. - File size: 291,919 bytes
  164. - File location: C:\Users\[username]\AppData\Local\Temp\0020b068.png
  165. - File type: PNG image data, 229 x 488, 8-bit/color RGB, non-interlaced
  166. - File description: PNG image with encoded data used to create initial IcedID DLL
  167.  
  168. - SHA256 hash: 56c26ed446ff536e676969a770d3ca72bd5bb1faf20aa64ecb559cbaab4d36d2
  169. - File size: 287,440 bytes
  170. - File location: C:\Users\[username]\AppData\Local\Donorcasino.dat
  171. - File description: Initial IcedID DLL
  172. - Run method: regsvr32.exe /s [filename]
  173.  
  174. - SHA256 hash: f6ea81aaf9a07e24a82b07254a8ed4fcf63d5a8e6ea7b57062f4c5baf9ef8bf2
  175. - File size: 678,288 bytes
  176. - File location: C:\Users\[username]\AppData\Local\[username]\[username]\Extaofac1.png
  177. - File type: PNG image data, 605 x 399, 8-bit/color RGB, non-interlaced
  178. - File description: PNG file with encoded data created after running initial IcedID DLL
  179.  
  180. - SHA256 hash: f090d746fb4f1990900fccf67d8a0ad2f07f8efc83ee076af20aa3fd01195b51
  181. - File size: (287,440 bytes
  182. - File location: C:\Users\[username]\AppData\Local\Piozar\otaxujuc64.dll
  183. - File description: Persistent IcedID DLL (persistent through scheduled task)
  184. - Run method: regsvr32.exe /s [filename]
  185.  
  186. MALWARE RETRIEVED FROM AN INFECTED WINDOWS HOST - 3RD RUN:
  187.  
  188. - SHA256 hash: 760b04205d52f1c31a1211a40cf6ca9bd7d31c2e0dbaf119475fada11ddfb2a6
  189. - File size: 208,463 bytes
  190. - File location: C:\Users\[username]\AppData\Local\Temp\00a097d1.png
  191. - File type: PNG image data, 608 x 222, 8-bit/color RGB, non-interlaced
  192. - File description: PNG image with encoded data used to create initial IcedID DLL
  193.  
  194. - SHA256 hash: b17b6ada47cabb61e9540d0a1e997dc5175f71efc793fb613e5a99baf53baa2a
  195. - File size: 203,984 bytes
  196. - File location: C:\Users\[username]\AppData\Local\Visitreflect.dat
  197. - File description: Initial IcedID DLL
  198. - Run method: regsvr32.exe /s [filename]
  199.  
  200. - SHA256 hash: cc1030c4c7486f5295444acb205fa9c9947ad41427b6b181d74e7e5fe4e6f8a9
  201. - File size: 677,968 bytes
  202. - File location: C:\Users\[username]\AppData\Local\oxbujaac64\feosac4.png
  203. - File type: PNG image data, 789 x 431, 8-bit/color RGB, non-interlaced
  204. - File description: PNG file with encoded data created after running initial IcedID DLL
  205.  
  206. - SHA256 hash: dbd7b8dd9ed30275c53d8669e023cd086b8d79b985e5f64d97b3b022552d02af
  207. - File size: 203,984 bytes
  208. - File location: C:\Users\[username]\AppData\Local\[username]\bixe\Eptinaub3.dll
  209. - File description: Persistent IcedID DLL (persistent through scheduled task)
  210. - Run method: regsvr32.exe /s [filename]
  211.  
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!