malware_traffic

2020-11-30 (Monday) TA551 (Shathak) Word docs with English template push IcedID

Nov 30th, 2020 (edited)
2020-11-30 (MONDAY) - TA551 (SHATHAK) WORD DOCS WITH ENGLISH TEMPLATE PUSH ICEDID:

CHAIN OF EVENTS:

- malspam --> password-protected zip attachment --> extracted Word doc --> enable macros --> installer DLL --> IcedID DLL

20 EXAMPLES OF TA551 WORD DOCS WITH MACROS:

- 3b53987ddd38a4f90b65844e5ee0c81d989f4a91022e1fecd3087ef7a25bbe3d adjure.doc
- 02f916508e994d17de70335b46e547af0bf809405a80a4ea732e5fc7153cfcb6 bid,11.20.doc
- b8a5a443b741896e97bcdcfce919b4625399ae757b7daa7b36e529aa6a97b286 bid,11.20.doc
- 5608aae1e78b3e7d0c5596dc02a93b3532244a38db5578e36ae800cd4f591bbc command,11.20.doc
- 427b1af5ab5a8ecf6d182ea7c1bcf696700ea31358b88ca374fa82b4d0dc619d command.11.30.2020.doc
- 322d78ed2f9a138dfec07b250b68382c990bb8591826b3faddac937d35c11bb7 commerce _11.30.20.doc
- 3dd7d96b7c9f31bb08c6d2454d304dbbad097222cbd6f16fba6c72ca3c8da1d8 direct-11.20.doc
- 68c8650b6fb677494afb0403752f15b92351fa9cf56fd7a9ac7686f63d7930fc docs.11.20.doc
- da1fa1f310f0938eaccf5edb3321dc133c0b085fbd209b7547734da15dc1af0d documents 11.20.doc
- 12a4de1346fa7e87d6fbcd813b0e8a2fa8c69d8c9c22c6a4fddc6639a8690e10 files_11.20.doc
- 32396d24526f53981f4cd869f0c2cb89edc0ae4972f6492007ea89320accaad3 instruct.11.20.doc
- 9b56c19e53c20775ef735e8e72025e28cb72c006d3ca62cee4c332bed188a090 intelligence-11.30.2020.doc
- 3eb8e615f381c1c610ad80dddba765fcc54a048b1ab01007d70e6a75c3bf27e0 legal agreement-11.20.doc
- 611e80332043d9a050383da839c46bdd8b456f955cdfdea90f8cdfe14277ae69 legislate,11.20.doc
- dd2b140ceab48bcbac7f69aaa971d822c3bae3108b4c0712f3cdefa28c2e883e material,11.20.doc
- 6e1558a4590a10a176663e0747a01fdebc128e69d763a1fd7a23f1f26a871402 question-11.30.2020.doc
- d62a85f68f6936093213ffef4212e50d60c85a75690edf997b9c7ee3765c8ba5 question_11.30.2020.doc
- 6d9127807993ad1167f4bdc5ec30e28a9d64d70dcbc6a41fb4ec8c29b9e97f57 tell-11.30.2020.doc
- 05b8d446a09ad61a5f1f360a93279bb5f2600628320fd82f98c9b57fe5e892db tell.11.30.2020.doc
- a3a4a09661bc7d34513f843582005e1389cbc44f7995b918968d0ef8af331f17 tell_11.20.doc

AT LEAST 10 DOMAINS HOSTING THE INSTALLER DLL:

- bvm616staff[.]com - 185.62.103[.]52
- ewrhh539reopen[.]com - 185.135.82[.]225
- exrvv365weapon[.]com - 95.214.9[.]199
- fhnz798comic[.]com - 185.219.42[.]225
- fr920victory[.]com - 45.10.89[.]194
- nipng629usage[.]com - 185.34.52[.]179
- ppxw332object[.]com - 77.222.55[.]176
- rbhz935type[.]com - 149.154.69[.]145
- zivd990grow[.]com - 92.63.105[.]58
- zf556energy[.]com - 80.85.159[.]242

EXAMPLES OF URLS FOR INSTALLER DLL:

- GET /analytics/nhO3kqsYLcj0dw0P/QTaQ0rJcrh05iGK84CSFqQIMVJ33JHlS_1TI6xclMFo6qGFZE/urizk1?bz=liCgUkfJY_XvWsssw&mGW=OAgygcAbC&YnU=PeterRrOdbUgM&BpHSl=_hNvXiNprUPT
- GET /analytics/fDLQPfcYGovvv9ghCoFTD3UH1LHYACm47WmNJyVED6/urizk3?kqgI=OnOIgfeIHTD&FxmJO=YScwCInR&Moql=EgLiAI_BCLNUgL&wqM=vgGBXEYXlRANRi&MR=CkbsrPGcYMhBB
- GET /analytics/YectfRTOnUYoLT/MmdFgTrLoBPXs2MTexlXTOARnNjspWSbdFl_pN6Ocnd/IVlZRpW1_V2bLCgRdrUJpvUSOY/urizk3?cF=hlkXITTpV&_DNYm=WkxGRsldDwqFl&nON_=ICPn_AbcsJULXTKb
- GET /analytics/KcSEXmBf0XKUHqxMI08qLqXU52QWOYK/2aRb6/cNdyIF7UQqGwA9betPFuS2qxKWpjKIJ35oX/urizk5?ATtTb=zJmBDqLyZFX&JGv=YPZJ_D&ktq=MQpmSWgEz
- GET /analytics/OBfelcndnIU5IF2akWY71D3gRG0abaOgPybDGdv52Nt/wYKX3_ti4f0474AUmh4hwk/R_gT0jOpe/urizk6?hCN=jZqmvlwc&OSYY=KcGrhcOBtZcqMkWPP&we=TVwmBQDz&QoFu=HKYVBTqswihuMtQ&IKKqD=sdDbcICRdX&oz=VJ_ZcObgRZfwhUOim
- GET /analytics/5v5qKRCIFnFV036OB8Zl1sXW6d1AliZKsw068hktST7qH/urizk7?kWY=tQqvDY_tWIflY&SZCeI=GEDkkUKYXTtI&hoDg=RiD__tnbF&vQB=cBxoWM&UupO=qAIrOAp
- GET /analytics/pzh1ka0WcYLvmhBDVz6TfQmRx_wecJ12Dk/urizk8?VUHQY=GEMGAmK&ntNCO=PTHuMpYPKDrzJAdQn&AFEmF=gDLbSUvfwfwe&VpZr=OqwHFZ&VB=fwr_JbFg
- GET /analytics/ZqVWsY6btE5vRqTp8qA5F_bMs489VRTAq56ecc/urizk9?LIZ=zHSBwUWUSsE&VzhEB=YyxlRpXInjiN&RhheB=MJCHmYh&FCix=MmgDUDXpWwR&noMEq=YsmWdEkEOM
- GET /analytics/_6PAdlIpCqIcgRHiPPcF7/TXCLR81OzZRtMaZyr_jW_cDVpBfU5ct4F6YV3m1/urizk9?gZG=MITlRWLmQisrBUOJ&COTW=IVfIYYdtQKXofEhx&_w=bYCDjSw_NovnGBmx&ZlX=ciYmlaxqQqmuk
- GET /analytics/YYTeKJQUYNrhP4MPMDSjIv6M1Mj8FJtGB_d/2M_PQVjckqYg87Yl6CcwDSh1I/6CVnRrBnX0c/urizk11?DtUUF=NePsHSqwMK&EoNL=YHPlEj_wV&BMMb=TvlWMI_MHWE&CZZFq=tyEbSFGpRrKkdw&ULUr=bIwAfgwy&Nr=QyNJKdZlmS
- GET /analytics/E_HpS4k7UtUSDkjxTy4Th3qHkBGk7JlY3iz_TO0Rgax2ZVTS3CmK2oZUW89Vv5qV79XUrC23wm/aGt8/urizk11?qvf=EIJlSeWTjs&QV=wCYaCnSnSYCfqE&EL=cVhlGzzJhwq
- GET /analytics/sL/cc5RG1G3_XOYXt332s3ATSCrcv385mWpIJKRjPRIBh/urizk12?kF=zZKfsf&WZpxB=BozVovnIkUzGz&JRgT=w_xLmJBVnns&h_=FJwVtgERLxWDJoE
- GET /analytics/DM3Ar9YvfNXcFeb98fvdMY7tnOYC1ckwZUE2YD4ivLAoWjHSl9xpHZCa5LcWUJ/urizk13?IYOoY=WkcdCoBZFiV&Lowm=HlNDbbTRhFGOEwGQ&_JPww=hQOrAPUwPhkmFNXIc&_B=bJGxgtrwdsB&CV=RiLINgJjFBN&GBUy=fHnjRvtfyRNJMF&sEx=pyUjsxYbfv
- GET /analytics/t7HEOEWuAmPZcFPVsnSwgHkwcAfwStr0M3pxxXAeTW3kLstlY8DRUYFnCYl6mlY__U6mSgOc/urizk13?AOJC=pWLUIWT_xg&DWOI=MnVrlID&lOV=VRKqsxEILZJuIwCI&gXEPv=lJXqnpzLYnvaFT_ff&Yq=PQJTInW
- GET /analytics/Dm5WhW8z60RTnmHCPa5ZTrPYh7q37TmyEGC_0CWcXbWVvCcyU8l2p/urizk18?Lnjj=tz_ImoPUkGH&qoFF=nOMcMhV&xEUn=XIqMdZSY&gb=EcZApwVE&nqhm=VlAtc&tDO=SuIwJKzvIK
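
Every installer-DLL URL above follows one shape: /analytics/, one or more random [A-Za-z0-9_] path segments, a final urizk<N> segment, then a query string of random key=value pairs. The following added example (not code from the original paste or from malware-traffic-analysis.net) turns that shape plus the domain list into a proxy-log check. The proxy log layout ("timestamp client method host path status"), the host names newhost.example and www.example.com, and all sample log lines are constructed for the example; only the first line reuses a real domain and URL from the lists above.

```python
import re
from typing import Dict, List, Optional

# Installer-DLL hosting domains listed above (defanged on the page), refanged here.
INSTALLER_DOMAINS = {d.replace("[.]", ".") for d in (
    "bvm616staff[.]com", "ewrhh539reopen[.]com", "exrvv365weapon[.]com",
    "fhnz798comic[.]com", "fr920victory[.]com", "nipng629usage[.]com",
    "ppxw332object[.]com", "rbhz935type[.]com", "zivd990grow[.]com",
    "zf556energy[.]com",
)}

# URL shape shared by every installer-DLL request above: "/analytics/", one or more
# random [A-Za-z0-9_] path segments, a final "urizk<N>" segment, then a query string
# of random key=value pairs. Derived from the listed examples, not from TA551 code.
INSTALLER_URL_RE = re.compile(
    r"^/analytics/(?:[A-Za-z0-9_]+/)+urizk\d+\?"
    r"[A-Za-z0-9_]+=[A-Za-z0-9_]+(?:&[A-Za-z0-9_]+=[A-Za-z0-9_]+)*$"
)

# Hypothetical proxy log layout assumed for this example:
#   <timestamp> <client_ip> <method> <host> <path> <status>
PROXY_LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")


def classify(line: str) -> Optional[Dict[str, str]]:
    """Return a finding for one proxy-log line, or None when nothing matches.

    Confidence: 'high' = known domain AND installer URL shape, 'medium' = URL shape
    only (a rotated domain not on the list), 'low' = known domain with another path.
    """
    m = PROXY_LINE_RE.match(line)
    if not m:
        return None
    ts, client, method, host, path, status = m.groups()
    url_hit = method == "GET" and bool(INSTALLER_URL_RE.match(path))
    domain_hit = host.lower() in INSTALLER_DOMAINS
    if url_hit and domain_hit:
        confidence = "high"
    elif url_hit:
        confidence = "medium"
    elif domain_hit:
        confidence = "low"
    else:
        return None
    return {"timestamp": ts, "client": client, "host": host,
            "path": path, "confidence": confidence}


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run classify() over a log and keep only the lines that produced a finding."""
    return [f for f in (classify(line) for line in lines) if f]


# Constructed sample log lines (not traffic from the page). The first reuses a
# domain and URL from the lists above; the others are made up for contrast.
SAMPLE_LOG = [
    "2020-11-30T14:02:11Z 10.0.0.25 GET fr920victory.com "
    "/analytics/pzh1ka0WcYLvmhBDVz6TfQmRx_wecJ12Dk/urizk8?VUHQY=GEMGAmK&ntNCO=PTHuMpYPKDrzJAdQn 200",
    "2020-11-30T14:02:12Z 10.0.0.25 GET www.example.com /analytics/collect?v=1&tid=UA-1 200",
    "2020-11-30T14:05:40Z 10.0.0.31 GET newhost.example /analytics/Ab1_cD/eF2/urizk4?q=x&r_=y 200",
    "2020-11-30T14:06:03Z 10.0.0.31 GET zf556energy.com /favicon.ico 404",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The URL-shape rule is what keeps paying off after the ten domains rotate out: the second constructed line shows a legitimate /analytics/ path is not enough to trip it, and the third shows a never-seen host with the urizk<N> shape still surfaces at medium confidence.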

14 EXAMPLES OF INSTALLER DLLS:

- 02055320bbe1ef2d0fae4e38af054b2d6b96ece974d9641b165dbd9dad6f5a16
- 146d20ec6cfa1df8ae9d0544f3c847bf5dc6d55bd2568517b820761690730387
- 1f48bd51b131fb3a35c43343a047e37cd830567b43250d5369930be91ee00080
- 46ab9514f73a18d5634ba7bc5fa53fba812c91bdb3e9b7837740f26a8ab94efe
- 5ae050f901a0e976cdc19a08f6623138d024b84d700ae2650bb247bf2c7964f3
- 75a55cc7c014e09a9d0ef42ec00fac295f380c933cb9c2ee18ed1d584d2c64a8
- 87f63627eeb82274a1fcc29a0009555221faccc9ea9d18784aadb4e0485eafc6
- a1455fd3f20bff76042befd7f881830147aacdb4ded75ba3507c9b7a8108f238
- d289d95b804cc3fc00894586e06a40026c4a3499391c2f01b205459b1138525d
- dd8b3eb6819ae24937d645431b6865b9e6355ec7e77d55d89c0f4052cbe19876
- e084547248fa0dff79e2187cc90aeac379aaa22c7bedcc65c43d0e63d4867b0a
- e6aa51593afeee8e7f80a623dbf83d398cddabb2d463ee8f916906a504f89a45
- f5b0a1a41ee9205e37e3323890277bdda772aa8c5c0d01f7a99f5001c5ab9b01
- fd03251ac200b55685a961fefe0ca893c749f785c4347ab0f2f168866011e510

EXAMPLES OF LOCATION FOR THE INSTALLER DLL FILES:

- C:\ProgramData\ctZiq.pdf
- C:\ProgramData\flsYG.pdf
- C:\ProgramData\gvYUU.pdf
- C:\ProgramData\GSSlL.pdf
- C:\ProgramData\LegKX.pdf
- C:\ProgramData\nyEdi.pdf
- C:\ProgramData\OCCMr.pdf
- C:\ProgramData\Pgroh.pdf
- C:\ProgramData\rDPRg.pdf
- C:\ProgramData\RpLBT.pdf
- C:\ProgramData\uaSGj.pdf
- C:\ProgramData\uIChy.pdf
- C:\ProgramData\vQGvf.pdf
- C:\ProgramData\yRSuk.pdf
- C:\ProgramData\zbSOl.pdf

DLL RUN METHOD:

- rundll32.exe [filename],ShowDialogA -r

HTTPS TRAFFIC TO LEGITIMATE DOMAINS CAUSED BY INSTALLER DLL:

- port 443 - www.tumblr.com
- port 443 - instagram.com
- port 443 - www.instagram.com
- port 443 - twitter.com
- port 443 - facebook.com
- port 443 - www.facebook.com

AT LEAST 3 DIFFERENT DOMAINS FOR HTTPS TRAFFIC GENERATED BY INSTALLER DLLS:

- 167.71.138[.]137 port 443 - m41tank[.]best
- 185.135.82[.]225 port 443 - fislatriller[.]best
- 167.71.138[.]137 port 443 - t34tank[.]club

5 EXAMPLES OF SHA256 HASHES FOR ICEDID DLL CREATED BY INSTALLER:

- b17b6ada47cabb61e9540d0a1e997dc5175f71efc793fb613e5a99baf53baa2a (1st & 3rd runs - initial)
- 56c26ed446ff536e676969a770d3ca72bd5bb1faf20aa64ecb559cbaab4d36d2 (2nd run - initial)
- f090d746fb4f1990900fccf67d8a0ad2f07f8efc83ee076af20aa3fd01195b51 (1st run - persistent)
- e7f9b5692e7f51ee1711ef2f344f7fdacf4387712c38a82b1361679ab76da12a (2nd run - persistent)
- dbd7b8dd9ed30275c53d8669e023cd086b8d79b985e5f64d97b3b022552d02af (3rd run - persistent)

HTTPS TRAFFIC TO MALICIOUS DOMAINS CAUSED BY ICEDID DLL FILES - 1ST AND 3RD RUNS:

- 206.189.56[.]140 port 443 - rockercastle[.]best
- 206.189.56[.]140 port 443 - moviecastle[.]club
- 206.189.56[.]140 port 443 - philadelphiagirl[.]top

HTTPS TRAFFIC TO MALICIOUS DOMAINS CAUSED BY ICEDID DLL FILES - 2ND RUN:

- 68.183.89[.]248 port 443 - ujkiol45[.]cyou
- 68.183.89[.]248 port 443 - aslopoer45[.]cyou

MALWARE RETRIEVED FROM AN INFECTED WINDOWS HOST - 1ST RUN:

- SHA256 hash: 630e884c9953ca69cfe7ec114cb341933e13d918f3dbd71e396afaf460e81541
- File size: 208,463 bytes
- File location: C:\Users\[username]\AppData\Local\Temp\0007d1d4.png
- File type: PNG image data, 216 x 561, 8-bit/color RGB, non-interlaced
- File description: PNG image with encoded data used to create initial IcedID DLL

- SHA256 hash: b17b6ada47cabb61e9540d0a1e997dc5175f71efc793fb613e5a99baf53baa2a
- File size: 203,984 bytes
- File location: C:\Users\[username]\AppData\Local\Visitreflect.dat
- File description: Initial IcedID DLL
- Run method: regsvr32.exe /s [filename]

- SHA256 hash: cc1030c4c7486f5295444acb205fa9c9947ad41427b6b181d74e7e5fe4e6f8a9
- File size: 677,968 bytes
- File location: C:\Users\[username]\AppData\Local\oxbujaac64\feosac4.png
- File type: PNG image data, 789 x 431, 8-bit/color RGB, non-interlaced
- File description: PNG file with encoded data created after running initial IcedID DLL

- SHA256 hash: f090d746fb4f1990900fccf67d8a0ad2f07f8efc83ee076af20aa3fd01195b51
- File size: 203,984 bytes
- File location: C:\Users\[username]\AppData\Local\Saze64\Lijocn.dll
- File description: Persistent IcedID DLL (persistent through scheduled task)
- Run method: regsvr32.exe /s [filename]

MALWARE RETRIEVED FROM AN INFECTED WINDOWS HOST - 2ND RUN:

- SHA256 hash: 50aa846abb65d250b004f89e624b669a89a11fe9a992f4487a6ab0beb8db794f
- File size: 291,919 bytes
- File location: C:\Users\[username]\AppData\Local\Temp\0020b068.png
- File type: PNG image data, 229 x 488, 8-bit/color RGB, non-interlaced
- File description: PNG image with encoded data used to create initial IcedID DLL

- SHA256 hash: 56c26ed446ff536e676969a770d3ca72bd5bb1faf20aa64ecb559cbaab4d36d2
- File size: 287,440 bytes
- File location: C:\Users\[username]\AppData\Local\Donorcasino.dat
- File description: Initial IcedID DLL
- Run method: regsvr32.exe /s [filename]

- SHA256 hash: f6ea81aaf9a07e24a82b07254a8ed4fcf63d5a8e6ea7b57062f4c5baf9ef8bf2
- File size: 678,288 bytes
- File location: C:\Users\[username]\AppData\Local\[username]\[username]\Extaofac1.png
- File type: PNG image data, 605 x 399, 8-bit/color RGB, non-interlaced
- File description: PNG file with encoded data created after running initial IcedID DLL

- SHA256 hash: e7f9b5692e7f51ee1711ef2f344f7fdacf4387712c38a82b1361679ab76da12a
- File size: 287,440 bytes
- File location: C:\Users\[username]\AppData\Local\Piozar\otaxujuc64.dll
- File description: Persistent IcedID DLL (persistent through scheduled task); hash as listed in the "2nd run - persistent" entry above
- Run method: regsvr32.exe /s [filename]

MALWARE RETRIEVED FROM AN INFECTED WINDOWS HOST - 3RD RUN:

- SHA256 hash: 760b04205d52f1c31a1211a40cf6ca9bd7d31c2e0dbaf119475fada11ddfb2a6
- File size: 208,463 bytes
- File location: C:\Users\[username]\AppData\Local\Temp\00a097d1.png
- File type: PNG image data, 608 x 222, 8-bit/color RGB, non-interlaced
- File description: PNG image with encoded data used to create initial IcedID DLL

- SHA256 hash: b17b6ada47cabb61e9540d0a1e997dc5175f71efc793fb613e5a99baf53baa2a
- File size: 203,984 bytes
- File location: C:\Users\[username]\AppData\Local\Visitreflect.dat
- File description: Initial IcedID DLL
- Run method: regsvr32.exe /s [filename]

- SHA256 hash: cc1030c4c7486f5295444acb205fa9c9947ad41427b6b181d74e7e5fe4e6f8a9
- File size: 677,968 bytes
- File location: C:\Users\[username]\AppData\Local\oxbujaac64\feosac4.png
- File type: PNG image data, 789 x 431, 8-bit/color RGB, non-interlaced
- File description: PNG file with encoded data created after running initial IcedID DLL

- SHA256 hash: dbd7b8dd9ed30275c53d8669e023cd086b8d79b985e5f64d97b3b022552d02af
- File size: 203,984 bytes
- File location: C:\Users\[username]\AppData\Local\[username]\bixe\Eptinaub3.dll
- File description: Persistent IcedID DLL (persistent through scheduled task)
- Run method: regsvr32.exe /s [filename]
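
The two run methods on this page, rundll32.exe [filename],ShowDialogA -r for the installer DLL (dropped in C:\ProgramData with a .pdf name) and regsvr32.exe /s [filename] for the initial (.dat directly under AppData\Local) and persistent (.dll in a subfolder of AppData\Local) IcedID DLLs, reduce to three process-command-line checks. The following added example (not code from the original paste or from malware-traffic-analysis.net) implements them over constructed process-creation records. The CommandLine field name, the user name alice, and the benign decoy command lines are assumptions for the example; the file names and paths in the first three records are taken from the lists above.

```python
import re
from typing import Dict, List

# Command-line shapes taken from the run methods on this page. The export name
# ShowDialogA comes from the installer DLL run method; the silent (/s) regsvr32
# load comes from the IcedID DLL run method.
RUNDLL32_SHOWDIALOGA = re.compile(
    r"rundll32(?:\.exe)?\s+\"?(?P<module>[^\",]+?)\"?,ShowDialogA\b", re.IGNORECASE
)
REGSVR32_SILENT = re.compile(
    r"regsvr32(?:\.exe)?\s+/s\s+\"?(?P<module>[^\"]+?)\"?\s*$", re.IGNORECASE
)
LOCAL_APPDATA = re.compile(r"\\AppData\\Local\\", re.IGNORECASE)
PROGRAMDATA = re.compile(r"^[A-Za-z]:\\ProgramData\\", re.IGNORECASE)


def _extension(path: str) -> str:
    """Lower-cased extension of a Windows path, '' when there is none."""
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect(event: Dict[str, str]) -> List[str]:
    """Return the names of the page-derived rules one process event trips."""
    cmd = event.get("CommandLine", "")
    hits: List[str] = []

    m = RUNDLL32_SHOWDIALOGA.search(cmd)
    if m:
        hits.append("ta551_rundll32_showdialoga")
        module = m.group("module")
        # Installer DLLs above were dropped in C:\ProgramData under a .pdf name.
        if PROGRAMDATA.search(module) and _extension(module) != "dll":
            hits.append("ta551_installer_nondll_in_programdata")

    m = REGSVR32_SILENT.search(cmd)
    if m:
        module = m.group("module")
        # Initial IcedID DLL: .dat directly under AppData\Local;
        # persistent IcedID DLL: .dll in a subfolder of AppData\Local.
        if LOCAL_APPDATA.search(module) and _extension(module) in ("dat", "dll"):
            hits.append("icedid_regsvr32_silent_localappdata")
    return hits


def scan(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map event index -> rule names for every event that trips at least one rule."""
    findings: Dict[int, List[str]] = {}
    for i, ev in enumerate(events):
        rules = detect(ev)
        if rules:
            findings[i] = rules
    return findings


# Constructed sample events (hypothetical field name "CommandLine"); the first
# three reuse file names and paths from this page, the last two are benign decoys.
SAMPLE_EVENTS = [
    {"CommandLine": "rundll32.exe C:\\ProgramData\\ctZiq.pdf,ShowDialogA -r"},
    {"CommandLine": "regsvr32.exe /s C:\\Users\\alice\\AppData\\Local\\Visitreflect.dat"},
    {"CommandLine": "regsvr32.exe /s C:\\Users\\alice\\AppData\\Local\\Saze64\\Lijocn.dll"},
    {"CommandLine": "regsvr32.exe /s \"C:\\Program Files\\Vendor\\vendor.dll\""},
    {"CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["CommandLine"], "->", rules)
```

The export name is the strongest of the three signals: the [filename] in the rundll32 line changes per sample, but ShowDialogA and the non-DLL extension under ProgramData are what the listed installer DLLs have in common, and a silent regsvr32 load of a .dat or .dll from the user's AppData\Local is what the initial and persistent IcedID DLLs share across all three runs.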