API tools faq
paste
malware_traffic

2020-10-29 (Thursday) - TA551 (Shathak) Japanese language Word docs with macros for IcedID

malware_traffic
Oct 29th, 2020
8,208
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 5.84 KB | None | 0 0
raw download clone embed print report
  1. 2020-10-29 (THURSDAY) - TA551 (SHATHAK) JAPANESE-LANGUAGE WORD DOCS WITH MACROS FOR ICEDID:
  2.  
  3. CHAIN OF EVENTS:
  4.  
  5. - malspam --> password-protected zip attachment --> extracted Word doc --> enable macros --> installer DLL --> IcedID EXE
  6.  
  7. 22 EXAMPLES OF TA551 WORD DOCS WITH MACROS:
  8.  
  9. - a6d86526e76f2f3155056f2e76d651ad9f84f57d46defb21609d902c94ef0643 adjure_10.20.doc
  10. - ed25e2fb318b3068c3ecbfec1cc175b55b67bb9d0cc096f27464fb2e30db7876 certificate 10.20.doc
  11. - 4f9f298a2992e91ce6e89966b406d8ce39b51a57786dbfd35abd0432002c69cc commerce .10.20.doc
  12. - a011cb2e23fbc7516c28752b9b9d484324450c5efbda5fe05ff9675ffc434e95 commerce _10.29.2020.doc
  13. - 65ae20640f114ba7244e2ecf412ff836c2efb1697a9bc11ec50677817eb03efe deed contract.10.29.2020.doc
  14. - 84839d67c1612dfaf6c09331c9cfb6eee961114afba1e037c1ced13a3ca67793 direct_10.29.2020.doc
  15. - 287b33010d9509d78ac3f992c9424efba2a548c5d4f604423d47055b55621344 file.10.29.2020.doc
  16. - cff0bae2e6702d2da4c1600c1b42873016db94d39952eccf18a67bdee9f9916e files.10.20.doc
  17. - cf6b808afcc56fed6043b9222aede14cc2b9a6e972b0754efcc370eec9d7d89f input,10.29.20.doc
  18. - 1111afe500e7b32dcea139b8bc3324c964d0b77a0100464e88db404c2315428c inquiry_10.20.doc
  19. - 6e13f3061cc383e39ae83609f164896c89f155da4df3fff977eca50080ab2490 legislate.10.20.doc
  20. - 6d1fef8e835a4a7128fe4dd10edef98b52b55167c1bfc446a9e5cba1b7978b88 legislate.10.29.2020.doc
  21. - bfb60ac007c4b2548261ce2816ffa7dfa95b2c29a049c6c07f2c6797081eed63 material_10.20.doc
  22. - 626deb3820030d1172d10230f9a413c4a4ce19a290c05b701420d453e575f678 official paper.10.29.20.doc
  23. - 6e9067cb1bc9565a788228b8afaa100bea133a6af52a72a63df055a269f95cd7 ordain,10.20.doc
  24. - 3e926b20b8fb57f177f33eaf77e5a82d1106a797434621270be66e5a20de4702 particulars 10.20.doc
  25. - 20db13bc085651a014714ce80f27d01b5b5c1e3b6f2de5f3d0f93be26323de19 particulars.10.20.doc
  26. - ecf90738b32ab2b13831b1287e0acfc14c5510f33acaab75b77d64ca3b890f1c prescribe ,10.20.doc
  27. - 25eafa7e82793a17dc7333290bd63aa5b40e0784a0825f283a26cbb7e2174548 question-10.29.2020.doc
  28. - c93df1633d07c796ac031ad3a15171d013a7b845ed0c7daae257fe5e1bfcb6be specifics-10.20.doc
  29. - e5af674a3f8789fd5c05b1977137848db7f64b4af465b6bac7f01c30e4b7f41f statistics-10.20.doc
  30. - 0f851b78a4adbd10029376f2ebc6095b015825e6dd520007c6319988d3de3b0d tell-10.20.doc
  31.  
  32. AT LEAST 6 DOMAINS HOSTING THE INSTALLER DLL:
  33.  
  34. - apple6813[.]com - 83.166.240[.]177
  35. - bread3250[.]com - 185.219.43[.]26
  36. - diamond2948[.]com - 195.93.173[.]20
  37. - enrich3459[.]com - 185.62.103[.]125
  38. - news7264[.]com - 80.87.202[.]138
  39. - patch6838[.]com - 193.201.126[.]41
  40.  
  41. EXAMPLES OF URLS FOR INSTALLER DLL:
  42.  
  43. - GET /update/ViFqCUttwbbkcbVQXKQmzzMDRmksbGKUzUCuAQ_UwTpwQdNdsxTmBshEtM/chti1
  44. - GET /update/J/nIFjJjcrdt/UYnfTEqTDPvgRwgXPLCEZxqhRgdPgDSZeLnjxdfLDBiLM/chti2
  45. - GET /update/_xZHlYFyAWZKbcKbAgLgc/qoNdvPtbvNSBMfgGL/DpzPkWhisGRjjAlVnGKyzuB/chti2
  46. - GET /update/lasdkfjsldfj/chti3
  47. - GET /update/hXfvmElX_lTqjjLbwgYjCyGNAiZxBJkOkyWlnGAWRUXZg/chti3
  48. - GET /update/fgRbIjjIYk/fTvznzyVWgDUuWEYoGVkgjqwBdKpvPlzqGqYKThAuCbxcA/chti3
  49. - GET /update/hprlLISgHjlQlbvFnbXuqgnsMX_xHLPjEmxKhghqUZt/zKTeh/chti4
  50. - GET /update/LFSUcVKKbVjkWVOBqGd/YqkDQqhZVwvvgD/chti5
  51. - GET /update/gwGGQSnNrdJAJQpUSzpQNKnMhbV/LtOhWKv/KOtHsgfOPIVULjwb_N/chti5
  52. - GET /update/XTZrbyvClXzcfZcJGZSmDWBthSBXjRKw/chti6
  53. - GET /update/lNmLRNHEPRrXMfAIAPEenXnvItTWZSscqQQlYVgRXQTdWLVvwkZYDCjzUMkl_dSV/chti7
  54. - GET /update/VMDpPLJkdcOugqcs/HXNkDOulYVBGjFXBjmmRQ_hXkJi/dEpcFLnjg_tbOByBKTJPDs/chti7
  55. - GET /update/DKACnTtCBEUysSOMQhSIZdsLUcvuGNmAsUQnpVtThQjGpCCphEbzrnMmFJvNlyfMfZC_ltXQjoQzqkG/chti8
  56.  
  57.  
  58. 11 EXAMPLES OF INSTALLER DLLS:
  59.  
  60. - 1ab36b4575d9a6afcf08d7ffb68de6db183864f5142550ec66c991b773fbec66
  61. - 1ffddaf83d82d0c6665cef0d9693e7d37f5f10c45afb71568f26d780321ec2be
  62. - 3565230594e9e762af226b68d74e47bd342d0d8b816bed4a33f8a119361433a2
  63. - 3df9748662dbcb9db09d1353b2c0db2016bb39597c888ab731816353e52ec146
  64. - 4f7bbd2ea950296df9a754b5a6ef1b73b5660c55d3dec1e74730d43876efa179
  65. - 61c7b18cb163279e003c585702df47f1ad8f99909f507bfae1c9d9ef9d754fb8
  66. - 86f09ef05798927f80dfd314969dc0b47cfb01e1124bc1babd6fd8eaaeab2f66
  67. - 91c37cc2194f53dfb818f6655bd608a43df1047e5791bb3097851bfe31c5ef71
  68. - 9dcffd886644a2c4071c3828a86d7a85a30b80f95c419ec0af0adf7ed7478149
  69. - 9e6e3e7c605547601964990bda7c213c62b9ad22c1c95119053e947fb97df5ac
  70. - b2c289be94c22e37b2835a7f532cc3995459892fa7fe865175f69b1bc0e1a20b
  71.  
  72. EXAMPLES OF LOCATION FOR THE INSTALLER DLL FILES:
  73.  
  74. - C:\Users\[username]\AppData\Local\Temp\AjZHP.pdf
  75. - C:\Users\[username]\AppData\Local\Temp\bZxBs.pdf
  76. - C:\Users\[username]\AppData\Local\Temp\gHpOg.pdf
  77. - C:\Users\[username]\AppData\Local\Temp\ibfDC.pdf
  78. - C:\Users\[username]\AppData\Local\Temp\OGkYi.pdf
  79. - C:\Users\[username]\AppData\Local\Temp\RYloo.pdf
  80. - C:\Users\[username]\AppData\Local\Temp\TaHUm.pdf
  81. - C:\Users\[username]\AppData\Local\Temp\Wkvmz.pdf
  82. - C:\Users\[username]\AppData\Local\Temp\wzMyP.pdf
  83. - C:\Users\[username]\AppData\Local\Temp\ZuzYY.pdf
  84.  
  85. DLL RUN METHOD:
  86.  
  87. - regsvr32.exe [filename]
  88.  
  89. HTTPS TRAFFIC TO LEGITIMATE DOMAINS CAUSED BY INSTALLER DLL:
  90.  
  91. - port 443 - www.intel.com
  92. - port 443 - support.oracle.com
  93. - port 443 - www.oracle.com
  94. - port 443 - support.apple.com
  95. - port 443 - help.twitter.com
  96.  
  97. AT LEAST x DIFFERENT URLS FOR HTTPS TRAFFIC GENERATED BY INSTALLER DLLS:
  98.  
  99. - 167.99.248[.]130 port 443 - redicilious[.]online - GET /background.png
  100.  
  101. x EXAMPLES OF SHA256 HASHES FOR ICEDID DLL CREATED BY INSTALLER:
  102.  
  103. - c3058f443dffdff7b855a29d76c33bf1aaf295a37892fcc942d59ef9e2ed38fb (initial)
  104. - c0ebb6d2b3647426b5b712c0ab956f8f852edc9dd524082f88b035d009597c2d (persistent)
  105.  
  106. HTTPS TRAFFIC TO MALICIOUS DOMAINS CAUSED BY THE ICEDID DLL FILES:
  107.  
  108. - 79.110.52[.]253 port 443 - maseratipirosh[.]top
  109. - 165.22.216[.]113 port 443 - tyrek87[.]cyou
  110. - 165.22.216[.]113 port 443 - fodsijjire[.]cyou
  111. - 79.110.52[.]253 port 443 - rivercoockinh[.]cyou
  112. - 79.110.52[.]253 port 443 - hdfouter[.]pw
  113.  
  114. NOTE: These are the same domains as samples from the previous two days, but different IP addresses.
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!