2021-04-12-IOCs-for-IcedID-infection.txt
2021-04-12 (MONDAY) - ICEDID (BOKBOT) FROM ZIPPED JS FILE:
REFERENCE:
- https://twitter.com/Unit42_Intel/status/1381978500891049989
NOTES:
- Reference: https://www.microsoft.com/security/blog/2021/04/09/investigating-a-unique-form-of-email-delivery-for-icedid-malware/
- Based on the above report, we found a zip archive from today (Monday 2021-04-12) containing a malicious .js file associated with this campaign.
MALWARE:
- SHA256 hash: d4993d4433e5f847362591e3148009a071244e464c7b265affb6e6e07985610c
- File size: 8,119 bytes
- File name: StolenImages_Evidence.zip
- File description: ZIP archive retrieved from link in email pushing IcedID
- SHA256 hash: 0314b8cd45b636f38d07032dc8ed463295710460ea7a4e214c1de7b0e817aab6
- File size: 28,195 bytes
- File name: StolenImages_Evidence.js
- File description: JS file extracted from the above ZIP archive
- SHA256 hash: 213e9c8bf7f6d0113193f785cb407f0e8900ba75b9131475796445c11f3ff37c
- File size: 214,542 bytes
- File location: hxxp://banusdona[.]top/222g100/main.php
- File location: C:\Users\[username]\AppData\Local\Temp\JwWdx.dat
- File description: Installer DLL for IcedID
- Run method: rundll32.exe [filename],DllRegisterServer
- SHA256 hash: 3d1b525ec2ee887bbc387654f6ff6d88e41540b789ea124ce51fb5565e2b8830
- File size: 507,723 bytes
- File location: hxxp://momenturede[.]fun/
- File description: Fake gzip file called by installer DLL used to create IcedID DLL and license.dat files
- SHA256 hash: 29d2a8344bd725d7a8b43cc77a82b3db57a5226ce792ac4b37e7f73ec468510e
- File size: 341,098 bytes
- File location: C:\Users\[username]\AppData\Roaming\GlancePlay\license.dat
- File description: binary data file used to run IcedID DLL files
- SHA256 hash: a0f92bc42ff69b63a34614f4795c40a2ca3884493949025b48d633dc2efa8ab6
- File size: 166,400 bytes
- File location: C:\Users\[username]\AppData\Local\Temp\originalx32.dat
- File description: Initial DLL for IcedID infection
- Run method: rundll32.exe [filename],update /i:"GlancePlay\license.dat"
- SHA256 hash: e989aa952f71816e08a8587ba20f37f5d6f4c5196d368b6229183ac9542e2c85
- File size: 166,400 bytes
- File location: C:\Users\[username]\AppData\Roaming\[username]\Haimaw2.dll
- File description: Persistent DLL for IcedID infection
- Run method: rundll32.exe [filename],update /i:"GlancePlay\license.dat"
TRAFFIC GENERATED BY .JS FILE TO RETRIEVE INSTALLER DLL:
- 172.67.188[.]12 port 80 - banusdona[.]top - GET /222g100/index.php
- 172.67.188[.]12 port 80 - banusdona[.]top - GET /222g100/main.php
TRAFFIC GENERATED BY INSTALLER DLL TO RETRIEVE FAKE GZIP FILE USED TO CREATE ICEDID FILES:
- port 443 - aws.amazon.com - HTTPS traffic
- 104.236.115[.]181 port 80 - momenturede[.]fun - GET /
C2 TRAFFIC GENERATED BY ICEDID:
- 83.97.20[.]176 port 443 - odichaly[.]space - HTTPS traffic
- 83.97.20[.]176 port 443 - ameripermanentno[.]website - HTTPS traffic
- 83.97.20[.]176 port 443 - mazzappa[.]fun - HTTPS traffic
- 83.97.20[.]176 port 443 - vaccnavalcod[.]website - HTTPS traffic
OTHER ICEDID C2 DOMAINS ON 83.97.20[.]176:
- daserwewlollipop[.]club
- chajkovsky[.]space
- ohbluebennihill[.]website
- seconwowa[.]cyou
- violonchelistto[.]space
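The list above is written in the defanged notation (hxxp, [.]) common to these IOC files, so it has to be parsed and refanged before it can be fed to a hunt. The script below is an added example, not part of the original IOC file: it extracts hashes, URLs, IPs, domains and the rundll32 run methods from text in the page's own format (IOC_TEXT is a constructed subset of the indicators above), turns each "[filename]" placeholder into a command-line pattern, and runs everything against constructed process, DNS, network and file events. The event records, usernames and paths in EVENTS are made up for the demonstration.

```python
"""Parse defanged IcedID IOCs (page format) and match them against telemetry.
Added example; IOC_TEXT is a constructed subset of the list above and EVENTS
are constructed sample events, not real host data."""
import re

IOC_TEXT = r"""
- SHA256 hash: 213e9c8bf7f6d0113193f785cb407f0e8900ba75b9131475796445c11f3ff37c
- File location: hxxp://banusdona[.]top/222g100/main.php
- Run method: rundll32.exe [filename],DllRegisterServer
- SHA256 hash: e989aa952f71816e08a8587ba20f37f5d6f4c5196d368b6229183ac9542e2c85
- Run method: rundll32.exe [filename],update /i:"GlancePlay\license.dat"
- 172.67.188[.]12 port 80 - banusdona[.]top - GET /222g100/main.php
- 83.97.20[.]176 port 443 - odichaly[.]space - HTTPS traffic
- daserwewlollipop[.]club
"""

SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")
URL_RE = re.compile(r"hxxps?://\S+")
# A defanged host: dotted labels whose final separator is "[.]". The page
# defangs only the last dot of an IP (172.67.188[.]12), so plain dots are
# allowed in the middle; "rundll32.exe" or "main.php" never match because
# they contain no "[.]" at all.
HOST_RE = re.compile(r"[a-z0-9-]+(?:(?:\.|\[\.\])[a-z0-9-]+)*\[\.\][a-z0-9-]+")
IPV4_RE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")
RUN_RE = re.compile(r"Run method: (.+)$")


def refang(s):
    """Turn the page's defanged notation back into a usable indicator."""
    return s.replace("[.]", ".").replace("hxxp", "http")


def parse_iocs(text):
    """Extract indicators into sets, plus compiled rundll32 launch patterns."""
    iocs = {"sha256": set(), "url": set(), "ip": set(), "domain": set(), "run": []}
    for line in text.splitlines():
        low = line.lower()
        iocs["sha256"].update(SHA256_RE.findall(low))
        iocs["url"].update(refang(u) for u in URL_RE.findall(line))
        for host in HOST_RE.findall(low):
            host = refang(host)
            iocs["ip" if IPV4_RE.fullmatch(host) else "domain"].add(host)
        m = RUN_RE.search(line)
        if m:
            # "[filename]" is the page's placeholder for the dropped DLL path;
            # escape the rest literally and let the placeholder match any path.
            pattern = re.escape(m.group(1)).replace(re.escape("[filename]"), r"(.+?)")
            iocs["run"].append(re.compile(pattern, re.IGNORECASE))
    return iocs


EVENTS = [  # constructed telemetry: two hits from the run methods, one benign rundll32
    {"type": "process", "cmdline": r"rundll32.exe C:\Users\bob\AppData\Local\Temp\JwWdx.dat,DllRegisterServer"},
    {"type": "process", "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"type": "process", "cmdline": r'rundll32.exe C:\Users\bob\AppData\Roaming\bob\Haimaw2.dll,update /i:"GlancePlay\license.dat"'},
    {"type": "dns", "query": "odichaly.space"},
    {"type": "dns", "query": "microsoft.com"},
    {"type": "net", "dst": "83.97.20.176"},
    {"type": "file", "sha256": "E989AA952F71816E08A8587BA20F37F5D6F4C5196D368B6229183AC9542E2C85"},
]


def match_events(iocs, events):
    """Return (event index, reason) for every event that matches an indicator."""
    hits = []
    for i, ev in enumerate(events):
        if ev["type"] == "process":
            for rx in iocs["run"]:
                if rx.search(ev["cmdline"]):
                    hits.append((i, "rundll32 launch pattern: " + rx.pattern))
                    break
        elif ev["type"] == "dns" and ev["query"].lower() in iocs["domain"]:
            hits.append((i, "DNS query for IOC domain " + ev["query"]))
        elif ev["type"] == "net" and ev["dst"] in iocs["ip"]:
            hits.append((i, "connection to IOC IP " + ev["dst"]))
        elif ev["type"] == "file" and ev["sha256"].lower() in iocs["sha256"]:
            hits.append((i, "file hash matches IOC"))
    return hits


if __name__ == "__main__":
    parsed = parse_iocs(IOC_TEXT)
    for idx, reason in match_events(parsed, EVENTS):
        print(f"event {idx}: {reason}")
```

The run-method patterns are the part worth keeping beyond this campaign: rundll32 invoking a .dat file by path with DllRegisterServer, or any DLL with an "update" export and a /i: argument, is a far more durable signal than the hashes or domains, which rotate between waves. Note that aws.amazon.com from the traffic section above is deliberately not an indicator (it is benign connectivity-check traffic), which is why the parser only accepts hosts written in defanged form.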