forked from PaloAltoNetworks/Unit42-timely-threat-intel
2021-03-15-IOCs-from-IcedID-infection.txt
2021-03-15 (MONDAY) ICEDID (BOKBOT) FROM EXCEL SPREADSHEET MACROS
REFERENCE:
- https://twitter.com/Unit42_Intel/status/1371592816510578689
INFECTION CHAIN:
- malicious spam --> ZIP attachment --> extract Excel file --> enable macros --> Installer DLL --> gziploader process --> IcedID
REFERENCE:
- https://www.binarydefense.com/icedid-gziploader-analysis/
ASSOCIATED MALWARE:
- SHA256 hash: 0b31911de524410fef3725f6fe5b565c6cb3e3b2ea5b7267bebc097f9fb57eb3
- File size: 156,675 bytes
- File name: CompensationClaim_605614143_03152021.zip
- File description: ZIP archive attached to malicious spam pushing IcedID
- SHA256 hash: 1852801558498c3bbc67b028b592ba9444a4e687a7f67737a393ce3f756d8c87
- File size: 239,104 bytes
- File name: CompensationClaim_605614143_03152021.xls
- File description: Extracted from the above ZIP archive, an Excel file with macro for IcedID
- SHA256 hash: f175d5883a0958f8ce10c387fef6c6750d26089e7413bf7b9a3767b655e61417
- File size: 44,544 bytes
- File location: hxxp://188.127.254[.]114/44270.7145450231.dat
- File location: hxxp://185.82.219[.]160/44270.7145450231.dat
- File location: hxxp://45.140.146[.]34/44270.7145450231.dat
- File location: C:\Users\[username]\SOT.GOT
- File location: C:\Users\[username]\SOT.GOT1
- File location: C:\Users\[username]\SOT.GOT2
- File description: Installer DLL for IcedID
- Run method: rundll32.exe [filename],DllRegisterServer
- SHA256 hash: 54d7277a2637bd8b410419f06a189b902243e91eb683435b931ae013d5a576f0
- File size: 36,352 bytes
- File location: C:\Users\[username]\AppData\Local\Temp\raise_x64.tmp
- File description: Initial IcedID DLL
- Run method: rundll32.exe [filename],update /i:[filepath]\license.dat
- SHA256 hash: 7b329e340343bcdf1a70d1b487093bb3a4579f603a97214ecdcf78b339a6a1fc
- File size: 36,352 bytes
- File location: C:\Users\[username]\AppData\Roaming\{00F0279B-1BB6-6935-485C-566FF0BA28FC}\[username]\ruoyan.dll
- File description: Persistent IcedID DLL
- Run method: rundll32.exe [filename],update /i:[filepath]\license.dat
- SHA256 hash: 45b6349ee9d53278f350b59d4a2a28890bbe9f9de6565453db4c085bb5875865
- File size: 341,002 bytes
- File location: C:\Users\[username]\AppData\Roaming\SpringGoat\license.dat
- File description: Data file used by the above two IcedID DLL files
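Added example (not part of the Unit42 list): detection logic for the two rundll32 run methods recorded above, run over constructed Sysmon-style process-creation events. The rules key on what the samples actually did, a DllRegisterServer export or an "update /i:...license.dat" argument invoked on a file under the user profile root, %TEMP% or %APPDATA%, rather than on the file names alone, so they would also fire on a re-packed build. The event layout, the rule names, the username "alice" and the parent process for the persistent stage are assumptions made for the example.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Minimal process-creation record (Sysmon Event ID 1 style); layout is assumed."""
    parent_image: str
    image: str
    command_line: str


# Run methods recorded in the IOC list above:
#   rundll32.exe [filename],DllRegisterServer
#   rundll32.exe [filename],update /i:[filepath]\license.dat
# The DLL path may be quoted and may contain spaces; it ends at the first comma.
RUNDLL32_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\w+)(?P<args>.*)$',
    re.IGNORECASE,
)
UPDATE_CFG_RE = re.compile(r'/i:"?(?P<cfg>[^"]+?)"?\s*$', re.IGNORECASE)

# Locations the samples above were written to: the profile root (SOT.GOT),
# %TEMP% (raise_x64.tmp) and %APPDATA% (ruoyan.dll). Legitimate DLL
# registration from these paths is rare, which is what keeps the noise down.
USER_PROFILE_ROOT_RE = re.compile(r'^[a-z]:\\users\\[^\\]+\\[^\\]+$', re.IGNORECASE)
TEMP_RE = re.compile(r'\\appdata\\local\\temp\\', re.IGNORECASE)
ROAMING_RE = re.compile(r'\\appdata\\roaming\\', re.IGNORECASE)
OFFICE_RE = re.compile(r'\\(excel|winword|powerpnt|outlook)\.exe$', re.IGNORECASE)


def user_writable(path: str) -> bool:
    return bool(USER_PROFILE_ROOT_RE.match(path) or TEMP_RE.search(path) or ROAMING_RE.search(path))


def classify(event: ProcessEvent) -> list:
    """Return the names of the rules that fire on one rundll32 process-creation event."""
    hits = []
    m = RUNDLL32_RE.search(event.command_line)
    if not m:
        return hits
    dll, export, args = m.group('dll'), m.group('export').lower(), m.group('args')
    if export == 'dllregisterserver' and user_writable(dll):
        hits.append('dllregisterserver_from_user_path')   # installer DLL stage
    if export == 'update':
        cfg = UPDATE_CFG_RE.search(args)
        if cfg and cfg.group('cfg').lower().endswith('license.dat'):
            hits.append('update_with_license_dat')         # IcedID DLL plus its data file
        elif user_writable(dll):
            hits.append('update_from_user_path')
    if hits and not dll.lower().endswith('.dll'):
        hits.append('non_dll_extension')                   # SOT.GOT, raise_x64.tmp
    if hits and OFFICE_RE.search(event.parent_image):
        hits.append('office_parent')                       # macro -> rundll32 chain
    return hits


# Constructed events for the stages described above; 'alice' stands in for [username]
# and the parent of the persistent stage is assumed, not taken from the list.
SAMPLE_EVENTS = {
    'installer': ProcessEvent(
        r'C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE',
        r'C:\Windows\System32\rundll32.exe',
        r'rundll32.exe C:\Users\alice\SOT.GOT,DllRegisterServer'),
    'initial': ProcessEvent(
        r'C:\Windows\System32\rundll32.exe',
        r'C:\Windows\System32\rundll32.exe',
        r'rundll32.exe C:\Users\alice\AppData\Local\Temp\raise_x64.tmp,update '
        r'/i:C:\Users\alice\AppData\Roaming\SpringGoat\license.dat'),
    'persistent': ProcessEvent(
        r'C:\Windows\System32\svchost.exe',
        r'C:\Windows\System32\rundll32.exe',
        r'rundll32.exe "C:\Users\alice\AppData\Roaming\{00F0279B-1BB6-6935-485C-566FF0BA28FC}\alice\ruoyan.dll",update '
        r'/i:"C:\Users\alice\AppData\Roaming\SpringGoat\license.dat"'),
    'benign_cpl': ProcessEvent(
        r'C:\Windows\explorer.exe',
        r'C:\Windows\System32\rundll32.exe',
        r'rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL'),
    'benign_regsvr': ProcessEvent(
        r'C:\Windows\System32\msiexec.exe',
        r'C:\Windows\System32\rundll32.exe',
        r'rundll32.exe "C:\Program Files\Vendor\vendor.dll",DllRegisterServer'),
}


def run_sample() -> dict:
    """Run the rules over the constructed events; returns {name: [rules that fired]}."""
    return {name: classify(ev) for name, ev in SAMPLE_EVENTS.items()}


if __name__ == '__main__':
    for name, rules in run_sample().items():
        print(f'{name:15s} {rules or "-"}')
```

The two benign events show why the path check matters: installers register DLLs from Program Files with the same DllRegisterServer export, and Control Panel applets go through rundll32 all day. The "update /i:" rule is the more specific of the two, since that export name and the license.dat argument are tied to the IcedID DLLs themselves rather than to the generic loader.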
TRAFFIC TO RETRIEVE INSTALLER DLL FOR ICEDID:
- 188.127.254[.]114 port 80 - 188.127.254[.]114 - GET /44270.7145450231.dat
- 185.82.219[.]160 port 80 - 185.82.219[.]160 - GET /44270.7145450231.dat
- 45.140.146[.]34 port 80 - 45.140.146[.]34 - GET /44270.7145450231.dat
TRAFFIC GENERATED BY INSTALLER DLL:
- port 443 - aws.amazon.com - HTTPS traffic
- 178.128.243[.]14 port 80 - apoxiolazio55[.]space GET /
ICEDID C2 TRAFFIC:
- 165.227.28[.]47 port 443 - twotoiletsr[.]space - HTTPS traffic
- 165.227.28[.]47 port 443 - iporumuski[.]fun - HTTPS traffic
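Added example (not part of the Unit42 list): a parser for the defanged format used above that refangs "hxxp" and "[.]", splits the result into hashes, URLs, IPv4 addresses and domains, and checks constructed proxy-log records against them. Indicators are excerpted from the list itself; the proxy-log layout, the function names and the 10.0.0.0/8 and 203.0.113.0/24 addresses are assumptions. aws.amazon.com is listed above as traffic from the installer, but it is a legitimate domain, so the example allowlists it rather than matching on it; that is an editorial choice, not something the list states.

```python
import re
from urllib.parse import urlsplit

# Excerpt of the indicators above, copied in the list's own defanged form.
IOC_TEXT = """\
- SHA256 hash: 0b31911de524410fef3725f6fe5b565c6cb3e3b2ea5b7267bebc097f9fb57eb3
- SHA256 hash: f175d5883a0958f8ce10c387fef6c6750d26089e7413bf7b9a3767b655e61417
- File location: hxxp://188.127.254[.]114/44270.7145450231.dat
- File location: hxxp://185.82.219[.]160/44270.7145450231.dat
- File location: hxxp://45.140.146[.]34/44270.7145450231.dat
- 188.127.254[.]114 port 80 - 188.127.254[.]114 - GET /44270.7145450231.dat
- port 443 - aws.amazon.com - HTTPS traffic
- 178.128.243[.]14 port 80 - apoxiolazio55[.]space GET /
- 165.227.28[.]47 port 443 - twotoiletsr[.]space - HTTPS traffic
- 165.227.28[.]47 port 443 - iporumuski[.]fun - HTTPS traffic
"""

# aws.amazon.com is recorded above as traffic generated by the installer, but it is a
# legitimate domain; matching it would only produce noise, so it is kept as context.
ALLOWLIST = {'aws.amazon.com'}

SHA256_RE = re.compile(r'\b[0-9a-f]{64}\b', re.IGNORECASE)
URL_RE = re.compile(r'https?://\S+', re.IGNORECASE)
IPV4_RE = re.compile(r'^(?:\d{1,3}\.){3}\d{1,3}$')
# "<ip> port <n> - <host> ..." traffic lines; the IP is absent on the aws.amazon.com line.
TRAFFIC_RE = re.compile(r'^- (?:(?P<ip>(?:\d{1,3}\.){3}\d{1,3}) )?port (?P<port>\d+) - (?P<host>\S+)')


def refang(text: str) -> str:
    """Undo the hxxp:// and [.] defanging so indicators compare against real logs."""
    return re.sub(r'hxxp', 'http', text, flags=re.IGNORECASE).replace('[.]', '.')


def parse_iocs(text: str) -> dict:
    """Split the list into typed indicator sets."""
    iocs = {'sha256': set(), 'url': set(), 'ipv4': set(), 'domain': set()}

    def add_host(host):
        if host in ALLOWLIST:
            return
        (iocs['ipv4'] if IPV4_RE.match(host) else iocs['domain']).add(host.lower())

    for line in text.splitlines():
        if not line.startswith('- '):
            continue
        line = refang(line)
        iocs['sha256'].update(h.lower() for h in SHA256_RE.findall(line))
        for url in URL_RE.findall(line):
            iocs['url'].add(url)
            add_host(urlsplit(url).hostname)
        t = TRAFFIC_RE.match(line)
        if t:
            if t.group('ip'):
                iocs['ipv4'].add(t.group('ip'))
            add_host(t.group('host'))
    return iocs


# Constructed proxy log, "<ts> <src> <dst> <dport> <host> <method> <path>";
# the benign destinations use TEST-NET addresses.
SAMPLE_PROXY_LOG = [
    '2021-03-15T14:02:11Z 10.0.0.23 188.127.254.114 80 188.127.254.114 GET /44270.7145450231.dat',
    '2021-03-15T14:02:15Z 10.0.0.23 203.0.113.5 443 aws.amazon.com CONNECT -',
    '2021-03-15T14:02:16Z 10.0.0.23 178.128.243.14 80 apoxiolazio55.space GET /',
    '2021-03-15T14:02:40Z 10.0.0.23 165.227.28.47 443 twotoiletsr.space CONNECT -',
    '2021-03-15T14:03:00Z 10.0.0.44 203.0.113.9 443 www.example.com CONNECT -',
]


def match_proxy_log(iocs: dict, lines) -> list:
    """Return the records whose full URL (plain HTTP on 80), host or destination IP is an indicator."""
    matches = []
    for line in lines:
        ts, src, dst, dport, host, method, path = line.split()
        hits = []
        if method == 'GET' and dport == '80' and f'http://{host}{path}' in iocs['url']:
            hits.append('url')
        if host.lower() in iocs['domain']:
            hits.append('domain')
        if dst in iocs['ipv4']:
            hits.append('ipv4')
        if hits:
            matches.append({'ts': ts, 'src': src, 'dst': dst, 'host': host, 'hits': hits})
    return matches


if __name__ == '__main__':
    found = parse_iocs(IOC_TEXT)
    for record in match_proxy_log(found, SAMPLE_PROXY_LOG):
        print(record)
```

The traffic lines are parsed by their own shape rather than by a generic domain regex, because a generic pattern would also pick up "44270.7145450231.dat" from the download path as if it were a host. Hashes and IPs from the list are worth checking against EDR and flow data too; the proxy-log matcher here only covers the URL, host and destination-IP views.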