This repository was archived by the owner on Oct 13, 2025. It is now read-only.
224 changes: 112 additions & 112 deletions TA551/2020-09-21-TA551-IOCs-for-IcedID.txt
@@ -1,60 +1,60 @@
2020-09-21 (MONDAY) - TA551 (SHATHAK) WORD DOCS WITH MACROS FOR ICEDID:

CHAIN OF EVENTS:

- malspam --> password-protected zip attachment --> extracted Word doc --> enable macros --> installer DLL --> IcedID EXE

12 EXAMPLES OF TA551 WORD DOCS WITH MACROS FOR ICEDID:

- 9f240737183f8b52fc33daa475e11a3fc0655538728e56edc71ff49626549ada certificate 09.20.doc
- 2d2f0a3e263c64c98457a3d4bce8a22d53d1c7f9c2326dcdd1578cb5037587fe commerce -09.21.2020.doc
- 3e12c287478608aafc8ef1abeba25c526863e9e47d78d314cfc20077d73ae653 commerce ,09.20.doc
- 562956706eb0b658fcad5f23d11c4a8670dda18666b04bf7127f9b1ac1be8907 docs.09.21.20.doc
- 2925f852e2fc04c4849b5e47306373837305d9bf003e79ceb08762b505759259 document,09.20.doc
- 0f9ae46bd910f799fd11c5cc46f7c3ffbc0a2f7280cc3fe867b763a5f5f64258 inquiry_09.20.doc
- c37dd0bbd07f3acedf516c07c3fdc023b0ba5082c3959ddda9498fa6c52df09f instrument_indenture,09.20.doc
- ad33adc035c689f4ab8f1d3cd49027b9ef804bb60c9a44bff2be585c02e794b3 legal agreement 09.21.2020.doc
- 749140091ae47c29826a9f92a19381e060eff987299c2eb521f9ce833b2954f2 material_09.20.doc
- c388475c08bcac2336e8b1efdf524d12a6194818e3c8194516b953fba654ac8f prescribe 09.20.doc
- 8e9e0af52ff82cdc71e27bf27b157ef3adc00d3078a949d4deeb16a5e4225874 require 09.21.2020.doc
- c3da3134de3b14d168e4e0f29c7c893ff3920b9d5ed6e566e0e15c4348ad9659 statistics,09.20.doc

AT LEAST 10 DOMAINS HOSTING THE ICEDID DLL:

- csxciyt[.]com - 83.166.214[.]17
- dsb5vd[.]com - 185.159.129[.]44
- f9pv81[.]com - 185.219.40[.]246
- hq1m7wt[.]com - 37.230.117[.]49
- ldzcb4[.]com - 185.135.81[.]234
- lkcij4k[.]com - 185.87.51[.]204
- k21ddmo[.]com - 212.109.221[.]95
- mwd3sq[.]com - 194.31.237[.]38
- q9d2ya[.]com - 80.87.197[.]19
- rb16q6a[.]com - 89.223.100[.]173

URLS FOR ICEDID DLL:

- GET /foqa/kucow.php?l=kofo1.cab
- GET /foqa/kucow.php?l=kofo2.cab
- GET /foqa/kucow.php?l=kofo3.cab
- GET /foqa/kucow.php?l=kofo4.cab
- GET /foqa/kucow.php?l=kofo5.cab
- GET /foqa/kucow.php?l=kofo6.cab
- GET /foqa/kucow.php?l=kofo7.cab
- GET /foqa/kucow.php?l=kofo8.cab
- GET /foqa/kucow.php?l=kofo9.cab
- GET /foqa/kucow.php?l=kofo10.cab
- GET /foqa/kucow.php?l=kofo11.cab
- GET /foqa/kucow.php?l=kofo12.cab
- GET /foqa/kucow.php?l=kofo13.cab
- GET /foqa/kucow.php?l=kofo14.cab
- GET /foqa/kucow.php?l=kofo15.cab
- GET /foqa/kucow.php?l=kofo16.cab
- GET /foqa/kucow.php?l=kofo17.cab
- GET /foqa/kucow.php?l=kofo18.cab

12 EXAMPLES OF ICEDID INSTALLER DLLS:

2020-09-21 (MONDAY) - TA551 (SHATHAK) WORD DOCS WITH MACROS FOR ICEDID:
CHAIN OF EVENTS:
- malspam --> password-protected zip attachment --> extracted Word doc --> enable macros --> installer DLL --> IcedID EXE
12 EXAMPLES OF TA551 WORD DOCS WITH MACROS FOR ICEDID:
- 9f240737183f8b52fc33daa475e11a3fc0655538728e56edc71ff49626549ada certificate 09.20.doc
- 2d2f0a3e263c64c98457a3d4bce8a22d53d1c7f9c2326dcdd1578cb5037587fe commerce -09.21.2020.doc
- 3e12c287478608aafc8ef1abeba25c526863e9e47d78d314cfc20077d73ae653 commerce ,09.20.doc
- 562956706eb0b658fcad5f23d11c4a8670dda18666b04bf7127f9b1ac1be8907 docs.09.21.20.doc
- 2925f852e2fc04c4849b5e47306373837305d9bf003e79ceb08762b505759259 document,09.20.doc
- 0f9ae46bd910f799fd11c5cc46f7c3ffbc0a2f7280cc3fe867b763a5f5f64258 inquiry_09.20.doc
- c37dd0bbd07f3acedf516c07c3fdc023b0ba5082c3959ddda9498fa6c52df09f instrument_indenture,09.20.doc
- ad33adc035c689f4ab8f1d3cd49027b9ef804bb60c9a44bff2be585c02e794b3 legal agreement 09.21.2020.doc
- 749140091ae47c29826a9f92a19381e060eff987299c2eb521f9ce833b2954f2 material_09.20.doc
- c388475c08bcac2336e8b1efdf524d12a6194818e3c8194516b953fba654ac8f prescribe 09.20.doc
- 8e9e0af52ff82cdc71e27bf27b157ef3adc00d3078a949d4deeb16a5e4225874 require 09.21.2020.doc
- c3da3134de3b14d168e4e0f29c7c893ff3920b9d5ed6e566e0e15c4348ad9659 statistics,09.20.doc
AT LEAST 10 DOMAINS HOSTING THE ICEDID DLL:
- csxciyt[.]com - 83.166.214[.]17
- dsb5vd[.]com - 185.159.129[.]44
- f9pv81[.]com - 185.219.40[.]246
- hq1m7wt[.]com - 37.230.117[.]49
- ldzcb4[.]com - 185.135.81[.]234
- lkcij4k[.]com - 185.87.51[.]204
- k21ddmo[.]com - 212.109.221[.]95
- mwd3sq[.]com - 194.31.237[.]38
- q9d2ya[.]com - 80.87.197[.]19
- rb16q6a[.]com - 89.223.100[.]173
URLS FOR ICEDID DLL:
- GET /foqa/kucow.php?l=kofo1.cab
- GET /foqa/kucow.php?l=kofo2.cab
- GET /foqa/kucow.php?l=kofo3.cab
- GET /foqa/kucow.php?l=kofo4.cab
- GET /foqa/kucow.php?l=kofo5.cab
- GET /foqa/kucow.php?l=kofo6.cab
- GET /foqa/kucow.php?l=kofo7.cab
- GET /foqa/kucow.php?l=kofo8.cab
- GET /foqa/kucow.php?l=kofo9.cab
- GET /foqa/kucow.php?l=kofo10.cab
- GET /foqa/kucow.php?l=kofo11.cab
- GET /foqa/kucow.php?l=kofo12.cab
- GET /foqa/kucow.php?l=kofo13.cab
- GET /foqa/kucow.php?l=kofo14.cab
- GET /foqa/kucow.php?l=kofo15.cab
- GET /foqa/kucow.php?l=kofo16.cab
- GET /foqa/kucow.php?l=kofo17.cab
- GET /foqa/kucow.php?l=kofo18.cab
12 EXAMPLES OF ICEDID INSTALLER DLLS:
- 1d916a05e07aa61bb84504cd7cf70e920549dde98a3eafebfde3e13d3137df24
- 2de6bde148b9a42a65f5dae36c903811e56d702d7d319900877f2d5d74273236
- 30ac7415f1cdd5984cdfe15961eb46211c444786c453cfe8525dacd7c76c28b6
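Review bot: every line in this hunk is removed and re-added with identical content; the only difference between the two sides is the blank line that used to follow each section heading and each list (for example between `CHAIN OF EVENTS:` and `- malspam --> password-protected zip attachment ...`, and between the last `.doc` entry and `AT LEAST 10 DOMAINS HOSTING THE ICEDID DLL:`). A whitespace-only rewrite turns a small IOC update into a 112/112 diff and makes any real indicator correction in the file hard to spot in review. If the blank lines were dropped on purpose, say so in the commit message; otherwise keep the original spacing, which also keeps headings visually separated from the defanged hashes, domains and URLs for anyone who parses this file into a blocklist.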
@@ -66,58 +66,58 @@ URLS FOR ICEDID DLL:
- c24e8099dffe2d9ddebc10b44b6d992043a7a88f0c24bdd7b462e750813dd92e
- c53e0f2ba4d0ff61ed41d31cb5671c96ba8a98afbf32f1e76cd88e5061c20370
- d4daab6448cab62e16091169f451e9b455a3607df6ceabccdd0610473d419a6c
- ea1d92c3d94727066636b93e3cfe85331eb2865e15f86bc20978be99272ddb0d

EXAMPLES OF LOCATION FOR THE INSTALLER DLL FILE:

- C:\ProgramData\b467e.pdf
- C:\ProgramData\cbd30.pdf
- C:\ProgramData\dbf1f.pdf
- C:\ProgramData\e325b.pdf
- C:\ProgramData\ff2ac.pdf
- C:\ProgramData\ffadc.pdf

DLL RUN METHOD:

- regsvr32.exe [filename]

AT LEAST x DIFFERENT URLS FOR HTTPS TRAFFIC GENERATED BY INSTALLER DLLS:

- 142.93.218[.]110 port 443 - ldrphound[.]casa - GET /background.png
- 142.93.218[.]110 port 443 - ldrpeso[.]casa - GET /background.png
- 134.122.55[.]164 port 443 - ldrruble[.]casa - GET /background.png

SHA256 HASHES FOR ICEDID EXE CREATED BY ICEDID INSTALLER (EXAMPLE 1 OF 2):

- 4aa11721ca11223bc5dd7d756c7fe5cc9d2d05d7e20f1e0b66c68fd0d59fb172 (initial)
- 4ab7976b062def0c7c1231e2a8d663c8a2e0c14f305b573dbc0b8ff49d10f3ba (persistent)

HTTPS TRAFFIC TO MALICIOUS DOMAINS CAUSED BY THE ABOVE ICEDID EXE FILES:

- 134.122.101[.]157 port 443 - likofedo[.]club
- 134.122.101[.]157 port 443 - doremifasol[.]online
- 134.122.101[.]157 port 443 - 10hesadety[.]pw
- 134.122.101[.]157 port 443 - bcertyou[.]cyou
- 134.122.101[.]157 port 443 - 85.vumbut[.]best

SHA256 HASHES FOR ICEDID EXE CREATED BY ICEDID INSTALLER (EXAMPLE 2 OF 2):

- 5892f7ad0218286a2e52a5eedbea62c80532a70fa51b2d202b38ad2fcf61cedb (initial)
- aa1c66821155d2d77cdc8e114c2b9cdf5bcc5ea35ecfd7d3681e254882080cca (persistent)

HTTPS TRAFFIC TO MALICIOUS DOMAINS CAUSED BY THE ABOVE ICEDID EXE FILES:

- 161.35.33[.]38 port 443 - gaagachelo[.]cyou
- 161.35.33[.]38 port 443 - odnovoennbundes[.]cyou
- 161.35.33[.]38 port 443 - obnaprimezert[.]cyou
- 161.35.33[.]38 port 443 - sprbumazna[.]club
- 161.35.33[.]38 port 443 - uragapediculez[.]top

HTTPS TRAFFIC TO LEGITIMATE DOMAINS CAUSED BY INSTALLER DLLS:

- port 443 - www.intel.com
- port 443 - support.oracle.com
- port 443 - www.oracle.com
- port 443 - support.apple.com
- port 443 - support.microsoft.com
- port 443 - help.twitter.com
- ea1d92c3d94727066636b93e3cfe85331eb2865e15f86bc20978be99272ddb0d
EXAMPLES OF LOCATION FOR THE INSTALLER DLL FILE:
- C:\ProgramData\b467e.pdf
- C:\ProgramData\cbd30.pdf
- C:\ProgramData\dbf1f.pdf
- C:\ProgramData\e325b.pdf
- C:\ProgramData\ff2ac.pdf
- C:\ProgramData\ffadc.pdf
DLL RUN METHOD:
- regsvr32.exe [filename]
AT LEAST x DIFFERENT URLS FOR HTTPS TRAFFIC GENERATED BY INSTALLER DLLS:
- 142.93.218[.]110 port 443 - ldrphound[.]casa - GET /background.png
- 142.93.218[.]110 port 443 - ldrpeso[.]casa - GET /background.png
- 134.122.55[.]164 port 443 - ldrruble[.]casa - GET /background.png
SHA256 HASHES FOR ICEDID EXE CREATED BY ICEDID INSTALLER (EXAMPLE 1 OF 2):
- 4aa11721ca11223bc5dd7d756c7fe5cc9d2d05d7e20f1e0b66c68fd0d59fb172 (initial)
- 4ab7976b062def0c7c1231e2a8d663c8a2e0c14f305b573dbc0b8ff49d10f3ba (persistent)
HTTPS TRAFFIC TO MALICIOUS DOMAINS CAUSED BY THE ABOVE ICEDID EXE FILES:
- 134.122.101[.]157 port 443 - likofedo[.]club
- 134.122.101[.]157 port 443 - doremifasol[.]online
- 134.122.101[.]157 port 443 - 10hesadety[.]pw
- 134.122.101[.]157 port 443 - bcertyou[.]cyou
- 134.122.101[.]157 port 443 - 85vumbut[.]best
SHA256 HASHES FOR ICEDID EXE CREATED BY ICEDID INSTALLER (EXAMPLE 2 OF 2):
- 5892f7ad0218286a2e52a5eedbea62c80532a70fa51b2d202b38ad2fcf61cedb (initial)
- aa1c66821155d2d77cdc8e114c2b9cdf5bcc5ea35ecfd7d3681e254882080cca (persistent)
HTTPS TRAFFIC TO MALICIOUS DOMAINS CAUSED BY THE ABOVE ICEDID EXE FILES:
- 161.35.33[.]38 port 443 - gaagachelo[.]cyou
- 161.35.33[.]38 port 443 - odnovoennbundes[.]cyou
- 161.35.33[.]38 port 443 - obnaprimezert[.]cyou
- 161.35.33[.]38 port 443 - sprbumazna[.]club
- 161.35.33[.]38 port 443 - uragapediculez[.]top
HTTPS TRAFFIC TO LEGITIMATE DOMAINS CAUSED BY INSTALLER DLLS:
- port 443 - www.intel.com
- port 443 - support.oracle.com
- port 443 - www.oracle.com
- port 443 - support.apple.com
- port 443 - support.microsoft.com
- port 443 - help.twitter.com
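Review bot: the one substantive change in this hunk, `85.vumbut[.]best` becoming `85vumbut[.]best` in the HTTPS-traffic list for the first IcedID EXE (example 1 of 2), is buried among 58 removed and 58 re-added lines that otherwise differ only in blank lines; please call the domain correction out in the commit message, since it changes a defanged indicator that downstream consumers may already have ingested from the earlier revision. While here, the heading `AT LEAST x DIFFERENT URLS FOR HTTPS TRAFFIC GENERATED BY INSTALLER DLLS:` still carries the placeholder `x` on both sides of the diff; the list beneath it has three entries, so either fill the count in or drop the `AT LEAST x` qualifier.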