2022-10-04-IOCs-for-IcedID-infection-with-Cobalt-Strike.txt

2022-10-04 (TUESDAY) - ICEDID (BOKBOT) INFECTION WITH COBALT STRIKE

REFERENCE:

- https://twitter.com/Unit42_Intel/status/1577773890012594177

INFECTION CHAIN:

- email --> HTML attachment --> password-protected zip --> ISO image --> Windows shortcut runs installer DLL --> IcedID C2 --> Cobalt Strike

16 EXAMPLES OF HTML ATTACHMENTS:

- 8ddb832907c67d27e15bd8cde80809dcf5fa61eb60dc7033395ff186eb90e125 aipare+doc+10.04.22.html
- 7b609483bdaf3191f334860750ed8a74993d006119447471e0c1a8e0168ae863 ajhsolutions+invoice+10.04.html
- 82a32d326b3ae21d3c716cd7c2e3969fa2ab9e7c144a6ef3dfc8f65fb63a6a28 albinali-document-10.04.2022.html
- 2c22ad0604052a2ed42e12ccfc9691b324daf08489de14991b4e562745e7ab77 allsoulsmb-invoice-10.04.2022.html
- 55ace25fda086db024b45a0cb4ed0adea4da42791165ba05b992dc17625790c7 almoez_invoice_10.04.22.html
- f7b68d6981a6e94070c74844ed5ba3634dfbbc1a3f0ceb346a2d828114efe68a alohatruss.file.10.04.2022.html
- fcffd720bf5da856048902aae3f6a98a87ea48175a3c47efc11d002a5b6961b3 aramsolar+document+10.04.html
- a582ce5578830a87ea0b6c2198638dc0a3391ce2d901d79bb40d48d616d638ac atlanticbbn,document,10.04.2022.html
- cfef49cc83dee304e30d6ce7079627e4262d93ee65472e0d098351e4b30a3fe4 autotechnologiesinc-document-10.04.2022.html
- 4195fffc60cf68f3542119c0fa48fb2903f82c97404c328d4b2a65d367c2935f bdcanarias.document.10.04.2022.html
- b2bfbf4ebee23a12425d38e65482a578add6109f9feb1a3fad92a8e00a465aef beautybasicsupply-document-10.04.2022.html
- 6715c8587a70b9133d15bf8a5e8433ddd24651e71ba90c1c8cdf00f838848f0a beljan-file-10.04.html
- d06c287885ff24b34f866831e49186f824b4c9452b7e0f7af317dffdcaf954de bewleysweeper-file-10.04.html
- 5cd8ae0ddf6b9f504944a738d87b219e46a91d8c12e95a61281da4fb8ca3210d demoscan-207.html
- 83b7a677cadfb491e159cdb474a30ffa33a06dbeec42b01e51da59124151fd7c list_of_documents-376.html
- cb8157a92b54bf4c2268c59ac856788ef2db8de7489ef5c027fc7c173a12cb32 scandocument-364.html

16 EXAMPLES OF ZIP ARCHIVES PRESENTED BY THE ABOVE HTML FILES:

- 13679d8ff8d5523ded69dc483884b35cec62f6ce0fafaba2cc98d9b5eb9f66dc attachment.zip (password: 5cI_MLrW)
- 185aea757706058bb4f3d99004c7106b27e9fd44f8a7cd93dd7566215ad65061 attachment.zip (password: 9Y0YFgp6)
- 4a6db88f99be6de39dd348990e1a78576b6754c850ee32ba1d264df712e0f56b attachment.zip (password: 9t-T8ZWp)
- e71409734912c99ad77c5f57d3267f6ca88b335ae779e9c96c843ac37b693339 attachment.zip (password: Cie7WffR)
- 6b7c44a29d6af9ade5b602d6d5c34abafe88e756cac3b944c6fba349faee833a attachment.zip (password: JOkx1rgz)
- 291615c2693df5230dbc32562863e0797fbe212907c3b8820ddfa9fc7e167c9d attachment.zip (password: OrUpAZeJ)
- 73e34ea3cf4ad6dfb6d1ad2c36660a55367a842121abfaa9b0f883886155c9c3 attachment.zip (password: Q6jgYLPU)
- 2c0b8b47613dc982aad3a6c0ae6fe67b78726d6d3ab162695acde215a98a4e69 attachment.zip (password: TrJenpcF)
- 5f6b19b1cfce7e9d9dbdc2054dfa4d43855c2973242e42a60ca7feb50cfc0bde attachment.zip (password: VlRSR61X)
- 22e943fac6a4480eb30f9727f715b1548a13576bef57b11f9599333a2a16a26c attachment.zip (password: W8q52ogX)
- 530c2edea3aed8bcbca6f378449ce0a529b8cbbc8a7d53e497bfe0b99e1d39d5 attachment.zip (password: XyURBqI0)
- 1ad879708daf00e6895e6e93a0b3399427e4c464bc0209477bc2bcce9a087d21 attachment.zip (password: bNRdqoQR)
- 8c25c9790402b32cce514dee4b86e0c43b5b70f3c19e054189088e77d713df7d attachment.zip (password: j6rsbEul)
- 81f2377007550edcca42bbb5c573289bbfa1c95f5d2b9a0b2696516149761946 attachment.zip (password: oaQfw1HZ)
- c2034152de46d85ad05903096613aaa38e86cf9ddd2e33185f4ee92ebe5d7dcb attachment.zip (password: xX_9X886)
- 657ef26c2e62b6d5598f6edd4a54f857e3acf951c2b36e49ef6a28c0f92d2ac6 attachment.zip (password: yR34TWSB)

16 EXAMPLES OF ISO IMAGES EXTRACTED FROM THE ABOVE ZIP ARCHIVES:

- 9bce1cc26f6f5676615758551ba352f961448a8955cf587e6724579be7dbc818 demoscan-4c8ad5f0-49d5-43fd-89c3-b9da57f0a126.iso
- cb391142773651eba72b81a5fdd1c78c846358b059a264f20172d29ba092918f demoscan-4f25ba30-bbd0-4415-a109-a4e2d2d97e01.iso
- c67fea5212880c10bca58279286435422462fe73e75a87d8f5a1760064b65184 demoscan-d7ae2907-12e7-4fac-8402-0f2617da6da8.iso
- 12c12e12b7bd05f3bcf4851633986af8da487146018933454c19fc9050ff0686 demoscan-eab936f0-7a72-4dc9-8c5a-5469e8ba7c98.iso
- 396490eeb6160fa07014a84e04e2feabc93e2f4fa8237549b2273a9248768bd0 document-06b4e33e-eb6b-4e73-bba7-0fd6bd0beeb7.iso
- f53828673e05ab9ada9d2660d4a378423e129b31fc2bcb0cb9efdbd074ffa1ec document-1764f645-6895-4a43-bbc7-0b56fe607a9b.iso
- 76aaa740e7521c0b1c986c8eec9d0327bd67206f142910564a041825d8dcfee6 document-892d04df-b197-4a95-8bf7-c8f0b817872e.iso
- 1cb931a7539d1e340975b0b2a95cb37a784ed5f0f910e5bc9050bd73469073e3 for_you_presentation-1724680a-9d89-40b7-8567-6c8e5dba127b.iso
- b8d1b55d3b9222e05cdce0325f0b2f989a915dc76e103598ee0190aee85e5f52 for_you_presentation-1d98827c-258b-4773-a7b9-b9a9baf47879.iso
- 3f547399135cc54d2bb54217cc85815e093d9bbecb471e5a9a43547a4a3357ae list_of_documents-55191b44-0b6e-4c0f-bb2a-fbf291030301.iso
- 7ee247713e47f172dbf93e61283d15c5e2598feeb361b2a06b99f6dace78c296 list_of_documents-b6c1c2b9-49c9-4ab7-9481-54a765f8a48a.iso
- ce26998a51863a04861e110e3a5514c89cd4198fe3074fe159b53bad56ffa086 notice-e37b9874-2b64-4b16-9c81-e16e28918eec.iso
- 9707eda89b032e6bfd9b7be4218c8ce8452a947ad078af1ed5047ea454f9a499 order-aff124a3-31d8-4ad4-a130-d941172d4eb2.iso
- 2ec7242456801cd2864191f96ea876cf1053b54b8e36781fe6526d6f91646e36 order-c306a429-aea0-4fdd-a9ea-31ece2ab531e.iso
- e7730128331d995d26bf580381875075f9fb5e098e3fbad3908477fce35c87b3 order-fef9c700-1855-4f2d-807b-080897d8cc2e.iso
- a79f0e93771c588a09bee6774d64c1451128cc018cef99fb25e765dfcef4e319 scandocument-29f4f28d-2e8e-446b-8801-5860be22074a.iso

CONTENTS OF THE ABOVE ISO IMAGES (.LNK FILE RUNS ICEDID DLL):

- 9e7ab27b89884175a2520cf92d3fae2ae082799cf3109d2d45bde3fd360f1adb af06a6f8-ce22-4529-876e-e5f64cdfb78d.OYB (IcedID DLL)
- 3251494f94f61bfa69b2abdc7eb7e174c1c16cd93bdb74c7f198acc9814178b9 bedfcf0e-068f-4fe1-b70f-80ddd132a913.png
- 7e6c26eabf89bff4856ab5e3a459381aa7feae06e59c7b8123c8947c4e3d0158 demoscan-4c8ad5f0-49d5-43fd-89c3-b9da57f0a126.lnk
- 9f37a667a91246bd4b8113345169ceb2740c378f774760b829c0984e7a179838 b6cd96e3-0d74-4e5e-8c25-7c86b41e268b.png
- f7f41a1f1438ee7b5a670997b921dfd0c1f12781bb6bf8a1aba72fe5de0e7ddd demoscan-4f25ba30-bbd0-4415-a109-a4e2d2d97e01.lnk
- 61752de0ccc4dfcd0ac1f39bdee088337c1a9bb32bc149f3fc4447ea79ac04a6 efbff6fd-1bfc-46bc-a4a4-cd43ef8d1ff8.gWX (IcedID DLL)
- 02a907cb134b1aa4c5a3f7f7c2639fc19bf718b1d6d6c28b25099a0d5d4c1aab 65df3cd1-7af9-4194-adfa-6007726bf274.y4z (IcedID DLL)
- 80f213db61e9ab36a59a21060f22bf28770d1e8bd2d97a5569447ae89d3e8cba 790f2ef0-cd20-4a75-8a18-9bdce53cfeb1.png
- 2c186dde2446ee238f26c79faf132488b0e80488615f81dc1f1e319f10e99fcd demoscan-d7ae2907-12e7-4fac-8402-0f2617da6da8.lnk
- e6d41a5b58a0516a3a1ba4715ca1ab9dc893622db99856a8289cb74e8b16a2f2 560649bd-2adf-446c-aa73-9abb0d03cd2f.sdt (IcedID DLL)
- 89151fa96b1c822f745a42b34ef0565203348a72ee0f00ee39a949cddd4d5d98 c0da5855-ddd9-4351-a88a-8af64637984e.png
- 509da85f9293ad96aa9b2208723d844c7dc6a70cb38d64878730cf1405562912 demoscan-eab936f0-7a72-4dc9-8c5a-5469e8ba7c98.lnk
- fee948c063f0967aa2935b0bcecc60f04d571156140798e0085db23ded4dc304 12020edc-3d5c-4e1a-9fbf-13cb66bbd3a7.B4K (IcedID DLL)
- 29309d14f480741e3026d83913a6c29731ca3c00f95c27ed485907a7ba6df37d b56df379-0c8c-4794-97a6-33a0409f3ba7.png
- b63236070bed29ae29db09534d225978b775e00325dc874651ccacb6ceef0eb7 document-06b4e33e-eb6b-4e73-bba7-0fd6bd0beeb7.lnk
- 991e11cc33dc6c96fad498d6e8d816303b7e8655c89d9964624cfcd05fd55bad 185bb8d7-238f-4e4d-92c0-dfe7e4e07002.png
- 850757b5b223c6780940b8877802dbe41e43547d449ab2fc877ceecb1e08dd7d 33c655b6-3d8c-448e-8a6c-cc5d63fa2d58.ZG2 (IcedID DLL)
- 44ca8191d83a40fea6ba6dc800da46d2cf224a53b9aec96501acd18b30058025 document-1764f645-6895-4a43-bbc7-0b56fe607a9b.lnk
- 6850ab00ab488232856ad16aa43c8ea9be56af0428792a33966dd74e4ef65bda 2795beb5-83ea-4855-96da-3764522b48b7.png
- 7fd809f8a1f0bea701a4e39d36474c90aa5636071cdc5061a773e8f2c7339955 7966a690-48da-4f17-94e0-4f890d4e7c96.nKv (IcedID DLL)
- 6ee3aac8bc0b4f96c8e6751e021f12e52dadc07c2dd487ff61ee1ff7b8f92592 document-892d04df-b197-4a95-8bf7-c8f0b817872e.lnk
- e5eae9c99ca7abd7bb028084d986c2c240ee0c781fd0ce2dbf29887a0a8de3bf 8a290699-bad2-42d6-940c-8d61de06774c.VF4 (IcedID DLL)
- 7a67786a31aab92049cbc6abf5f852446acff970970b53961ceb496c2d8336a9 c1d5a960-e1ca-4722-bc48-2892378f13f0.png
- d1b1e998906a646d6fed13a7cd45846b07c4e417f0cc5d0e7c76c51f5b2a50ac for_you_presentation-1724680a-9d89-40b7-8567-6c8e5dba127b.lnk
- 7cc8b12aaa169c687e702370a657a74fda51e4a324a937c4a2f429ffad4624b7 e9896022-3597-4be8-b62f-7cd641973c49.png
- f80a853f20ed5091d7e671cbede916902e8ab351ff1051edc7949878777de348 fc6ad989-43ef-41da-ad83-5921c7100130.Aba (IcedID DLL)
- 313fcc6fb04a0a86047f29fb7e292178d6b60a291ea0af1506daddc2eda59b72 for_you_presentation-1d98827c-258b-4773-a7b9-b9a9baf47879.lnk
- 99e3bd6d5f282529a4e28c271987e0dd1113767523584b2aaef238a9a40c4166 22f0b923-f9d8-49d1-bcca-300322e2d464.png
- 68d3837df389c6640e83efa01c7ce1862ce1339741a7cb980392d78719205e18 4886a08f-62f3-4df2-9ce5-64db3c47573c.Lio (IcedID DLL)
- d842371853563e480062e16482dab3db11e6231f3480342a7dd7b6cf42949a5b list_of_documents-55191b44-0b6e-4c0f-bb2a-fbf291030301.lnk
- dbaa27251a35b040bc48a85fffe71ae2a6cf138aa3e978b3740e9493f824bf96 d9dd19ed-3f72-436c-b46f-4a3b04e18192.png
- 1135b2724cc7b45e56d0d2e7b5d0978e673fd770439b250de68ef9db720df742 e3375650-edf0-4776-9e7e-b1733fc62158.EQ_ (IcedID DLL)
- ab9358b6cfe70b7fff5e3f2ffdad135abc2f1b2325313b4fff858375dbc5d613 list_of_documents-b6c1c2b9-49c9-4ab7-9481-54a765f8a48a.lnk
- f93bdc7c06494b2e0eead9d0d998026947932d965e46fb9999f11461a7b5d2b5 b5adf369-0d6a-4ffb-bb09-0d837a0d81b8.png
- a6acbb0cab41a65b98d843312653da6ac5191a488fc001fcb2c724a596744a73 d09ac4c8-ff18-408b-98cb-6bcc8ba20040.dVm (IcedID DLL)
- 62bd09df283dbf156c24f2bf7c61160e9a7c8ec4d4c19f48fbe9924f6b32d349 notice-e37b9874-2b64-4b16-9c81-e16e28918eec.lnk
- 5ff013e47571256d9432c04126dc249f71292b50317d01c6a1c0b6902e3661a8 c3695013-085a-4d1d-9136-6ff8b077092d.1VO (IcedID DLL)
- c70a91772b8f179ec9d02ed1afefc48fca1c9b454cdbed2d365fb99263ce11ed d9d7dbee-801d-4218-aa93-dde646fd3ce0.png
- aad08720c0dac224876041c721f8e71f8b07288cacf4e756b0a39df8e2646e4d order-aff124a3-31d8-4ad4-a130-d941172d4eb2.lnk
- 1857cafdd35c8ab32109ae6555675754f06994983f48e645c62c704830ed25fe b596de04-2cf6-4a35-bb17-64d42a13b8ad.png
- af5a4aab3cef86de6aed5741c2d53da6f9da1dc73ea996d201ee02c9e88ac653 ce9ea4ae-4083-4431-9cc7-320ace51060c.eNj (IcedID DLL)
- b73b423fc6d7e63e667ba86e008452dbd14b3874e41d86d448cb9e14850806bb order-c306a429-aea0-4fdd-a9ea-31ece2ab531e.lnk
- 68f1a7d1ce4b321b4cf05d57347ef96cce86ed305dc73420a30002387011764d ba57b5ab-dea9-461d-9c05-fc2f8067ba2b.8mi (IcedID DLL)
- 23d8482414b2af047067b842cdd9002fe257b4614d313896c0c40bef7a10673c ff2e1af4-8885-46b3-86f3-03a30b8dfc76.png
- fcacace3cf73a92a8713cfd6314d0dd58a2d33e6429a3b3e7e7046b8e7bf49db order-fef9c700-1855-4f2d-807b-080897d8cc2e.lnk
- 7ba314831052cdc904e585e7dc5f8434a0a614f19b44d2ee398a317aaa1ba48b 274a8450-1ab5-4c71-9485-40b33f537fd3.j6S (IcedID DLL)
- 7a1ae23a8bad08c2184131b5c7616fbe473bf8b2f22df7b99cca0770f2220626 ba8ff36c-4e28-4efb-878d-ba73b6f623ef.png
- ee4c0715a8a05173d03a424a6c3601a7a94263141a39ac30e69cb5cab7ca8668 scandocument-29f4f28d-2e8e-446b-8801-5860be22074a.lnk

NOTE:

- Run method for any of the above IcedID DLL files is: rundll32.exe [filename],PluginInit

ICEDID FILES FROM AN INFECTED WINDOWS HOST:

- SHA256 hash: 7c2a9e3c791222f3f9b44e979e55132780ee04f979118e2e46d1a49f53f02af3
- File size: 844,862 bytes
- File location: hxxp://fireskupigar[.]com/
- File description: gzip binary from fireskupigar[.]com retrieved by IcedID DLL from an ISO, used to create persistent IcedID DLL with license.dat

- SHA256 hash: 55be890947d021fcc8c29af3c7aaf70d8132f222e944719c43a6e819e84a8f8b
- File size: 363,338 bytes
- File location: C:\Users\[username]\AppData\Roaming\HabitAmused\license.dat
- File description: data binary used to run persistent IcedID DLL
- Note: First submitted to VirusTotal on 2022-09-23

- SHA256 hash: 171bb576d2f5aadffae14a768a227d292eb4211118547eba6d876f819f26a37f
- File size: 480,768 bytes
- File location: C:\Users\[username]\AppData\Local\{8FBE9BB4-F5BA-8A17-1299-6E7E9A031FE6}\unvoeqst32.dll
- File description: 64-bit DLL for IcedID persistent on the infected host
- Run method: rundll32.exe [filename],#1 --obsu="[path to license.dat]"
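
The two rundll32 run methods in this report (the installer DLL invoked through its PluginInit export, and the persistent DLL invoked by ordinal #1 with an --obsu= argument pointing at license.dat) are specific enough to match in process-creation telemetry. The following is an added example, not part of the original report: a small Python checker that flags command lines matching either pattern and leaves ordinary rundll32 use alone. The sample command lines are constructed; the DLL and license.dat names in them come from the report, while the drive letter and the user name "alice" are assumptions.

```python
"""Flag rundll32 command lines matching the IcedID run methods listed in this
report.  Added example; SAMPLE_CMDLINES are constructed, not from the report."""
import re
from typing import List, NamedTuple, Optional, Tuple

# rundll32[.exe] <dll>,<export> [args]  -- the DLL path may be quoted, the
# export (name or #ordinal) follows the comma with no space.
_RUNDLL32 = re.compile(
    r'(?i)(?:^|[\\\s"])rundll32(?:\.exe)?["\s]+'
    r'(?P<dll>"[^"]+"|\S+?),(?P<export>#?\w+)(?P<args>.*)$'
)
# --obsu="<path>\license.dat" as used by the persistent DLL.
_OBSU_LICENSE = re.compile(r'--obsu="?[^"]*license\.dat', re.I)


class Hit(NamedTuple):
    reason: str
    dll: str
    export: str
    args: str


def check_rundll32(cmdline: str) -> Optional[Hit]:
    """Return a Hit describing why cmdline is suspicious, or None."""
    m = _RUNDLL32.search(cmdline)
    if not m:
        return None
    dll = m.group("dll").strip('"')
    export = m.group("export")
    args = m.group("args").strip()
    # Run method 1 (from the ISO): rundll32.exe [filename],PluginInit
    if export.lower() == "plugininit":
        return Hit("IcedID installer DLL export PluginInit", dll, export, args)
    # Run method 2 (persistence): rundll32.exe [filename],#1 --obsu="[path to license.dat]"
    # Ordinal #1 alone is common for legitimate DLLs, so require the --obsu/license.dat pair.
    if export == "#1" and _OBSU_LICENSE.search(args):
        return Hit("IcedID persistent DLL with license.dat via --obsu", dll, export, args)
    return None


def scan(cmdlines: List[str]) -> List[Tuple[str, Hit]]:
    """Run check_rundll32 over a batch of command lines and keep the hits."""
    hits = []
    for c in cmdlines:
        h = check_rundll32(c)
        if h:
            hits.append((c, h))
    return hits


# Constructed sample process-creation command lines (drive letter and user are assumptions).
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\rundll32.exe" D:\af06a6f8-ce22-4529-876e-e5f64cdfb78d.OYB,PluginInit',
    r'rundll32.exe "C:\Users\alice\AppData\Local\{8FBE9BB4-F5BA-8A17-1299-6E7E9A031FE6}\unvoeqst32.dll",#1 --obsu="C:\Users\alice\AppData\Roaming\HabitAmused\license.dat"',
    r'rundll32.exe shell32.dll,Control_RunDLL hotplug.dll',   # benign
    r'rundll32.exe C:\Windows\System32\vaultcli.dll,#1',       # benign ordinal call
]

if __name__ == "__main__":
    for cmd, hit in scan(SAMPLE_CMDLINES):
        print(f"{hit.reason}: {hit.dll} ({hit.export}) {hit.args}")
```

The export name is matched case-insensitively because rundll32 resolves exports by exact name but the logged command line may have been typed in any case by the shortcut; the ordinal rule deliberately requires the --obsu/license.dat argument so that the many legitimate `,#1` invocations do not alert.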

ICEDID TRAFFIC FOR GZIP BINARY:

- 68.183.184[.]0 port 80 - fireskupigar[.]com - GET / HTTP/1.1

ICEDID POST-INFECTION TRAFFIC:

- 165.232.142[.]62 port 443 - trainbondarexil[.]com - HTTPS traffic
- 103.208.85[.]95 port 443 - frabigwin[.]info - HTTPS traffic
- 5.2.77[.]232 port 443 - dietappli[.]shop - HTTPS traffic
- 103.208.85[.]95 port 443 - gropcropila[.]com - HTTPS traffic (repeats)
- 51.89.201[.]236 port 8080 - TCP traffic that includes instructions to retrieve PowerShell script for Cobalt Strike

FILES FOR COBALT STRIKE (RUN FROM SYSTEM MEMORY, NOT SAVED TO DISK):

- SHA256 hash: eb88412c9a0f78dfd515e3c602548aea1aee4e91847289eb58214841350aa12f
- File size: 226,341 bytes
- File location: hxxps://aicsoftware[.]com:757/coin
- File description: Initial PowerShell script used to start Cobalt Strike infection

- SHA256 hash: 967e4afe80e8e0f005ffca8baaf18e4eb7b997709d9d40e6aeca1b8189f5be90
- File size: 351,211 bytes
- File description: second-stage PowerShell script for Cobalt Strike created by the above PowerShell script

- SHA256 hash: fe143d2a4e74094c076bd72bd144ee1cfb4764bb62545a252113bff470011123
- File size: 261,636 bytes
- File description: Shellcode for Cobalt Strike created by the second-stage PowerShell script

COBALT STRIKE HTTPS TRAFFIC:

- 23.29.115[.]152 port 757 (HTTPS) - aicsoftware[.]com - GET /coin
- 23.29.115[.]152 port 757 (HTTPS) - aicsoftware[.]com - GET /templates?mark=true
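
The traffic lines above use the usual defanging conventions (hxxp, [.]) so they cannot be clicked or resolved by accident, which also means they have to be refanged and parsed before they can feed a blocklist or a SIEM lookup. The following is an added example, not part of the original report: a Python parser for the "ip port n - hostname - request" line format used here, which refangs the indicators, tolerates the "(HTTPS)" protocol note and the raw-IP TCP channel on port 8080, and collects unique IPs, domains and URLs. IOC_TEXT is an excerpt of the traffic sections of this report plus the stager URL from its "File location" line.

```python
"""Parse the defanged network indicators in this report into structured records.
Added example (not part of the original report); IOC_TEXT is an excerpt of it."""
import re
from typing import NamedTuple, Optional


def refang(s: str) -> str:
    """Reverse the report's defanging: [.] -> . and hxxp(s) -> http(s)."""
    return (s.replace("[.]", ".")
             .replace("hxxps://", "https://")
             .replace("hxxp://", "http://"))


class NetIoc(NamedTuple):
    ip: str
    port: int
    domain: Optional[str]   # None for raw-IP traffic such as the port 8080 TCP channel
    detail: str             # request line or traffic description


# "- <ip> port <n> [(proto)] - <hostname or description>[ - <request>]"
_TRAFFIC = re.compile(
    r"^-\s*(?P<ip>\d{1,3}(?:\[?\.\]?\d{1,3}){3})\s+port\s+(?P<port>\d+)"
    r"(?:\s*\([^)]*\))?\s*-\s*(?P<rest>.+)$"
)
_URL = re.compile(r"hxxps?://\S+")


def parse_traffic_line(line: str) -> Optional[NetIoc]:
    """Return a NetIoc for a traffic line, or None for headers and other lines."""
    m = _TRAFFIC.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    head, _, tail = rest.partition(" - ")
    if "[.]" in head:            # first field is a defanged hostname
        domain, detail = refang(head.strip()), tail.strip()
    else:                        # no hostname, just a description of the traffic
        domain, detail = None, rest.strip()
    return NetIoc(refang(m.group("ip")), int(m.group("port")), domain, detail)


def build_blocklist(text: str) -> dict:
    """Collect parsed records plus de-duplicated IPs, domains and refanged URLs."""
    records = [r for r in map(parse_traffic_line, text.splitlines()) if r]
    urls = {refang(u) for u in _URL.findall(text)}
    return {
        "records": records,
        "ips": sorted({r.ip for r in records}),
        "domains": sorted({r.domain for r in records if r.domain}),
        "urls": sorted(urls),
    }


# Excerpt of the traffic sections of this report (the URL line is the Cobalt
# Strike stager's "File location" entry).
IOC_TEXT = """\
ICEDID TRAFFIC FOR GZIP BINARY:
- 68.183.184[.]0 port 80 - fireskupigar[.]com - GET / HTTP/1.1
ICEDID POST-INFECTION TRAFFIC:
- 165.232.142[.]62 port 443 - trainbondarexil[.]com - HTTPS traffic
- 103.208.85[.]95 port 443 - frabigwin[.]info - HTTPS traffic
- 5.2.77[.]232 port 443 - dietappli[.]shop - HTTPS traffic
- 103.208.85[.]95 port 443 - gropcropila[.]com - HTTPS traffic (repeats)
- 51.89.201[.]236 port 8080 - TCP traffic that includes instructions to retrieve PowerShell script for Cobalt Strike
- File location: hxxps://aicsoftware[.]com:757/coin
COBALT STRIKE HTTPS TRAFFIC:
- 23.29.115[.]152 port 757 (HTTPS) - aicsoftware[.]com - GET /coin
- 23.29.115[.]152 port 757 (HTTPS) - aicsoftware[.]com - GET /templates?mark=true
"""

if __name__ == "__main__":
    bl = build_blocklist(IOC_TEXT)
    for key in ("ips", "domains", "urls"):
        print(key, bl[key])
    for r in bl["records"]:
        print(f"{r.ip}:{r.port} {r.domain or '-'} {r.detail}")
```

Keeping the port in each record matters here: the Cobalt Strike server answers on 757 rather than 443, so a rule keyed on destination IP and port is tighter than one keyed on the IP alone, and the two hostnames that share 103.208.85[.]95 stay distinguishable in the domain list.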