-
Notifications
You must be signed in to change notification settings - Fork 16
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Created 2021-03-15-IOCs-from-IcedID-infection.txt
- Loading branch information
1 parent
aed69cd
commit 317ae68
Showing
1 changed file
with
69 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,69 @@ | ||
| 2021-03-15 (MONDAY) ICEDID (BOKBOT) FROM EXCEL SPREADSHEET MACROS | ||
|
|
||
| REFERENCE: | ||
|
|
||
| - https://twitter.com/Unit42_Intel/status/1371592816510578689 | ||
|
|
||
| INFECTION CHAIN: | ||
|
|
||
| - malicious spam --> ZIP attachment --> extract Excel file --> enable macros --> Installer DLL --> gziploader process --> IcedID | ||
|
|
||
| REFERENCE: | ||
|
|
||
| - https://www.binarydefense.com/icedid-gziploader-analysis/ | ||
|
|
||
| ASSOCIATED MALWARE: | ||
|
|
||
| - SHA256 hash: 0b31911de524410fef3725f6fe5b565c6cb3e3b2ea5b7267bebc097f9fb57eb3 | ||
| - File size: 156,675 bytes | ||
| - File name: CompensationClaim_605614143_03152021.zip | ||
| - File description: ZIP archive attached to malicious spam pushing IcedID | ||
|
|
||
| - SHA256 hash: 1852801558498c3bbc67b028b592ba9444a4e687a7f67737a393ce3f756d8c87 | ||
| - File size: 239,104 bytes | ||
| - File name: CompensationClaim_605614143_03152021.xls | ||
| - File description: Extracted from the above ZIP archive, an Excel file with macro for IcedID | ||
|
|
||
| - SHA256 hash: f175d5883a0958f8ce10c387fef6c6750d26089e7413bf7b9a3767b655e61417 | ||
| - File size: 44,544 bytes | ||
| - File location: hxxp://188.127.254[.]114/44270.7145450231.dat | ||
| - File location: hxxp://185.82.219[.]160/44270.7145450231.dat | ||
| - File location: hxxp://45.140.146[.]34/44270.7145450231.dat | ||
| - File location: C:\Users\[username]\SOT.GOT | ||
| - File location: C:\Users\[username]\SOT.GOT1 | ||
| - File location: C:\Users\[username]\SOT.GOT2 | ||
| - File description: Installer DLL for IcedID | ||
| - Run method: rundll32.exe [filename],DllRegisterServer | ||
|
|
||
| - SHA256 hash: 54d7277a2637bd8b410419f06a189b902243e91eb683435b931ae013d5a576f0 | ||
| - File size: 36,352 bytes | ||
| - File location: C:\Users\[username]\AppData\Local\Temp\raise_x64.tmp | ||
| - File description: Initial IcedID DLL | ||
| - Run method: rundll32.exe [filename],update /i:[filepath]\license.dat | ||
|
|
||
| - SHA256 hash: 7b329e340343bcdf1a70d1b487093bb3a4579f603a97214ecdcf78b339a6a1fc | ||
| - File size: 36,352 bytes | ||
| - File location: C:\Users\[username]\AppData\Roaming\{00F0279B-1BB6-6935-485C-566FF0BA28FC}\[username]\ruoyan.dll | ||
| - File description: Persistent IcedID DLL | ||
| - Run method: rundll32.exe [filename],update /i:[filepath]\license.dat | ||
|
|
||
| - SHA256 hash: 45b6349ee9d53278f350b59d4a2a28890bbe9f9de6565453db4c085bb5875865 | ||
| - File size: 341,002 bytes | ||
| - File location: C:\Users\[username]\AppData\Roaming\SpringGoat\license.dat | ||
| - File description: Data file used by the above two IcedID DLL files | ||
|
|
||
| TRAFFIC TO RETRIEVE INSTALLER DLL FOR ICEDID: | ||
|
|
||
| - 188.127.254[.]114 port 80 - 188.127.254[.]114 - GET /44270.7145450231.dat | ||
| - 185.82.219[.]160 port 80 - 185.82.219[.]160 - GET /44270.7145450231.dat | ||
| - 45.140.146[.]34 port 80 - 45.140.146[.]34 - GET /44270.7145450231.dat | ||
|
|
||
| TRAFFIC GENERATED BY INSTALLER DLL: | ||
|
|
||
| - port 443 - aws.amazon.com - HTTPS traffic | ||
| - 178.128.243[.]14 port 80 - apoxiolazio55[.]space GET / | ||
|
|
||
| ICEDID C2 TRAFFIC: | ||
|
|
||
| - 165.227.28[.]47 port 443 - twotoiletsr[.]space - HTTPS traffic | ||
| - 165.227.28[.]47 port 443 - iporumuski[.]fun - HTTPS traffic |