-
Notifications
You must be signed in to change notification settings - Fork 11
/
2021-04-26-IOCs-for-IcedID-with-Cobalt-Strike.txt
85 lines (61 loc) · 3.59 KB
/
2021-04-26-IOCs-for-IcedID-with-Cobalt-Strike.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
2021-04-26 (MONDAY) - ZIP-ED JS FILE --> ICEDID (BOKBOT) --> COBALT STRIKE
REFERENCE:
- https://twitter.com/Unit42_Intel/status/1387149833274810368
NOTES:
- Reference: https://www.microsoft.com/security/blog/2021/04/09/investigating-a-unique-form-of-email-delivery-for-icedid-malware/
- Based on the above report, we found a zip archive from today (Monday 2021-04-26) containing a malicious .js file associated with this campaign.
MALWARE:
- SHA256 hash: e53d3d4a90d9761b62da2b626060a5934319e3e81d1901a666b8cee7c2ab4e6a
- File size: 6,693 bytes
- File name: StolenImages_Evidence.zip
- File description: ZIP archive retrieved from link in an email pushing IcedID
- SHA256 hash: 58544355fd1659814351b3931fa363b03115a2d1d0a8af72aeef8c48d4efa4f5
- File size: 18,761 bytes
- File name: StolenImages_Evidence.js
- File description: JS file extracted from the above ZIP archive
- SHA256 hash: 393082006d9106926220a3e40d95ef15c05fdeb5b45b0da3012d9b5b60ee90f8
- File size: 397,329 bytes
- File location: hxxp://stereozek[.]top/034g100/main.php
- File location: C:\Users\[username]\AppData\Local\Temp\dTJrU.dat
- File description: Installer DLL for IcedID
- Run method: rundll32.exe [filename],DllRegisterServer
- SHA256 hash: ae5ebe0388b228032f6fa0afe924910de13d824dca79b6b67d7dfdd651762cc4
- File size: 711,499 bytes
- File location: hxxp://quadrogorrila[.]casa/
- File description: Fake gzip file called by installer DLL used to create IcedID DLL and license.dat files
- SHA256 hash: 29d2a8344bd725d7a8b43cc77a82b3db57a5226ce792ac4b37e7f73ec468510e
- File size: 341,098 bytes
- File location: C:\Users\[username]\AppData\Roaming\SimilarThree\license.dat
- File description: binary data file used to run IcedID DLL files
- SHA256 hash: 260e2a92e0fccddb6f930ce93c90fb54e91ffc892c2c554aba0e2ae43cd3af15
- File size: 370,176 bytes
- File location: C:\Users\[username]\AppData\Local\Temp\sadness_64.dat
- File description: Initial DLL for IcedID infection
- Run method: rundll32.exe [filename],update /i:"SimilarThree\license.dat"
- SHA256 hash: 14fc5552d33dfe49aea4834c26d5f9aa85db2a065524aaa9c1e3b653c05aff0b
- File size: 370,176 bytes
- File location: C:\Users\[username]\AppData\Roaming\[username]\{2D7709C7-BCD4-92FE-99EC-2815EEDE7032}\Umkohoip32.dll
- File description: Persistent DLL for IcedID infection
- Run method: rundll32.exe [filename],update /i:"SimilarThree\license.dat"
- SHA256 hash: e54f38d06a4f11e1b92bb7454e70c949d3e1a4db83894db1ab76e9d64146ee06
- File size: 800,768 bytes
- File location: hxxp://192.99.178[.]145/download/195145.exe
- File location: C:\Users\[username]\AppData\Local\Temp\Remo.exe
- File description: EXE for Cobalt Strike retrieved by IcedID-infected host
TRAFFIC GENERATED BY .JS FILE TO RETRIEVE INSTALLER DLL:
- 172.67.169[.]66 port 80 - stereozek[.]top - GET /034g100/index.php
- 172.67.169[.]66 port 80 - stereozek[.]top - GET /034g100/main.php
TRAFFIC GENERATED BY INSTALLER DLL TO RETRIVE FAKE GZIP FILE USED TO CREATE ICEDID FILES:
- port 443 - aws.amazon.com - HTTPS traffic
- 104.236.44[.]35 port 80 - quadrogorrila[.]casa - GET /
C2 TRAFFIC GENERATED BY ICEDID:
- 167.99.163[.]235 port 443 - classicfucup[.]top - HTTPS traffic
- 167.99.163[.]235 port 443 - rangstatepol[.]top - HTTPS traffic
- 38.135.122[.]194 port 8080 - TCP traffic
ADDITIONAL ICEDID C2 DOMAINS ON 167.99.163[.]235:
- 167.99.163[.]235 port 443 - ultimarulle[.]top
- 167.99.163[.]235 port 443 - hidethisfact[.]top
COBALT STRIKE ACTIVITY ON THE INFECTED HOST:
- 192.99.178[.]145 port 80 - 192.99.178[.]145 - GET /download/195145.exe
- 192.99.178[.]145 port 80 - dimentos[.]com - GET /bg
- 192.99.178[.]145 port 80 - dimentos[.]com - POST /btn_bg