# CERT-UA

**cert.gov.ua/article/39609**

## Updated 04/18/2022

 General information:

 The government team for responding to computer emergencies in Ukraine CERT-UA revealed the fact of mass distribution among citizens of Ukraine XLS-documents called "Mobilization Register.xls".

 It was found that if you open the document and activate the macro, the macro will download and run the executable file. The downloaded EXE file will decrypt and run the GzipLoader malware on your computer, which in turn will download, decrypt and run the IcedID malware. This malware (also known as BankBot) belongs to the class of "banking Trojans" and, among other things, provides theft of authentication data.

 The activity is targeted and is tracked by UAC-0098.

 Compromise indicators:

 Files:
```
bdfca142fc1408ab2028019775a95a8a
8f7e3471c1bb2b264d1b8f298e7b7648dac84ffd8fb2125f3b2566353128e127 Mobilization
Registry.xls
9f33887a8e76c246753e71b896a904b3
65b208943d8cf82af902c39400bdd7a26fdbc94c23f9d4494cf0a2ca51233213 Mobilization
Registry.xls
5b4deca6a14eb777fdd882a712006303
de7bcc556dde40d347b003d891f36c2a733131593ce2b9382f0bd9ade123d54a ggthvjhvjhb.xls
c52150ad226963a07cfc144d9cea73c7
ac1d19c5942946f9eee6bc748dee032b97eb3ec3e4bb64fead3e5ac101fb1bc8 spisok.exe (2022-0407)
afc2d797a39caf4765c0c24e1afb1967
2e721087daafbfe9b7d5618dfcdaf23e04344f4f72b2c59e175196bada1cc687 gziploader.exe
(2022-02-21)
e731e2f1a70b2dd13a4995f9c0106dc4
789992e24d118d7bd213593aa849449c624eb275e000bc406dab25035b99479b forest32.dat
986ce06308ca327e5c75877e5e15d6b8
89594dbae3956eb2bf599e85cd761e89c9d189944b0ddc18cc3973f0fd41c466 init_dll_64.dll
(2022-04-05)
e9ad8fae2dd8f9d12e709af20d9aefad
84f016ece77ddd7d611ffc0cbb2ce24184aeee3a2fdbb9d44d0837bc533ba238 license.dat
7e6a117ba018be2867329bc5a33e481d
6734ae02e66924b3f071e7d8ea97d2482a2a2a5bac27b251f20d320b0d04a324 module.bin

```

-----

## Network:
```
rivertimad [.] com
winuvinnosluk [.] club
successilin [.] top
reteredelete [.] top
naffalno [.] site
ritionalvalueon [.] top
oceriesfornot [.] top
arelyevennot [.] top
dogiraftig [.] com
fikasterwer [.] top
jevejosader [.] top
ertimadifa [.] com
rresteraftin [.] com
ndlestomak [.] top
168 [.] 100.8.42
188 [.] 166,154,118
134 [.] 209.144.87
hXXp: // 168 [.] 100.8.42 / micro [.] exe
hXXp: // 168 [.] 100.8.42 / list [.] exe
hXXp: // rivertimad [.] com /
hXXp: // 168 [.] 100.8.42 / list [.] exe

 Hosts:
% APPDATA% \% rand% \% rand% .dll ", DllMain --iydu =" SustainDream \ license.dat "
% APPDATA% \ SustainDream \ license.dat
% APPDATA% \ runsx.exe
% TMP% \ forest32.dat

 Graphic images:

```

-----

-----