2020-03-27 - PRICE_REQUEST_9830.DOC PUSHES ICEDID (BOKBOT)
ASSOCIATED FILES:
- 2020-03-27-IcedID-IOCs.txt.zip 1.5 kB (1,518 bytes)
- 2020-03-27-IcedID-infection-traffic.pcap.zip 5.1 MB (5,074,906 bytes)
- 2020-03-27-IcedID-malware-and-artifacts.zip 1.4 MB (1,400,601 bytes)
NOTES:
- This IcedID sample was VM-aware, so I had to run it on a physical host.
- This is my second IcedID sample since 2020-03-20 that doesn't generate any websocket traffic over HTTP (see my 2020-03-20 blog post for the first sample).
- All zip archives on this site are password-protected with the standard password. If you don't know it, see the "about" page of this website.
IMAGES
Shown above: Screenshot of price_request_9830.doc.
Shown above: Traffic from the infection filtered in Wireshark.
Shown above: Certificate issuer data from the IcedID post-infection HTTPS traffic.
Shown above: Artifacts that appeared after enabling macros.
Shown above: IcedID persistent on the infected Windows host.
Shown above: Scheduled task to keep IcedID persistent.