2020-03-27 - PRICE_REQUEST_9830.DOC PUSHES ICEDID (BOKBOT)

ASSOCIATED FILES:

• 2020-03-27-IcedID-IOCs.txt.zip   1.5 kB (1,518 bytes)
• 2020-03-27-IcedID-infection-traffic.pcap.zip   5.1 MB (5,074,906 bytes)
• 2020-03-27-IcedID-malware-and-artifacts.zip   1.4 MB (1,400,601 bytes)

NOTES:

• This IcedID sample was VM-aware, so I had to run it on a physical host.
• This is my second IcedID sample since 2020-03-20 that doesn't generate any websocket traffic over HTTP (see my 2020-03-20 blog post for the first sample).

• All zip archives on this site are password-protected with the standard password.  If you don't know it, see the "about" page of this website.

 

IMAGES

Shown above:  Screenshot of price_request_9830.doc.

 

Shown above:  Traffic from the infection filtered in Wireshark.

 

Shown above:  Certificate issuer data from the IcedID post-infection HTTPS traffic.

 

Shown above:  Artifacts that appeared after enabling macros.

 

Shown above:  IcedID persistent on the infected Windows host.

 

Shown above:  Scheduled task to keep IcedID persistent.

 

Click here to return to the main page.