2023-03-24 (FRIDAY) - ICEDID (BOKBOT) WITH BACKCONNECT TRAFFIC AND COBALT STRIKE
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
REFERENCE:
- https://urlscan.io/result/adc2c9cf-f214-43b8-b339-a2ce0bae6857
ASSOCIATED FILES:
- 2023-03-24-IOCs-for-IcedID-with-BackConnect-and-Cobalt-Strike.txt.zip 1.8 kB (1,758 bytes)
- 2023-03-24-IcedID-infection-with-BackConnect-and-Cobalt-Strike.pcap.zip 5.2 MB (5,160,637 bytes)
- 2023-03-24-IcedID-and-Cobalt-Strike-malware-and-artifacts.zip 2.2 MB (2,189,818 bytes)
ASSOCIATED MALWARE:
- SHA256 hash: ef768753d6d4d26ba921a09be5b300b9f7bba070ef6847379490b4c1ec85ceb8
- File size: 339,995 bytes
- File name: Docs_Unpaid_#233.zip
- File location: hxxps://firebasestorage.googleapis[.]com/v0/b/mystical-rhino-377704.appspot.com/o/ZROkvywQXK%2FDocs_Unpaid_%23233.zip?alt=media&token=0a1d38e2-0824-4632-99fc-d3447e5668c2
- File description: Zip archive containing 64-bit EXE for IcedID

- SHA256 hash: 1b49da1d8b3ba5135030fd494033b30aa58393eeedf53ea0dd2ecf2715a8e6c8
- File size: 633,888 bytes
- File name: Docs_Unpaid_#233.exe
- File description: 64-bit EXE for IcedID extracted from the above zip archive

- SHA256 hash: 84b8c51ee13c4a857c3b3f086a7b006d8f79e8ad08c515a6d53f47a1bb60a810
- File size: 713,117 bytes
- File description: gzip binary from liguspotforsit[.]com used to create license.dat and persistent IcedID DLL

- SHA256 hash: 332afc80371187881ef9a6f80e5c244b44af746b20342b8722f7b56b61604953
- File size: 354,474 bytes
- File location: C:\Users\[username]\AppData\Roaming\BarrelCarry\license.dat
- File description: data binary used to run persistent IcedID DLL

- SHA256 hash: ead75f569dfb8e27c8f9f246172aab9d5481301a1d6e663287dc8b49fae68fd8
- File size: 357,888 bytes
- File location: C:\Users\[username]\AppData\Roaming\tiuguq1\Ogwebd4.dll
- File description: 64-bit DLL for persistent IcedID
- Run method: rundll32.exe [filename],init --podu="[path to license.dat]"

- SHA256 hash: 67f83398e4b96573dd999384827d0441f8b3face1e8395f5533c1d95e9c3cacd
- File size: 231,476 bytes
- File location: hxxp://voiceinfosys[.]net:80/forceupdate
- File description: PowerShell script for Cobalt Strike

- SHA256 hash: d97a8a887dd83de899957fc9e2a98b8ba1d4129899f95bf3a95b034e9dee2c26
- File size: 276,999 bytes
- File description: shellcode for Cobalt Strike (decoded from the above PowerShell script)
TRAFFIC FROM AN INFECTED WINDOWS HOST:
- Infected host name and domain from my lab environment: NEIGHBORHOOD-DC.neighborhood.site
- Note: Used a domain controller for this infection run

URL FOR ZIP ARCHIVE CONTAINING ICEDID INSTALLER EXE:
- hxxps://firebasestorage.googleapis[.]com/v0/b/mystical-rhino-377704.appspot.com/o/ZROkvywQXK%2FDocs_Unpaid_%23233.zip?alt=media&token=0a1d38e2-0824-4632-99fc-d3447e5668c2

TRAFFIC CAUSED BY INSTALLER EXE FOR GZIP BINARY:
- 206.166.251[.]62 port 80 - liguspotforsit[.]com - GET / HTTP/1.1

ICEDID C2:
- 195.20.17[.]21 port 443 - gabrikxuira[.]com - HTTPS traffic
- 195.20.17[.]21 port 443 - keyzishaptu[.]com - HTTPS traffic
- 5.230.73[.]157 port 443 - qonavlecher[.]com - HTTPS traffic

ICEDID BACKCONNECT TRAFFIC:
- 193.239.85[.]16 port 8080 - TCP traffic for IcedID BackConnect

COBALT STRIKE TRAFFIC:
- 31.220.50[.]207 port 80 - voiceinfosys[.]net - GET /forceupdate HTTP/1.1
- 31.220.50[.]207 port 80 - voiceinfosys[.]net - GET /es HTTP/1.1
- 31.220.50[.]207 port 80 - voiceinfosys[.]net - POST /af HTTP/1.1 (text/plain)
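As an added defender's example (not part of the original post or its associated files), the Python below refangs the network indicators listed above and checks them against proxy log lines and process command lines. The six-field proxy log format, the source IP, the benign control entries and the sample command lines are constructed for the example; the domains, IPs, URIs and the rundll32 `init --podu=` run method come from the page.

```python
import re

# Network IOCs transcribed from the page, defanged as written there.
DEFANGED_DOMAINS = [
    "liguspotforsit[.]com",   # installer EXE fetches the gzip binary here
    "gabrikxuira[.]com",      # IcedID C2
    "keyzishaptu[.]com",      # IcedID C2
    "qonavlecher[.]com",      # IcedID C2
    "voiceinfosys[.]net",     # Cobalt Strike
]
DEFANGED_IPS = [
    "206.166.251[.]62", "195.20.17[.]21", "5.230.73[.]157",
    "193.239.85[.]16",  # BackConnect, TCP 8080
    "31.220.50[.]207",
]
# Cobalt Strike URIs seen on voiceinfosys[.]net in the page's traffic list.
CS_URIS = {"/forceupdate", "/es", "/af"}


def refang(ioc: str) -> str:
    """Turn the page's defanged notation ([.] and hxxp) back into a matchable string."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
IPS = {refang(i) for i in DEFANGED_IPS}

# Persistence run method from the page: rundll32.exe <dll>,init --podu="<license.dat>"
# The DLL path is matched as a run of non-whitespace, so a quoted path with spaces
# would need a wider pattern.
RUNDLL32_PATTERN = re.compile(r'rundll32(?:\.exe)?\s+\S+,\s*init\s+--podu=', re.IGNORECASE)


def parse_proxy_line(line: str):
    """Assumed proxy log format: <ts> <src_ip> <dst_ip> <host> <method> <uri>."""
    parts = line.split()
    if len(parts) != 6:
        return None
    keys = ("ts", "src", "dst_ip", "host", "method", "uri")
    return dict(zip(keys, parts))


def match_proxy_line(line: str):
    """Return the reasons a proxy line matches the page's network IOCs (empty if none)."""
    rec = parse_proxy_line(line)
    if rec is None:
        return []
    hits = []
    if rec["dst_ip"] in IPS:
        hits.append(f"dst_ip {rec['dst_ip']}")
    if rec["host"] in DOMAINS:
        hits.append(f"host {rec['host']}")
    if rec["host"] == "voiceinfosys.net" and rec["uri"] in CS_URIS:
        hits.append(f"cobalt_strike_uri {rec['uri']}")
    return hits


def match_process_cmdline(cmdline: str) -> bool:
    """True if a process command line matches the IcedID persistence run method."""
    return bool(RUNDLL32_PATTERN.search(cmdline))


def scan(proxy_lines, cmdlines):
    """Collect (source, record, reasons) alerts across proxy lines and command lines."""
    alerts = []
    for line in proxy_lines:
        hits = match_proxy_line(line)
        if hits:
            alerts.append(("proxy", line, hits))
    for cmd in cmdlines:
        if match_process_cmdline(cmd):
            alerts.append(("process", cmd, ["icedid_persistence_rundll32"]))
    return alerts


# Constructed sample data: 10.3.24.101 is a made-up internal host; the example.com
# line (TEST-NET address) is a benign control that should not match.
SAMPLE_PROXY = [
    "2023-03-24T14:01:02Z 10.3.24.101 206.166.251.62 liguspotforsit.com GET /",
    "2023-03-24T14:01:09Z 10.3.24.101 195.20.17.21 gabrikxuira.com CONNECT /",
    "2023-03-24T14:05:40Z 10.3.24.101 31.220.50.207 voiceinfosys.net GET /forceupdate",
    "2023-03-24T14:05:41Z 10.3.24.101 31.220.50.207 voiceinfosys.net POST /af",
    "2023-03-24T14:06:00Z 10.3.24.101 203.0.113.10 www.example.com GET /",
]
SAMPLE_CMDLINES = [
    r'rundll32.exe C:\Users\alice\AppData\Roaming\tiuguq1\Ogwebd4.dll,init '
    r'--podu="C:\Users\alice\AppData\Roaming\BarrelCarry\license.dat"',
    r'rundll32.exe shell32.dll,Control_RunDLL',  # ordinary rundll32 use, should not match
]

if __name__ == "__main__":
    for source, record, reasons in scan(SAMPLE_PROXY, SAMPLE_CMDLINES):
        print(f"[{source}] {record}\n    -> {', '.join(reasons)}")
```

The URI check is deliberately tied to the Cobalt Strike host rather than applied globally, since short paths like `/es` and `/af` would otherwise produce noise across unrelated traffic; the host and IP matches stand on their own.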