2023-07-13 (THURSDAY) - ICEDID (BOKBOT) FROM MALSPAM
NOTICE:
- Of note, the zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2023-07-13-IcedID-notes.txt.zip 2.9 kB (2,881 bytes)
- 2023-07-13-IcedID-pcaps.zip 6.2 MB (6,154,555 bytes)
- 2023-07-13-IcedID-malware-and-artifacts.zip 7.2 MB (7,156,856 bytes)
INFECTION CHAIN:
- Email --> PDF attachment --> Link from PDF --> TDS redirect for URL to download zip --> zip file --> extracted EXE --> installs IcedID

EXAMPLE OF HEADER LINES FROM ONE OF THE EMAILS:
- Received: from bmail.linkdatacenter[.]net (bmail.linkdatacenter[.]net [41.178.15[.]240]); 2023-07-13 19:19:35 UTC
- Received: from linksmtp.hosting.link.net ([5.230.66.44]) by bmail.linkdatacenter[.]net; Thu, 2023-07-13 19:19:28 UTC
- From: "Bailey Wallace"
- Subject: Inv LCC Scan
- Date: Thu, 13 Jul 2023 14:19:29 -0500
- Attachment: Inv_LCC_Scan_494.pdf
- Note: This email uses a DocuSign message template, but "see the invoice" only links to the DocuSign home page.

11 EXAMPLES OF PDF ATTACHMENTS:
- 1f23df80642f3f2cdd6f1b6a792a4e32525181cc39463f32fa7ab2b9cf224a17 - 188,976 bytes - unknown file name
- 25b60196ec7bce79308be8c92e47cd119692e83aac8480e98422a5f81ef07eb2 - 161,514 bytes - unknown file name
- 280107d2512aa0076a7df3cb79a2ef12cfc4fa9432fa1cd7864a4bdcdc78aa66 - 190,659 bytes - unknown file name
- 38f41c95074d99480eb539d977b2a385d56f05aafec6d4ff47f2b7cd9754e8c7 - 165,709 bytes - Inv_LCC_Scan_329.pdf
- 45b1746bf8fb4568be53c19fc68c68f7035e232fab2534fdca01c0c2a3b1859d - 196,461 bytes - Inv_LCC_Scan_494.pdf
- 8467a9a188a4eef371bfd679a023c5700730c9e17bb9abe9cddb8a1be9f75441 - 190,074 bytes - unknown file name
- b2015f00f0e890b82b98cb605f1b843575d5e1a449e010b90405d46672fe9390 - 161,762 bytes - unknown file name
- dc48642a50272223c29f03821985c796b3499af2f640731a6b23cd26c8d1be53 - 190,747 bytes - Inv_LCC_Scan_56.pdf
- e4150e01e2641f95b7827fc40fa3df932db61d4b6eef23d50b18abbb80059fbc - 170,468 bytes - Inv_LCC_Scan_309.pdf
- f89c279c104f78ed1a1b17ccca0a627acb665e44acf3323fd32391f14076db9b - 200,342 bytes - Inv_LCC_Scan_365.pdf
- fd3e4cc812ec9d68c74538f95c375b42c92c3edbdbcb8b65479ef1c18b9b7f30 - 209,020 bytes - unknown file name

6 LINKS FROM THE ABOVE PDF FILES:
- hxxp[:]//45.11.182[.]61
- hxxp[:]//45.11.182[.]115
- hxxp[:]//45.11.182[.]117
- hxxp[:]//45.11.182[.]119
- hxxp[:]//45.11.182[.]120
- hxxp[:]//45.11.182[.]121

7 EXAMPLES OF TDS REDIRECTS FOR THE ZIP DOWNLOAD:
- hxxps[:]//codewoxy[.]com/melt/
- hxxps[:]//hinokiworld[.]com/wp-content/themes/sketch/salty/
- hxxps[:]//inmobiliariahco[.]com/aright/
- hxxps[:]//inoverse[.]com/turkred/wp-content/themes/sketch/inappropriate/
- hxxp[:]//masteriwestheighs[.]com/polemic/
- hxxps[:]//siintec[.]com/guidepost/
- hxxps[:]//theshopperbuy[.]com/preventor/

4 EXAMPLES OF DOWNLOADED ZIP ARCHIVES:
- 8fa289abec0ad6929a63d16cb1adff1f6c08b8b8581c4bc2fc795c0bcb7f7c6a - 529,909 bytes - Inv_LCC_Scan_1.zip
- 4b8bb08fc82e0295367238008dfab3cc3e966f485f87221547e9f561f7fe0f4d - 529,112 bytes - Inv_LCC_Scan_2.zip
- b7341277469a33aa90a289b6f666f3f2100242daa29d28206d541588eb4c2356 - 529,122 bytes - Inv_LCC_Scan_4.zip
- 31bfcfdc870094eba707293581a9fe943abdafb835c2bbeba3250c7d6012344d - 529,657 bytes - Inv_LCC_Scan_6.zip

4 EXE INSTALLERS FOR ICEDID EXTRACTED FROM THE ABOVE ZIP ARCHIVES:
- d054bf0c6bc45dc141a24153d7d80144d7ef08d347e1c2b38605321eb50169b4 - 912,872 bytes - Inv_LCC_Scan_1.exe
- fcb53d1ce11ea3ccefc9c7efd21d4d29c59dad797536b5a14feb7c85562c1f66 - 908,600 bytes - Inv_LCC_Scan_2.exe
- d7394ece4ab3dc614805ceab5e5686e0e401cf992b2770e4cc2bada501243281 - 908,040 bytes - Inv_LCC_Scan_4.exe
- aa8138d2fd97003e534e36c9961e1a105b13ea24ccf7db1059ea4026b28b5247 - 916,432 bytes - Inv_LCC_Scan_6.exe

INITIAL C2 DOMAIN CALLED BY THE ABOVE ICEDID INSTALLERS:
- 64.225.70[.]62 port 80 - skofilldrom[.]com - GET /

FILES FROM AN INFECTED WINDOWS HOST:
- SHA256 hash: 8e68f7fe7e23a1ebe52e3df4f9fd9b1c0607e553f77988cd1b0c575516090598
-- File size: 580,411 bytes
-- File type: gzip compressed data, was "Duty.txt", from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1053077
-- File location: hxxp[:]//skofilldrom[.]com/
-- File description: gzip binary retrieved by IcedID installer, used to create license.dat and persistent IcedID DLL
- SHA256 hash: 332afc80371187881ef9a6f80e5c244b44af746b20342b8722f7b56b61604953
-- File size: 354,474 bytes
-- File type: data
-- File location: C:\Users\[username]\AppData\Roaming\LatinQuestion\license.dat
-- File description: data binary used to run persistent IcedID DLL
- SHA256 hash: fc59d3ab7608ef100fce80af65b9e2322b5236f97b6da10ba5698628709bc92f
-- File size: 225,184 bytes
-- File type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
-- File location: C:\Users\[username]\AppData\Roaming\Hupa32\sayupuub.dll
-- File description: 64-bit Windows DLL for persistent IcedID infection
-- Run method: rundll32.exe [filename],init --qa="[path to license.dat]"

POST-INFECTION ICEDID C2 TRAFFIC:
- 192.3.76[.]146 port 443 - appkasnofert[.]com - HTTPS traffic, TLSv1.0

CERTIFICATE DATA FOR HTTPS TRAFFIC TO 192.3.76[.]146:443:
- issuer:
-- id-at-commonName=localhost
-- id-at-countryName=AU
-- id-at-stateOrProvinceName=Some-State
-- id-at-organizationName=Internet Widgits Pty Ltd
- subject: same as issuer
- validity:
-- notBefore: 2023-06-27 04:00:02 (UTC)
-- notAfter: 2024-06-26 04:00:02 (UTC)
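Two of the artifacts above translate directly into host and network hunting logic: the rundll32 run method (a DLL export named init plus a --qa argument pointing at license.dat) and the C2 certificate, whose issuer fields are the OpenSSL defaults and whose subject equals its issuer. The script below is an added example, not code from the notes or the pcaps on this page; the process command lines and certificate records it checks are constructed to resemble Sysmon and TLS-inspection output, and the field names of the certificate records are an assumption of this example.

```python
"""Added example: hunt for the IcedID persistence command line and the
default self-signed C2 certificate documented in these notes.
All sample records below are constructed, not taken from the pcaps."""
import re
from typing import Iterable, List

# Run method from the notes: rundll32.exe [filename],init --qa="[path to license.dat]"
# The DLL path, export name and --qa target are all required to match.
RUNDLL32_PERSIST = re.compile(
    r"rundll32(?:\.exe)?\s+\S+\.dll,\s*init\b.*--qa=\"?[^\"]*license\.dat\"?",
    re.IGNORECASE,
)

def flag_rundll32_persistence(command_lines: Iterable[str]) -> List[str]:
    """Return the process command lines that match the IcedID run method."""
    return [cmd for cmd in command_lines if RUNDLL32_PERSIST.search(cmd)]

# Issuer fields of the certificate seen on 192.3.76[.]146:443. These are
# the defaults OpenSSL offers when a self-signed cert is generated
# interactively, so the check also requires subject == issuer.
DEFAULT_ISSUER = {
    "CN": "localhost",
    "C": "AU",
    "ST": "Some-State",
    "O": "Internet Widgits Pty Ltd",
}

def is_default_selfsigned(cert: dict) -> bool:
    """True when the cert is self-signed with the default OpenSSL subject fields."""
    issuer = cert.get("issuer", {})
    subject = cert.get("subject", {})
    if not issuer or issuer != subject:
        return False
    return all(issuer.get(key) == value for key, value in DEFAULT_ISSUER.items())

def flag_certs(certs: Iterable[dict]) -> List[str]:
    """Return 'server' labels of certificate records that match."""
    return [c["server"] for c in certs if is_default_selfsigned(c)]

# Constructed process-creation command lines (hypothetical user 'alice').
CONSTRUCTED_CMDS = [
    r'rundll32.exe shell32.dll,Control_RunDLL hotplug.dll',
    r'rundll32.exe C:\Users\alice\AppData\Roaming\Hupa32\sayupuub.dll,init '
    r'--qa="C:\Users\alice\AppData\Roaming\LatinQuestion\license.dat"',
    r'rundll32.exe C:\Program Files\Vendor\helper.dll,init --qa="C:\temp\config.dat"',
]

# Constructed certificate records (field names are an assumption of this example).
CONSTRUCTED_CERTS = [
    {
        "server": "192.3.76.146:443",
        "issuer": dict(DEFAULT_ISSUER),
        "subject": dict(DEFAULT_ISSUER),
    },
    {
        "server": "203.0.113.10:443",  # RFC 5737 documentation address
        "issuer": {"CN": "Example Root CA", "C": "US", "O": "Example Inc"},
        "subject": {"CN": "www.example.com", "C": "US", "O": "Example Inc"},
    },
    {
        "server": "203.0.113.11:443",  # self-signed but not the default fields
        "issuer": {"CN": "lab-box", "C": "US", "O": "Home Lab"},
        "subject": {"CN": "lab-box", "C": "US", "O": "Home Lab"},
    },
]

if __name__ == "__main__":
    for hit in flag_rundll32_persistence(CONSTRUCTED_CMDS):
        print("rundll32 persistence:", hit)
    for server in flag_certs(CONSTRUCTED_CERTS):
        print("default self-signed cert on:", server)
```

The certificate check is a pivot rather than a verdict on its own: the "Internet Widgits Pty Ltd" defaults turn up on plenty of lab and appliance servers, so pair a hit with the TLSv1.0 negotiation and the destination noted above before treating it as IcedID C2. The command-line check is much more specific, since it requires the init export together with a --qa argument that names license.dat.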