2022-08-31 (WEDNESDAY) – ICEDID (BOKBOT) WITH COBALT STRIKE
NOTES:
- Started the infection on Wednesday 2022-08-31 and saw Cobalt Strike the next day, more than 17 hours later, on Thursday 2022-09-01.
- Zip files are password-protected. If you don’t know the password, see the “about” page of this website.
ASSOCIATED FILES:
- 1.7 MB (1,713,677 bytes)
- 1.5 MB (1,538,604 bytes)
IMAGES
Shown above: Traffic from the infection filtered in Wireshark, part 1 of 2.
Shown above: Traffic from the infection filtered in Wireshark, part 2 of 2.
INDICATORS
INFECTION TRAFFIC:
HTTP TRAFFIC FOR GZIP BINARY:
- 207.154.202.192 port 80 – lionafuyesas.com – GET / HTTP/1.1
ICEDID C2:
- 45.147.229.196 port 443 – empladeefly.wiki – HTTPS traffic
- 212.46.38.48 port 443 – colorsuckbeh.com – HTTPS traffic
- 128.199.120.41 port 443 – dromfiregreti.com – HTTPS traffic
- 5.252.177.233 port 443 – autobrag.cloud – HTTPS traffic
- 5.199.173.27 port 443 – ferdianbanga.com – HTTPS traffic
COBALT STRIKE C2:
- 45.147.230.242 port 443 – yoretebi.com – HTTPS traffic
MALWARE AND ARTIFACTS:
PASSWORD PROTECTED ZIP AND EXTRACTED ISO:
- SHA256 hash: 9977013ff25deb2c9162232b3f0a82136b4d10d63161e1ddc8696c26bfdf0025
- File size: 114,431 bytes
- File name: Invoice_unpaid_08-31_documents_265.zip
- File description: Password-protected zip archive
- Password: 35942
- SHA256 hash: 272221763511b6eb09d62e9b18b48b682eb7940cdc7206c2bee472b46f4a6943
- File size: 1,900,544 bytes
- File name: Invoice_unpaid_08-31_documents_265.iso
- File description: ISO image extracted from password-protected zip archive
CONTENTS OF ISO IMAGE:
- SHA256 hash: 2c4c46deadeee55e74cbdf788485b418397c3bbfc599c0126beb2d211f538ce1
- File size: 1,218 bytes
- File location in ISO image: Document.lnk
- File description: Windows shortcut, only visible file in ISO image
- SHA256 hash: 604fb39be96c1d28c3b0d8e34c270059e2a4452782fa7f211a825e1761ea8497
- File size: 1,167 bytes
- File location in ISO image: sad\lexicon.bat
- File description: Batch file run by above Windows shortcut
- SHA256 hash: 38fa1fc2a23d94e17784eb807d98bb836713aec7db1c28aad0ab4b6e5764bf7e
- File size: 421,376 bytes
- File location in ISO image: sad\dumbfoundering.dll
- File description: 64-bit DLL installer for IcedID run by the above batch file
- Run method: rundll32.exe [filename],#1
FILES SEEN FOR THIS INFECTION:
- SHA256 hash: 338065f662d4096f2d6abc94e93c1d706404aad4ce4b192b4f295437c6f42b38
- File size: 754,107 bytes
- File location: hxxp://lionafuyesas.com/
- File description: Gzip file retrieved by IcedID DLL installer, used to create licence.dat & persistent IcedID DLL
- SHA256 hash: 1de8b101cf9f0fabc9f086bddb662c89d92c903c5db107910b3898537d4aa8e7
- File size: 342,218 bytes
- File location: C:\Users\[username]\AppData\Roaming\ErodeWeb\license.dat
- File description: data binary used to run persistent IcedID DLL
- Note: First submitted to VirusTotal on 2022-07-15
- Note: Different directory name under AppData\Roaming\ for each infection
- SHA256 hash: 3e8db60887adfbf7af20f7611b527f11620785e9eaeac188b0758c7ba82d3cf3
- File size: 411,136 bytes
- File location: C:\Users\[username]\AppData\Local\acucri\[username]\Epukcb1.dll
- File description: Persistent 64-bit DLL for IcedID
- Run method: rundll32.exe [filename],#1 –feul=”[path to license.dat]“
- Note: Different file hash for each infection
- Note: Different filename and directory path under AppData\Local\ or AppData\Roaming\ for each infection
to return to the main page.