SYMBOLCOMMON_NAMEaka. SYNONYMS
win.icedid (Back to overview)

IcedID

aka: BokBot, IceID

Actor(s): GOLD CABIN, Lunar Spider

VTCollection     URLhaus        

According to Proofpoint, IcedID (aka BokBot) is a malware originally classified as a banking malware and was first observed in 2017. It also acts as a loader for other malware, including ransomware. The well-known IcedID version consists of an initial loader which contacts a Loader C2 server, downloads the standard DLL Loader, which then delivers the standard IcedID Bot. IcedID is developed and operated by the actor named LUNAR SPIDER.

As previously published, historically there has been just one version of IcedID that has remained constant since 2017.
* In November 2022, Proofpoint researchers observed the first new variant of IcedID Proofpoint dubbed 'IcedID Lite' distributed as a follow-on payload in a TA542 Emotet campaign. It was dropped by the Emotet malware soon after the actor returned to the e-crime landscape after a nearly four-month break.
* The IcedID Lite Loader observed in November 2022 contains a static URL to download a 'Bot Pack' file with a static name (botpack.dat) which results in the IcedID Lite DLL Loader, and then delivers the Forked version of IcedID Bot, leaving out the webinjects and backconnect functionality that would typically be used for banking fraud.
* Starting in February 2023, Proofpoint observed the new Forked variant of IcedID. This variant was distributed by TA581 and one unattributed threat activity cluster which acted as initial access facilitators. The campaigns used a variety of email attachments such as Microsoft OneNote attachments and somewhat rare to see .URL attachments, which led to the Forked variant of IcedID.

References
2024-07-02SekoiaQuentin Bourgue
Exposing FakeBat loader: distribution methods and adversary infrastructure
BlackCat Royal Ransom EugenLoader Carbanak Cobalt Strike DICELOADER Gozi IcedID Lumma Stealer NetSupportManager RAT Pikabot RedLine Stealer SectopRAT Sliver SmokeLoader Vidar
2024-05-30EuropolEuropol
Largest ever operation against botnets hits dropper malware ecosystem
BumbleBee IcedID SmokeLoader SystemBC TrickBot
2024-05-16ElasticDaniel Stepanic, Samir Bousseaden
Spring Cleaning with LATRODECTUS: A Potential Replacement for ICEDID
IcedID Latrodectus
2024-04-29The DFIR ReportThe DFIR Report
From IcedID to Dagon Locker Ransomware in 29 Days
IcedID Mount Locker
2024-04-080x0d4y0x0d4y
IcedID – Technical Analysis of an IcedID Lightweight x64 DLL
IcedID
2024-04-04ProofpointProofpoint Threat Research Team, Team Cymru, TEAM CYMRU S2 THREAT RESEARCH
Latrodectus: This Spider Bytes Like Ice
IcedID Latrodectus
2024-04-01The DFIR ReportThe DFIR Report
From OneNote to RansomNote: An Ice Cold Intrusion
Cobalt Strike IcedID Nokoyawa Ransomware PhotoLoader
2024-03-17Technical EvolutionSimon
Carving the IcedId - Part 3
IcedID
2024-02-28Security IntelligenceGolo Mühr, Ole Villadsen
X-Force data reveals top spam trends, campaigns and senior superlatives in 2023
404 Keylogger Agent Tesla Black Basta DarkGate Formbook IcedID Loki Password Stealer (PWS) Pikabot QakBot Remcos
2024-02-15Department of JusticeOffice of Public Affairs
Foreign National Pleads Guilty to Role in Cybercrime Schemes Involving Tens of Millions of Dollars in Losses
Egregor IcedID Maze Zeus
2024-02-15Bleeping ComputerSergiu Gatlan
Zeus, IcedID malware gangs leader pleads guilty, faces 40 years in prison
Egregor IcedID Maze Zeus
2024-01-16Medium walmartglobaltechJason Reaves, Jonathan Mccay, Joshua Platt
Keyhole Analysis
IcedID Keyhole
2024-01-12SpamhausSpamhaus Malware Labs
Spamhaus Botnet Threat Update Q4 2023
FluBot Hook FAKEUPDATES AsyncRAT BianLian Cobalt Strike DCRat Havoc IcedID Lumma Stealer Meterpreter NjRAT Pikabot QakBot Quasar RAT RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver
2024-01-090x0d4y0x0d4y
IcedID – Technical Malware Analysis [Second Stage]
IcedID PhotoLoader
2023-10-12NetresecErik Hjelmvik
Forensic Timeline of an IcedID Infection
Cobalt Strike IcedID IcedID Downloader
2023-10-12SpamhausSpamhaus Malware Labs
Spamhaus Botnet Threat Update Q3 2023
FluBot AsyncRAT Ave Maria Cobalt Strike DCRat Havoc IcedID ISFB Nanocore RAT NjRAT QakBot Quasar RAT RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Stealc Tofsee Vidar
2023-08-28The DFIR ReportThe DFIR Report
HTML Smuggling Leads to Domain Wide Ransomware
Cobalt Strike IcedID Nokoyawa Ransomware
2023-07-28Team CymruS2 Research Team
Inside the IcedID BackConnect Protocol (Part 2)
IcedID
2023-07-11SpamhausSpamhaus Malware Labs
Spamhaus Botnet Threat Update Q2 2023
Hydra AsyncRAT Aurora Stealer Ave Maria BumbleBee Cobalt Strike DCRat Havoc IcedID ISFB NjRAT QakBot Quasar RAT RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Tofsee
2023-06-10The DFIR ReportThe DFIR Report
IcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment
BlackCat Cobalt Strike IcedID
2023-05-30Palo Alto Networks Unit 42Brad Duncan
Cold as Ice: Answers to Unit 42 Wireshark Quiz for IcedID
IcedID PhotoLoader
2023-05-22The DFIR ReportThe DFIR Report
IcedID Macro Ends in Nokoyawa Ransomware
IcedID Nokoyawa Ransomware PhotoLoader
2023-05-21Github (0xThiebaut)Maxime Thiebaut
PCAPeek
IcedID QakBot
2023-05-04ElasticCyril François
Unpacking ICEDID
IcedID PhotoLoader
2023-05-03Palo Alto Networks Unit 42Bob Jung, Daniel Raygoza, Mark Lim
Teasing the Secrets From Threat Actors: Malware Configuration Parsing at Scale
IcedID PhotoLoader
2023-05-03unpac.meSean Wilson
UnpacMe Weekly: New Version of IcedId Loader
IcedID PhotoLoader
2023-05-02loginsoftSystem-41
IcedID Malware: Traversing Through its Various Incarnations
IcedID
2023-04-28DISCARDED PodcastJoe Wise, Pim Trouerbach
Beyond Banking: IcedID Gets Forked
IcedID PhotoLoader
2023-04-21SophosColin Cowie, Paul Jaramillo
IcedID: Defrosting a Recent Campaign Illustrating evolving tactics and shared infrastructure
IcedID PhotoLoader
2023-04-12SANS ISCBrad Duncan
Recent IcedID (Bokbot) activity
IcedID
2023-04-12InfoSec Handlers Diary BlogBrad Duncan
Recent IcedID (Bokbot) activity
IcedID PhotoLoader
2023-04-12SpamhausSpamhaus Malware Labs
Spamhaus Botnet Threat Update Q1 2023
FluBot Amadey AsyncRAT Aurora Ave Maria BumbleBee Cobalt Strike DCRat Emotet IcedID ISFB NjRAT QakBot RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Tofsee Vidar
2023-04-11Twitter (@Unit42_Intel)Unit42
Tweet on change of IcedID backconnect traffic port from 8080 to 443
IcedID
2023-04-03The DFIR ReportThe DFIR Report
Malicious ISO File Leads to Domain Wide Ransomware
Cobalt Strike IcedID Mount Locker
2023-03-30loginsoftSaharsh Agrawal
From Innocence to Malice: The OneNote Malware Campaign Uncovered
Agent Tesla AsyncRAT DOUBLEBACK Emotet Formbook IcedID NetWire RC QakBot Quasar RAT RedLine Stealer XWorm
2023-03-27ProofpointJoe Wise, Kelsey Merriman, Pim Trouerbach
Fork in the Ice: The New Era of IcedID
IcedID PHOTOFORK PHOTOLITE PhotoLoader
2023-03-20NVISO LabsMaxime Thiebaut
IcedID’s VNC Backdoors: Dark Cat, Anubis & Keyhole
IcedID
2023-03-17ElasticCyril François, Daniel Stepanic
Thawing the permafrost of ICEDID Summary
IcedID PhotoLoader
2023-03-01ZscalerMeghraj Nandanwar, Shatak Jain
OneNote: A Growing Threat for Malware Distribution
AsyncRAT Cobalt Strike IcedID QakBot RedLine Stealer
2023-02-28Intel 471Intel 471
Malvertising Surges to Distribute Malware
EugenLoader BATLOADER IcedID
2023-02-27PRODAFT Threat IntelligencePRODAFT
RIG Exploit Kit: In-Depth Analysis
Dridex IcedID ISFB PureCrypter Raccoon RecordBreaker RedLine Stealer Royal Ransom Silence SmokeLoader Zloader
2023-02-24Team CymruTeam Cymru
Desde Chile con Malware (From Chile with Malware)
IcedID PhotoLoader
2023-02-15NetresecErik Hjelmvik
How to Identify IcedID Network Traffic
IcedID
2023-01-20BlackberryBlackBerry Research & Intelligence Team
Emotet Returns With New Methods of Evasion
Emotet IcedID
2023-01-09IntrinsecCTI Intrinsec, Intrinsec
Emotet returns and deploys loaders
BumbleBee Emotet IcedID PHOTOLITE
2022-12-23TrendmicroIan Kenefick
IcedID Botnet Distributors Abuse Google PPC to Distribute Malware
IcedID
2022-12-21Team CymruS2 Research Team
Inside the IcedID BackConnect Protocol
IcedID
2022-12-18ZAYOTEMBerkay DOĞAN, Dilara BEHAR, Rabia EKŞİ, Zafer Yiğithan DERECİ
IcedID Technical Analysis Report
IcedID
2022-12-15ISCBrad Duncan
Google ads lead to fake software pages pushing IcedID (Bokbot)
IcedID
2022-12-06EuRepoCCamille Borrett, Kerstin Zettl-Schabath, Lena Rottinger
Conti/Wizard Spider
BazarBackdoor Cobalt Strike Conti Emotet IcedID Ryuk TrickBot WIZARD SPIDER
2022-11-14Twitter (@embee_research)Matthew
Twitter thread on Yara Signatures for Qakbot Encryption Routines
IcedID QakBot
2022-10-31ElasticAndrew Pease, Daniel Stepanic, Derek Ditch, Seth Goodwin
ICEDIDs network infrastructure is alive and well
IcedID
2022-10-12NetresecErik Hjelmvik
IcedID BackConnect Protocol
IcedID
2022-10-07Team CymruS2 Research Team
A Visualizza into Recent IcedID Campaigns: Reconstructing Threat Actor Metrics with Pure Signal™ Recon
IcedID PhotoLoader
2022-09-07GoogleGoogle Threat Analysis Group, Pierre-Marc Bureau
Initial access broker repurposing techniques in targeted attacks against Ukraine
AnchorMail Cobalt Strike IcedID
2022-09-01Medium michaelkoczwaraMichael Koczwara
Hunting C2/Adversaries Infrastructure with Shodan and Censys
Brute Ratel C4 Cobalt Strike Deimos GRUNT IcedID Merlin Meterpreter Nighthawk PoshC2 Sliver
2022-08-12SANS ISCBrad Duncan
Monster Libra (TA551/Shathak) pushes IcedID (Bokbot) with Dark VNC and Cobalt Strike
Cobalt Strike DarkVNC IcedID
2022-08-04Medium walmartglobaltechJason Reaves, Joshua Platt
IcedID leverages PrivateLoader
IcedID PrivateLoader
2022-07-27SANS ISCBrad Duncan
IcedID (Bokbot) with Dark VNC and Cobalt Strike
DarkVNC IcedID
2022-07-18Palo Alto Networks Unit 42Unit 42
Monster Libra
Valak IcedID GOLD CABIN
2022-07-17ResecurityResecurity
Shortcut-Based (LNK) Attacks Delivering Malicious Code On The Rise
AsyncRAT BumbleBee Emotet IcedID QakBot
2022-07-07IBMCharlotte Hammond, Kat Weinberger, Ole Villadsen
Unprecedented Shift: The Trickbot Group is Systematically Attacking Ukraine
AnchorMail BumbleBee Cobalt Strike IcedID Meterpreter
2022-06-24Soc InvestigationBalaGanesh
IcedID Banking Trojan returns with new TTPS – Detection & Response
IcedID
2022-06-21McAfeeLakshya Mathur
Rise of LNK (Shortcut files) Malware
BazarBackdoor Emotet IcedID QakBot
2022-05-30Matthieu Walter
Automatically Unpacking IcedID Stage 1 with Angr
IcedID
2022-05-19IBMCharlotte Hammond, Golo Mühr, Ole Villadsen
ITG23 Crypters Highlight Cooperation Between Cybercriminal Groups
IcedID ISFB Mount Locker WIZARD SPIDER
2022-05-17Trend MicroTrend Micro Research
Ransomware Spotlight: RansomEXX
LaZagne Cobalt Strike IcedID MimiKatz PyXie RansomEXX TrickBot
2022-05-12Intel 471Intel 471
What malware to look for if you want to prevent a ransomware attack
Conti BumbleBee Cobalt Strike IcedID Sliver
2022-05-11InfoSec Handlers Diary BlogBrad Duncan
TA578 using thread-hijacked emails to push ISO files for Bumblebee malware
BumbleBee Cobalt Strike IcedID PhotoLoader
2022-05-09CybereasonLior Rochberger
Cybereason vs. Quantum Locker Ransomware
IcedID Mount Locker
2022-05-09MicrosoftMicrosoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT
2022-05-04Twitter (@felixw3000)Felix
Twitter Thread with info on infection chain with IcedId, Cobalt Strike, and Hidden VNC.
Cobalt Strike IcedID PhotoLoader
2022-04-28SymantecKarthikeyan C Kasiviswanathan, Vishal Kamble
Ransomware: How Attackers are Breaching Corporate Networks
AvosLocker Conti Emotet Hive IcedID PhotoLoader QakBot TrickBot
2022-04-26Intel 471Intel 471
Conti and Emotet: A constantly destructive duo
Cobalt Strike Conti Emotet IcedID QakBot TrickBot
2022-04-25The DFIR ReportThe DFIR Report
Quantum Ransomware
Cobalt Strike IcedID
2022-04-17BushidoToken BlogBushidoToken
Lessons from the Conti Leaks
BazarBackdoor Conti Emotet IcedID Ryuk TrickBot
2022-04-14Bleeping ComputerBill Toulas
Hackers target Ukrainian govt with IcedID malware, Zimbra exploits
IcedID
2022-04-14Cert-UACert-UA
Cyberattack on Ukrainian state organizations using IcedID malware (CERT-UA#4464)
IcedID
2022-04-04The DFIR Report@0xtornado, @MettalicHack, @yatinwad, @_pete_0
Stolen Images Campaign Ends in Conti Ransomware
Conti IcedID
2022-03-31TrellixJambul Tologonov, John Fokker
Conti Leaks: Examining the Panama Papers of Ransomware
LockBit Amadey Buer Conti IcedID LockBit Mailto Maze PhotoLoader Ryuk TrickBot
2022-03-29Threat PostElizabeth Montalbano
Exchange Servers Speared in IcedID Phishing Campaign
IcedID
2022-03-28Bleeping ComputerBill Toulas
Microsoft Exchange targeted for IcedID reply-chain hijacking attacks
IcedID
2022-03-28FortinetFred Gutierrez, James Slaughter, Val Saengphaibul
Spoofed Invoice Used to Drop IcedID
IcedID
2022-03-28IntezerJoakim Kennedy, Ryan Robinson
New Conversation Hijacking Campaign Delivering IcedID
IcedID PhotoLoader
2022-03-23SecureworksCounter Threat Unit ResearchTeam
Threat Intelligence Executive Report Volume 2022, Number 2
Conti Emotet IcedID TrickBot
2022-03-23SecureworksCounter Threat Unit ResearchTeam
GOLD ULRICK Leaks Reveal Organizational Structure and Relationships
Conti Emotet IcedID TrickBot
2022-03-21eSentireeSentire Threat Response Unit (TRU)
Conti Affiliate Exposed: New Domain Names, IP Addresses and Email Addresses Uncovered
HelloKitty BazarBackdoor Cobalt Strike Conti FiveHands HelloKitty IcedID
2022-03-17Github (eln0ty)Abdallah Elnoty
IcedID Analysis
IcedID
2022-03-17Trend MicroTrend Micro Research
Navigating New Frontiers Trend Micro 2021 Annual Cybersecurity Report
REvil BazarBackdoor Buer IcedID QakBot REvil
2022-03-09nikpxxors
BokBot Technical Analysis
IcedID
2022-02-22eSentireeSentire Threat Response Unit (TRU)
IcedID to Cobalt Strike In Under 20 Minutes
Cobalt Strike IcedID PhotoLoader
2022-02-10CybereasonCybereason Global SOC Team
Threat Analysis Report: All Paths Lead to Cobalt Strike - IcedID, Emotet and QBot
Cobalt Strike Emotet IcedID QakBot
2022-01-18Recorded FutureInsikt Group®
2021 Adversary Infrastructure Report
BazarBackdoor Cobalt Strike Dridex IcedID QakBot TrickBot
2022-01-01forensicitguyTony Lambert
Analyzing an IcedID Loader Document
IcedID
2021-12-16InfoSec Handlers Diary BlogBrad Duncan
How the "Contact Forms" campaign tricks people
IcedID
2021-12-03SANS ISC InfoSec ForumsBrad Duncan
TA551 (Shathak) pushes IcedID (Bokbot)
IcedID
2021-11-16IronNetIronNet Threat Research, Joey Fitzpatrick, Morgan Demboski, Peter Rydzynski
How IronNet's Behavioral Analytics Detect REvil and Conti Ransomware
Cobalt Strike Conti IcedID REvil
2021-11-12Recorded FutureInsikt Group®
The Business of Fraud: Botnet Malware Dissemination
Mozi Dridex IcedID QakBot TrickBot
2021-11-04splunkSplunk Threat Research Team
Detecting IcedID... Could It Be A Trickbot Copycat?
IcedID
2021-11-03Team Cymrutcblogposts
Webinject Panel Administration: A Vantage Point into Multiple Threat Actor Campaigns - A Case Study on the Value of Threat Reconnaisance
DoppelDridex IcedID QakBot Zloader
2021-10-18The DFIR ReportThe DFIR Report
IcedID to XingLocker Ransomware in 24 hours
Cobalt Strike IcedID Mount Locker
2021-10-15Trend MicroFernando Mercês
Ransomware Operators Found Using New "Franchise" Business Model
Glupteba IcedID Mount Locker
2021-09-03Trend MicroMohamad Mokbel
The State of SSL/TLS Certificate Usage in Malware C&C Communications
AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader
2021-08-15SymantecThreat Hunter Team
The Ransomware Threat
Babuk BlackMatter DarkSide Avaddon Babuk BADHATCH BazarBackdoor BlackMatter Clop Cobalt Strike Conti DarkSide DoppelPaymer Egregor Emotet FiveHands FriedEx Hades IcedID LockBit Maze MegaCortex MimiKatz QakBot RagnarLocker REvil Ryuk TrickBot WastedLocker
2021-08-05Group-IBNikita Rostovcev, Viktor Okorokov
Prometheus TDS The key to success for Campo Loader, Hancitor, IcedID, and QBot
Prometheus Backdoor Buer campoloader Hancitor IcedID QakBot
2021-08-05The RecordCatalin Cimpanu
Meet Prometheus, the secret TDS behind some of today’s malware campaigns
Buer campoloader IcedID QakBot
2021-07-30HPPatrick Schläpfer
Detecting TA551 domains
Valak Dridex IcedID ISFB QakBot
2021-07-26vmwarePavankumar Chaudhari, Quentin Fois
Hunting IcedID and unpacking automation with Qiling
IcedID
2021-07-23Github (Lastline-Inc)Pavankumar Chaudhari, Quentin Fois
YARA rules, IOCs and Scripts for extracting IcedID C2s
IcedID
2021-07-19The DFIR ReportThe DFIR Report
IcedID and Cobalt Strike vs Antivirus
Cobalt Strike IcedID
2021-07-14Cerium NetworksBlumira
Threat of the Month: IcedID Malware
IcedID
2021-07-08vmwarePavankumar Chaudhari, Quentin Fois
IcedID: Analysis and Detection
IcedID
2021-06-30CynetMax Malyutin
Shelob Moonlight – Spinning a Larger Web From IcedID to CONTI, a Trojan and Ransomware collaboration
Conti IcedID
2021-06-24KasperskyAnton Kuzmenko
Malicious spam campaigns delivering banking Trojans
IcedID QakBot
2021-06-24SentinelOneMarco Figueroa
Evasive Maneuvers | Massive IcedID Campaign Aims For Stealth with Benign Macros
IcedID
2021-06-20The DFIR ReportThe DFIR Report
From Word to Lateral Movement in 1 Hour
Cobalt Strike IcedID
2021-06-16ProofpointDaniel Blackford, Garrett M. Graff, Selena Larson
The First Step: Initial Access Leads to Ransomware
BazarBackdoor Egregor IcedID Maze QakBot REvil Ryuk TrickBot WastedLocker TA570 TA575 TA577
2021-05-29Youtube (AhmedS Kasmani)AhmedS Kasmani
Analysis of ICEID Malware Installer DLL
IcedID
2021-05-26Check PointAlex Ilgayev
Melting Ice – Tracking IcedID Servers with a few simple steps
IcedID
2021-05-19Team CymruAndy Kraus, Josh Hopkins, Nick Byers
Tracking BokBot Infrastructure Mapping a Vast and Currently Active BokBot Network
IcedID
2021-05-18RECON INFOSECAndrew Cook
An Encounter With TA551/Shathak
IcedID
2021-05-17TelekomThomas Barabosch
Let’s set ice on fire: Hunting and detecting IcedID infections
IcedID
2021-05-17Github (telekom-security)Deutsche Telekom Security GmbH
icedid_analysis
IcedID
2021-05-12The DFIR Report
Conti Ransomware
Cobalt Strike Conti IcedID
2021-05-10MALWATIONmalwation
IcedID Malware Technical Analysis Report
IcedID
2021-04-19NetresecErik Hjelmvik
Analysing a malware PCAP with IcedID and Cobalt Strike traffic
Cobalt Strike IcedID
2021-04-17YouTube (Worcester DEFCON Group)Joel Snape, Nettitude
Inside IcedID: Anatomy Of An Infostealer
IcedID
2021-04-13Silent PushMartijn Grooten
Malicious infrastructure as a service
IcedID PhotoLoader QakBot
2021-04-12Trend MicroDon Ovid Ladores, Frankylnn Uy, Junestherry Salvador, Lala Manly, Raphael Centeno
A Spike in BazarCall and IcedID Activity Detected in March
BazarBackdoor IcedID
2021-04-114rchibld4rchibld
IcedID on my neck I’m the coolest
IcedID
2021-04-10Youtube (AhmedS Kasmani)AhmedS Kasmani
Malware Analysis: IcedID Banking Trojan JavaScript Dropper
IcedID
2021-04-09MicrosoftEmily Hacker, Justin Carroll, Microsoft 365 Defender Threat Intelligence Team
Investigating a unique “form” of email delivery for IcedID malware
IcedID
2021-04-09aaqeel01Ali Aqeel
IcedID Analysis
IcedID
2021-04-07UptycsAbhijit Mohanta, Ashwin Vamshi
IcedID campaign spotted being spiced with Excel 4 Macros
IcedID
2021-04-07MinervaMinerva Labs
IcedID - A New Threat In Office Attachments
IcedID
2021-04-01Reversing LabsRobert Simmons
Code Reuse Across Packers and DLL Loaders
IcedID SystemBC
2021-03-31Red CanaryRed Canary
2021 Threat Detection Report
Shlayer Andromeda Cobalt Strike Dridex Emotet IcedID MimiKatz QakBot TrickBot
2021-03-31Silent PushMartijn Grooten
IcedID Command and Control Infrastructure
IcedID PhotoLoader
2021-03-29The DFIR ReportThe DFIR Report
Sodinokibi (aka REvil) Ransomware
Cobalt Strike IcedID REvil
2021-03-12Binary DefenseJames Quinn
IcedID GZIPLOADER Analysis
IcedID
2021-03-04F5Dor Nizar, Roy Moshailov
IcedID Banking Trojan Uses COVID-19 Pandemic to Lure New Victims
IcedID
2021-03-01Group-IBOleg Skulkin, Roman Rezvukhin, Semyon Rogachev
Ransomware Uncovered 2020/2021
RansomEXX BazarBackdoor Buer Clop Conti DoppelPaymer Dridex Egregor IcedID Maze PwndLocker QakBot RansomEXX REvil Ryuk SDBbot TrickBot Zloader
2021-02-26CrowdStrikeEric Loui, Sergei Frankoff
Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact
DarkSide RansomEXX Griffon Carbanak Cobalt Strike DarkSide IcedID MimiKatz PyXie RansomEXX REvil
2021-02-25FireEyeBrendan McKeague, Bryce Abdo, Van Ta
So Unchill: Melting UNC2198 ICEDID to Ransomware Operations
MOUSEISLAND Cobalt Strike Egregor IcedID Maze SystemBC
2021-02-23CrowdStrikeCrowdStrike
2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader Evilnum OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2021-02-03Mimecast, Nettitude
TA551/Shathak Threat Research
IcedID
2021-02-02CRONUPGermán Fernández
De ataque con Malware a incidente de Ransomware
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DanaBot Dharma Dridex Egregor Emotet Empire Downloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX REvil Ryuk SDBbot SmokeLoader TrickBot Zloader
2021-01-19Medium elis531989Eli Salem
Funtastic Packers And Where To Find Them
Get2 IcedID QakBot
2021-01-19Palo Alto Networks Unit 42Brad Duncan
Wireshark Tutorial: Examining Emotet Infection Traffic
Emotet GootKit IcedID QakBot TrickBot
2021-01-18tccontre Blogtcontre
Extracting Shellcode in ICEID .PNG Steganography
IcedID
2021-01-09Marco Ramilli's BlogMarco Ramilli
Command and Control Traffic Patterns
ostap LaZagne Agent Tesla Azorult Buer Cobalt Strike DanaBot DarkComet Dridex Emotet Formbook IcedID ISFB NetWire RC PlugX Quasar RAT SmokeLoader TrickBot
2021-01-07Palo Alto Networks Unit 42Brad Duncan
TA551: Email Attack Campaign Switches from Valak to IcedID
IcedID
2021-01-01AWAKEAwake Security
Breaking the Ice: Detecting IcedID and Cobalt Strike Beacon with Network Detection and Response (NDR)
Cobalt Strike IcedID PhotoLoader
2020-12-10NRI SECURENeoSOC
マルウェア「IcedID」の検知傾向と感染に至るプロセスを徹底解説
IcedID
2020-12-09CiscoCaitlin Huey, David Liebenberg
Quarterly Report: Incident Response trends from Fall 2020
Cobalt Strike IcedID Maze RansomEXX Ryuk
2020-12-09MicrosoftMicrosoft 365 Defender Research Team
EDR in block mode stops IcedID cold
IcedID
2020-12-02CyberIntCyberint Research
IcedID Stealer Man-in-the-browser Banking Trojan
IcedID
2020-11-26CybereasonCybereason Nocturnus, Lior Rochberger
Cybereason vs. Egregor Ransomware
Cobalt Strike Egregor IcedID ISFB QakBot
2020-09-29MicrosoftMicrosoft
Microsoft Digital Defense Report
Emotet IcedID Mailto Maze QakBot REvil RobinHood TrickBot
2020-08-16kienmanowar Blogm4n0w4r
Manual Unpacking IcedID Write-up
IcedID
2020-08-12JuniperPaul Kimayong
IcedID Campaign Strikes Back
IcedID
2020-08-10tccontre Blogtccontre
Learning From ICEID loader - Including its Steganography Payload Parsing
IcedID
2020-07-30SpamhausSpamhaus Malware Labs
Spamhaus Botnet Threat Update Q2 2020
AdWind Agent Tesla Arkei Stealer AsyncRAT Ave Maria Azorult DanaBot Emotet IcedID ISFB KPOT Stealer Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Pony Raccoon RedLine Stealer Remcos Zloader
2020-07-01Cisco TalosEdmund Brumaghin, Mariano Graziano, Nick Biasini
Threat Spotlight: Valak Slithers Its Way Into Manufacturing and Transportation Networks
Valak IcedID ISFB MyKings Spreader
2020-06-22zero2autoDaniel Bunce
Unpacking Visual Basic Packers – IcedID
IcedID
2020-06-18JuniperPaul Kimayong
COVID-19 and FMLA Campaigns used to install new IcedID banking malware
IcedID
2020-06-17Github (f0wl)Marius Genheimer
deICEr: A Go tool for extracting config from IcedID second stage Loaders
IcedID
2020-05-29Group-IBIvan Pisarev
IcedID: When ice burns through bank accounts
IcedID
2020-03-04CrowdStrikeCrowdStrike
2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER
2020-02-18Sophos LabsLuca Nagy
Nearly a quarter of malware now communicates using TLS
Dridex IcedID TrickBot
2020-01-22Thomas Barabosch
The malware analyst’s guide to PE timestamps
Azorult Gozi IcedID ISFB LOLSnif SUNBURST TEARDROP
2020-01-01SecureworksSecureWorks
GOLD SWATHMORE
GlobeImposter Gozi IcedID TrickBot LUNAR SPIDER
2019-12-18Github (psrok1)Paweł Srokosz
IcedID PNG Extractor
IcedID
2019-12-12FireEyeChi-en Shen, Oleg Bondarenko
Cyber Threat Landscape in Japan – Revealing Threat in the Shadow
Cerberus TSCookie Cobalt Strike Dtrack Emotet Formbook IcedID Icefog IRONHALO Loki Password Stealer (PWS) PandaBanker PLEAD poisonplug TrickBot BlackTech
2019-12-03MalwarebytesThreat Intelligence Team
New version of IcedID Trojan uses steganographic payloads
IcedID
2019-07-09FortinetKai Lu
A Deep Dive Into IcedID Malware: Part I - Unpacking, Hooking and Process Injection
IcedID
2019-06-25Dawid Golak
IcedID aka #Bokbot Analysis with Ghidra
IcedID
2019-06-16FortinetKai Lu
A Deep Dive Into IcedID Malware: Part II - Analysis of the Core IcedID Payload (Parent Process)
IcedID
2019-04-04SecurityIntelligenceLimor Kessem, Nir Somech
IcedID Banking Trojan Spruces Up Injection Tactics to Add Stealth
IcedID
2019-03-21CrowdStrikeJames Scalise, Shaun Hurley
Interception: Dissecting BokBot’s “Man in the Browser”
IcedID
2019-02-15CrowdStrikeBex Hartley, Brendon Feeley
“Sin”-ful SPIDERS: WIZARD SPIDER and LUNAR SPIDER Sharing the Same Web
Dyre IcedID TrickBot Vawtrak LUNAR SPIDER WIZARD SPIDER
2019-02-06SecurityIntelligenceItzik Chimino, Limor Kessem, Ophir Harpaz
IcedID Operators Using ATSEngine Injection Panel to Hit E-Commerce Sites
IcedID
2019-01-03CrowdStrikeJames Scalise, Shaun Hurley
Digging into BokBot’s Core Module
IcedID
2018-11-09Youtube (OALabs)Sean Wilson, Sergei Frankoff
Reverse Engineering IcedID / Bokbot Malware Part 2
IcedID
2018-10-26Youtube (OALabs)Sergei Frankoff
Unpacking Bokbot / IcedID Malware - Part 1
IcedID
2018-09-07Vitali Kremez
Let's Learn: Deeper Dive into "IcedID"/"BokBot" Banking Malware: Part 1
IcedID
2018-08-09Fox-ITAlfred Klason
Bokbot: The (re)birth of a banker
IcedID Vawtrak
2018-04-10Cisco TalosDaphne Galme, Michael Gorelik, Ross Gibb
IcedID Banking Trojan Teams up with Ursnif/Dreambot for Distribution
IcedID
2017-11-14Digital GuardianChris Brook
IceID Banking Trojan Targeting Banks, Payment Card Providers, E-Commerce Sites
IcedID
2017-11-13IntezerJay Rosenberg
IcedID Banking Trojan Shares Code with Pony 2.0 Trojan
IcedID IcedID Downloader
2017-11-13SecurityIntelligenceLimor Kessem, Maor Wiesen, Tal Darsan, Tomer Agayev
New Banking Trojan IcedID Discovered by IBM X-Force Research
IcedID IcedID Downloader
Yara Rules
[TLP:WHITE] win_icedid_auto (20241030 | Detects win.icedid.)
rule win_icedid_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2024-10-31"
        version = "1"
        description = "Detects win.icedid."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.icedid"
        malpedia_rule_date = "20241030"
        malpedia_hash = "26e26953c49c8efafbf72a38076855d578e0a2e4"
        malpedia_version = "20241030"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 85ff 7418 c60700 47 57 ff15???????? }
            // n = 6, score = 1300
            //   85ff                 | test                edi, edi
            //   7418                 | je                  0x1a
            //   c60700               | mov                 byte ptr [edi], 0
            //   47                   | inc                 edi
            //   57                   | push                edi
            //   ff15????????         |                     

        $sequence_1 = { 6905????????e8030000 50 ff35???????? ff15???????? }
            // n = 4, score = 1300
            //   6905????????e8030000     |     
            //   50                   | push                eax
            //   ff35????????         |                     
            //   ff15????????         |                     

        $sequence_2 = { 740c 50 ff15???????? 33c0 40 eb11 }
            // n = 6, score = 1300
            //   740c                 | je                  0xe
            //   50                   | push                eax
            //   ff15????????         |                     
            //   33c0                 | xor                 eax, eax
            //   40                   | inc                 eax
            //   eb11                 | jmp                 0x13

        $sequence_3 = { ff15???????? 8bf7 8bc6 eb02 33c0 }
            // n = 5, score = 1300
            //   ff15????????         |                     
            //   8bf7                 | mov                 esi, edi
            //   8bc6                 | mov                 eax, esi
            //   eb02                 | jmp                 4
            //   33c0                 | xor                 eax, eax

        $sequence_4 = { 0fb605???????? 0fb60d???????? 50 0fb605???????? 50 0fb605???????? 50 }
            // n = 7, score = 1300
            //   0fb605????????       |                     
            //   0fb60d????????       |                     
            //   50                   | push                eax
            //   0fb605????????       |                     
            //   50                   | push                eax
            //   0fb605????????       |                     
            //   50                   | push                eax

        $sequence_5 = { 7413 ff36 6a08 ff15???????? 50 ff15???????? }
            // n = 6, score = 1300
            //   7413                 | je                  0x15
            //   ff36                 | push                dword ptr [esi]
            //   6a08                 | push                8
            //   ff15????????         |                     
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_6 = { ff15???????? 85c0 7420 837c241000 }
            // n = 4, score = 1300
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7420                 | je                  0x22
            //   837c241000           | cmp                 dword ptr [esp + 0x10], 0

        $sequence_7 = { 7427 6a3b 56 ff15???????? }
            // n = 4, score = 1300
            //   7427                 | je                  0x29
            //   6a3b                 | push                0x3b
            //   56                   | push                esi
            //   ff15????????         |                     

        $sequence_8 = { e8???????? 8bf0 8d45fc 50 ff75fc 6a05 }
            // n = 6, score = 1000
            //   e8????????           |                     
            //   8bf0                 | push                edi
            //   8d45fc               | push                ebx
            //   50                   | not                 eax
            //   ff75fc               | and                 eax, dword ptr [ebp - 4]
            //   6a05                 | mov                 esp, ebp

        $sequence_9 = { 8b542414 0302 833800 759f }
            // n = 4, score = 800
            //   8b542414             | inc                 edi
            //   0302                 | add                 ebx, 2
            //   833800               | cmp                 edi, ebp
            //   759f                 | jb                  0xffffffcb

        $sequence_10 = { 47 83c302 3bfd 72c4 8b542414 0302 }
            // n = 6, score = 800
            //   47                   | add                 esp, 0x14
            //   83c302               | inc                 edi
            //   3bfd                 | cmp                 edi, dword ptr [eax + 0x20]
            //   72c4                 | jb                  0xffffffd7
            //   8b542414             | test                edx, edx
            //   0302                 | je                  0x56

        $sequence_11 = { 8b12 85d2 7454 8d6af8 d1ed 6a00 5f }
            // n = 7, score = 800
            //   8b12                 | and                 eax, dword ptr [ebp - 4]
            //   85d2                 | mov                 esp, ebp
            //   7454                 | pop                 ebp
            //   8d6af8               | ret                 
            //   d1ed                 | push                ebp
            //   6a00                 | not                 eax
            //   5f                   | and                 eax, dword ptr [ebp - 4]

        $sequence_12 = { 83c414 47 3b7820 72d1 }
            // n = 4, score = 800
            //   83c414               | mov                 edx, dword ptr [edx]
            //   47                   | test                edx, edx
            //   3b7820               | je                  0x58
            //   72d1                 | lea                 ebp, [edx - 8]

        $sequence_13 = { 3b7820 72d1 5b 33c0 40 5f }
            // n = 6, score = 800
            //   3b7820               | je                  0x56
            //   72d1                 | lea                 ebp, [edx - 8]
            //   5b                   | shr                 ebp, 1
            //   33c0                 | push                0
            //   40                   | shr                 ebp, 1
            //   5f                   | push                0

        $sequence_14 = { 0fb713 8954241c 66c16c241c0c 0fb7d2 }
            // n = 4, score = 800
            //   0fb713               | lea                 eax, [ebp - 4]
            //   8954241c             | push                eax
            //   66c16c241c0c         | push                dword ptr [ebp - 4]
            //   0fb7d2               | push                5

        $sequence_15 = { 8d4508 50 0fb6440b34 50 }
            // n = 4, score = 800
            //   8d4508               | mov                 esp, ebp
            //   50                   | pop                 ebp
            //   0fb6440b34           | ret                 
            //   50                   | push                ebp

        $sequence_16 = { a808 75f5 a804 7406 }
            // n = 4, score = 400
            //   a808                 | test                al, 8
            //   75f5                 | jne                 0xfffffff7
            //   a804                 | test                al, 4
            //   7406                 | je                  8

        $sequence_17 = { ff15???????? 85c0 750a b8010000c0 e9???????? }
            // n = 5, score = 400
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   750a                 | jne                 0xc
            //   b8010000c0           | mov                 eax, 0xc0000001
            //   e9????????           |                     

        $sequence_18 = { ff5010 85c0 7407 33c0 }
            // n = 4, score = 400
            //   ff5010               | call                dword ptr [eax + 0x10]
            //   85c0                 | test                eax, eax
            //   7407                 | je                  9
            //   33c0                 | xor                 eax, eax

        $sequence_19 = { 85c9 7408 48 8b03 }
            // n = 4, score = 200
            //   85c9                 | test                ecx, ecx
            //   7408                 | je                  0xa
            //   48                   | dec                 eax
            //   8b03                 | mov                 eax, dword ptr [ebx]

        $sequence_20 = { ff15???????? 4d 85ff 7414 ff15???????? }
            // n = 5, score = 200
            //   ff15????????         |                     
            //   4d                   | dec                 ebp
            //   85ff                 | test                edi, edi
            //   7414                 | je                  0x16
            //   ff15????????         |                     

        $sequence_21 = { 33c0 c74424200e000f00 4c 8d486b ff5018 85c0 7593 }
            // n = 7, score = 200
            //   33c0                 | xor                 eax, eax
            //   c74424200e000f00     | mov                 dword ptr [esp + 0x20], 0xf000e
            //   4c                   | dec                 esp
            //   8d486b               | lea                 ecx, [eax + 0x6b]
            //   ff5018               | call                dword ptr [eax + 0x18]
            //   85c0                 | test                eax, eax
            //   7593                 | jne                 0xffffff95

        $sequence_22 = { 8b442420 48 8b4c2428 8a09 }
            // n = 4, score = 200
            //   8b442420             | mov                 eax, dword ptr [esp + 0x20]
            //   48                   | dec                 eax
            //   8b4c2428             | mov                 ecx, dword ptr [esp + 0x28]
            //   8a09                 | mov                 cl, byte ptr [ecx]

        $sequence_23 = { 8b44480c 8b0c48 48 034f10 48 035728 ff15???????? }
            // n = 7, score = 200
            //   8b44480c             | mov                 eax, dword ptr [eax + ecx*2 + 0xc]
            //   8b0c48               | mov                 ecx, dword ptr [eax + ecx*2]
            //   48                   | dec                 eax
            //   034f10               | add                 ecx, dword ptr [edi + 0x10]
            //   48                   | dec                 eax
            //   035728               | add                 edx, dword ptr [edi + 0x28]
            //   ff15????????         |                     

        $sequence_24 = { ff15???????? 488d5702 488bce ff15???????? }
            // n = 4, score = 100
            //   ff15????????         |                     
            //   488d5702             | dec                 eax
            //   488bce               | lea                 edx, [edi + 2]
            //   ff15????????         |                     

        $sequence_25 = { 44334c2440 48897c2438 4885ff 746b }
            // n = 4, score = 100
            //   44334c2440           | dec                 eax
            //   48897c2438           | mov                 ecx, esi
            //   4885ff               | inc                 esp
            //   746b                 | xor                 ecx, dword ptr [esp + 0x40]

        $sequence_26 = { ff15???????? 8bf8 85c0 7409 8b4c2478 }
            // n = 5, score = 100
            //   ff15????????         |                     
            //   8bf8                 | dec                 eax
            //   85c0                 | sub                 esp, 0x40
            //   7409                 | xor                 edi, edi
            //   8b4c2478             | dec                 ebp

        $sequence_27 = { 7506 ff15???????? 80bb8000000040 0f8577ffffff }
            // n = 4, score = 100
            //   7506                 | xor                 edx, edx
            //   ff15????????         |                     
            //   80bb8000000040       | dec                 eax
            //   0f8577ffffff         | test                edi, edi

        $sequence_28 = { 7409 8b4c2478 493b0e 741e }
            // n = 4, score = 100
            //   7409                 | je                  0x1f
            //   8b4c2478             | jmp                 0xffffffa3
            //   493b0e               | dec                 eax
            //   741e                 | mov                 esi, dword ptr [ebp + 0x290]

        $sequence_29 = { 488bf0 4885c0 750d ff15???????? 33c0 e9???????? 8bd7 }
            // n = 7, score = 100
            //   488bf0               | dec                 eax
            //   4885c0               | mov                 esi, dword ptr [ebp + 0x290]
            //   750d                 | dec                 eax
            //   ff15????????         |                     
            //   33c0                 | mov                 edi, dword ptr [esp + 0x38]
            //   e9????????           |                     
            //   8bd7                 | xor                 ecx, ecx

        $sequence_30 = { 488bb590020000 488b7c2438 33c9 33d2 4885ff 7411 }
            // n = 6, score = 100
            //   488bb590020000       | mov                 edi, eax
            //   488b7c2438           | test                eax, eax
            //   33c9                 | je                  0xd
            //   33d2                 | mov                 ecx, dword ptr [esp + 0x78]
            //   4885ff               | test                eax, eax
            //   7411                 | je                  0xb

        $sequence_31 = { 4883ec40 33ff 4d8bf0 482178d8 4c8bfa }
            // n = 5, score = 100
            //   4883ec40             | dec                 eax
            //   33ff                 | mov                 dword ptr [esp + 0x38], edi
            //   4d8bf0               | dec                 eax
            //   482178d8             | test                edi, edi
            //   4c8bfa               | je                  0x75

    condition:
        7 of them and filesize < 303104
}
Download all Yara Rules