2023-01-16 (MONDAY) - ICEDID (BOKBOT) INFECTION WITH BACKCONNECT TRAFFIC, VNC, AND COBALT STRIKE

NOTES:

- Big thanks to @pr0xylife for sharing the PDF sample on Malware Bazaar.

INFECTION CHAIN:

- email --> PDF attachment with firebasestorage link --> downloaded zip file --> extracted ISO --> 
  Windows shortcut runs IcedID installer --> IcedID C2 --> backconnect traffic --> VNC and Cobalt Strike

ASSOCIATED MALWARE:

- SHA256 hash: c2e3097e2de547d70f1d4543b51fdb0c016a066646e7d51b74ca4f29c69f5a85
- File size: 111,961 bytes
- File name: Scan_34262_INV.pdf
- File description: Email attachment, PDF file used to download password-protected zip archive below
- Sample available at: https://bazaar.abuse.ch/sample/c2e3097e2de547d70f1d4543b51fdb0c016a066646e7d51b74ca4f29c69f5a85/

- SHA256 hash: 778f1cbd036de33d6e6eb5b0face18c276732e365111bdfae447b30ccfebf8c5
- File size: 145,276 bytes
- File name: Document-2325.zip
- File location: hxxps://firebasestorage.googleapis[.]com/v0/b/atlantean-field-372418.appspot.com/o/vnnaLMV3ii%2FDocument-2325.zip?alt=media&token=3eb21a6e-77b3-453c-a091-cae359354173
- File description: Password-protected zip archive
- Password: 53842

- SHA256 hash: f96779056b8390e4329b2012fc1bf7bc7b55aca84665ba41c9e3674169080413
- File size: 1,441,792 bytes
- File name: Document-2325.iso
- File description: ISO image extracted from the above zip archive

CONTENTS OF ISO IMAGE:

- SHA256 hash: 377aaa472ab194cdd112cc225fcf56e37506685186df6e9508347bf9ae78d5fc
- File size: 1,978 bytes
- File name: REF_Scan_01-16.lnk
- File description: Windows shortcut

- SHA256 hash: 95c7ec322d35e25ed95ff77a0f7e05352158b6a5b921ebd93a06e37072d8e6ee
- File size: 1,503 bytes
- File name: raycatmady\vatphiefts.cmd
- File description: .cmd script run by above Windows shortcut

- SHA256 hash: c06805b6efd482c1a671ec60c1469e47772c8937ec0496f74e987276fa9020a5
- File size: 233,864 bytes
- File name: raycatmady\kickboxing.dat
- File description: 64-bit DLL for IcedID installer, run by above .cmd script

FILES FROM THE INFECTION:

- SHA256 hash: 0f08d92c3d1ffd8ca2555dbc08d0d90a88a6d02139897fcd33abb650c0a4a74c
- File size: 583,427 bytes
- File location: hxxp://dgormiugatox[.]com/
- File description: Gzip binary retrieved by IcedID installer

- SHA256 hash: 509628d0ce1f30b6ce77aa484fb687aa23fa9d7ee73ed929e149eee354b3a3b0
- File size: 352,906 bytes
- File location: C:\Users\[username]\AppData\Roaming\SupremeRail\license.dat
- File description: Data binary used to run persistent IcedID DLL

- SHA256 hash: 09d005017ec20c72934a64a507bb3f1165239d56c4edf95587ba7b8fdf13835d
- File size: 229,768 bytes
- File location: C:\Users\[username]\AppData\Roaming\Doaw3\Jopeqi\nifoedcm1.dl
- File description: 64-bit DLL for persistent IcedID infection
- Run method: rundll32.exe [filename],init --daebro="[path to license.dat]"

- SHA256 hash: 58e13af4b331aea02c255dbc64b0a1f224da0c6a7f587ff4fbd7b773edf392ac
- File size: 114,688 bytes
- File location: C:\ProgramData\p64.dll
- File description: 64-bit DLL for Cobalt Strike stager
- Run method: rundll32.exe [filename],DllRegisterServer
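The two run methods above (rundll32 loading a non-.dll file from AppData with an init export and a .dat argument, and rundll32 calling DllRegisterServer on a DLL in C:\ProgramData) are easy to hunt for in process-creation telemetry. The following is an added detection example, not part of the original notes: it runs three rules over constructed sample command lines (modelled on the run methods listed here, with a made-up username) and reports which rule each line trips. The command-line format and rule names are assumptions for the example.

```python
import re
from typing import Dict, List

# Constructed sample process-creation command lines (not real telemetry).
# The first two follow the run methods documented on this page; the last two
# are benign controls so the rules can be checked for false positives.
SAMPLE_EVENTS = [
    r'rundll32.exe C:\Users\alice\AppData\Roaming\Doaw3\Jopeqi\nifoedcm1.dl,init --daebro="C:\Users\alice\AppData\Roaming\SupremeRail\license.dat"',
    r'rundll32.exe C:\ProgramData\p64.dll,DllRegisterServer',
    r'rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL',
    r'C:\Program Files\Vendor\app.exe --update',
]

# rundll32 invocation: "<dll path>,<export> <arguments>"
RUNDLL32_RE = re.compile(r'(?i)rundll32(?:\.exe)?\s+"?([^",]+?)"?,(\w+)\s*(.*)$')

# Paths a standard user can write to and that rarely host legitimately
# registered DLLs: per-user AppData and the shared ProgramData directory.
USER_WRITABLE_RE = re.compile(r'(?i)^[a-z]:\\(?:Users\\[^\\]+\\AppData|ProgramData)\\')

# Export name plus a "--<flag>=<file>.dat" argument, as in the IcedID run method.
DAT_ARG_RE = re.compile(r'(?i)--\w+="?[^"]*\.dat"?')


def classify(event: str) -> List[str]:
    """Return the names of every rule the command line matches (empty if none)."""
    hits: List[str] = []
    m = RUNDLL32_RE.search(event)
    if not m:
        return hits
    dll_path, export, args = m.groups()
    user_writable = bool(USER_WRITABLE_RE.match(dll_path))

    # Rule 1: module loaded by rundll32 from a user-writable path does not
    # carry a .dll extension (e.g. nifoedcm1.dl).
    if user_writable and not dll_path.lower().endswith('.dll'):
        hits.append('rundll32_nonstandard_extension')

    # Rule 2: "init" export with a .dat file passed via a --flag argument,
    # the shape of the persistent IcedID launch.
    if export.lower() == 'init' and DAT_ARG_RE.search(args):
        hits.append('icedid_init_with_dat_argument')

    # Rule 3: DllRegisterServer called on a DLL living in AppData/ProgramData,
    # the shape of the Cobalt Strike stager launch.
    if user_writable and export == 'DllRegisterServer':
        hits.append('dllregisterserver_from_user_writable_path')
    return hits


def scan(events: List[str]) -> Dict[str, List[str]]:
    """Map each command line that trips at least one rule to its rule names."""
    results = {}
    for event in events:
        hits = classify(event)
        if hits:
            results[event] = hits
    return results


if __name__ == '__main__':
    for event, hits in scan(SAMPLE_EVENTS).items():
        print(', '.join(hits), '<-', event)
```

The rules deliberately key on the launch pattern (rundll32, export name, path class, file extension) rather than on the file names or hashes from this infection, so they keep firing when the DLL and .dat names are rotated; run them over your own process-creation logs after adapting the command-line parsing to your log format.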

INFECTION TRAFFIC:

ICEDID INSTALLER RETRIEVES GZIP BINARY:

- 168.100.10[.]178 port 80 - dgormiugatox[.]com - GET / HTTP/1.1 

ICEDID C2:

- 89.44.9[.]157 port 443 - ijoyzymama[.]com - HTTPS traffic
- 5.230.74[.]203 port 443 - felzater[.]lol - attempted TCP connections, unsuccessful
- 45.12.109[.]195 port 443 - siantdarik[.]lol - HTTPS traffic

BACKCONNECT TRAFFIC AND VNC:

- 51.195.169[.]87 port 8080

COBALT STRIKE TRAFFIC:

- 23.227.202[.]188 port 80 - clarkitservices[.]com - GET /wp-includes/br.jpg HTTP/1.1 
- 23.227.202[.]188 port 80 - clarkitservices[.]com - GET /ms?operation=false HTTP/1.1 
- 23.227.202[.]188 port 80 - clarkitservices[.]com - POST /FAQ HTTP/1.1  (application/x-www-form-urlencoded)

 
