2021-03-24-IOCs-for-IcedID-infection-with-Cobalt-Strike.txt
2021-03-24 (WEDNESDAY) - ICEDID (BOKBOT) INFECTION WITH COBALT STRIKE
REFERENCE:
- https://twitter.com/Unit42_Intel/status/1375111512478601216
NOTES:
- This infection took place in an Active Directory (AD) environment, and we saw traffic associated with Cobalt Strike activity after the initial IcedID infection.
- We often see follow-up activity like Cobalt Strike from IcedID and other malware families when testing in an AD environment. But when testing the same malware on stand-alone Windows hosts, we do not find Cobalt Strike.
CHAIN OF EVENTS:
- Email --> attached ZIP archive --> extracted Excel spreadsheet --> Enable macros --> installer DLL --> gzip compressed binary --> IcedID (Bokbot)
MALWARE FROM AN INFECTION:
- SHA256 hash: 03494593165c2e14643f692edf60ee67ba5983d814eea12d8ea7319eb1a28100
- File size: 208,386 bytes
- File name: Documents (478).xlsm
- File description: Example of Excel spreadsheet with macro for IcedID (Bokbot)
- SHA256 hash: 39022f8c0188179ac2459fb3757db51f61cd9657568ee79001c6f9501d85e84e
- File size: 67,416 bytes
- File location: hxxp://ovesf23knfg03eixqds[.]xyz/gf.gif
- File location: C:\Users\Public\connectfront.xref
- File description: Installer DLL for IcedID (Bokbot)
- Run method: regsvr32 -s C:\Users\Public\connectfront.xref
- SHA256 hash: f90ddca891da06aece3acf7e63070b4cb7d2c5acc0e52ad73b23ae795befd237
- File size: 386,379 bytes
- File location: hxxp://24savetonnofmaoney[.]xyz/
- File description: Binary with gzip compressed data used to create license.dat and IcedID DLL files
- SHA256 hash: 29d2a8344bd725d7a8b43cc77a82b3db57a5226ce792ac4b37e7f73ec468510e
- File size: 341,098 bytes
- File location: C:\Users\[username]\AppData\Roaming\LuxuryQuarter\license.dat
- File description: data binary needed to run the IcedID DLL files
- SHA256 hash: 6c2846b4ea908abb46663d6044a50012d42eed123bf47fe045f59f076104c92c
- File size: 45,056 bytes
- File location: C:\Users\[username]\AppData\Local\Temp\item_64.dat
- File description: initial IcedID DLL
- Run method: rundll32.exe [filename],update /i:"AreaArrest\license.dat"
- SHA256 hash: 5fe4d17b25fd66a417eb4f4fe1c9214f9410bb66937ad877295c938f318c2744
- File size: 45,056 bytes
- File location: C:\Users\[username]\AppData\Roaming\[username]\{9382BE5D-ADC1-386D-2E12-25BAA43199E2}\aruqsefu.dll
- File description: persistent IcedID DLL
- Run method: rundll32.exe [filename],update /i:"AreaArrest\license.dat"
TRAFFIC FROM AN INFECTION:
TRAFFIC TO RETRIEVE INSTALLER DLL:
- 8.209.98[.]100 port 80 - ovesf23knfg03eixqds[.]xyz - GET /gf.gif
TRAFFIC GENERATED BY RUNNING INSTALLER DLL:
- port 443 (HTTPS) - aws.amazon[.]com - GET / (connectivity check, not malicious)
- 164.90.163[.]184 port 80 - 24savetonnofmaoney[.]xyz - GET /
ICEDID (BOKBOT) C2 TRAFFIC:
- 138.68.10[.]5 port 443 - shaxtugel[.]fun
- 138.68.10[.]5 port 443 - kosmolitopor[.]space
COBALT STRIKE TRAFFIC:
- 66.70.246[.]6 port 443 - HTTPS traffic
- 66.70.246[.]6 port 443 - securityinstant[.]org - HTTPS traffic
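The list above is written for analysts, defanged with "[.]" and "hxxp". The script below is an added example, not part of the original IOC file or of any tool it mentions: it parses a subset of the indicators copied from the list (hashes, IPs, domains) back into comparable values, flags the regsvr32/rundll32 run methods shown above by their two visible traits (a module without a .dll extension, a module under a user-writable path), and runs both checks over constructed sample telemetry. The events in SAMPLE_EVENTS, the user name "alice" and the benign msxml3.dll command line are constructed for illustration.

```python
"""Turn the IOC list above into machine-checkable indicators and run them over
constructed sample telemetry.

Added example for this page; not part of the original IOC file or of any tool
the page mentions.  IOC_TEXT is a subset copied from the list above, kept
defanged as published; SAMPLE_EVENTS is constructed.
"""
import re

IOC_TEXT = r"""
- SHA256 hash: 03494593165c2e14643f692edf60ee67ba5983d814eea12d8ea7319eb1a28100
- SHA256 hash: 39022f8c0188179ac2459fb3757db51f61cd9657568ee79001c6f9501d85e84e
- File location: hxxp://ovesf23knfg03eixqds[.]xyz/gf.gif
- 8.209.98[.]100 port 80 - ovesf23knfg03eixqds[.]xyz - GET /gf.gif
- 164.90.163[.]184 port 80 - 24savetonnofmaoney[.]xyz - GET /
- 138.68.10[.]5 port 443 - shaxtugel[.]fun
- 138.68.10[.]5 port 443 - kosmolitopor[.]space
- 66.70.246[.]6 port 443 - securityinstant[.]org - HTTPS traffic
"""

SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)
# IPv4 with either a real dot or a defanged "[.]" between octets.
IPV4_RE = re.compile(r"\b\d{1,3}(?:(?:\[\.\]|\.)\d{1,3}){3}\b")
# Only defanged domains are collected: every separator is "[.]" and the TLD is
# alphabetic, so "98[.]100" inside an IP is not mistaken for a domain.
DOMAIN_RE = re.compile(r"\b[a-z0-9-]+(?:\[\.\][a-z0-9-]+)*\[\.\][a-z]{2,}\b", re.I)


def refang(s):
    """Undo the defanging used in the IOC list so values compare to raw logs."""
    return s.replace("[.]", ".").replace("hxxp", "http")


def parse_iocs(text):
    """Collect SHA256 hashes, IPv4 addresses and domains from the IOC text."""
    iocs = {"sha256": set(), "ip": set(), "domain": set()}
    for line in text.splitlines():
        iocs["sha256"].update(h.lower() for h in SHA256_RE.findall(line))
        iocs["ip"].update(refang(ip) for ip in IPV4_RE.findall(line))
        iocs["domain"].update(refang(d).lower() for d in DOMAIN_RE.findall(line))
    return iocs


# regsvr32 / rundll32 followed by the first drive-letter path on the command line.
LOADER_RE = re.compile(r"(?:^|\\)(regsvr32|rundll32)(?:\.exe)?\b.*?([a-z]:\\[^\s\",]+)", re.I)


def loader_anomaly(cmdline):
    """Explain why a regsvr32/rundll32 command line resembles the run methods
    above: the module is not a .dll, or it sits in a user-writable directory.
    Returns a list of reasons, or None when nothing stands out."""
    m = LOADER_RE.search(cmdline)
    if not m:
        return None
    module = m.group(2).lower()
    reasons = []
    if not module.endswith(".dll"):
        reasons.append("non-dll extension")
    if module.startswith("c:\\users\\public\\") or "\\appdata\\" in module:
        reasons.append("user-writable path")
    return reasons or None


# Constructed telemetry, not captured from the infection; "alice" is a made-up user.
SAMPLE_EVENTS = [
    {"type": "process", "cmdline": r"regsvr32 -s C:\Users\Public\connectfront.xref"},
    {"type": "process", "cmdline": r"C:\Windows\System32\regsvr32.exe /s C:\Windows\System32\msxml3.dll"},
    {"type": "process", "cmdline": r'rundll32.exe C:\Users\alice\AppData\Local\Temp\item_64.dat,update /i:"AreaArrest\license.dat"'},
    {"type": "dns", "query": "shaxtugel.fun"},
    {"type": "dns", "query": "aws.amazon.com"},
    {"type": "netflow", "dst_ip": "66.70.246.6", "dst_port": 443},
    {"type": "file", "sha256": "39022F8C0188179AC2459FB3757DB51F61CD9657568EE79001C6F9501D85E84E"},
]


def match_events(events, iocs):
    """Return (event index, reason) pairs for events that hit an indicator or
    the loader heuristic."""
    hits = []
    for i, e in enumerate(events):
        if e["type"] == "process":
            reasons = loader_anomaly(e["cmdline"])
            if reasons:
                hits.append((i, "loader: " + ", ".join(reasons)))
        elif e["type"] == "dns" and e["query"].lower().rstrip(".") in iocs["domain"]:
            hits.append((i, "domain: " + e["query"]))
        elif e["type"] == "netflow" and e["dst_ip"] in iocs["ip"]:
            hits.append((i, "ip: " + e["dst_ip"]))
        elif e["type"] == "file" and e["sha256"].lower() in iocs["sha256"]:
            hits.append((i, "sha256: " + e["sha256"].lower()))
    return hits


if __name__ == "__main__":
    for idx, why in match_events(SAMPLE_EVENTS, parse_iocs(IOC_TEXT)):
        print(f"event {idx}: {why}")
```

Hash and network matches expire as soon as the operators rotate infrastructure, which is why the loader heuristic is kept separate: the traits it checks (a renamed module such as connectfront.xref under C:\Users\Public, or a .dat file under AppData passed to rundll32) survive a change of domains and hashes. The aws.amazon.com lookup is deliberately left unmatched, as the list marks it as a connectivity check rather than an indicator.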