Created 2021-03-24-IOCs-for-IcedID-infection-with-Cobalt-Strike.txt

2021-03-24-IOCs-for-IcedID-infection-with-Cobalt-Strike.txt

@@ -0,0 +1,74 @@
+2021-03-24 (WEDNESDAY) - ICEDID (BOKBOT) INFECTION WITH COBALT STRIKE
+
+REFERENCE:
+
+- https://twitter.com/Unit42_Intel/status/1375111512478601216
+
+NOTES:
+
+- This infection took place in an Active Directory (AD) environment, and we saw traffic associated with Cobalt Stike activity after the
+  initial IcecdID infection.
+
+- We often see follow-up activity like Cobalt Strike from IcedID and other malware families when testing in an AD environment. 
+  But when testing the same malware on stand-alone Windows hosts, we do not find Cobalt Strike.
+
+CHAIN OF EVENTS:
+
+- Email --> attached ZIP archive --> extracted Excel spreadsheet --> Enable macros --> installer DLL --> gzip compressed binary --> IcedID (Bokbot)
+
+MALWARE FROM AN INFECTION:
+
+- SHA256 hash: 03494593165c2e14643f692edf60ee67ba5983d814eea12d8ea7319eb1a28100
+- File size: 208,386 bytes
+- File name: Documents (478).xlsm
+- File description: Example of Excel spreadsheet with macro for IcedID (Bokbot)
+
+- SHA256 hash: 39022f8c0188179ac2459fb3757db51f61cd9657568ee79001c6f9501d85e84e
+- File size: 67,416 bytes
+- File location: hxxp://ovesf23knfg03eixqds[.]xyz/gf.gif 
+- File location: C:\Users\Public\connectfront.xref
+- File description: Installer DLL for IcedID (Bokbot)
+- Run method: regsvr32 -s C:\Users\Public\connectfront.xref
+
+- SHA256 hash: f90ddca891da06aece3acf7e63070b4cb7d2c5acc0e52ad73b23ae795befd237
+- File size: 386,379 bytes
+- File location: hxxp://24savetonnofmaoney[.]xyz/
+- File description: Binary with gzip compressed data used to create license.dat and IcedID DLL files
+
+- SHA256 hash: 29d2a8344bd725d7a8b43cc77a82b3db57a5226ce792ac4b37e7f73ec468510e
+- File size: 341,098 bytes
+- File location: C:\Users\[username]\AppData\Roaming\LuxuryQuarter\license.dat
+- File description: data binary needed to run the IcedID DLL files
+
+- SHA256 hash: 6c2846b4ea908abb46663d6044a50012d42eed123bf47fe045f59f076104c92c
+- File size: 45,056 bytes
+- File location: C:\Users\[username]\AppData\Local\Temp\item_64.dat
+- File description: initial IcedID DLL
+- Run method: rundll32.exe [filename],update /i:"AreaArrest\license.dat"
+
+- SHA256 hash: 5fe4d17b25fd66a417eb4f4fe1c9214f9410bb66937ad877295c938f318c2744
+- File size: 45,056 bytes
+- File location: C:\Users\[username]\AppData\Roaming\[username]\{9382BE5D-ADC1-386D-2E12-25BAA43199E2}\aruqsefu.dll
+- File description: persistent IcedID DLL
+- Run method: rundll32.exe [filename],update /i:"AreaArrest\license.dat"
+
+TRAFFIC FROM AN INFECTION:
+
+TRAFFIC TO RETRIEVE INSTALLER DLL:
+
+- 8.209.98[.]100 port 80 - ovesf23knfg03eixqds[.]xyz - GET /gf.gif
+
+TRAFFIC GENERATED BY RUNNING INSTALLER DLL:
+
+- port 443 (HTTPS) - aws.amazon[.]com - GET /  (connectivity check, not malicious)
+- 164.90.163[.]184 port 80 - 24savetonnofmaoney[.]xyz - GET / 
+
+ICEDID (BOKBOT) C2 TRAFFIC:
+
+- 138.68.10[.]5 port 443 - shaxtugel[.]fun
+- 138.68.10[.]5 port 443 - kosmolitopor[.]space
+
+COBALT STRIKE TRAFFIC:
+
+- 66.70.246[.]6 port 443 - HTTPS traffic
+- 66.70.246[.]6 port 443 - securityinstant[.]org - HTTPS traffic