Add files via upload

2022-08-15-IOCs-for-Monster-Libra-SVCready.txt

@@ -0,0 +1,52 @@
+2022-08-15 (MONDAY) - MONSTER LIBRA (TA551/SHATHAK) PUSHES SVCREADY MALWARE
+
+REFERENCE:
+
+- https://twitter.com/Unit42_Intel/status/1559558884787978242
+
+INFECTION CHAIN:
+
+- email --> attached Word doc --> enable macros --> traffic for SVCready DLL --> SVCready C2 traffic --> possible follow-up activity
+
+NOTES:
+
+- Palo Alto Networks is tracking the TA551 (Shathak) threat actor as "Monster Libra."
+
+- Monster Libra currently pushes either IcedID (Bokbot), or it pushes SVCready malware.
+
+- Malicious Word documents from Monster Libra on 2022-08-15 use an Italian language template.
+
+- Since 2022-07-11, SVCready malware samples have not set up persistence correctly when we test these samples our lab environments.
+
+- SVCready's initial infection and data exfiltration still occur, but rundll32.exe is copied to the location that the SVCready DLL should be for persistence.
+
+- This means the scheduled task set up by the malware uses rundll32.exe to unsuccessfully run a copy of itself, instead of running the SVCready DLL.
+
+ASSOCIATED FILES:
+
+- SHA256 hash: e78276b7bd18e36dbd3a4b85eab8c55e9683f56b8fcf2360810859b9e801edf9
+- File size: 3,404,751 bytes
+- File name: [name removed].file.15.08.2022.doc
+- File description: Monster Libra Word document with macro code for SVCready
+
+- SHA256 hash: 6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
+- File size: 61,440 bytes
+- File location: C:\Users\[username]\AppData\Local\Temp\r19F2.tmp.exe
+- File description: Copy of legitimate Microsoft file rundll32.exe, not inherently malicious
+
+- SHA256 hash: f766d2ea0d8124120d712caad5f00ac51114076fa3354fb760ae64aae39147f1
+- File size: 1,332,736 bytes
+- File location: hxxp://45.89.54[.]120/6AFO0dsXmb/6AFO0dsXmb.php?uPUHsLURhNxs7-OfbGQ5Ga_LIgyD8S29Lg~~=Lsf4PGDFAYqkIDqE88ZTWDEJItzx79AOWg~~
+- File location: C:\Users\[username]\AppData\Local\Temp\yCE1.tmp.dll
+- File location: Windows DLL for SVCready
+
+INFECTION TRAFFIC:
+
+- 45.89.54[.]120 port 80 - 45.89.54[.]120 - GET /6AFO0dsXmb/6AFO0dsXmb.php?uPUHsLURhNxs7-OfbGQ5Ga_LIgyD8S29Lg~~=Lsf4PGDFAYqkIDqE88ZTWDEJItzx79AOWg~~
+- 34.141.91[.]129 port 80 - oilproduct[.]quest - POST /tyjigsdcdg/ruiohmc/uhgvrkr
+- 34.141.91[.]129 port 80 - oilproduct[.]quest - POST /tyjigsdcdg/ruiohmc
+- 34.141.91[.]129 port 80 - oilproduct[.]quest - POST /tyjigsdcdg/ruiohmc
+- 34.141.91[.]129 port 80 - oilproduct[.]quest - POST /tyjigsdcdg/ruiohmc/truheru
+- DNS query for biofarma[.]buzz - response: No such name
+- DNS query for biotech[.]cyou - response: No such name
+- DNS query for biotech[.]ink - response: No such name

2022-09-13-IOCs-for-Qakbot.txt

@@ -2,7 +2,7 @@
 
 REFERENCE:
 
-- 
+- https://twitter.com/Unit42_Intel/status/1570149156299345920
 
 INFECTION CHAIN:
 

2022-09-29-IOCs-for-Obama207-Qakbot-and-Cobalt-Strike.txt

@@ -0,0 +1,73 @@
+2022-09-29 (THURSDAY) - OBAMA207 QAKBOT (QBOT) INFECTION WITH COBALT STRIKE
+
+REFERENCE:
+
+- https://twitter.com/Unit42_Intel/status/1577332475398963204
+
+CHAIN OF EVENTS:
+
+- thread-hikacled email --> attached HTML file --> password-protected zip --> ISO --> files for Qakbot --> Qakbot C2 --> Cobalt Strike
+
+HEADERS FROM THREAD-HIJACKED EMAIL EXAMPLE:
+
+- Received: from linuxtr01.webimonline.com (linuxtr01.webimonline.com [194.1.192.131])
+- X-Authenticated-Sender: linuxtr01.webimonline.com: [email protected]
+- From: <[email protected]>
+- Date: Wed, 28 Sep 2022 20:14:32 +0300
+- Subject: Re: [subject line information removed]
+- Attachment name: REF#5689_Sep_28.html
+
+EXAMPLE OF ATTACHMENT AND EXTRACTED MALWARE:
+
+- SHA256 hash: 254fe44d8be366113010305301f9bb98c21046b819cdb7460f83177d2ea10eda
+- File size: 839,474 bytes
+- File name: REF#5689_Sep_28.html
+- File description: HTML file attached to thread-hijackedemail
+
+- SHA256 hash: af1e56b4e4e536e950dde6309529978d54b831c4dbed355d66acdd75c05e3b22
+- File size: 410,653 bytes
+- File name: attachment.zip
+- File description: password-protected zip archive presented by the above HTML file
+- Password: abc333
+
+- SHA256 hash: 74eadf557feb76f995acc9c3371712044c73e21323904bb41ba1a72378928d32
+- File size: 1,040,384 bytes
+- File name: REF#5694.iso
+- File description: ISO image extracted from the above zip archive
+
+CONTENTS OF ISO IMAGE:
+
+- SHA256 hash: 973a4e4501ebe54944cedce75462b30f90e5d06b60ced203ae9e7db66c1256e2
+- File size: 1,245 bytes
+- File name: REF.lnk
+- File description: Windows shortcut on ISO image
+- Shortcut: eloquentGlummer.js
+
+- SHA256 hash: fcdb889021a8ad5cc85f75de4247c052289dead4e09817f90e7f1ff516ea74be
+- File size: 154 bytes
+- File name and location on ISO image: gaffes\eloquentGlummer.js
+- File description: JS file run by the above Windows shortcut
+
+- SHA256 hash: cc4eea861c9c3a4ea4e9bd0e7cd6e19650f5d80d993536f41b8bd0735a7b56e4
+- File size: 142 bytes
+- File name and location on ISO image: gaffes\acknowledgeablyPartner.cmd
+- File description: CMD batch script run by the above JS file
+
+- SHA256 hash: d4adf98011c988085273146bac1d815f69adfd7c3722d8e2103c53c86b909be7
+- File size: 712,192 bytes
+- File name and location on ISO image: gaffes\wheelwright.db
+- File description: Qakbot DLL run by above CMD batch script
+- Run method: regsvr32.exe [filename]
+
+WORKING QAKBOT C2 TRAFFIC FROM AN INFECTED WINDOWS HOST:
+
+- 186.90.144[.]235 port 2222 - HTTPS traffic using TLS v1.3 
+- 186.81.122[.]168 port 443 - HTTPS traffic using TLS v1.3 
+- 85.86.242[.]245 port 443 - HTTPS traffic using TLS v1.3 
+- 193.3.19[.]137 port 443 - HTTPS traffic using TLS v1.3 
+
+COBALT STRIKE TRAFFIC SEEN DURING THIS INFECTION:
+
+- 194.165.16[.]64 port 80 - onefile[.]icu - GET /prepare/add.mp4a HTTP/1.1 
+- 194.165.16[.]64 port 80 - onefile[.]icu - GET /risk.ico HTTP/1.1 
+- 194.165.16[.]64 port 80 - onefile[.]icu - POST /target HTTP/1.1  (text/plain)

2022-10-04-IOCs-for-IcedID-infection-with-Cobalt-Strike.txt

@@ -0,0 +1,188 @@
+2022-10-04 (TUESDAY) - ICEDID (BOKBOT) INFECTION WITH COBALT STRIKE
+
+REFERENCE:
+
+- https://twitter.com/Unit42_Intel/status/1577773890012594177
+
+INFECTION CHAIN:
+
+- email --> HTML attachment --> password-protected zip --> ISO image --> Windows shortcut runs installer DLL --> IcedID C2 --> Cobalt Strike
+
+16 EXAMPLES OF HTML ATTACHMENTS:
+
+- 8ddb832907c67d27e15bd8cde80809dcf5fa61eb60dc7033395ff186eb90e125  aipare+doc+10.04.22.html
+- 7b609483bdaf3191f334860750ed8a74993d006119447471e0c1a8e0168ae863  ajhsolutions+invoice+10.04.html
+- 82a32d326b3ae21d3c716cd7c2e3969fa2ab9e7c144a6ef3dfc8f65fb63a6a28  albinali-document-10.04.2022.html
+- 2c22ad0604052a2ed42e12ccfc9691b324daf08489de14991b4e562745e7ab77  allsoulsmb-invoice-10.04.2022.html
+- 55ace25fda086db024b45a0cb4ed0adea4da42791165ba05b992dc17625790c7  almoez_invoice_10.04.22.html
+- f7b68d6981a6e94070c74844ed5ba3634dfbbc1a3f0ceb346a2d828114efe68a  alohatruss.file.10.04.2022.html
+- fcffd720bf5da856048902aae3f6a98a87ea48175a3c47efc11d002a5b6961b3  aramsolar+document+10.04.html
+- a582ce5578830a87ea0b6c2198638dc0a3391ce2d901d79bb40d48d616d638ac  atlanticbbn,document,10.04.2022.html
+- cfef49cc83dee304e30d6ce7079627e4262d93ee65472e0d098351e4b30a3fe4  autotechnologiesinc-document-10.04.2022.html
+- 4195fffc60cf68f3542119c0fa48fb2903f82c97404c328d4b2a65d367c2935f  bdcanarias.document.10.04.2022.html
+- b2bfbf4ebee23a12425d38e65482a578add6109f9feb1a3fad92a8e00a465aef  beautybasicsupply-document-10.04.2022.html
+- 6715c8587a70b9133d15bf8a5e8433ddd24651e71ba90c1c8cdf00f838848f0a  beljan-file-10.04.html
+- d06c287885ff24b34f866831e49186f824b4c9452b7e0f7af317dffdcaf954de  bewleysweeper-file-10.04.html
+- 5cd8ae0ddf6b9f504944a738d87b219e46a91d8c12e95a61281da4fb8ca3210d  demoscan-207.html
+- 83b7a677cadfb491e159cdb474a30ffa33a06dbeec42b01e51da59124151fd7c  list_of_documents-376.html
+- cb8157a92b54bf4c2268c59ac856788ef2db8de7489ef5c027fc7c173a12cb32  scandocument-364.html
+
+16 EXAMPLES OF ZIP ARCHIVES PRESENTED BY THE ABOVE HTML FILES:
+
+- 13679d8ff8d5523ded69dc483884b35cec62f6ce0fafaba2cc98d9b5eb9f66dc  attachment.zip  (password: 5cI_MLrW)
+- 185aea757706058bb4f3d99004c7106b27e9fd44f8a7cd93dd7566215ad65061  attachment.zip  (password: 9Y0YFgp6)
+- 4a6db88f99be6de39dd348990e1a78576b6754c850ee32ba1d264df712e0f56b  attachment.zip  (password: 9t-T8ZWp)
+- e71409734912c99ad77c5f57d3267f6ca88b335ae779e9c96c843ac37b693339  attachment.zip  (password: Cie7WffR)
+- 6b7c44a29d6af9ade5b602d6d5c34abafe88e756cac3b944c6fba349faee833a  attachment.zip  (password: JOkx1rgz)
+- 291615c2693df5230dbc32562863e0797fbe212907c3b8820ddfa9fc7e167c9d  attachment.zip  (password: OrUpAZeJ)
+- 73e34ea3cf4ad6dfb6d1ad2c36660a55367a842121abfaa9b0f883886155c9c3  attachment.zip  (password: Q6jgYLPU)
+- 2c0b8b47613dc982aad3a6c0ae6fe67b78726d6d3ab162695acde215a98a4e69  attachment.zip  (password: TrJenpcF)
+- 5f6b19b1cfce7e9d9dbdc2054dfa4d43855c2973242e42a60ca7feb50cfc0bde  attachment.zip  (password: VlRSR61X)
+- 22e943fac6a4480eb30f9727f715b1548a13576bef57b11f9599333a2a16a26c  attachment.zip  (password: W8q52ogX)
+- 530c2edea3aed8bcbca6f378449ce0a529b8cbbc8a7d53e497bfe0b99e1d39d5  attachment.zip  (password: XyURBqI0)
+- 1ad879708daf00e6895e6e93a0b3399427e4c464bc0209477bc2bcce9a087d21  attachment.zip  (password: bNRdqoQR)
+- 8c25c9790402b32cce514dee4b86e0c43b5b70f3c19e054189088e77d713df7d  attachment.zip  (password: j6rsbEul)
+- 81f2377007550edcca42bbb5c573289bbfa1c95f5d2b9a0b2696516149761946  attachment.zip  (password: oaQfw1HZ)
+- c2034152de46d85ad05903096613aaa38e86cf9ddd2e33185f4ee92ebe5d7dcb  attachment.zip  (password: xX_9X886)
+- 657ef26c2e62b6d5598f6edd4a54f857e3acf951c2b36e49ef6a28c0f92d2ac6  attachment.zip  (password: yR34TWSB)
+
+16 EXAMPLES OF ISO IMAGES EXTRACTED FROM THE ABOVE ZIP ARCHIVES:
+
+- 9bce1cc26f6f5676615758551ba352f961448a8955cf587e6724579be7dbc818  demoscan-4c8ad5f0-49d5-43fd-89c3-b9da57f0a126.iso
+- cb391142773651eba72b81a5fdd1c78c846358b059a264f20172d29ba092918f  demoscan-4f25ba30-bbd0-4415-a109-a4e2d2d97e01.iso
+- c67fea5212880c10bca58279286435422462fe73e75a87d8f5a1760064b65184  demoscan-d7ae2907-12e7-4fac-8402-0f2617da6da8.iso
+- 12c12e12b7bd05f3bcf4851633986af8da487146018933454c19fc9050ff0686  demoscan-eab936f0-7a72-4dc9-8c5a-5469e8ba7c98.iso
+- 396490eeb6160fa07014a84e04e2feabc93e2f4fa8237549b2273a9248768bd0  document-06b4e33e-eb6b-4e73-bba7-0fd6bd0beeb7.iso
+- f53828673e05ab9ada9d2660d4a378423e129b31fc2bcb0cb9efdbd074ffa1ec  document-1764f645-6895-4a43-bbc7-0b56fe607a9b.iso
+- 76aaa740e7521c0b1c986c8eec9d0327bd67206f142910564a041825d8dcfee6  document-892d04df-b197-4a95-8bf7-c8f0b817872e.iso
+- 1cb931a7539d1e340975b0b2a95cb37a784ed5f0f910e5bc9050bd73469073e3  for_you_presentation-1724680a-9d89-40b7-8567-6c8e5dba127b.iso
+- b8d1b55d3b9222e05cdce0325f0b2f989a915dc76e103598ee0190aee85e5f52  for_you_presentation-1d98827c-258b-4773-a7b9-b9a9baf47879.iso
+- 3f547399135cc54d2bb54217cc85815e093d9bbecb471e5a9a43547a4a3357ae  list_of_documents-55191b44-0b6e-4c0f-bb2a-fbf291030301.iso
+- 7ee247713e47f172dbf93e61283d15c5e2598feeb361b2a06b99f6dace78c296  list_of_documents-b6c1c2b9-49c9-4ab7-9481-54a765f8a48a.iso
+- ce26998a51863a04861e110e3a5514c89cd4198fe3074fe159b53bad56ffa086  notice-e37b9874-2b64-4b16-9c81-e16e28918eec.iso
+- 9707eda89b032e6bfd9b7be4218c8ce8452a947ad078af1ed5047ea454f9a499  order-aff124a3-31d8-4ad4-a130-d941172d4eb2.iso
+- 2ec7242456801cd2864191f96ea876cf1053b54b8e36781fe6526d6f91646e36  order-c306a429-aea0-4fdd-a9ea-31ece2ab531e.iso
+- e7730128331d995d26bf580381875075f9fb5e098e3fbad3908477fce35c87b3  order-fef9c700-1855-4f2d-807b-080897d8cc2e.iso
+- a79f0e93771c588a09bee6774d64c1451128cc018cef99fb25e765dfcef4e319  scandocument-29f4f28d-2e8e-446b-8801-5860be22074a.iso
+
+CONTENTS OF THE ABOVE ISO IMAGES (.LNK FILE RUNS ICEDID DLL):
+
+- 9e7ab27b89884175a2520cf92d3fae2ae082799cf3109d2d45bde3fd360f1adb  af06a6f8-ce22-4529-876e-e5f64cdfb78d.OYB  (IcedID DLL)
+- 3251494f94f61bfa69b2abdc7eb7e174c1c16cd93bdb74c7f198acc9814178b9  bedfcf0e-068f-4fe1-b70f-80ddd132a913.png
+- 7e6c26eabf89bff4856ab5e3a459381aa7feae06e59c7b8123c8947c4e3d0158  demoscan-4c8ad5f0-49d5-43fd-89c3-b9da57f0a126.lnk
+
+- 9f37a667a91246bd4b8113345169ceb2740c378f774760b829c0984e7a179838  b6cd96e3-0d74-4e5e-8c25-7c86b41e268b.png
+- f7f41a1f1438ee7b5a670997b921dfd0c1f12781bb6bf8a1aba72fe5de0e7ddd  demoscan-4f25ba30-bbd0-4415-a109-a4e2d2d97e01.lnk
+- 61752de0ccc4dfcd0ac1f39bdee088337c1a9bb32bc149f3fc4447ea79ac04a6  efbff6fd-1bfc-46bc-a4a4-cd43ef8d1ff8.gWX  (IcedID DLL)
+
+- 02a907cb134b1aa4c5a3f7f7c2639fc19bf718b1d6d6c28b25099a0d5d4c1aab  65df3cd1-7af9-4194-adfa-6007726bf274.y4z  (IcedID DLL)
+- 80f213db61e9ab36a59a21060f22bf28770d1e8bd2d97a5569447ae89d3e8cba  790f2ef0-cd20-4a75-8a18-9bdce53cfeb1.png
+- 2c186dde2446ee238f26c79faf132488b0e80488615f81dc1f1e319f10e99fcd  demoscan-d7ae2907-12e7-4fac-8402-0f2617da6da8.lnk
+
+- e6d41a5b58a0516a3a1ba4715ca1ab9dc893622db99856a8289cb74e8b16a2f2  560649bd-2adf-446c-aa73-9abb0d03cd2f.sdt  (IcedID DLL)
+- 89151fa96b1c822f745a42b34ef0565203348a72ee0f00ee39a949cddd4d5d98  c0da5855-ddd9-4351-a88a-8af64637984e.png
+- 509da85f9293ad96aa9b2208723d844c7dc6a70cb38d64878730cf1405562912  demoscan-eab936f0-7a72-4dc9-8c5a-5469e8ba7c98.lnk
+
+- fee948c063f0967aa2935b0bcecc60f04d571156140798e0085db23ded4dc304  12020edc-3d5c-4e1a-9fbf-13cb66bbd3a7.B4K  (IcedID DLL)
+- 29309d14f480741e3026d83913a6c29731ca3c00f95c27ed485907a7ba6df37d  b56df379-0c8c-4794-97a6-33a0409f3ba7.png
+- b63236070bed29ae29db09534d225978b775e00325dc874651ccacb6ceef0eb7  document-06b4e33e-eb6b-4e73-bba7-0fd6bd0beeb7.lnk
+
+- 991e11cc33dc6c96fad498d6e8d816303b7e8655c89d9964624cfcd05fd55bad  185bb8d7-238f-4e4d-92c0-dfe7e4e07002.png
+- 850757b5b223c6780940b8877802dbe41e43547d449ab2fc877ceecb1e08dd7d  33c655b6-3d8c-448e-8a6c-cc5d63fa2d58.ZG2  (IcedID DLL)
+- 44ca8191d83a40fea6ba6dc800da46d2cf224a53b9aec96501acd18b30058025  document-1764f645-6895-4a43-bbc7-0b56fe607a9b.lnk
+
+- 6850ab00ab488232856ad16aa43c8ea9be56af0428792a33966dd74e4ef65bda  2795beb5-83ea-4855-96da-3764522b48b7.png
+- 7fd809f8a1f0bea701a4e39d36474c90aa5636071cdc5061a773e8f2c7339955  7966a690-48da-4f17-94e0-4f890d4e7c96.nKv  (IcedID DLL)
+- 6ee3aac8bc0b4f96c8e6751e021f12e52dadc07c2dd487ff61ee1ff7b8f92592  document-892d04df-b197-4a95-8bf7-c8f0b817872e.lnk
+
+- e5eae9c99ca7abd7bb028084d986c2c240ee0c781fd0ce2dbf29887a0a8de3bf  8a290699-bad2-42d6-940c-8d61de06774c.VF4  (IcedID DLL)
+- 7a67786a31aab92049cbc6abf5f852446acff970970b53961ceb496c2d8336a9  c1d5a960-e1ca-4722-bc48-2892378f13f0.png
+- d1b1e998906a646d6fed13a7cd45846b07c4e417f0cc5d0e7c76c51f5b2a50ac  for_you_presentation-1724680a-9d89-40b7-8567-6c8e5dba127b.lnk
+
+- 7cc8b12aaa169c687e702370a657a74fda51e4a324a937c4a2f429ffad4624b7  e9896022-3597-4be8-b62f-7cd641973c49.png
+- f80a853f20ed5091d7e671cbede916902e8ab351ff1051edc7949878777de348  fc6ad989-43ef-41da-ad83-5921c7100130.Aba  (IcedID DLL)
+- 313fcc6fb04a0a86047f29fb7e292178d6b60a291ea0af1506daddc2eda59b72  for_you_presentation-1d98827c-258b-4773-a7b9-b9a9baf47879.lnk
+
+- 99e3bd6d5f282529a4e28c271987e0dd1113767523584b2aaef238a9a40c4166  22f0b923-f9d8-49d1-bcca-300322e2d464.png
+- 68d3837df389c6640e83efa01c7ce1862ce1339741a7cb980392d78719205e18  4886a08f-62f3-4df2-9ce5-64db3c47573c.Lio  (IcedID DLL)
+- d842371853563e480062e16482dab3db11e6231f3480342a7dd7b6cf42949a5b  list_of_documents-55191b44-0b6e-4c0f-bb2a-fbf291030301.lnk
+
+- dbaa27251a35b040bc48a85fffe71ae2a6cf138aa3e978b3740e9493f824bf96  d9dd19ed-3f72-436c-b46f-4a3b04e18192.png
+- 1135b2724cc7b45e56d0d2e7b5d0978e673fd770439b250de68ef9db720df742  e3375650-edf0-4776-9e7e-b1733fc62158.EQ_  (IcedID DLL)
+- ab9358b6cfe70b7fff5e3f2ffdad135abc2f1b2325313b4fff858375dbc5d613  list_of_documents-b6c1c2b9-49c9-4ab7-9481-54a765f8a48a.lnk
+
+- f93bdc7c06494b2e0eead9d0d998026947932d965e46fb9999f11461a7b5d2b5  b5adf369-0d6a-4ffb-bb09-0d837a0d81b8.png
+- a6acbb0cab41a65b98d843312653da6ac5191a488fc001fcb2c724a596744a73  d09ac4c8-ff18-408b-98cb-6bcc8ba20040.dVm  (IcedID DLL)
+- 62bd09df283dbf156c24f2bf7c61160e9a7c8ec4d4c19f48fbe9924f6b32d349  notice-e37b9874-2b64-4b16-9c81-e16e28918eec.lnk
+
+- 5ff013e47571256d9432c04126dc249f71292b50317d01c6a1c0b6902e3661a8  c3695013-085a-4d1d-9136-6ff8b077092d.1VO  (IcedID DLL)
+- c70a91772b8f179ec9d02ed1afefc48fca1c9b454cdbed2d365fb99263ce11ed  d9d7dbee-801d-4218-aa93-dde646fd3ce0.png
+- aad08720c0dac224876041c721f8e71f8b07288cacf4e756b0a39df8e2646e4d  order-aff124a3-31d8-4ad4-a130-d941172d4eb2.lnk
+
+- 1857cafdd35c8ab32109ae6555675754f06994983f48e645c62c704830ed25fe  b596de04-2cf6-4a35-bb17-64d42a13b8ad.png
+- af5a4aab3cef86de6aed5741c2d53da6f9da1dc73ea996d201ee02c9e88ac653  ce9ea4ae-4083-4431-9cc7-320ace51060c.eNj  (IcedID DLL)
+- b73b423fc6d7e63e667ba86e008452dbd14b3874e41d86d448cb9e14850806bb  order-c306a429-aea0-4fdd-a9ea-31ece2ab531e.lnk
+
+- 68f1a7d1ce4b321b4cf05d57347ef96cce86ed305dc73420a30002387011764d  ba57b5ab-dea9-461d-9c05-fc2f8067ba2b.8mi  (IcedID DLL)
+- 23d8482414b2af047067b842cdd9002fe257b4614d313896c0c40bef7a10673c  ff2e1af4-8885-46b3-86f3-03a30b8dfc76.png
+- fcacace3cf73a92a8713cfd6314d0dd58a2d33e6429a3b3e7e7046b8e7bf49db  order-fef9c700-1855-4f2d-807b-080897d8cc2e.lnk
+
+- 7ba314831052cdc904e585e7dc5f8434a0a614f19b44d2ee398a317aaa1ba48b  274a8450-1ab5-4c71-9485-40b33f537fd3.j6S  (IcedID DLL)
+- 7a1ae23a8bad08c2184131b5c7616fbe473bf8b2f22df7b99cca0770f2220626  ba8ff36c-4e28-4efb-878d-ba73b6f623ef.png
+- ee4c0715a8a05173d03a424a6c3601a7a94263141a39ac30e69cb5cab7ca8668  scandocument-29f4f28d-2e8e-446b-8801-5860be22074a.lnk
+
+NOTE:
+
+- Run method for any of the above IcedID DLL files is: rundll32.exe [filename],PluginInit
+
+ICEDID FILES FROM AN INFECTED WINDOWS HOST:
+
+- SHA256 hash: 7c2a9e3c791222f3f9b44e979e55132780ee04f979118e2e46d1a49f53f02af3
+- File size: 844,862 bytes
+- File location: hxxp://fireskupigar[.]com/
+- File description: gzip binary from fireskupigar[.]com retrieved by IcedID DLL from an ISO, used to create persistent IcedID DLL with license.dat
+
+- SHA256 hash: 55be890947d021fcc8c29af3c7aaf70d8132f222e944719c43a6e819e84a8f8b
+- File size: 363,338 bytes
+- File location: C:\Users\[username]\AppData\Roaming\HabitAmused\license.dat
+- File description: data binary used to run persistent IcedID DLL
+- Note: First submitted to VirusTotal on 2022-09-23
+
+- SHA256 hash: 171bb576d2f5aadffae14a768a227d292eb4211118547eba6d876f819f26a37f
+- File size: 480,768 bytes
+- File location: C:\Users\[username]\AppData\Local\{8FBE9BB4-F5BA-8A17-1299-6E7E9A031FE6}\unvoeqst32.dll
+- File description: 64-bit DLL for IcedID persistent on the infected host 
+- Run method: rundll32.exe [filename],#1 --obsu="[path to license.dat]"
+
+ICEDID TRAFFIC FOR GZIP BINARY:
+
+- 68.183.184[.]0 port 80 - fireskupigar[.]com - GET / HTTP/1.1
+
+ICEDID POST-INFECTION TRAFFIC:
+
+- 165.232.142[.]62 port 443 - trainbondarexil[.]com - HTTPS traffic
+- 103.208.85[.]95 port 443 - frabigwin[.]info - HTTPS traffic
+- 5.2.77[.]232 port 443 - dietappli[.]shop - HTTPS traffic
+- 103.208.85[.]95 port 443 - gropcropila[.]com - HTTPS traffic (repeats)
+
+- 51.89.201[.]236 port 8080 - TCP traffic that includes instructions to retrieve powershell script for Cobalt Strike
+
+FILES FOR COBALT STRIKE (RUN FROM SYSTEM MEMORY, NOT SAVED TO DISK):
+
+- SHA256 hash: eb88412c9a0f78dfd515e3c602548aea1aee4e91847289eb58214841350aa12f
+- File size: 226,341 bytes
+- File location: hxxps://aicsoftware[.]com:757/coin
+- File description: Initial Powershell script used to start Cobalt Strike infection
+
+- SHA256 hash: 967e4afe80e8e0f005ffca8baaf18e4eb7b997709d9d40e6aeca1b8189f5be90
+- File size: 351,211 bytes
+- File description: second-stage Powershell script for Cobalt Strike created by the above Powershell script
+
+- SHA256 hash: fe143d2a4e74094c076bd72bd144ee1cfb4764bb62545a252113bff470011123
+- File size: 261,636 bytes
+- File description: Shellcode for Cobalt Strike created by the second-stage Powershell script
+
+COBALT STRIKE HTTPS TRAFFIC:
+
+- 23.29.115[.]152 port 757 (HTTPS) - aicsoftware[.]com - GET /coin
+- 23.29.115[.]152 port 757 (HTTPS) - aicsoftware[.]com - GET /templates?mark=true