{
	"id": "8c6ea121-db20-43a2-8392-dadb7e13b7a5",
	"created_at": "2026-04-06T00:09:30.720621Z",
	"updated_at": "2026-04-10T13:12:59.943362Z",
	"deleted_at": null,
	"sha1_hash": "193fb501f6cc9aabafd259fb8c88f68f013fbe77",
	"title": "IcedID (Bokbot) with Dark VNC and Cobalt Strike - SANS ISC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5945834,
	"plain_text": "IcedID (Bokbot) with Dark VNC and Cobalt Strike - SANS ISC\r\nBy SANS Internet Storm Center\r\nArchived: 2026-04-05 17:38:21 UTC\r\nIntroduction\r\nAs early as April 2022, a long-running threat actor known as TA551 (designated by Proofpoint), Monster Libra (designated by Palo Alto Networks), or Shathak (??) started distributing SVCReady malware. Since then, we've sometimes seen this same threat actor also push IcedID (Bokbot) malware.\r\nOn Tuesday 2022-07-26, during a recent wave of SVCReady malware from Monster Libra/TA551 targeting Italy, @k3dg3 tweeted indicators of IcedID malware from the same threat actor.\r\nToday's diary reviews an IcedID infection generated from a password-protected zip archive sent by Monster Libra/TA551. This IcedID infection led to Dark VNC activity and Cobalt Strike malware.\r\nShown above: Flow chart for IcedID infection on Tuesday 2022-07-26.\r\nImages From the Infection\r\nhttps://isc.sans.edu/diary/IcedID+%28Bokbot%29+with+Dark+VNC+and+Cobalt+Strike/28884\r\nPage 1 of 11\r\nShown above: Password-protected zip archive found through VirusTotal contains ISO file with shortcut to run command script.\r\nShown above: Windows shortcut runs .js file, which then runs a DLL to install IcedID malware.\r\nShown above: Scheduled task after IcedID is persistent on the infected Windows host.\r\nShown above: Persistent IcedID malware DLL and license.dat binary needed to run the DLL.\r\nShown above: Traffic from the infection filtered in Wireshark.\r\nShown above: HTTP traffic generated by the IcedID installer returned a gzip binary.\r\nShown above: HTTPS C2 traffic for IcedID uses self-signed certificates as shown here in Wireshark.\r\nShown above: Encoded/encrypted traffic generated by DarkVNC malware appears after the IcedID infection.\r\nShown above: Infected Windows host retrieves DLL for Cobalt Strike.\r\nShown above: Cobalt Strike HTTPS C2 traffic uses a legitimate certificate from Sectigo.\r\nIndicators of Compromise (IOCs)\r\nSHA256 hash: 4b86c52424564e720a809dca94f5540fcddac10cb57618b44d693e49fd38c0a5\r\nFile size: 420,425 bytes\r\nFile description: password-protected zip archive containing malicious ISO image\r\nPassword: doc2546\r\n\r\nSHA256 hash: d9a7ce532ee39918815f9dd03d0b4961ef85dddfd2498759b868e9ed8858a532\r\nFile size: 1,267,712 bytes\r\nFile name: figures.iso\r\nFile description: malicious ISO image containing files for IcedID infection\r\n\r\nSHA256 hash: 4661a789c199544197a7d3ccfedb51ec95393641fb44875c92cf6c2c4a40fc1d\r\nFile size: 1,205 bytes\r\nFile name: statistics.lnk\r\nFile description: Windows shortcut to run IcedID installer. Only immediately visible file within the ISO image.\r\n\r\nSHA256 hash: eef2684a47bbadf954f3bc06b3611989447f1b5cfd47cdeacb38321987b3565c\r\nFile size: 30 bytes\r\nFile location in ISO image: me\\EDGwfAE.cmd\r\nFile description: run by above shortcut, this command script runs the below JS file\r\n\r\nSHA256 hash: df66d308065919c5d45f6c9b718b1a7c58f9e461488bbef850c924728f053b14\r\nFile size: 263 bytes\r\nFile location in ISO image: me\\PGJqfV.js\r\nFile description: run by the above command script, this JS file runs the below IcedID installer DLL\r\n\r\nSHA256 hash: f53321d9a70050759f1d3d21e4748f6e9432bf2bc476f294e6345f67e6c56c3e\r\nFile size: 217,600 bytes\r\nFile location in ISO image: me\\t1OvWm.dat\r\nFile description: run by the above JS file, this 64-bit DLL installs IcedID\r\nRun method: rundll32.exe [filename],#1\r\n\r\nSHA256 hash: a15ae5482b31140220bb75ce2e6c53aaafe3dc702784a0d235a77668e3b0a69a\r\nFile size: 217,600 bytes\r\nFile location in ISO image: one\\jGv5XFIe.dat\r\nFile description: another 64-bit DLL to install IcedID, not used for this infection\r\nRun method: rundll32.exe [filename],#1\r\n\r\nSHA256 hash: ee0379ef06a74b3c810b4f757097cd0534ec5c4ebf0d92875b07421fe1a5dd55\r\nFile size: 537,531 bytes\r\nFile location: hxxp://tritehairs[.]com/\r\nFile description: gzip binary from tritehairs[.]com used to create persistent IcedID 64-bit DLL and license.dat\r\n\r\nSHA256 hash: e512027d42d829fad95d14aa4c48f3ce30089e5c200681a2bded67068b8973f4\r\nFile size: 194,560 bytes\r\nFile location: C:\\Users\\[username]\\AppData\\Local\\{A42A69E9-9159-9F0A-BB24-F9DAA57621A1}\\Olfann64.dll\r\nFile description: persistent IcedID 64-bit DLL\r\nRun method: rundll32.exe [filename],#1 --ixte=\"[path to license.dat]\"\r\n\r\nSHA256 hash: 1de8b101cf9f0fabc9f086bddb662c89d92c903c5db107910b3898537d4aa8e7\r\nFile size: 342,218 bytes\r\nFile location: C:\\Users\\[username]\\AppData\\Roaming\\FlightQuarter\\license.dat\r\nFile description: data binary used to run the persistent IcedID DLL\r\n\r\nSHA256 hash: a7a0025d77b576bcdaf8b05df362e53a748b64b51dd5ec5d20cf289a38e38d56\r\nFile size: 1,018,368 bytes\r\nFile location: hxxp://lufuyadehi[.]com/svchost.dll\r\nFile location: C:\\Users\\[username]\\AppData\\Local\\Temp\\Yuicku32.dll\r\nFile description: 64-bit DLL for Cobalt Strike\r\nRun method: regsvr32.exe [filename]\r\n\r\nTraffic from an infected Windows host:\r\nTraffic for gzip binary:\r\n159.203.45[.]144:80 - tritehairs[.]com - GET /\r\n\r\nIcedID HTTPS C2 traffic:\r\n46.21.153[.]211:443 - peranistaer[.]top - HTTPS traffic\r\n46.21.153[.]211:443 - wiandukachelly[.]com - HTTPS traffic\r\n178.33.187[.]139:443 - alohasockstaina[.]com - HTTPS traffic\r\n178.33.187[.]139:443 - gruvihabralo[.]nl - HTTPS traffic\r\n\r\nDarkVNC traffic:\r\n135.181.175[.]108:8080 - Encoded/encrypted traffic\r\n\r\nCobalt Strike traffic:\r\n108.177.235[.]8:80 - lufuyadehi[.]com - GET /svchost.dll\r\n108.62.118[.]133:443 - zuyonijobo[.]com - HTTPS traffic\r\n\r\nFinal Words\r\nA packet capture (pcap) of the infection traffic, along with the associated malware and artifacts, can be found here.\r\nBrad Duncan\r\nbrad [at] malware-traffic-analysis.net\r\nSource: https://isc.sans.edu/diary/IcedID+%28Bokbot%29+with+Dark+VNC+and+Cobalt+Strike/28884",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://isc.sans.edu/diary/IcedID+%28Bokbot%29+with+Dark+VNC+and+Cobalt+Strike/28884"
	],
	"report_names": [
		"28884"
	],
	"threat_actors": [
		{
			"id": "26a04131-2b8c-4e5d-8f38-5c58b86f5e7f",
			"created_at": "2022-10-25T15:50:23.579601Z",
			"updated_at": "2026-04-10T02:00:05.360509Z",
			"deleted_at": null,
			"main_name": "TA551",
			"aliases": [
				"TA551",
				"GOLD CABIN",
				"Shathak"
			],
			"source_name": "MITRE:TA551",
			"tools": [
				"QakBot",
				"IcedID",
				"Valak",
				"Ursnif"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "40b623c7-b621-48db-b55b-dd4f6746fbc6",
			"created_at": "2024-06-19T02:03:08.017681Z",
			"updated_at": "2026-04-10T02:00:03.665818Z",
			"deleted_at": null,
			"main_name": "GOLD CABIN",
			"aliases": [
				"Shathak",
				"TA551 "
			],
			"source_name": "Secureworks:GOLD CABIN",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "90f216f2-4897-46fc-bb76-3acae9d112ca",
			"created_at": "2023-01-06T13:46:39.248936Z",
			"updated_at": "2026-04-10T02:00:03.260122Z",
			"deleted_at": null,
			"main_name": "GOLD CABIN",
			"aliases": [
				"Shakthak",
				"TA551",
				"ATK236",
				"G0127",
				"Monster Libra"
			],
			"source_name": "MISPGALAXY:GOLD CABIN",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "04e34cab-3ee4-4f06-a6f6-5cdd7eccfd68",
			"created_at": "2022-10-25T16:07:24.578896Z",
			"updated_at": "2026-04-10T02:00:05.039955Z",
			"deleted_at": null,
			"main_name": "TA551",
			"aliases": [
				"G0127",
				"Gold Cabin",
				"Monster Libra",
				"Shathak",
				"TA551"
			],
			"source_name": "ETDA:TA551",
			"tools": [
				"BokBot",
				"CRM",
				"Gozi",
				"Gozi CRM",
				"IceID",
				"IcedID",
				"Papras",
				"Snifula",
				"Ursnif",
				"Valak",
				"Valek"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434170,
	"ts_updated_at": 1775826779,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/193fb501f6cc9aabafd259fb8c88f68f013fbe77.pdf",
		"text": "https://archive.orkl.eu/193fb501f6cc9aabafd259fb8c88f68f013fbe77.txt",
		"img": "https://archive.orkl.eu/193fb501f6cc9aabafd259fb8c88f68f013fbe77.jpg"
	}
}