{
	"id": "fab94b0f-2a9c-4741-82a2-845550943b72",
	"created_at": "2026-04-06T00:10:15.366731Z",
	"updated_at": "2026-04-10T03:24:23.490212Z",
	"deleted_at": null,
	"sha1_hash": "6531765beb359ee1fa98ff5be4800c3c5184dc84",
	"title": "IcedID gziploader analysis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1832505,
	"plain_text": "IcedID gziploader analysis\r\nBy Abdallah Elnoty\r\nPublished: 2022-03-17 · Archived: 2026-04-05 22:51:22 UTC\r\n5 minute read\r\nIntroduction\r\nIcedID, also known as BokBot, was among the most active malware families and has been known for loading different types of payloads such as Cobalt Strike.\r\nIn this report, I’m going to walk through an analysis of a malicious document that distributes and executes an IcedID DLL payload, and then through the malicious payload itself.\r\nOur process is divided into 3 stages (Entry stage + 1st stage + 2nd stage) but unfortunately, I can’t get to the second stage because the C2 server is down. Here I will review some of the characteristics of our different stages:\r\nEntry stage: Malicious document executes a VBA macro to download IcedID to disk.\r\nFirst stage: Loader is executed and downloads the real malware (C2 is down in this step).\r\nSecond stage: The malware for which this process was being performed is executed; which malware that is, is determined by the server administrator (Cobalt Strike for example).\r\nEntry Stage\r\nsha256: f604ca55de802f334064610d65e23890ab81906cdac3f8a5c7c25126176289c8\r\nhttps://eln0ty.github.io/malware%20analysis/IcedID/\r\nPage 1 of 13\n\nI used olevba to extract the embedded script from the .doc file.\r\nI just want to point out that I used Exiftool to extract some metadata to understand the script:\r\n-\u003e Exiftool \u003cfilename.doc\u003e\r\nWhen I opened the document, I found obfuscated content in white color and a very small font size. So, I grepped it and removed all %1 instances. This is some of the code after beautifying:\r\nThe main function of the whole script decodes the 2 strings at the top of the HTML code, then creates a connection with the server to download the IcedID DLL loader. I used CyberChef to get these strings.\r\nFinal results:\r\nFirst Stage\r\nThe main purpose of this stage is to drop the payload, which could be the real malware or another dropper. This depends on the malware developer and what he wants.\r\nLet’s start the analysis with our dropped DLL payload. The dropped file is packed. I tried to upload it to the automatic unpacker unpac.me but it doesn’t support x64 binaries. Let’s unpack it manually with x64dbg.\r\nThe unpacking process is really simple. It allocates memory for the unpacked code using VirtualAlloc(). So we just set a breakpoint at VirtualAlloc(), run the debugger twice, then dump the file from memory.\r\nDecrypt Config\r\nThe first function the malware performs decrypts the C2 server and the campaign number.\r\nThe malware uses a pretty simple decryption algorithm. It retrieves the encrypted data from the .data section, then computes data[0:32] ^ data[64:96].\r\nI wrote a python script to decrypt the config.\r\nimport struct\r\n# data[0:32]\r\ndata = [0x55,0x00,0x29,0x36,0x84,0x33,0x8f,0x67,0x5d,0xe1,0x1b,0xc1,0x4e,0xe6,0x17,0xf5,0x2b,0x35,0xd7,0xed,0x15\r\n# data[64:96]\r\nkey = [0x16,0x68,0x29,0x53,0xe2,0x5a,0xfd,0x02,0x33,0x88,0x78,0xa0,0x3a,0x94,0x7e,0x97,0x47,0x50,0xf9,0x8e,0x7a,\r\nres = bytearray()\r\nfor i in range(32):\r\n    res.append(data[i] ^ key[i])\r\nprint(\"CampaignID:\", struct.unpack(\"\u003cI\", res[:4])[0])\r\nprint(\"C2:\", res[4:].split(b'\\x00')[0].decode())\r\n'''\r\nResults\r\nCampaignID: 1694525507\r\nC2: firenicatrible.com\r\n'''\r\nThe first 4 bytes are the campaign number, which indicates the purpose of the attack. Second comes the C2 decryption.\r\nMisleading traffic\r\nThe malware sends traffic to aws.amazon.com to mislead, and in between it sends a request to the C2 to drop the malicious file.\r\nPlaying with cookies\r\nThis is the first impression when you look at the function which manipulates the request cookies.\r\nIcedID sends 6 parameters in cookies after manipulating them numerically. I will give you a summary of them and why they are important, then explain in detail.\r\nName | Value\r\n_gads | First DWORD from decoded config data (Campaign number), flag from inspecting server certificate, number of milliseconds, sys info\r\n_gat | Windows version info\r\n_ga | Processor info via CPUID including hypervisor brand if available\r\n_u | Computername, Username and VM detection\r\n_io | Domain identifier from SID\r\n_gid | Based on physical address of NIC\r\n_gads\r\nCampaign number\r\nI already explained it in the code above (Campaign number = 1694525507).\r\nflag\r\nThe value is 1 most of the time because the Amazon server is always available.\r\nVM detection\r\nGetTickCount64 retrieves the number of milliseconds that have elapsed since the system was started.\r\nSystem information\r\nRetrieves the specified system information.\r\n_gat\r\nCheck version:\r\n_ga\r\nCheck cpu:\r\n_u\r\nComputername\r\nUsername\r\nVM detection\r\nThe last parameter is a bit tricky. I cross-referenced the values and found that:\r\nIt’s common to use RDTSC to get fine-grained timing information, where the overhead of a virtualization trap would be quite significant. The most common use is to have two RDTSC instructions with a small amount of code between them, taking the difference of the times as the elapsed time (number of cycles) for the code sequence.\r\nBut in our case, this malware sleeps 4 times instead of calling it twice.\r\n_io\r\nCheck SID:\r\n_gid\r\nThe GetAdaptersInfo function retrieves adapter information for the local computer.\r\nThe view from sandbox traffic.\r\nNow the attacker knows almost all the information about the victim’s machine, and he is ready to drop a suitable malware to start Stage 2 depending on the campaign number, which determines the attack behavior.\r\nConnect C2 server\r\nIn this step, the malware connects to the C2 server.\r\nThen it drops the malicious file in c:\\\\ProgramData\\\\.\r\nUnfortunately, this is the end of the analysis because the server is down.\r\nConclusion\r\n1. Phishing mails drop a malicious document\r\n2. Malicious document runs a VBS script\r\n3. The script executes JavaScript code to drop a DLL file\r\n4. DLL file connects to the C2 server\r\nThere are several steps you can take to protect against phishing:\r\nDo not reply, even if you recognize the sender as a well-known business or financial institution. If you have an account with this institution, contact them directly and ask them to verify the information included in the email.\r\nDo not click any links provided in these emails.\r\nDo not open any attachments. If you receive an attachment you are not expecting, confirm with the senders that they did indeed send the message and meant to send an attachment.\r\nDo not enter your personal information or passwords on an untrusted Web site or form referenced in this email.\r\nDelete the message.\r\nIOCs\r\nHash\r\ndoc -\u003e f604ca55de802f334064610d65e23890ab81906cdac3f8a5c7c25126176289c8\r\nPacked dll -\u003e CFE2CAF566857C05A6A686CA296387C5E1BFDDA6915FF0ED984C1C53CD5192A3\r\nUnpacked dll -\u003e 1A2A8F604B8E4917A7E5A2A8994F748B59CA435C8AABC6D3ED211C696B883BC4\r\nURLs\r\nmaldonadoposts.com\r\nfirenicatrible.com\r\nFiles\r\nc:\\users\\public\\youYou.jpg\r\nc:\\users\\%username%\\documents\\karolYouYou.hta\r\nSource: https://eln0ty.github.io/malware%20analysis/IcedID/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://eln0ty.github.io/malware%20analysis/IcedID/"
	],
	"report_names": [
		"IcedID"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434215,
	"ts_updated_at": 1775791463,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6531765beb359ee1fa98ff5be4800c3c5184dc84.pdf",
		"text": "https://archive.orkl.eu/6531765beb359ee1fa98ff5be4800c3c5184dc84.txt",
		"img": "https://archive.orkl.eu/6531765beb359ee1fa98ff5be4800c3c5184dc84.jpg"
	}
}