{
	"id": "b2f6b472-0af0-4804-aabc-3c50b407ba2b",
	"created_at": "2026-04-06T01:31:33.944609Z",
	"updated_at": "2026-04-10T13:11:51.62022Z",
	"deleted_at": null,
	"sha1_hash": "7b396fffbcd87ee80cf548d50a344446a8ba9013",
	"title": "How the",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2512527,
	"plain_text": "How the\r\nBy SANS Internet Storm Center\r\nArchived: 2026-04-06 00:24:24 UTC\r\nIntroduction\r\nThis diary is based on an infection I started on Monday 2021-12-13 at 21:45 UTC that ran until Tuesday 2021-12-14 at 17:17 UTC.  The infection generated traffic for IcedID (Bokbot), DarkVNC, and Cobalt Strike.  A pcap of the network traffic and the associated malware samples are available here.\r\n\"Contact Forms\" is a campaign that uses a web site's contact form to email malicious links disguised as some sort of legal complaint.  We've seen this campaign push BazarLoader malware and distribute Sliver, but recently it's been pushing IcedID (Bokbot).  Most of the time, the Contact Forms campaign uses a \"Stolen Images Evidence\" theme, with emails stating a supposed violation of the Digital Millennium Copyright Act (DMCA).  Below is an example seen on December 9th, 2021.\r\nhttps://isc.sans.edu/forums/diary/How+the+Contact+Forms+campaign+tricks+people/28142/\r\nPage 1 of 10\n\nShown above:  Contact form email spoofing someone from slack.com.\r\nA website's contact form is an easy method for cyber criminals to reach an organization.  They can enter any name, email address, and message text in these forms.  With anonymous browsing methods like Tor or a VPN, criminals can hide their true location when filling out these forms.\r\nIn this case, the link is a googleapis URL that abuses Google services to distribute malware.  I checked the link in a web browser, and it was a \"Stolen Images Evidence\" themed web page.  The page automatically presented an ISO file named Stolen_Images_Evidence.iso.\r\nShown above:  \"Stolen Images Evidence\" page sending an ISO file.\r\nISO files have been used by cyber criminals for years, and the Contact Forms campaign started consistently delivering ISO files from these pages as early as November 30th, 2021.  Prior to that, this campaign almost always sent zip archives.\r\nShown above:  Stolen_Images_Evidence.iso downloaded on 2021-12-13.\r\nDouble-clicking an ISO file on a Windows host will mount the file as a drive, then it will open Windows Explorer to view its contents.  In this example, the double-clicked ISO file appears at F: as a DVD drive, and it contains a Windows shortcut.\r\nShown above:  Windows Explorer shows the ISO file mounted as a DVD drive at F:\\.\r\nBy default, Windows Explorer does not show hidden files, so we should reveal hidden files from the Explorer menu.\r\nShown above:  Revealing hidden items in Windows Explorer.\r\nRevealing hidden files, we find a DLL and a JavaScript (.js) file hiding in the ISO.  The Windows shortcut runs both files.  It runs the DLL using regsvr32.exe, and it also runs the .js file separately.\r\nShown above:  Hidden DLL and JS file, and the Windows shortcut designed to run them both.\r\nExamining the Windows shortcut in a hex editor, we find a Windows user account named lamar that may have been used when creating the shortcut.\r\nShown above:  Windows user account name lamar seen in the Windows shortcut.\r\nThe account name lamar has been consistent in each shortcut I've examined from these ISO files since they started appearing from the Contact Forms campaign on 2021-11-30.\r\nIndicators of Compromise (IOCs)\r\nThe following IOCs are from an infection run I started on Monday 2021-12-13 at 21:45 UTC that ran until Tuesday 2021-12-14 at 17:17 UTC.\r\nURL for the \"Stolen Images Evidence\" page:\r\nhxxps://storage.googleapis[.]com/d03uhg49h1m5na.appspot.com/0/files/st/public/d/0390vfh478gj4.html?d=958418188474764759\r\nDomain called by above googleapis page:\r\n172.67.195[.]237 port 443 - maruadix[.]top - HTTPS traffic\r\nTraffic generated after double-clicking Windows shortcut in downloaded ISO file:\r\nCaused by the .js file:\r\n104.21.68[.]138 port 80 - maruadix[.]top - GET /stis1.php\r\nCaused by the DLL (an installer for IcedID):\r\nport 443 - aws.amazon.com - HTTPS traffic (not inherently malicious)\r\n192.236.177[.]53 port 80 - hdgravity[.]com - GET /\r\nIcedID (Bokbot) post-infection traffic:\r\n194.180.174[.]136 port 443 - asrspoe[.]com - HTTPS traffic\r\nDarkVNC activity starting on 2021-12-13 at 23:33 UTC:\r\n88.119.161[.]88 port 8080 - encoded/encrypted TCP traffic\r\nCobalt Strike activity starting on 2021-12-14 at 06:30 UTC and ending at 11:55 UTC:\r\n149.91.89[.]17 port 80 - 149.91.89[.]17 - GET /soft/musicbee.dll\r\n104.41.145[.]218 port 443 - api.musicbee.getlist.destinycraftpe[.]com - HTTPS traffic\r\nCobalt Strike activity starting on 2021-12-14 at 15:33 UTC and continuing through the end of the pcap at 17:17 UTC:\r\n192.34.109[.]104 port 80 - 192.34.109[.]104 - GET /download/HI1FA3OB3N7D9.dll\r\n192.34.109[.]104 port 443 - bqtconsulting[.]com - HTTPS traffic\r\nSHA256 hash: 0e1fa8cc5697d60664e9bf5fb4ef6af14d63d7f31f0b1565e0ff0e7ce86af735\r\nFile size: 1,376,256 bytes\r\nFile name: Stolen_Images_Evidence.iso\r\nFile description: ISO file downloaded from googleapis page.\r\nSHA256 hash: 5b2751fa6c0c93f8f625375a87c8f235d7b61eb9941633f59cf2ec18352f915a\r\nFile size: 2,113 bytes\r\nFile name: Stolen_Images_Evidence.lnk\r\nFile description: Windows shortcut contained in ISO\r\nSHA256 hash: c7d3cabf68151b9207d6262f3fd739f70f18a736a5a8d04479150f08448bd7bf\r\nFile size: 1,164 bytes\r\nFile name: kf.js\r\nFile description: JS file contained in ISO\r\nAnalysis: https://tria.ge/211216-ecnb5sbbe2\r\nSHA256 hash: b71f914f40d146462cafac5f360f816d59366be377268b33d0d4688917950223\r\nFile size: 221,184 bytes\r\nFile name: data.dll\r\nFile description: installer DLL for IcedID contained in ISO\r\nRun method: regsvr32.exe [filename]\r\nAnalysis: https://tria.ge/211216-ebwbcsbbd7\r\nSHA256 hash: 0cc2afa847096e322c014f04f54b405902ce2613c555fb6b36fc4f93d53ba2a5\r\nFile size: 497,278 bytes\r\nFile location: hxxp://hdgravity[.]com/\r\nFile description: binary of gzip compressed data retrieved by IcedID installer DLL\r\nFile type: gzip compressed data, was \"Artwork.txt\", from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 2063440\r\nSHA256 hash: cfc202b44509f2f607d365858a8218dfdc6b26f8087efcc5e46f4fef9ab53705\r\nFile size: 341,898 bytes\r\nFile location: C:\\Users\\[username]\\AppData\\Roaming\\TrueLend\\license.dat\r\nFile description: data binary used to run persistent IcedID DLL\r\nSHA256 hash: 4fbf01e80561ac1528b50e3a49b7b7bf8139decf62c3653672a545cfec7deee5\r\nFile size: 154,624 bytes\r\nFile location: C:\\Users\\[username]\\AppData\\Local\\ukudhe3\\ojfepp.dll\r\nFile description: IcedID DLL persistent through scheduled task\r\nRun method: rundll32.exe [filename],DllMain --fi=\"[path to license.dat]\"\r\nAnalysis: https://tria.ge/211216-d9t1hsbhcm\r\nSHA256 hash: fba9dd0ebb8d838fa394cda10dca50450d8c0fc6158deff38904072140d64507\r\nFile size: 154,624 bytes\r\nFile location: hxxp://149.91.89[.]17/soft/musicbee.dll\r\nFile location: C:\\Users\\[username]\\AppData\\Local\\Temp\\oben32.dll\r\nFile description: 64-bit DLL for Cobalt Strike retrieved by IcedID-infected host\r\nRun method: regsvr32.exe [filename]\r\nAnalysis: https://tria.ge/211214-q5xl3afgf6\r\nSHA256 hash: f9c4a119234df78e1ad71b10fb0bf18622fd5245b72b93e5b71992f20cb9fd2e\r\nFile size: 413,696 bytes\r\nFile location: hxxp://192.34.109[.]104/download/HI1FA3OB3N7D9.dll\r\nFile location: C:\\Users\\[username]\\AppData\\Local\\Temp\\Ihopot2.dll\r\nFile description: another 64-bit DLL for Cobalt Strike retrieved by IcedID-infected host\r\nRun method: rundll32.exe [filename],[unknown entry point]\r\nAnalysis: https://tria.ge/211214-vw9mgsgbe3\r\nFinal words\r\nThis and similar IcedID infections have led to Cobalt Strike, which can lead to other malicious activity like ransomware, as reported in this real-world example.\r\nA pcap of the network traffic and the associated malware from this infection are available here.\r\n---\r\nBrad Duncan\r\nbrad [at] malware-traffic-analysis.net\r\nSource: https://isc.sans.edu/forums/diary/How+the+Contact+Forms+campaign+tricks+people/28142/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://isc.sans.edu/forums/diary/How+the+Contact+Forms+campaign+tricks+people/28142/"
	],
	"report_names": [
		"28142"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775439093,
	"ts_updated_at": 1775826711,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7b396fffbcd87ee80cf548d50a344446a8ba9013.pdf",
		"text": "https://archive.orkl.eu/7b396fffbcd87ee80cf548d50a344446a8ba9013.txt",
		"img": "https://archive.orkl.eu/7b396fffbcd87ee80cf548d50a344446a8ba9013.jpg"
	}
}