{
	"id": "70fec77c-d46e-45b9-b063-cd96ddc16ad7",
	"created_at": "2026-04-06T00:09:28.035886Z",
	"updated_at": "2026-04-12T02:22:19.160814Z",
	"deleted_at": null,
	"sha1_hash": "7ff647df8515d34c24c9742358b0b6bc4ac4e989",
	"title": "How to Identify IcedID Network Traffic",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 142356,
	"plain_text": "How to Identify IcedID Network Traffic\r\nBy Erik Hjelmvik\r\nPublished: 2023-02-15 · Archived: 2026-04-05 22:58:36 UTC\r\nWednesday, 15 February 2023 10:52:00 (UTC/GMT)\r\nBrad Duncan published IcedID (Bokbot) from fake Microsoft Teams page earlier this week. In this video I take a closer look at the PCAP file in that blog post.\r\nNote: This video was recorded in a Windows Sandbox to minimize the risk of infecting the host PC in case of accidental execution of a malicious payload from the network traffic.\r\nAs I have previously pointed out, IcedID sends beacons to the C2 server with a 5 minute interval. According to Kai Lu’s blog post A Deep Dive Into IcedID Malware: Part 2, this 5 minute interval is caused by a call to WaitForSingleObject with a millisecond timeout parameter of 0x493e0 (300,000), which is exactly 5 minutes.\r\nUPDATE 2023-03-22\r\nIn the research paper Thawing the permafrost of ICEDID, Elastic Security Labs confirm that IcedID's default polling interval is 5 minutes. They also mention that this interval is configurable:\r\nOnce initialized, ICEDID starts its C2 polling thread for retrieving new commands to execute from one of its C2 domains. The polling loop checks for a new command every N seconds as defined by the g_c2_polling_interval_seconds global variable. By default this interval is 5 minutes, but one of the C2 commands can modify this variable.\r\nhttps://www.netresec.com/?page=Blog\u0026month=2023-02\u0026post=How-to-Identify-IcedID-Network-Traffic\r\nPage 1 of 3\n\nThe IcedID trojan uses a custom BackConnect protocol in order to interact with victim computers through VNC, a file manager or by establishing a reverse shell. There was no IcedID BackConnect traffic in this particular PCAP file, but several other IcedID capture files published on malware-traffic-analysis.net do contain IcedID BackConnect traffic. For more information on this proprietary protocol, please see our blog post IcedID BackConnect Protocol.\r\nIOC List\r\nFake Microsoft Teams download page\r\nURL: hxxp://microsofteamsus[.]top/en-us/teams/download-app/\r\nMD5: 5dae65273bf39f866a97684e8b4b1cd3\r\nSHA256: e365acb47c98a7761ad3012e793b6bcdea83317e9baabf225d51894cc8d9e800\r\nMore info: urlscan.io\r\nIcedID GzipLoader\r\nFilename: Setup_Win_13-02-2023_16-33-14.exe\r\nMD5: 7327fb493431fa390203c6003bd0512f\r\nSHA256: 68fcd0ef08f5710071023f45dfcbbd2f03fe02295156b4cbe711e26b38e21c00\r\nMore info: Triage\r\nIcedID payload disguised as fake gzip file\r\nURL: hxxp://alishabrindeader[.]com/\r\nMD5: 8e1e70f15a76c15cc9a5a7f37c283d11\r\nSHA256: 7eb6e8fdd19fc6b852713c19a879fe5d17e01dc0fec62fa9dec54a6bed1060e7\r\nMore info: IcedID GZIPLOADER Analysis by Binary Defense\r\nIcedID C2 communication\r\nIP and port: 192.3.76.227:443\r\nDNS: treylercompandium[.]com\r\nDNS: qonavlecher[.]com\r\nX.509 certificate SHA1: b523e3d33e7795de49268ce7744d7414aa37d1db\r\nX.509 certificate SHA256: f0416cff86ae1ecc1570cccb212f3eb0ac8068bcf9c0e3054883cbf71e0ab2fb\r\nJA3: a0e9f5d64349fb13191bc781f81f42e1\r\nJA3S: ec74a5c51106f0419184d0dd08fb05bc\r\nBeacon interval: 5 minutes\r\nMore info: ThreatFox\r\nNetwork Forensics Training\r\nCheck out our upcoming live network forensics classes for more hands-on network forensic analysis. Our current class material doesn’t include any IcedID traffic though; instead you’ll get to investigate C2 traffic from Cobalt Strike, TrickBot, njRAT, Meterpreter and a few others.\r\nPosted by Erik Hjelmvik on Wednesday, 15 February 2023 10:52:00 (UTC/GMT)\r\nTags: #IcedID #CapLoader #Video #Periodicity #GzipLoader #a0e9f5d64349fb13191bc781f81f42e1 #ec74a5c51106f0419184d0dd08fb05bc\r\nShort URL: https://netresec.com/?b=23242ad\r\nSource: https://www.netresec.com/?page=Blog\u0026month=2023-02\u0026post=How-to-Identify-IcedID-Network-Traffic",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.netresec.com/?page=Blog\u0026month=2023-02\u0026post=How-to-Identify-IcedID-Network-Traffic"
	],
	"report_names": [
		"?page=Blog\u0026month=2023-02\u0026post=How-to-Identify-IcedID-Network-Traffic"
	],
	"threat_actors": [],
	"ts_created_at": 1775434168,
	"ts_updated_at": 1775960539,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7ff647df8515d34c24c9742358b0b6bc4ac4e989.pdf",
		"text": "https://archive.orkl.eu/7ff647df8515d34c24c9742358b0b6bc4ac4e989.txt",
		"img": "https://archive.orkl.eu/7ff647df8515d34c24c9742358b0b6bc4ac4e989.jpg"
	}
}