{
	"id": "320e5094-f998-475e-a97e-813b20c0775a",
	"created_at": "2026-04-06T01:32:13.045013Z",
	"updated_at": "2026-04-10T13:12:24.647405Z",
	"deleted_at": null,
	"sha1_hash": "92361c260601827ef5b63200de7cd25dbb48994a",
	"title": "Monster Libra (TA551/Shathak) pushes IcedID (Bokbot) with Dark VNC and Cobalt Strike",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2899535,
	"plain_text": "Monster Libra (TA551/Shathak) pushes IcedID (Bokbot) with Dark VNC and Cobalt Strike\r\nBy SANS Internet Storm Center\r\nArchived: 2026-04-06 00:16:03 UTC\r\nIntroduction\r\nSince 2019, threat actor Monster Libra (also known as TA551 or Shathak) has pushed different families of malware.  During the past few months, Monster Libra has primarily pushed SVCready or IcedID.  Today's diary reviews an example of Monster Libra pushing IcedID on Thursday 2022-08-11, and that IcedID infection led to Dark VNC activity and Cobalt Strike.\r\n \r\nShown above:  Chain of events for IcedID infection distributed through Monster Libra.\r\n \r\nImages From the Infection\r\n \r\nhttps://isc.sans.edu/diary/rss/28934\r\nPage 1 of 8\n\nShown above:  Screenshot of a Monster Libra email.\r\n \r\nShown above:  Screenshot of the attached Word document.\r\n \r\nShown above:  Files that appeared after enabling macros.\r\n \r\nShown above:  Scheduled task for persistent IcedID infection.\r\n \r\nShown above:  Traffic from an infection filtered in Wireshark (image 1 of 2).\r\n \r\nShown above:  Traffic from an infection filtered in Wireshark (image 2 of 2).\r\n \r\nIndicators of Compromise (IOCs)\r\n \r\n20 Word docs found on VT:\r\n \r\n2,316,894 bytes - [name removed] doc 08.11.2022.doc\r\n2,343,230 bytes - [name removed] doc 08.11.2022.doc\r\n2,349,822 bytes - [name removed] doc 08.11.doc\r\n2,316,250 bytes - [name removed] file 08.11.2022.doc\r\n2,365,937 bytes - [name removed] file 08.11.22.doc\r\n2,298,962 bytes - [name removed] invoice 08.11.22.doc\r\n2,343,139 bytes - [name removed],doc,08.11.22.doc\r\n2,365,983 bytes - [name removed],document,08.11.22.doc\r\n2,298,458 bytes - [name removed],file,08.11.2022.doc\r\n2,298,562 bytes - [name removed],file,08.11.22.doc\r\n2,297,841 bytes - [name removed]-doc-08.11.2022.doc\r\n2,350,727 bytes - [name removed]-invoice-08.11.22.doc\r\n2,315,700 bytes - [name removed].doc.08.11.22.doc\r\n2,316,502 bytes - [name removed].document.08.11.2022.doc\r\n2,316,883 bytes - [name removed].document.08.11.2022.doc\r\n2,316,402 bytes - [name removed].invoice.08.11.2022.doc\r\n2,351,271 bytes - [name removed]doc08.11.doc\r\n2,366,716 bytes - [name removed]document08.11.22.doc\r\n2,298,836 bytes - [name removed]document08.11.doc\r\n2,349,614 bytes - [name removed]file08.11.22.doc\r\nSHA256 hashes of the 20 Word docs:\r\n \r\nFile size: 61,440 bytes\r\nFile location: C:\\Windows\\SysWOW64\\rundll32.exe\r\nFile location: C:\\Users\\[username]\\AppData\\Local\\Temp\\r2FB9.tmp.exe\r\nFile description: Copy of legitimate Microsoft system file rundll32.exe.  This is not inherently malicious.\r\nSHA256 hash: 8cd135e5b49d16aceb7665b6316cd4df2e132ef503ff0af51c080bad7010efd6\r\nFile size: 360,448 bytes\r\nFile location: hxxp://45.8.146[.]139/fhfty/6VGPA_LVJVCA8YKG3HF2E1-VHCR4UDER/-f\r\nFile location: C:\\Users\\[username]\\AppData\\Local\\Temp\\y2D56.tmp.dll\r\nFile description: 64-bit DLL to install IcedID retrieved by Word macro\r\nRun method: rundll32.exe [filename],#1\r\nSHA256 hash: 5af2d2e245b36447fffff463b66164807f505dc9efcbe7fadfe4d450b1715c46\r\nFile size: 688,572 bytes\r\nFile location: hxxp://alexbionka[.]com/\r\nFile description: gzip from alexbionka[.]com, used to create license.dat and persistent IcedID DLL\r\nSHA256 hash: 1de8b101cf9f0fabc9f086bddb662c89d92c903c5db107910b3898537d4aa8e7\r\nFile size: 342,218 bytes\r\nFile name: C:\\Users\\[username]\\AppData\\Roaming\\LampEyebrow\\license.dat\r\nFile description: Data binary used to run persistent IcedID DLL\r\nSHA256 hash: d45c78fa400b32c11443061dcd1c286d971881ddf35a47143e4d426a3ec6bffd\r\nFile size: 345,600 bytes\r\nFile name: C:\\Users\\[username]\\AppData\\Roaming\\[username]\\[username]ijexogdf64.dll\r\nFile description: Persistent 64-bit DLL for IcedID\r\nRun method: rundll32.exe [filename],#1 --keac=\"[path to license.dat]\"\r\nNote: No binaries were saved to disk for DarkVNC or Cobalt Strike.\r\nTraffic for IcedID installer DLL:\r\nhxxp://45.8.146[.]139/fhfty/6VGPA_LVJVCA8YKG3HF2E1-VHCR4UDER/-f\r\nTraffic for gzip binary:\r\n64.227.108[.]27:80 - alexbionka[.]com - GET / HTTP/1.1\r\nIcedID C2 activity:\r\n103.208.86[.]124:443 - klareqvino[.]com - HTTPS traffic\r\n46.21.153[.]211:443 - wiandukachelly[.]com - HTTPS traffic\r\n84.32.188[.]164:443 - ultomductingbig[.]pro - HTTPS traffic\r\nDarkVNC activity:\r\n212.114.52[.]91:8080 - encoded/encrypted TCP traffic\r\nCobalt Strike activity:\r\n174.139.150[.]128:8080 - projectextracted[.]com - HTTPS traffic\r\nFinal Words\r\nIcedID continues to be an active malware in our current threat landscape.  Threat actors like Monster Libra continue to push IcedID through malspam-based campaigns as described in this diary.  We expect to find more of this activity in the coming weeks.\r\nBrad Duncan\r\nbrad [at] malware-traffic-analysis.net\r\nSource: https://isc.sans.edu/diary/rss/28934",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://isc.sans.edu/diary/rss/28934"
	],
	"report_names": [
		"28934"
	],
	"threat_actors": [
		{
			"id": "26a04131-2b8c-4e5d-8f38-5c58b86f5e7f",
			"created_at": "2022-10-25T15:50:23.579601Z",
			"updated_at": "2026-04-10T02:00:05.360509Z",
			"deleted_at": null,
			"main_name": "TA551",
			"aliases": [
				"TA551",
				"GOLD CABIN",
				"Shathak"
			],
			"source_name": "MITRE:TA551",
			"tools": [
				"QakBot",
				"IcedID",
				"Valak",
				"Ursnif"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "40b623c7-b621-48db-b55b-dd4f6746fbc6",
			"created_at": "2024-06-19T02:03:08.017681Z",
			"updated_at": "2026-04-10T02:00:03.665818Z",
			"deleted_at": null,
			"main_name": "GOLD CABIN",
			"aliases": [
				"Shathak",
				"TA551 "
			],
			"source_name": "Secureworks:GOLD CABIN",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "90f216f2-4897-46fc-bb76-3acae9d112ca",
			"created_at": "2023-01-06T13:46:39.248936Z",
			"updated_at": "2026-04-10T02:00:03.260122Z",
			"deleted_at": null,
			"main_name": "GOLD CABIN",
			"aliases": [
				"Shakthak",
				"TA551",
				"ATK236",
				"G0127",
				"Monster Libra"
			],
			"source_name": "MISPGALAXY:GOLD CABIN",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "04e34cab-3ee4-4f06-a6f6-5cdd7eccfd68",
			"created_at": "2022-10-25T16:07:24.578896Z",
			"updated_at": "2026-04-10T02:00:05.039955Z",
			"deleted_at": null,
			"main_name": "TA551",
			"aliases": [
				"G0127",
				"Gold Cabin",
				"Monster Libra",
				"Shathak",
				"TA551"
			],
			"source_name": "ETDA:TA551",
			"tools": [
				"BokBot",
				"CRM",
				"Gozi",
				"Gozi CRM",
				"IceID",
				"IcedID",
				"Papras",
				"Snifula",
				"Ursnif",
				"Valak",
				"Valek"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439133,
	"ts_updated_at": 1775826744,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/92361c260601827ef5b63200de7cd25dbb48994a.pdf",
		"text": "https://archive.orkl.eu/92361c260601827ef5b63200de7cd25dbb48994a.txt",
		"img": "https://archive.orkl.eu/92361c260601827ef5b63200de7cd25dbb48994a.jpg"
	}
}