# A Spike in BazarCall and IcedID Activity Detected in March **[trendmicro.com/en_us/research/21/d/a-spike-in-bazarcall-and-icedid-activity.html](https://www.trendmicro.com/en_us/research/21/d/a-spike-in-bazarcall-and-icedid-activity.html)** Spam April 12, 2021 We discuss the cases of BazarCall and IcedID we observed in March. Both are known for the use of spam to deliver their payloads. By: Raphael Centeno, Don Ovid Ladores, Lala Manly, Junestherry Salvador, Frankylnn Uy April 12, 2021 Read time: ( words) We observed a spike in BazarCall and IcedID activity in March. One thing these two campaigns have in common is the use of spam that lead victims into downloading malicious files. BazarCall takes a more roundabout approach by involving phone calls in its campaigns, while IcedID stole and repurposed real email conversations to make its malicious spam more convincing. Based on separate reports on BazarCall and IcedID, both have been actively distributed through spam campaigns in March. This is also reflected in our own findings. BazarCall [BazarCall was named for its use of phone operators to instruct users into downloading a malicious file that typically](https://www.bleepingcomputer.com/news/security/bazarcall-malware-uses-malicious-call-centers-to-infect-victims/) [leads to the payload BazarLoader. BazarLoader was discovered in 2020 and is linked to the developers of Trickbot as](https://www.trendmicro.com/vinfo/tmr/?/us/security/news/cybercrime-and-digital-threats/group-behind-trickbot-spreads-fileless-bazarbackdoor) [well as in campaigns involving the well-known Ryuk ransomware.](https://www.trendmicro.com/vinfo/tmr/?/us/security/news/cybercrime-and-digital-threats/ryuk-2020-distributing-ransomware-via-trickbot-and-bazarloader) We saw a surge in its activity in March, with most of its targeted victims residing in the US, followed by Germany and India, based on the number of spam mail containing BazarCall that we have detected. ----- Figure 1. Countries that received the most spam mail containing BazarCall from March 23 to 25 ----- Figure 2. BazarCall infection chain BazarCall’s routine starts with a spam mail stating that the victim’s free trial period for a service rendered by the fictitious company “Medical Reminder Service” is about to end. This is the same company name used in the BazarCall campaign [that Bleeping Computer reported. The campaign we have observed largely follows the pattern described in their report.](https://www.bleepingcomputer.com/news/security/bazarcall-malware-uses-malicious-call-centers-to-infect-victims/) In the email, the user is directed to call a provided phone number to unsubscribe and avoid being billed monthly charges. ----- Figure 3. The message stating that the victim’s free trial subscription is about to end and the contact number to end the subscription The phone operators will then instruct the user to go to a webpage to unsubscribe. This page is the malware chain’s download page. Once the victim enters their subscription number, the site automatically downloads an Excel document that is made to look like a regular form, but it’s actually a malware-embedded file. ----- Figure 4. The subscription site and the download page for the malicious file Figure 5. The malicious Excel document ----- The phone operator continues to guide the user into unwittingly enabling macros that will drop a malicious binary in the folder C:\Users\Public. The embedded malware will first attempt to send the command “ping” to the initial command-and-control (C&C) server where the likely response is the second stage download URL, delivering the final BazarLoader payload. Unfortunately, at the time of our analysis, we were unable to test any of the C&C servers for live activity. BazarCall also distinctly makes use of Campo Loader, which appears to be a malware-as-a-service (MaaS), to deliver its final BazarLoader payload. We continue to monitor developments for BazarCall. At present, the surge we saw in March seems to have tapered off in April. IcedID [Meanwhile, IcedID is a banking trojan first discovered in 2017. It has been used by the threat group Shathak or TA551 in](https://www.trendmicro.com/vinfo/tmr/?/us/security/news/cybercrime-and-digital-threats/icedid-banking-trojan-targets-us-financial-institutions) [2020. The group used malicious spam that contains a password-protected Word document with malicious macros.](https://success.trendmicro.com/solution/000283386) [Similar to BazarCall, we saw a spike in IcedID activity last month. IcedID campaigns are known for using stolen real](https://www.difesaesicurezza.com/en/defence-and-security/cybercrime-icedid-is-back-in-italy-with-the-same-last-week-stolen-conversation/) email conversations on which they attach their malicious files in zip format. This was the same tactic we observed. Figure 6. Sample of spam used to deliver IcedID. It is a copied message containing a compressed attachment. If the attachment is opened it would contain an XLSM file. This file uses a simple stealth technique — a hidden column containing malicious formulas in white text, making it invisible to the victim unless they unhide and highlight the column. If the victim runs the macro code, it will download a 64-bit .dll file, which is the IcedID in binary. Figure 7. The Excel file used to download IcedID: The left image shows the column still hidden and the right shows it visible and highlighted. Our detections for IcedID show continuing activity going into April but as with BazarCall, these have also decreased in number. Implications and security recommendations ----- The use of spam is a traditional and staple way of delivering malware. Attacks that use such methods can resurge whenever threat actors find a way to make their fake instructions and messages more convincing. Threat actors are also on the lookout for situations where users are especially susceptible to such schemes. Remote work conditions or the use of timely topics, for example, can make users less vigilant. These scenarios are exemplified by BazarCall and IcedID. The use of phone calls and the BazarCall operators’ adoption of a regular company identity has had victims convinced of the bogus service and subscription. While IcedID’s continued [use of stolen conversations allows it to avoid many of the usual indicators of a malicious email. IcedID has also recently](https://www.f5.com/labs/articles/threat-intelligence/icedid-banking-trojan-uses-covid-19-pandemic-to-lure-new-victims) used emails centered on the Covid-19 pandemic to trick its victims. Users need to be especially wary of the tactics that BazarLoader and IcedID employ as they have also been used to [deliver other payloads such as well-known ransomware families. As mentioned earlier, BazarLoader has already been](https://www.trendmicro.com/vinfo/tmr/?/us/security/definition/Ransomware) linked to [Ryuk. IcedID was very recently](https://www.trendmicro.com/vinfo/tmr/?/us/security/news/cybercrime-and-digital-threats/ryuk-2020-distributing-ransomware-via-trickbot-and-bazarloader) [used to deliver Sodinokibi, and was used in Egregor ransomware attacks.](https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/) Here are some of the best practices businesses and users can adopt to defend against threats such as BazarCall and IcedID: Always check the email sender, subject, and body for anything suspicious before downloading and opening email attachments. Be wary of unsolicited emails with unknown senders. Check the file extension of the attached file and make sure it is in the intended file format. Only activate macro for any attached Microsoft Office files when necessary. Be especially wary of emails that request macro activation using an image of the body of the opened file or those that don’t show anything. Watch out for spoofed domains embedded in emails before opening them and do a quick search of the company or website used in emails to check their legitimacy. Trend Micro solutions Organizations can benefit from having Trend Micro™ endpoint solutions such as Trend Micro Smart Protection Suites and [Worry-Free™ Business Security. These can protect users and businesses from threats by detecting](https://www.trendmicro.com/en_us/small-business/worry-free.html) malicious files and spammed messages as well as blocking all related malicious URLs. The Trend Micro Deep Discovery™ solution has an email inspection layer that can protect enterprises and users by detecting malicious attachments and URLs. [Trend Micro Email Security delivers continuously updated protection to stop spam, malware, spear phishing,](https://www.trendmicro.com/en_us/business/products/user-protection/sps/email-and-collaboration/email-security.html) ransomware, and advanced targeted attacks before they reach the network. It protects Microsoft Exchange, Microsoft Office 365, Google Apps, and other hosted and on-premises email solutions. [Phish Insight provides the most effective phishing simulations and cybersecurity awareness training modules on the](https://phishinsight.trendmicro.com/) market. Powered by Trend Micro, the Phish Insight team creates a simulation template library based on billions of real phishing samples as well as a fully automated and staggered delivery system that makes the simulation emails even more convincing. Not only integrating the best and the most prevalent training modules from around the world, Phish Insight also allows users to customize their own training programs. Phish Insight enhances information security awareness for organizations by empowering people to recognize and protect themselves against the latest cyber threats. Indicators of Compromise (IOCs) **BazarCall** SHA256 Detection 056809e596895320397378f7f3ff4958107e48f4890a960229dcfbc32b7379b7 Trojan.X97M.BAZAR.YABCZ 0606be9a1e3e32dc452cdd0ee48c3cecdb045545fa01789f580c197cefd220a4 Trojan.X97M.BAZAR.YABCY ----- 06c38b4c73015d04536d80262bb531183bead459371dd6db86a40dfccbdf236a Trojan.X97M.BAZAR.YABCY 0e266ef60c8059c2c828de3e77fd68a49e50626d7b0d4d659afd03806247d5bc Trojan.X97M.BAZAR.YABCYT 13141db5db00c63f5f7a2cd33f35d9236956f9ae7767725564693dbab6b14f10 Trojan.X100M.BAZAR.YEBCX 151308d22127e12066636627acb269e6ac71aa99cca1ac9dd00b582de3b5e0cd Trojan.X97M.BAZAR.YABCY 15a1cd485f5b09fa05c46ec81d7eaaaa1e71bfd3b19e3465f555704dbfadce31 Trojan.X102M.BAZAR.YEBCX 1681ae715209131c86f885453e3abd627de1edab974294b73789dfd396d2793e Trojan.X97M.BAZAR.YEBCW 16bfc0c0fcb0ccb6bb27cdc4178d08538c0b18c146d93a3a44be5fb15d8d43cb Trojan.X97M.BAZAR.YABCY 1c293c65680d01a8503c477f7d8f46cfbc62ce4fa6e507a4c0ae7436f33efa08 Trojan.X97M.BAZAR.YEBCX 1eba154cdc2e540704eebfaca2f51fb643c44129911eb9b668f82ab95c1b157d Trojan.Win64.BAZARLOADER.YABCY 2032cca770ec5bb02896b5b098f00564add5a5ee528973aa264fa85cdb1b1375 TrojanSpy.Win32.EMOTET.YABCY 204ddd2c357d7d5a5d30761f2da8363a3d26e1717e90ccc69b00b7be456f4092 Trojan.X97M.BAZAR.YEBCX 20cd67833a009771483fed52ad8450d1614df7843715eb67250dd605780d1e8b Trojan.X97M.BAZAR.YABCY 227b402fe1ad5c40edd6385590dd22add3e493be6c90c813786a1d2a92c5508b Trojan.X97M.BAZAR.YABCYT 27cbaa0a743ded5ed298ba18bb2bca3c9cf605a9d75f7168ea7cc00ac54687b2 Trojan.X98M.BAZAR.YEBCX 2ae9a949242e7691ea1df0475a0f266118dc382fd27350b575473d9da9d9fc1f Trojan.X97M.BAZAR.YABCYT 2c9787310c6307f1d169c5dff44455a52a5da01681b45f6ad9c382334c431400 Trojan.X97M.BAZAR.YABCZ 2fcc02b25bfccda87b03b1149eeb22379abb5b00f2ea474151979f87ee6a8289 Trojan.X97M.BAZAR.YABCYT 3369c4b31d3b5904783ee651d94d78995aa8ac2d6d4b52bc455c17c75845efbd Trojan.X97M.BAZAR.YABCYT 3866ad9640aefdefb66843ed3151d95007d76a7254e41d9a17389656a97afc80 TrojanSpy.Win32.EMOTET.YABCY 391c2301f9c1b27b489b78bac987e2e61e7923da1342941f3f52618e2d1ee1f8 Trojan.X97M.BAZAR.YABCYT 39e79fa4dffb5d3c4099ccd77f9a889a7a0179948862790aeba79c69ffeb8582 Trojan.X97M.BAZAR.YABCY 3a274a44ca7e8c943f9a2d1995d97582886d8f9684b7d5c5b51625f9f833d7ec Trojan.X97M.BAZAR.YABCYT 3eda5bc62ee17d2ba137c4253eacfd9f96926ec071eb583777935c084cdcb604 Trojan.X97M.BAZAR.YABCYT ----- 403e6317c3ef24bdacd6ff265a5b93cf43361398cba8918af459fb7072fd8ceb Trojan.X97M.BAZAR.YABCYT 413ca9be6e90c35d5e680ea00891976673cd22446ca31c3dc4e678356737d75c Trojan.X97M.BAZAR.YABCYT 43af28b1e4057888f074b01ddce13b6445b530cf70741d3e3bb65a712dc58775 Trojan.X97M.BAZAR.YEBCX 4435942b9f09846a337474f396fd0a885f41742f05899dcc1a12b6b44a31126b Trojan.X97M.BAZAR.YABCYT 461172b3e91e48945f91e7cb507f02d391bee5b2736ab33ef87c4068da99cabf Trojan.X97M.BAZAR.YABCY 4d1c7b33d3dd2ec8187bf29971a3785a9103a4dbd97cad37d6fd16f4dc761c0a Trojan.X97M.BAZAR.YABCY 4e58b94d857970b01c70e8fb4c68c99a409c5eb105e286f521325eb209e19a59 Trojan.X97M.BAZAR.YABCY 580436ddf51ed876d2e1547047288b0640bfd7570ffd7a2ef9074b116ad5f823 Trojan.X97M.BAZAR.YABCY 5b6e4db97888c248d70e6a2ecfe4967b5bb3ffba3e73fc04fcc91da8afe37f81 Trojan.X97M.BAZAR.YABCYT 5c03e5522fb03bc224b51be1206728e4cfc5ab6b5a45555c455819e8b5006356 Trojan.X97M.BAZAR.YABCYT 5c7a7b0b29a2f51eca70e25936b2f88570b44b0aef504d07b208621df0022103 Trojan.X97M.BAZAR.YABCY 5ee9bc24c82ee40e1a9f98aff8e36388ccea92a9423539e13b927291bebede72 Trojan.X97M.BAZAR.YABCYT 624a74c9469e95f404baebd07a8c563baa38e752d391bca5e8894dbc87186388 Trojan.Win64.BAZARLOADER.YABCX 6529aee58be4346065cf8f5166c49ecd7dbecfeb179092d0ba9ee4fecbbb0f8d Trojan.X97M.BAZAR.YABCYT 67b5ef18a2155a91980d6ecd5ce2fb73242b47921715095565ba5e7d97922aa6 Trojan.X97M.BAZAR.YABCY 683cf783dffa8ce135496f8f5017fc06268c57874ad79267cb52dfc202dfc3bc Trojan.X97M.BAZAR.YABCYT 701ff2df2c26f4ec31eb39074e0f7da97ad9f8e7e0877558571148db64a343cf Trojan.X97M.BAZAR.YABCY 739a35cdd227b78b2a3f49dff22b9185df7b6da1336dccd0c6f552ae0767397c Trojan.X97M.BAZAR.YEBCX 825e158ac8c57cee3a2d12ba062633e7a955e20d438b6b1b89c435181586a0ef Trojan.X97M.BAZAR.YABCYT 8300b9b7de6fd356541b30ed343c00235bf38fbcbe2325ecd4b6f06b2b711f03 Trojan.X97M.BAZAR.YABCY 8a6adc186c65c1db9026fa07e02e813e059a1463fc89b05c4440e2ddb143bd46 Trojan.X97M.BAZAR.YABCYT 8a9014b5a7e0975e760ebb41b5d6cac6e76bf1b3b5c2cb0dfebd94e577a6940b Trojan.X97M.BAZAR.YABCYT 8c908237c4354e3f96af0944dc84fd1d503827226f914a5e711f5415b1cec156 Trojan.X97M.BAZAR.YABCY ----- 8ca38418522c7797e0e2fcf8649b3adb64b70f9ad547f7cdc53a55cacacc0b4e Trojan.X97M.BAZAR.YABCYT 931a10977e46a3a1c810c1e3dad558b511a8fc75bd30e2eb3ffe292428f99847 Trojan.X97M.BAZAR.YABCYT 94ab1b1ca2123fccd39b956c9216f53ba56c012553281801d4af035dc1644569 Trojan.X97M.BAZAR.YABCY 95330c3095995c4e018936438d2f6da39cd55d29c52438c8042d39118ac81dc9 Trojan.X97M.BAZAR.YABCZ 95c9b5f666e90730d21e342aeac6f101d9c624ace3bd4e8bd7d5d9c541094283 Trojan.X97M.BAZAR.YABCY 98a54d72539d50134f8e95fb95d3807502ca50c2f27990a220c78432a799d461 Trojan.X97M.BAZAR.YABCY 9aa42472f59e5558987ce477e257fdccd61080d4278fe9a92f1c50bda11e4f0f Trojan.X97M.BAZAR.YABCY 9cc79e32ca74fea9e6a9ed7ab09abfa33d0fb2c3ef8752baed056de05f4b2de6 Trojan.X97M.BAZAR.YABCYT 9d6581dbec6c8f74f2d999b5b72a8d8f515bd71c1d0966754374b8a16d3c4bd7 Trojan.X97M.BAZAR.YEBCW a05ec823e486a21a5cea8811115ae750c9796f918228566463ed9a9f712238c7 Trojan.X97M.BAZAR.YABCY a144bdfb007c72eaab61f424725107366747afc2252675e2a8992401f581f2b5 Trojan.X97M.BAZAR.YABCYT a14e4ee9f2967d2189e7b725cbb7156a5132f55e96ce6497ac0a582d3a696510 Trojan.X97M.BAZAR.YABCYT a839e6e8570d4e836ef03ced53d77217cbd3f08558582733da8f60b0a0e6fa83 Trojan.X97M.BAZAR.YEBCX adbb324ef7beb35f9ea52e92b3cc613f8082ba9d Trojan.X97M.BAZAR.YABCZ b17773d67198e8ca31b2029789fdbf034dbe7d65e3425dae9c02638fd1da33ee Trojan.X97M.BAZAR.YABCYT b4631d97013e59555487c6c4c93798dd044e8268858eb031f6c324039cdff962 Trojan.X97M.BAZAR.YABCY b4b5161dbce88e4f35a58921fa4e81b9231e2ab92d6e80091bfd9ef4574ef822 Trojan.X103M.BAZAR.YEBCX b4d956e037fd49630847b92997906c14d76513ae2f00ffe8ba40d9fd5dae98ad Trojan.X97M.BAZAR.YEBCX bb9387320d69ddd3e4cd4586ae85ffd672d241d112e0199eeda0e59634aea4b0 Trojan.X97M.BAZAR.YABCYT bc604d1564b8b0360eb316b6d330d069dd887875db3d1c0cc1e6e8b6d044fa84 Trojan.X97M.BAZAR.YABCY bcfd5b1ab6019b320a299ec62374df157162116b7ab76d2dd852075b2df36d06 Trojan.X97M.BAZAR.YABCY be0466432cbd09f14c01975d9cbf24ce3539fd245918bd1b567d3cdda8f76324 Trojan.X97M.BAZAR.YABCYT c1d2ac7f3abee76af28e858f9d9b5c26bd121bc298280f44cb06e00951cb28d7 Trojan.X97M.BAZAR.YABCYT ----- c242a240f6836d70944d4810c9fbc4b2ee7221c5938f483d1ab8579955a4c78f Trojan.X97M.BAZAR.YEBCX c8768444c9e489989a6610537ecb1bc204216e0b0880079e6d9e561e56dc60a8 Trojan.Win64.BAZALOADER.YABCW c8d4265b3762f38162e9b93563bccf603081de769b9c5c38d41b65872d0c944c Trojan.X97M.BAZAR.YABCYT cd0332bed798951f6e1635b6169e07c41138323490e52fa9f674b6a113156a34 Trojan.X97M.BAZAR.YABCZ ce8fa7b1fbc88467678f3d2877c5580a5bf310cc489536a3aaef3f9b8d1db992 Trojan.X97M.BAZAR.YEBCX d021f3c83a2fb22da832e301962d63c695194907ab415d0b978858699e22952a Trojan.X97M.BAZAR.YEBCW d4723b2d858287cb8c01f64a00970f089be96ad886e83a1da38e84325fc9b886 Trojan.X97M.BAZAR.YABCY d49953673284c656971ba15caf8a1cc07902ae972836bd282a20aca916d15e45 Trojan.X97M.BAZAR.YABCY d8bcb2ec7da1dd5ea941807b790aa7dfdab9291e1cdc80fee3dc1d6e3b6981e2 Trojan.X99M.BAZAR.YEBCX d92bf3350a4b310ab6b7d295a0d1727155ec6d669b2da021c91aa9b565593a7b Trojan.X101M.BAZAR.YEBCX d969d06464b2c8eab75bf45e650020cc88add0bc947643dd24d69bbf34481906 Trojan.X97M.BAZAR.YABCY df38d84cefcaf27b357bf0c678ab22531d5e2886658f5482e9ace04a315828e6 Trojan.X97M.BAZAR.YABCYT e335e27175c66affc5c2b571878757b35642699b70250c4221800e47356d4b59 Trojan.X97M.BAZAR.YEBCX e4782e0fcb58e3643a293e9792be9d33b2147c96824c110105a198602c587d47 Trojan.X97M.BAZAR.YABCY e8c6014607b1160a2efa1ebc35f71e73e7e08c1e027d8128d985729b61c3d203 Trojan.X97M.BAZAR.YABCY e99a54ca11fd5e27c5085c24304103a348fa2a550ea1fa934fca541551c511d6 Trojan.Win64.BAZARLOADER.YABCX ecf5a6e4dfd2bc3a9a659699ee03e6c5ebcbd3252664245761f1594044f0c5fa Trojan.X97M.BAZAR.YABCW ee9ba17fb42f85ed79f5a9f15673327579538de8eb268ea134b97bff3f54c44c Trojan.X97M.BAZAR.YABCZ f2853ce6b6515446daf068272aba80c2c059f2c20e197f32060b9baf6bbd17a2 Trojan.X97M.BAZAR.YABCYT f3badf0a258410c281afe6ac253cbd48b1b4be6a656db60813131a3025cd8d11 Trojan.X97M.BAZAR.YABCZ f6391f0bb648e3821d88179b2f76426197961c739b7ad88329a91d5a1328cc61 Trojan.X97M.BAZAR.YABCYT f8662af41f8a99a17220a0181c3d4c5fd82ca6b522c5da4856f03accf3838a72 Trojan.X97M.BAZAR.YABCY fc3d3e2e605e76289cecb3612bd000471e613bf8841cc4e9c6b9f47b527a3d6a Trojan.X97M.BAZAR.YABCZ ----- fd93b2dd5067d6933d9d06878c75b53bdba8756f092c4ccb1e9ce881bb1ec85c Trojan.X97M.BAZAR.YABCY fee876283fdd75a8ea08d19c15e9c78755a8cc3135d157609097d2b249e0e7fc Trojan.X97M.BAZAR.YABCY C&C servers: hxxp://18[.]220[.]10[.]246 hxxp://52[.]90[.]97[.]160 hxxps://35[.]168[.]81[.]240 hxxps://52[.]167[.]249[.]196 hxxps://52[.]90[.]97[.]160 **IcedID** **SHA256** **Detection name** 219e7715d364c0a46c667bdb93b05776f257da38028cbaa5a504873eb166315a Trojan.XF.ICEDID.THCCABA 89756db6627e4c3ab511a0a6efe68dcfb6bec881c4942331dc95d53435e8f38b Trojan.Win64.ICEDID.THCCABA 8de416bd5b7913a0f58610c56f0fdb293873a069522024f281c2e0106fd74042 Trojan.XF.ICEDID.THCCABA a1411ad0725807a327258b5520ac7c1b709878ca84a6d2ee1d7a9913833b7429 Trojan.Win64.ICEDID.THCCABA a1411ad0725807a327258b5520ac7c1b709878ca84a6d2ee1d7a9913833b7429 Trojan.Win64.ICEDID.THCCABA a2fcccd77c387840adb0de73b7361fa8a230c4a50ef309c1353fb499004272fb Trojan.XF.ICEDID.THCCABA cb5864f279f49a06becdbcc287925d6073a4b72798daba165433a75d2bb3b0f9 Trojan.Win64.ICEDID.THCCABA 2f0dc07dc3a2ca82ee1ba3c92c83c1702d1dea8fe363d4f224b399377ab50e51 Trojan.Win64.ICEDID.THCCABA 442b31da9f6c4ffedd0a0d40a725c966a3c25284a0903ef40e2d0aa6bd8bfdaa Trojan.Win64.ICEDID.THCCABA 47eafc7cbd120f040b93ce9e682de907f3a9fe8a78ec187f5af48039fd55ce5f Trojan.XF.ICEDID.THCCABA 54efde21d125c3f0d057e89c4c10960d925b14253b59cfbbcda03a7e9d80fabc Trojan.XF.ICEDID.THCCABA 56b6eaacab819f6199b96b06510eebeb30f99adcd559e3c87111a18d1ca6ed76 Trojan.Win64.ICEDID.THCCABA 6d7751eb2aea2a561e5e33a951cc43d70b1f0c20054b60b8f1004aa36dc4dccc Trojan.XF.ICEDID.THCCABA 89756db6627e4c3ab511a0a6efe68dcfb6bec881c4942331dc95d53435e8f38b Trojan.Win64.ICEDID.THCCABA 9052448c8250fdf0b739d16b30d8d6807b1223a7e919d4f1f09a4ba5f847e74a Trojan.Win64.ICEDID.THCCABA 9cbf18d067a292361999b12af131ebf575d1d8acf21a58e55b2837a3621aeb2f Trojan.Win64.ICEDID.THCCABA ----- a2e4dc07cc85543b86e7c46887e7f96626e2cd9993e0787daa7b963a7e1b324c Trojan.Win64.ICEDID.THCCABA ba54ae65803b5c842dbb86a7ac72167906d3d22332c7aa56f2b6b4a337a9aabb Trojan.Win64.ICEDID.THCCABA c0768ee6bd8a1d5a5435e2839eb54f8b6d1a120a323c51c679070a22e550b1d5 Trojan.XF.ICEDID.THCCABA d258d95c4ca5e71cf03f7952bb53876a730c12f3def5918beb3862aacc39f0d6 Trojan.XF.ICEDID.THCCABA d86405130184186154daa4a5132dd1364ab05d1f14034c7f0a0cda690a91116d Trojan.XF.ICEDID.THCCABA df4fb2147efad93deb6fbc74545bb346ff2e719f7b77830988ca15df28857a21 Trojan.Win64.ICEDID.THCCABA e0f75a7b2d229eca6028061fe23483acd46c565b6d0e6dfa38148ad079f94aa7 Trojan.Win64.ICEDID.THCCABA e8ad149f6e754162432b1040443269ed078d2ab027f3e93ae4b4ff8801ac8760 Trojan.Win64.ICEDID.THCCABA eb9981fb381d6b252c1fce45b95baec5b563897b82ccc855f482f73e64e6ed46 Trojan.Win64.ICEDID.THCCABA f8b7283ffc3cbc94cdfa193d833497c7f32611f97963a15f1ee9e4d07cc87b67 Trojan.Win64.ICEDID.THCCABA fb7b725d0d1b47564070e0f10e237baf1f27d6f86afa11f163ae9692c85f2638 Trojan.Win64.ICEDID.THCCABA URLs: hxxps://agenbolatermurah[.]com/ds/3003[.]gif hxxps://agenbolatermurah[.]com/ds/3003[.]gif hxxps://columbia[.]aula-web[.]net/ds/3003[.]gif hxxps://metaflip[.]io/ds/3003[.]gif hxxps://partsapp[.]com[.]br/ds/3003[.]gif hxxps://tajushariya[.]com/ds/3003[.]gif -----