{
	"id": "89a97a98-6e18-43d2-ac08-2f34fb1bcf9a",
	"created_at": "2026-04-06T00:22:07.931146Z",
	"updated_at": "2026-04-10T03:20:52.911229Z",
	"deleted_at": null,
	"sha1_hash": "c083fc8ccccadd5f6c61cbac2f3c7f8f03b5d7ae",
	"title": "COVID-19 and FMLA Campaigns used to install new IcedID banking malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2222157,
	"plain_text": "COVID-19 and FMLA Campaigns used to install new IcedID banking malware\r\nBy Paul Kimayong\r\nPublished: 2020-06-18 · Archived: 2026-04-05 12:48:02 UTC\r\nJuniper Threat Labs has been monitoring a campaign that pushes a new IcedID banking trojan. This new campaign changes tactics by injecting into msiexec.exe to conceal itself and by using full steganography for downloading its modules and configurations. Previous versions of IcedID injected into svchost.exe and downloaded encrypted modules and config as “.dat” files. This campaign also takes advantage of the COVID-19 pandemic by using keywords such as COVID-19 and FMLA in email sender names and attachment names. IcedID is a banking malware that performs Man-in-the-Browser attacks to steal financial information.\r\nIn this blog, we will detail this campaign’s infection chain and also touch on the network communications, including how quickly threat actors update and change their network communication.\r\n1st Stage (Malicious Office Files)\r\nThe first stage of the infection chain starts with phishing emails with malicious attachments, such as below:\r\nhttps://blogs.juniper.net/en-us/threat-research/covid-19-and-fmla-campaigns-used-to-install-new-icedid-banking-malware\r\nPage 1 of 17\n\nSha256 of attachment: 822a8e3dfa14cd7aaac749dc0515c35cf20632717e191568ba5daf137db7ec17\r\nThe Word document has a malicious macro in it and, when opened by the victim, it will drop and execute a file in a specific folder:\r\nC:\\1\\Whole\\PFSDNSKDF.EXE (Ee9fd78107cdcaffc274cf2484d6c74c56c7f3be39b1896894d9525506118d1e)\r\nIt achieves this by reading a binary embedded in it and using Windows Management Instrumentation (WMI) to execute the binary.\r\nOlevba output of the malicious word document\r\n2nd Stage Loader\r\nThe file C:\\1\\Whole\\PFSDNSKDF.EXE that was dropped by the malicious document is another loader whose purpose is to download another IcedID loader. 
It first unpacks itself by reading a binary file embedded in its resource, decrypting it and executing it in memory. It will then loop over the following domains, using WinHTTP queries:\r\nsupport.apple.com\r\nwww.intel.com\r\nhelp.twitter.com\r\nsupport.microsoft.com\r\nconnuwedro[.]xyz\r\nsupport.oracle.com\r\nAll of the above queries are normal, except for connuwedro[.]xyz. It does this to evade detection by trying to blend into normal traffic.\r\nIt is specifically looking for a response that is a PNG file and ignores responses that contain HTML tags, such as the following:\r\nCode Snippet for filtering out benign domains\r\nIt expects a PNG file as a response from connuwedro[.]xyz. To confirm this, it will specifically look for the DWORD “IDAT”, which is a chunk tag found in any PNG file.\r\nCode snippet for finding the ‘IDAT’ keyword in the PNG file\r\nIt then decrypts this PNG file using the RC4 algorithm and executes the embedded binary. It also includes checksum checking in the code to make sure that it is the correct file. This technique is also known as steganography.\r\nThe binary will be saved in the %APPDATA% folder and, for persistence, it creates a scheduled task that will execute every hour.\r\nTask Job of 3rd stage loader\r\nThe hash of the binary is c35dd2a034376c5f0f22f0e708dc773af8ee5baf83e2a4749f6f9d374338cd8e and we designate it as the 3rd stage loader whose purpose is to download the IcedID main module.\r\n3rd Stage Loader and Main Module\r\nThis is the loader that will download the IcedID main module. Similar to the second stage, it applies the same technique of unpacking itself and using steganography. 
It unpacks an embedded binary in its resource and executes it. Once unpacked, it will download the IcedID main module as a PNG file from the following link:\r\nhttps://cucumberz99[.]club/image?id={01XXXXXXXXXXXXXXXXXXXXXX}\r\nThis domain resolved to 31.24.224[.]12 during our analysis.\r\nThe image will be saved in the following directory:\r\nIcedID stored as PNG file\r\nThis image is stored at that specific location so that when the third stage loader starts, it does not need to download it again. The size of the image is more than 600KB and embedded in it is the encrypted IcedID main module. The encryption algorithm is RC4 and the keys are also embedded in the image at a specific offset.\r\nThe decrypted code is not a complete PE image, as it does not contain any header. Most of its strings are also encrypted, which makes analysis even harder.\r\nThe first part of the shellcode is to spawn a suspended process of msiexec.exe.\r\nCode snippet for injecting to msiexec.exe\r\nIt calls the following series of API calls to inject itself into the remote process before it exits:\r\nZwWriteVirtualMemory, ZwProtectVirtualMemory, ZwQueueApcThread, NtResumeThread.\r\nUsing msiexec.exe /i {random name}.msi is a simple technique to try to conceal itself and look like a normal installation of an MSI application.\r\nThe code injected into msiexec.exe sends a beacon signal to the CnC server and awaits commands. 
The commands include:\r\nUpdate the IcedID main module\r\nUpdate configurations\r\nSend bot logs to the server\r\nExecute a shellcode from the CnC server\r\nCollect system information\r\nDownload and execute a file from the CnC server\r\nExecute a command and send results to the server\r\nReboot the client machine\r\nUpload a file to the server\r\nExtract passwords stored in browsers and mail applications\r\nMan-in-the-Browser\r\nThe IcedID core’s main function is to steal financial data using webinjects. The IcedID main module, which is injected into the msiexec process, watches for specific browser process names:\r\nFirefox.exe\r\nChrome.exe\r\nIexplore.exe\r\nWhen it finds that a browser process is present, three things happen:\r\nIt creates a local proxy that listens on 127.0.0.1:56654\r\nIt hooks the following APIs in the browsers:\r\nChrome.exe and Iexplore.exe\r\nCertGetCertificateChain\r\nCertVerifyCertificateChainPolicy\r\nconnect\r\nFirefox.exe\r\nconnect\r\nSSL_AuthCertificateHook, a function from the library SSL3.dll\r\nIt generates a self-signed certificate in the %TEMP% folder\r\nWith these three things in place, all of the browser’s connections are proxied through msiexec.exe and it achieves full control of the browser.\r\nTCPView results on a system infected with IcedID\r\nIt will monitor browser activity related to financial transactions and inject forms on the fly to try to steal credit card details. Among the banks and financial-related services it targets are the following:\r\nAmazon.com\r\nAmerican Express\r\nAT\u0026T\r\nBank of America\r\nCapital One\r\nChase\r\nCIBC\r\nComerica\r\nDell\r\nDiscover\r\nDollar Bank\r\neBay\r\nErie Bank\r\nE-Trade\r\nFrost Bank\r\nHalifax UK\r\nHancock Bank\r\nHuntington Bank\r\nJ.P. 
Morgan\r\nLloyds Bank\r\nM\u0026T Bank\r\nCentennial Bank\r\nPNC\r\nRBC\r\nCharles Schwab\r\nSunTrust Bank\r\nSynovus\r\nT-Mobile\r\nUnion Bank\r\nUSAA\r\nUS Bank\r\nVerizon Wireless\r\nWells Fargo\r\nMore details about the functionality of the main module have already been discussed by various security blogs. We link to these in the reference section.\r\nLet’s Go Hunt\r\n1st Stage Loader\r\nThe vast majority of benign documents do not perform any network communication, even towards benign domains. The following network behavior could be used for finding other samples related to this campaign. With this, we have found other samples that are using COVID-19 and FMLA keywords. All of them have macros.\r\nVT search for finding related malware\r\nFor the second stage, we found 29 unique domains with varying IP resolutions.\r\nDownload Domains for Third Stage\r\n3rd Stage and Main Module\r\nThe network communication of this IcedID is unique, as it follows this specific format:\r\n{cnc_domain}/image/?id=01XXXXXXXXXXXXXXXXXXXXXX\r\nVT Query for hunting third stage loader\r\nUsing VT’s behavior search module, we are able to find approximately 250 unique samples. Out of these samples, we identified 62 unique C2 domains. The complete list of hashes and domains will be listed in the IOC section of this blog.\r\nThe following data shows how quickly IcedID threat actors update or change their CnC.
\r\nCnC Domains for March\r\nCnC Domains for April\r\nCnC Domains for May\r\nCnC Domains for June\r\nA commonality among these download and CnC domains is that they only use the following TLDs:\r\n.xyz\r\n.club\r\n.top\r\n.pw\r\n.online\r\n.email\r\n.best\r\n.bid\r\n.site\r\n.uno\r\nAll of these domains also use the nameserver dnspod.com\r\nNameserver information of IcedID download and CnC domains\r\nSelf-signed certificates\r\nIcedID uses TLS in all of its communication, but the certificate is self-signed. The connections can be spotted, as they use this kind of self-signed certificate. The keyword “Internet Widgits Pty Ltd” is also being used by Trickbot, another banking malware, and it is believed that Trickbot and IcedID are cousins.\r\nNetwork Miner output of IcedID certificate\r\nConclusion\r\nIcedID is a very complex malware and there is no doubt the threat actors behind this are very much capable, with constant updates to their arsenal. 
In summary, this latest IcedID Campaign focused on evasion by implementing the following:\r\nSigned Binary Proxy Execution using msiexec\r\nFull steganography\r\nHTTPS communication\r\nString encryption\r\nBlend communication with normal traffic\r\nJuniper Advanced Threat Prevention (ATP) products detect this malware.\r\nhttps://blogs.juniper.net/en-us/threat-research/covid-19-and-fmla-campaigns-used-to-install-new-icedid-banking-malware\r\nPage 10 of 17\n\nJuniper ATP detection\r\nIOC\r\n1st stage malicious documents\r\n822a8e3dfa14cd7aaac749dc0515c35cf20632717e191568ba5daf137db7ec17\r\n74d6e374d7958e70c6733b6c17e2f0d79b629e172aaf385c142c76678647f3b8\r\n436b0c94c1be2be6b328830568ef7f031b45bf6d2377fa9f4b1f872ffb39b369\r\n4ca8c054641c1f11c033cc20ebae77c4a41853e2fe693ecf4b93a9719b624c1e\r\nafdb9b4c2e9a47a137a385e41a47727c0a04b2001aab60d6b3e099d0faf4ddef\r\ne4f89d4ff1d26e0959c7147df641c6dae3e0d15729a5fd275857e98225b44245\r\n3ff97578adea9f45bccea091234c5ccee6a12b3c52e7e29195a45e3c191aa926\r\ne15744eb13666670ad3cf256c31df57a01c40f355a0f8a592294187d4fedc257\r\n454ff6a5ebf01fc7d9c1ced5b081d582d11119ab9b49fc06ccaf22b1b0259c23\r\n54197c58c9693580c8ca961d8ff326cbad7688b23627114f7437c59fede46e82\r\nf1bf5ef89f644b1558dd54e68148e60310d537ca45c2daae2b410c30540d7de6\r\ne48e4e74dc7e67523878a2cf68b2ce72b5e5c999897e075d6b993e41c81f4174\r\nef2ab4bc4ee63dd1b9f04a56fe727a87f56ddd476bc1cd72c78f4d31abff322a\r\nfd11736701395813459091b6d07878c52b448a4d9a5825517a0308fbfe6fa070\r\n9979063dae01bdfffd946ed012e69fabb82be3795323a52b06532b42b0f59609\r\n09c3ada49c47af20854d87fbb76a24263d759f93f8de7e5af88549111ce55dda\r\n10ab8bfff505a3add9537bf742ede32f985e9f1ecc3a8afca99005b7255bca1b\r\na6e0690db18e89187c2a9b0924585264606482dfdd9ac97c744bb649615ced65\r\n1e988d02dedc8307c518e6bc2c6f8be14e4f0cd941972622deebcd90a6f09013\r\nf4fecef8cd7c7688d98ff168e137c70d98f01866114e552ede71aa28e2088018\r\nb0dc0a79862585b381afb61b05640276d51001961ddf9608703195bc183f1f06\r\n8664c34e72bc78098668331faa8f5113ad798a29c0856
62a0a9d83c4598843b2\r\n404650dbf9d8d4fcf844f529b042b895979f3a87334fb97925805c8072725ea8\r\nf5d8de500a504f6493af21ac67f50f5a4de5d6371e36c3a2251ac098f256187b\r\n385a41aaa192a8cd56bc35b1841a8e4a31f4cae1d5b68542ae7584b6420d363e\r\nhttps://blogs.juniper.net/en-us/threat-research/covid-19-and-fmla-campaigns-used-to-install-new-icedid-banking-malware\r\nPage 11 of 17\n\n55e1ba8683bb6b1d2a4f8b16b16ede25943d66e5884c9793f8c078614d12d9c4\r\ndea7eaee76df0fa27ae5ddd2988222b8afefd73ff80f5a5a14108cb499b85a23\r\nf30f283832f7a371c2c23cb2b5801e71bd33856c026480ab9165e584300fa3b3\r\n57ea3ae558efce33cf28a5cefa26e93a07186e5cdf799d5d066edaf581f66706\r\n2e294fbc75cefcbece50a3e57730212fd7672a4cce487db0bdfd241032a5bcb7\r\n3a11e16512b0f4c1380c5f94ff65312c421955c5693ea73260e2274eb34470c8\r\n2nd stage download domains\r\n2pillsofhunderts[.]pw\r\n3chickens[.]pw\r\n3glanzepages[.]top\r\nbividilli[.]xyz\r\ncarpetkisa[.]xyz\r\nconnuwedro[.]xyz\r\nfeminization[.]xyz\r\nfilacolonel[.]xyz\r\nfredoferodo[.]top\r\nfrenchfries8[.]top\r\nghefgekil[.]club\r\ngigakolors[.]club\r\ngoodcolonell[.]xyz\r\ngroggypirogy[.]top\r\nhinkaly[.]club\r\nkarantino[.]xyz\r\nkassadesada[.]top\r\nknockaddress[.]xyz\r\nknockdomain[.]xyz\r\nlokolojazz[.]club\r\npyramide33[.]pw\r\nsiffersniffer[.]best\r\nsilkycow[.]pw\r\nstuffed8tomatoes[.]club\r\ntestermeisterz[.]top\r\ntryfreder[.]xyz\r\nvodkahater[.]xyz\r\nyahzdaje2[.]website\r\nzajjizev[.]club\r\n3rd stage loader hashes\r\nc35dd2a034376c5f0f22f0e708dc773af8ee5baf83e2a4749f6f9d374338cd8e \r\n014b422e6c1bc23db2b5898dd0c49ac61fbac174c1e0d916f68b41cfb535cdb5\r\n015243f1e4fa8c0eabf86ae752056e2876e50b3b67e95fa486451904d311580d\r\n021cae01a3e9e734ca0b96c30d7d358b7b41c84565c95b448771de56ae85621e\r\nhttps://blogs.juniper.net/en-us/threat-research/covid-19-and-fmla-campaigns-used-to-install-new-icedid-banking-malware\r\nPage 12 of 
17\n\n063ed7054f8f7d72cb34f9a37725b5974fdafc743c338b07bc7b0b2ab6a212e1\r\n06d21126d11e3fd07c66c7f9c096f80fa8046b5e1bf4370187401890fdf4fd5c\r\n07671c10dd548d8a535939c0282d6710b07c8e2e8e7efa466de09202d02cd550\r\n08bb93772c22c2842e968f5ad3753062530c4fcee87110afe46d95889c484dfb\r\n0b0b92a625911a7065cf0e48d470acac71290c6832363a715b1f46aff01fe4c8\r\n0c69c38b7d436280492807d77a308f2eec5007afc0683aa206358db91c116def\r\n15041d3408372977905bda10cbccd9a86135eb441152968299e3c05ebcbae93c\r\n16ae5983ca6e3f7bf893e0ba9ef44f2f46270a717abed860fdd56a7ad5cc8f77\r\n16efa114618cdf5426f514c79597d29fe0ced79f32c5b56985cf2820854d7a36\r\n18726b5405dc2f8159f3496939c5df3ca742ff271a2dd294b033433203f35eb3\r\n1faa5ce90b3496c6938f3fe3a25f89939a297254a183fb75a8d58abfcc9fddfd\r\n1fd7fea39524f3e5edcd0d41e9b2f9c9fa639ec22e80bacd173b7744b4a05601\r\n2660abba68d81b50c997b787a98484e1eeea47269cdbe1f5ae87e6ac086b5237\r\n26e0468acd186e744e895f116d14e20179d74f61fa819b5984442cac51f07b00\r\n284aaafa51b1131e6656b270af6c3a032cf454ead1d5f0a5926ebe22772cf0d9\r\n2aab4bb300e505e278a20a2aa804c9ba5920c2513b425440b1c818d53a0dd672\r\n2b7ccec0aa1d9f09fb7d17034acf00b0e96dd47ecabe767b419a474a0854e42c\r\n2ba7ecdb95e16f4af77d2cb09e301306c2115350da49e36afa26a365fceb110c\r\n2bfa9f878dce2de087715d7986e369197aecd166a635c80a2f2c39a9b8e327fd\r\n2e1d4c5755845068909b229939511d6a9a0b7b5df6801f44a3a3a274d6048804\r\n32efada9f1ba73c5ded10c2338fe261e0e4c997f48696464978af942c9f2599f\r\n3391f3da58a8b440b0c58084a280cf9cac28395ecf87c8307d5efb9d66b6164f\r\n359ea0e4217bea81d92e6e274681ab7df24caaaaa0e6ad412e2f9045113c6ea1\r\n386becd1260847d03958dbc82b5f6565e2855ed5439eef34b57678410877174e\r\n396a445f43fc63122543cbb16fe2919e19aa2371f7165c3817acac7885701afd\r\n3a09fb755bb94cfbd598d16c3a8dd430be51a1eed9dc5791a8f07bab6e2bc284\r\n4267ef18ddeb15cf6920e2bc89f5c9247b6f554112a124ee2211281ce98ec04f\r\n43275d3fdf60216df9c0151b11db2896a1dd56b9e7267ed6db78f4ef21cb8b46\r\n44271a7612f1b32ed5fb0bac211992ea5e5c243710b9b4e8ad83f08af6a6cf4f\r\n46a19f4b4dcfcb51b0db17
18ad6d64bf0eb28170c61421e87e7edc07facd329c\r\n48293a9ec8e7d12370cb1c1266653053ad5861761c74c437b2350aa909490327\r\n4aec02ec7bc4ff2fbde2e36eb40411bcd69ee2dd9abeaccdd306a3aca8f5ad1a\r\n4e7161be03f206c1b086bb15b47470ec1c9381302eb34d0e76915496aec77193\r\n50cee93429653fd24d534c31c52a94e71b4fdc1e5409f8ac4ae2a81210ea12e2\r\n5542f9cc78b5aa2901c2187f1dcee8e214aca20465c81c4da51035477d19287c\r\n55acf5558ef68bd26148074c6f916311ea760edc6cbd136973ea638c98606a93\r\n57100de2a289e45824f5cbaf8074e3f6e543eb2aa9a18584b1a007c7b4ddaa48\r\n5c91d58ad4b5f1536c2548ac3080f02155df555025c634659cb15dfc5ec2143f\r\n5de3eb250030550512c0ce92923ff30bc16529a45a5f24c624e9d7c7a4e0c1e4\r\n5e38dcb3632d7ac183bded4662c139db2f54c104ae1efda75b62b0bd0b9882f1\r\n61ca03447437e224ac301c56a72684a3c08310a3b850aff69952d124b488bc4e\r\n696ef2c7fb064b293173bae309c1cabe3d2dd2d1a1becab040acb05c82022c2e\r\n69fced2e42d5fcb3b0ade5ebc81359c1f8c2e51935db74f40c94fb5c646130d9\r\n6c02225c8a5ae583e738417866bc2f66636834ff025749da7f36ea639cbcacb6\r\n6c878a7145e9f783f28b665207d9d180d04d0fe8e42bb2ff594faf5692f25ebd\r\nhttps://blogs.juniper.net/en-us/threat-research/covid-19-and-fmla-campaigns-used-to-install-new-icedid-banking-malware\r\nPage 13 of 
17\n\n72d4df9bca3cdf2074ffa84580c01fa425d528be54f331c59eb27a12a3736093\r\n7a41e722fb6fd0067378cba5e4ddcb9c122205f41eee22204ce83af63a89b4fe\r\n7babfaa95153f3f4c06630ff30d225760ae4a50e75764b9e049d8d70bfd88107\r\n7f45cf09a572799af51ea935b95b185c05e13f749c9f1e2a2d41f8001c76487e\r\n7fb71830442acb35dd86e559d632d7a14c21b60639203c61d371831b78dde6e3\r\n81869e50ce5599cab247458445cc36b5a3108398f1ed520d29a4e7395a81afe0\r\n82f48defd2de04d87de86ce8e584c6cb1bad8581d99e65ae99b58ef96f623089\r\n87322aed33bf01ca618ad94e1d6a042bae91c978fabfb3e7fcccfa75a64c5d6a\r\n882a9e7001dd1618c593f68e11f77c8e86239f610283e88981eecab93b5158a7\r\n8831ac358046286facb6ca2643927aa837907937d1895ee3b73472c58bf3ef2c\r\n8a4b045d11a898ced073e564e601b9624ace121be688ec20f31d56bc1edfc377\r\n8a60949ae63dd0d80a49485a7a2ce1a29505ed76eee018ef12d28ac70bece07d\r\n8d1b83eff1b3c604365fd29de1bb43204852de842c0bb148975fe7a7485310e4\r\n8d97b91ce882f9405b7a7de5b1f08fdef0a0db4303977140546ebff72af1bc7f\r\n9118ba30cefcc565be8a9ba85ee66da7670f18b08ec3cb205be80e78bf64f5fa\r\n927a8d1445750400db3850d0b2dc3522b0f373098385373efa3d7762120f3689\r\n949d06fb921d1e32be7232933d0578c086112c5b782640cd5b9a6b6570f27bf7\r\n961588c90fe84a65e9aff3b98a95cd46d581add783ce639065665a01a16530f5\r\n961ced78105cf07255f79dd7ad0ecaa2360b6ac08264acfb22d927e3d7f441c4\r\n96c825103005a025660b5d32002a636d2242801949d0b970a77625be268a8cd5\r\n97a32b419c28bfa62220fc8a7c715a899bf84484e34a75ee97c766d7d43b2b4a\r\n9c19493c7ecb8067a0a52e089b819f53adf6a1f6b0535b42f1e5325a789125d9\r\n9caa061ca9619b215e657357f368e9fa7d64e402c13d55b76578c5acddd25aab\r\n9ff86c3e52aea34f885d1f298ee9e448368d941bf122f61278b6d50addb36744\r\na234c29baff478276e9ae616046d98ca1ed57311616691a7e048e0af6d9c1c44\r\na24fe24beb66aef2978017939f29a7eb3cbd1ca3d210a9834cae112ba86d075b\r\na299a3d1d838adc37ea985039650b7b32428d3787a0b7e31feeafcb831eb984d\r\na3d5871579dd194d86e5af84e306c38d27703bbe9b7e7d4209b68cafd21464e6\r\na55a668b4180ea3cd58472dc0fb9b45dd92c09cf049644cbc25f5b50a9d05001\r\na6fa541a097faa1f61b708
5eb52b46bd893944f93a8bd20205118b1b7b802fd4\r\na9129fc61d0ea9a2756c64febfc486895e37312e5ff8eabd16b7ff201bb90e7c\r\nad58f15ff69ee59a32ae410acd564cd4b53a5cfaea6ede136046cee12f1c0b59\r\nadc05158b29dcb3f96532e526bdb296cb5e424a96e6f7b83b6c0b82b811d2740\r\nade52f993013635afe7eaf0d91cc0521b97f3de1ca541882bde3ee94c872982f\r\nade6356fb4f693664d5dcb54c3e1ca6a9013ef653b473bdd7a2e1407bddc6193\r\nb6c2ebd3be005f672514cbc3ab320b9dd887f17b6bc14bd5bd34adc5a951ef17\r\nb78d867fa64b9c7f8ad19b6fc4ec934b3c1c13e6fe080c84d4685629f18a0de6\r\nb7de965c5e2cfef42def39f124d37d1302ea93b91aa394d2cf41cfa7df2607e6\r\nb8768315d048093fc216c8921dcc392628d977ea97efcf352e5a89035635ffdd\r\nb90881ea27e45a5beec5abdcfa7f83709b8ca02b9a533a7d1325df059522d21c\r\nbdb743a2f2cd6ef45f9d0c97ec8feb590831d108bc7d434b5f65e87ab4be9746\r\nbf4da5aa980f12573157473f694210276a72d4f26cb7bfce38b84be5e33fd195\r\nc35dd2a034376c5f0f22f0e708dc773af8ee5baf83e2a4749f6f9d374338cd8e\r\nc57c797dc857427dd9d34524f32897cd001dd0d5526b7ae382158989a57541a4\r\nc7ef139a5291a1e2b70551f4fc8290a4bc963ba4bf36101aa787eab21fa2aa83\r\nhttps://blogs.juniper.net/en-us/threat-research/covid-19-and-fmla-campaigns-used-to-install-new-icedid-banking-malware\r\nPage 14 of 
17\n\nca59caa3199f6ec24cead3e4b705f8a22c5b78f3b62f84791c03784e3b55993a\r\ncba5edb9a6a3c25b635a050492d6f9e6cd69f916ec57f4787e5b2e3a8356182c\r\ncddb94b07baa8502aa7ec15815606d89630fc6d62790a42fb9b0aabe76700de1\r\ncebb538862dcfa960e48d09a7d44dc0b096cff66bd61606f54949433ce94ff7f\r\nced9b6411f4c3db104f9b25b9c638f5874097219152c1800fd7988f03da15b29\r\ncf79819a5ab92e53568736463be90254504a60a07543f6d1d14148808940519e\r\nd5e2868d0eaab6056d49a9f2a35842e0d2390e84beed0e352ed3cb19f3dc380e\r\nd8619ab7066af14878548719f8737ec110df19badbdd3d6394a941127c268d19\r\nd9ea9d94359fa3e8edda3e1e659925f25e7003a8254b52229800220b67b651bb\r\ndf0b5d6ca7ba81e22d98e1f4dafe4d222ce496c31299e4189d8d773d9b70d6ec\r\ndf30ccce6ec03c03e2e1ca041200267cd3b708946cc2f18577dfee7ea351272c\r\ne0d78b3a64c0d256d4be7c2b959fb8ce49950bd2abb975aa35b6421d1be6e9e9\r\ne1a2490b48fe59d053f5d486af00f72b2973d71ea87496c8158cd60e72f9b386\r\ne48d5ea33faf98eb5264896ad8fdc72cb53998282c871edd189a615096c3ec56\r\ne624144b6c38455eb528fa2fdb1631b822608bde5eacbec097a18ef3e54c40b7\r\ne6c21816d712973a1e6b615164ed475dc58694afb88c69ec61c81bba7daa1297\r\ne7bcd48b2948a278876343900aa3ee30cab266e6fa26c3031eee5dd846983ce2\r\nea6cecdaef1dde96281060a27ba65beb4079c04313697f60073be1196af7ecc6\r\nebac2e585e43af2737f6bdf291b93e88dfddb64efc97ed5c514afd2848814515\r\nec1f379b1032fc9f8acb9785d83978e3197dda7a3ab42ff697529c8cb7dfa579\r\nec56f0a98216810fe2706d04c9c7350e3e125b3e3207ccde0442f91fb8804921\r\nee1bc25f45c431fce214dc0f0838fa8969142296a20c3887282750521ee41518\r\nee29459f34c2d80b939ee41268e4c7f09eb639b2f4b97346ef10722d999323ec\r\neeb4caedbe98e144bf7e30165f9c4e16525b964927af3dda94616abe18d0c476\r\nef25d0b852fc83e6843c0ad7e081cbcc4541a4a0713f81a8261375f451585f6b\r\nf02094836adc271479734dfd5326a74f79a7545b679df03e03e339cd5db0c116\r\nf3ba5d0b27ff406dcd1c624aee919f394d231b878f040ec23e36c7f0cf81df99\r\nf77ff256c9e359a4d6fb7dc28aebaef987c919c54b001494e1624df09b73fb26\r\nf78bfa34d031119443d2e4fac2c291cd2e16fe932cec448cd88b8f8592aa76d5\r\nf7b5c622fd5f295615df5a
f2ad883f5946ad2f72002c4c3be1a9ad0df7c2b2e5\r\nfb82d8338af07adaa5d46c372e5597015ccfb0f6e48dd9dbfceb282d5e8781b7\r\nfd56107c80cef6e7b7493d01175d6801ba28c0393c4f36f440bc97c8cf5f0e3d\r\nCnC domains\r\n30miles[.]xyz\r\nantivarevare[.]club\r\nantivarevare[.]pw\r\nbavadivaclub[.]club\r\nberadocolon[.]top\r\nbluekit[.]pw\r\nbonwes[.]bid\r\nbredretre[.]uno\r\ncarztesla[.]xyz\r\nchumocarz[.]club\r\nhttps://blogs.juniper.net/en-us/threat-research/covid-19-and-fmla-campaigns-used-to-install-new-icedid-banking-malware\r\nPage 15 of 17\n\ncitytrallbus[.]xyz\r\ncolocarantino[.]xyz\r\ncosacasa[.]top\r\ncostacolonel[.]club\r\ncostamustero[.]pw\r\ncoucarachiz[.]top\r\ncozyappt[.]club\r\ncrossbones[.]email\r\ncryptocrio[.]pw\r\ncryptocrio[.]top\r\ncucumberz99[.]club\r\ndayafterthe[.]xyz\r\ndezisenkor[.]club\r\ndocccutime[.]xyz\r\nemergencytoolz[.]pw\r\nextraordinarycurc[.]club\r\nfekilopol[.]xyz\r\nfidelliware[.]pw\r\nfilacolonel[.]site\r\nfilteroggy[.]pw\r\nfishmak[.]pw\r\nflighfinder[.]xyz\r\nflightslots[.]online\r\nforwardnogi[.]pw\r\nfullplainefares[.]club\r\ngerenada[.]club\r\nglassyradua[.]xyz\r\ngoodservers[.]top\r\nherekeder[.]best\r\ninstarobotics[.]club\r\nloacorecoder[.]club\r\nmenosmeno[.]best\r\nmillogorillo[.]top\r\nnadalia[.]top\r\nnorthdestrickt[.]top\r\noggytarakan[.]club\r\noggythecoucca[.]xyz\r\npolymorphis[.]top\r\npravizzillo[.]club\r\npravizzillo[.]email\r\npresserdresser[.]best\r\npythonfinder[.]top\r\nsafebanktest[.]top\r\nseguridadcolonel[.]club\r\nsharedocar[.]xyz\r\nhttps://blogs.juniper.net/en-us/threat-research/covid-19-and-fmla-campaigns-used-to-install-new-icedid-banking-malware\r\nPage 16 of 
17\n\nsmallhole[.]club\r\nsvaerossi[.]pw\r\ntourdayly[.]top\r\ntrythisone2[.]best\r\nuxozhuki[.]pw\r\nvereseptem[.]pw\r\nwithoutemblems[.]top\r\nReferences\r\nhttps://www.group-ib.com/blog/icedid\r\nhttps://securityintelligence.com/posts/breaking-the-ice-a-deep-dive-into-the-icedid-banking-trojans-new-major-version-release/\r\nhttps://isc.sans.edu/forums/diary/Microsoft+Word+document+with+malicious+macro+pushes+IcedID+Bokbot/26146/\r\nhttps://www.fortinet.com/blog/threat-research/icedid-malware-analysis-part-one\r\nSource: https://blogs.juniper.net/en-us/threat-research/covid-19-and-fmla-campaigns-used-to-install-new-icedid-banking-malware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE",
		"Malpedia"
	],
	"references": [
		"https://blogs.juniper.net/en-us/threat-research/covid-19-and-fmla-campaigns-used-to-install-new-icedid-banking-malware"
	],
	"report_names": [
		"covid-19-and-fmla-campaigns-used-to-install-new-icedid-banking-malware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434927,
	"ts_updated_at": 1775791252,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c083fc8ccccadd5f6c61cbac2f3c7f8f03b5d7ae.pdf",
		"text": "https://archive.orkl.eu/c083fc8ccccadd5f6c61cbac2f3c7f8f03b5d7ae.txt",
		"img": "https://archive.orkl.eu/c083fc8ccccadd5f6c61cbac2f3c7f8f03b5d7ae.jpg"
	}
}