{
	"id": "9e8cb270-bccb-4b49-83bb-214ba5bc36d6",
	"created_at": "2026-04-06T00:17:06.626346Z",
	"updated_at": "2026-04-10T03:37:23.795155Z",
	"deleted_at": null,
	"sha1_hash": "d531c851e46b9cc0d62f15d85d99f25f5d94fbb0",
	"title": "TA551 (Shathak) pushes IcedID (Bokbot) - SANS ISC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 359251,
	"plain_text": "TA551 (Shathak) pushes IcedID (Bokbot) - SANS ISC\r\nBy SANS Internet Storm Center\r\nArchived: 2026-04-05 20:31:01 UTC\r\nIntroduction\r\nTA551 (also known as Shathak) represents a threat actor behind malspam that has pushed different families of malware over the past few years. So far this week, TA551 is pushing IcedID (Bokbot).\r\nShown above: Flow chart for this infection.\r\nImages from an infection\r\nhttps://isc.sans.edu/forums/diary/TA551+Shathak+pushes+IcedID+Bokbot/28092/\r\nPage 1 of 3\r\nShown above: Screenshot from a TA551 email with sensitive information removed.\r\nIndicators of Compromise (IOCs)\r\nThe infection process was similar to my previous diary about TA551 from August 2021, but this time it delivered IcedID instead of BazarLoader.\r\nAssociated malware:\r\nSHA256 hash: d68fb04c96e925efcdb3484669365bed0cda22a272e486e99a43f9626019d31c\r\nFile size: 38,958 bytes\r\nFile name: request.zip\r\nFile description: Password-protected zip archive attached to email\r\nPassword: 55egs\r\nSHA256 hash: 0a42f6762ae4f3b1d95aae0f8977cde6361f1d59b5ccc400c41772db0205f7c5\r\nFile size: 34,322 bytes\r\nFile name: charge_12.01.2021.doc\r\nFile description: Word doc with macros for IcedID\r\nSHA256 hash: c7f40608ce8a3dda25c13d117790d08ef757b07b8c2ccb645a27a71adc322fb2\r\nFile size: 3,342 bytes\r\nFile location: C:\\Users\\[username]\\Documents\\youTube.hta\r\nFile description: HTA file dropped after enabling Word macros\r\nSHA256 hash: d54a870ba5656c5d3ddfab5f7f325c2fb8ee256b25e2872847c5ff244bc6ee6e\r\nFile size: 257,672 bytes\r\nFile location: hxxp://winrentals2017b[.]com/tegz/[long string of characters]/cab3?ref=[long string of characters]\r\nFile location: C:\\Users\\Public\\dowNext.jpg\r\nFile description: Installer DLL for IcedID\r\nRun method: regsvr32.exe [filename]\r\nSHA256 hash: cfc202b44509f2f607d365858a8218dfdc6b26f8087efcc5e46f4fef9ab53705\r\nFile size: 341,898 bytes\r\nFile location: C:\\Users\\[username]\\AppData\\Roaming\\ReliefEight\\license.dat\r\nFile description: license.dat data binary used to run persistent IcedID DLL\r\nSHA256 hash: c340ae2dde2bd8fbae46b15abef0c7e706fe8953c837329bde409959836d6510\r\nFile size: 116,224 bytes\r\nFile location: C:\\Users\\[username]\\AppData\\Roaming\\{24DB904E-86F7-2F2C-B7C1-85D8BBCE1181}\\Miap\\Giowcosi64.dll\r\nFile description: persistent IcedID DLL\r\nRun method: rundll32.exe [filename],DllMain --giqied=\"[path to license.dat]\"\r\nIcedID traffic:\r\n143.204.155[.]37 port 443 - aws.amazon[.]com - HTTPS traffic\r\n87.120.254[.]190 port 80 - normyils[.]com - GET / HTTP/1.1\r\n87.120.8[.]98 port 443 - baeswea[.]com - HTTPS traffic\r\n91.92.109[.]95 port 443 - bersaww[.]com - HTTPS traffic\r\nFinal words\r\nIcedID can be followed by Cobalt Strike when an infected host is part of an Active Directory (AD) environment.\r\nThese types of infections can deliver ransomware as a final payload in real-world environments.\r\nBut decent spam filters and best security practices can help you avoid IcedID. Default security settings in Windows 10 and Microsoft Office 2019 should prevent these types of infections from happening.\r\n---\r\nBrad Duncan\r\nbrad [at] malware-traffic-analysis.net\r\nSource: https://isc.sans.edu/forums/diary/TA551+Shathak+pushes+IcedID+Bokbot/28092/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://isc.sans.edu/forums/diary/TA551+Shathak+pushes+IcedID+Bokbot/28092/"
	],
	"report_names": [
		"28092"
	],
	"threat_actors": [
		{
			"id": "26a04131-2b8c-4e5d-8f38-5c58b86f5e7f",
			"created_at": "2022-10-25T15:50:23.579601Z",
			"updated_at": "2026-04-10T02:00:05.360509Z",
			"deleted_at": null,
			"main_name": "TA551",
			"aliases": [
				"TA551",
				"GOLD CABIN",
				"Shathak"
			],
			"source_name": "MITRE:TA551",
			"tools": [
				"QakBot",
				"IcedID",
				"Valak",
				"Ursnif"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "40b623c7-b621-48db-b55b-dd4f6746fbc6",
			"created_at": "2024-06-19T02:03:08.017681Z",
			"updated_at": "2026-04-10T02:00:03.665818Z",
			"deleted_at": null,
			"main_name": "GOLD CABIN",
			"aliases": [
				"Shathak",
				"TA551 "
			],
			"source_name": "Secureworks:GOLD CABIN",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "90f216f2-4897-46fc-bb76-3acae9d112ca",
			"created_at": "2023-01-06T13:46:39.248936Z",
			"updated_at": "2026-04-10T02:00:03.260122Z",
			"deleted_at": null,
			"main_name": "GOLD CABIN",
			"aliases": [
				"Shakthak",
				"TA551",
				"ATK236",
				"G0127",
				"Monster Libra"
			],
			"source_name": "MISPGALAXY:GOLD CABIN",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "04e34cab-3ee4-4f06-a6f6-5cdd7eccfd68",
			"created_at": "2022-10-25T16:07:24.578896Z",
			"updated_at": "2026-04-10T02:00:05.039955Z",
			"deleted_at": null,
			"main_name": "TA551",
			"aliases": [
				"G0127",
				"Gold Cabin",
				"Monster Libra",
				"Shathak",
				"TA551"
			],
			"source_name": "ETDA:TA551",
			"tools": [
				"BokBot",
				"CRM",
				"Gozi",
				"Gozi CRM",
				"IceID",
				"IcedID",
				"Papras",
				"Snifula",
				"Ursnif",
				"Valak",
				"Valek"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434626,
	"ts_updated_at": 1775792243,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d531c851e46b9cc0d62f15d85d99f25f5d94fbb0.pdf",
		"text": "https://archive.orkl.eu/d531c851e46b9cc0d62f15d85d99f25f5d94fbb0.txt",
		"img": "https://archive.orkl.eu/d531c851e46b9cc0d62f15d85d99f25f5d94fbb0.jpg"
	}
}