{
	"id": "cd8690f4-6a46-4bff-8c17-57d22a00a2f3",
	"created_at": "2026-04-06T01:31:08.009639Z",
	"updated_at": "2026-04-10T03:21:46.971554Z",
	"deleted_at": null,
	"sha1_hash": "deadd949692f8e3e254191328482b8f2f06c3944",
	"title": "Detecting IcedID... Could It Be A Trickbot Copycat? | Splunk",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5027033,
	"plain_text": "Detecting IcedID... Could It Be A Trickbot Copycat? | Splunk\r\nBy Splunk Threat Research Team\r\nPublished: 2021-11-04 · Archived: 2026-04-06 00:43:58 UTC\r\nIcedID targets financial institutions across different countries including banks, payment card providers, and e-commerce sites. IcedID has also been observed deployed in conjunction with other malware payloads such as\r\nValak, Qakbot, Conti Ransomware. It is clear from studying past campaigns that the actors behind IcedID have\r\nexpanded beyond banking information in order to extend similar features and coverage as other popular carriers\r\nsuch as Emotet or trickbot and by doing so current iterations of IcedID look more like a copycat or maybe even a\r\nsuccessor.\r\nSpear Phishing Documents\r\nIn a recent campaign, malicious actors were observed using a document builder to simulate legitimate DocuSign\r\ndocuments and embedding exploitation code for CVE-2017-8570 to trigger the installation of IcedID. These\r\ndocuments were delivered via spear-phishing technique.\r\nBelow is the screenshot of the phishing campaign (Word and Excel) that will download the IcedID downloader as\r\nsoon as the user runs the malicious macro document in the targeted host.\r\nhttps://www.splunk.com/en_us/blog/security/detecting-icedid-could-it-be-a-trickbot-copycat.html\r\nPage 1 of 14\n\nThis malicious document will download the IcedID loader then drop it as a “.sys” or “.jpg” file and execute it\r\nusing regsvr32.exe windows application with “-s” parameter like the screenshot below.\r\nhttps://www.splunk.com/en_us/blog/security/detecting-icedid-could-it-be-a-trickbot-copycat.html\r\nPage 2 of 14\n\nOther exploitation vectors include running an obfuscated HTML application (.hta) to download the DLL loader as\r\na .jpg file then execute it with rundll32.exe windows application with the “PluginInit” parameter. 
Below is a screenshot of the macro code that executes the .hta file, and the de-obfuscated .hta script shows how it downloads and executes the first payload.\r\nIcedID Initial Downloader (Stage 1)\r\nThe initial IcedID loader binary decrypts another .dll in memory, which downloads the second-stage payload (a .png or .dat file). It first connects to aws.amazon.com to check for internet connectivity before preparing its initial C2 communication.\r\nIcedID Payload Loader (PhotoLoader and “license.dat” decrypter) (Stage 2)\r\nOnce the second-stage payload is downloaded, it loads a shellcode, or headless executable, which is the main IcedID bot. This shellcode is carried either in a .png file (payload hidden by steganography) or in a gzip payload containing a “license.dat” file.\r\nThe code snippet below shows the in-memory .dll locating the .png payload in a randomly named directory derived from the user name of the compromised machine, created under either %appdata% or “C:\\ProgramData”. If the .png payload is found in either of those two folders, it decrypts the shellcode from the image file; if not, it tries to download it from the C2 server.\r\nFor the gzip variant, it uses similar code to locate the “license.dat” payload, apart from an additional “/i” parameter check on the command line, as seen in the screenshot below.\r\nIcedID .PNG Steganography and “License.dat” Payload\r\nThe PNG payload uses steganography to hide the shellcode inside the image: the encrypted shellcode and the 8-byte RC4 decryption key are placed in the IDAT chunk structure of the PNG file. 
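The following is an added illustration of the IDAT layout just described; it is not the STRT extractor and not code from the post. It walks the PNG chunk structure with CRC checks, concatenates the IDAT data, and then, on the stated assumption that the first 8 bytes of that data are the RC4 key and the remainder the ciphertext (the post gives the key size but not the exact offsets, so real samples may differ), recovers the payload. The carrier PNG, key and stand-in shellcode are constructed inline so the script runs offline.

```python
# Added example, not the STRT IceIdPNGShellcodeExtractor.py: walk PNG chunks,
# gather IDAT data and reverse an RC4 steganographic layer.
# ASSUMPTION (not stated by the post): first 8 IDAT bytes = RC4 key, rest = ciphertext.
import struct
import zlib

PNG_SIGNATURE = bytes([0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A])


def iter_chunks(data):
    # Yield (type, body) for every chunk; a bad CRC or truncated chunk raises so a
    # tampered or partially downloaded file fails instead of yielding garbage.
    if data[:8] != PNG_SIGNATURE:
        raise ValueError('not a PNG file')
    pos = 8
    while pos + 8 <= len(data):
        length, ctype = struct.unpack('>I4s', data[pos:pos + 8])
        if pos + 12 + length > len(data):
            raise ValueError('truncated chunk ' + ctype.decode('ascii', 'replace'))
        body = data[pos + 8:pos + 8 + length]
        crc = struct.unpack('>I', data[pos + 8 + length:pos + 12 + length])[0]
        if (zlib.crc32(ctype + body) & 0xFFFFFFFF) != crc:
            raise ValueError('bad CRC in chunk ' + ctype.decode('ascii', 'replace'))
        yield ctype, body
        pos += 12 + length
        if ctype == b'IEND':
            break


def rc4(key, data):
    # Plain RC4 (KSA + PRGA); symmetric, so the same call encrypts and decrypts.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def extract_payload(png, key_len=8):
    # IDAT data may be split over several chunks; the key/ciphertext split is
    # applied to the concatenation, not to the first chunk alone.
    idat = b''.join(body for ctype, body in iter_chunks(png) if ctype == b'IDAT')
    if len(idat) <= key_len:
        raise ValueError('IDAT too short to hold key and payload')
    return rc4(idat[:key_len], idat[key_len:])


def build_chunk(ctype, body):
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack('>I', len(body)) + ctype + body + struct.pack('>I', crc)


def build_sample(key, payload):
    # Constructed carrier: a 1x1 8-bit greyscale header whose IDAT holds the key
    # followed by the RC4-encrypted payload, split across two IDAT chunks.
    ihdr = struct.pack('>IIBBBBB', 1, 1, 8, 0, 0, 0, 0)
    blob = key + rc4(key, payload)
    return (PNG_SIGNATURE + build_chunk(b'IHDR', ihdr) + build_chunk(b'IDAT', blob[:11])
            + build_chunk(b'IDAT', blob[11:]) + build_chunk(b'IEND', b''))


SAMPLE_KEY = bytes.fromhex('0123456789abcdef')                  # constructed
SAMPLE_SHELLCODE = bytes([0x90, 0x90, 0x90, 0xE8]) + b'icedid-bot-stage3'  # constructed stand-in


def demo():
    return extract_payload(build_sample(SAMPLE_KEY, SAMPLE_SHELLCODE))


if __name__ == '__main__':
    print(demo().hex())
```

Against a real sample the only lines that should need changing are the key offset and length in extract_payload; the chunk walk and CRC validation stay the same.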
A Python script, IceIdPNGShellcodeExtractor.py, was developed to automatically extract the shellcode from this payload.\r\nThe “license.dat” IcedID payload is decrypted with a custom algorithm that uses the file's last 16 bytes as the decryption key. The IceIdDecrypt.py tool can be used to decrypt license.dat for static analysis.\r\nIcedID Core/Main Bot (Stage 3)\r\nThe shellcode, the core IcedID bot, is injected either into a spawned svchost.exe system process, into msiexec.exe, or into the memory space of the rundll32 process that loads the .dll shellcode decryptor. It then hooks some native APIs, creates a mutex as an infection marker, and ensures that only one instance is running.\r\nBelow are other notable behaviors seen in this main bot.\r\nHook Browser:\r\nThe shellcode hooks common browsers such as Firefox and Chrome to steal saved credentials, cookies, and sessions. The screenshot below shows what this looks like in Firefox and Chrome on the compromised machine.\r\nDesktop Screenshots:\r\nThe code is able to take screenshots of the desktop of the compromised host. The bitmap image is saved in the temp folder with a .tmp extension to blend in with normal .tmp file activity.\r\nPassff.tar and cookie.tar\r\nIt also creates files named “passff.tar” for browser history and “cookie.tar” for browser cookies, which may contain stolen browser information.\r\nStealing Browser Information\r\nIcedID also downloads and loads a “sqlite64.dll” into the %temp% folder, which it needs to parse the Firefox and Chrome browser databases and extract information. 
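The behaviours described so far (Office macro spawning regsvr32 with -s and a .jpg/.sys payload, rundll32 with PluginInit, the stage-2 rundll32 command line with /i and license.dat, the license.dat drop, the passff.tar/cookie.tar archives and sqlite64.dll landing in %temp%) map onto the detection names listed at the end of this post. The block below is an added example, not the STRT searches: it expresses those detections as rules over Sysmon-shaped process-create and file-create events and runs them over a constructed event chain. The field names follow Sysmon; the exact match criteria, the rundll32 /i command-line form and all directory and file names are assumptions.

```python
# Added example, not Splunk STRT code: the detections this post names, written as
# rules over Sysmon-shaped process-create (EventID 1) and file-create (EventID 11)
# events. Match criteria are an assumption based on the behaviours the post describes.

OFFICE_APPS = {'winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe'}
# Extensions the post reports for dropped IcedID loaders and payloads.
PAYLOAD_EXTS = ('.jpg', '.sys', '.png', '.dat')
# Archives the bot writes with stolen browser data.
EXFIL_ARCHIVES = {'passff.tar', 'cookie.tar'}


def basename(path):
    # Windows paths arrive with backslashes; normalise so this also runs on Linux.
    return path.replace('\\', '/').rsplit('/', 1)[-1].lower()


def process_create_rules(ev):
    hits = []
    image = basename(ev.get('Image', ''))
    parent = basename(ev.get('ParentImage', ''))
    args = ev.get('CommandLine', '').lower().split()
    cmd = ' '.join(args)
    if image == 'rundll32.exe' and 'plugininit' in cmd:
        hits.append('Suspicious Rundll32 PluginInit')
    # Stage 2 loads license.dat through rundll32 with an extra /i switch (assumed form).
    if image == 'rundll32.exe' and 'license.dat' in cmd and '/i' in args:
        hits.append('Suspicious IcedID Rundll32 Cmdline')
    silent = '-s' in args or '/s' in args
    if image == 'regsvr32.exe' and silent and any(a.endswith(PAYLOAD_EXTS) for a in args):
        hits.append('Suspicious IcedID Regsvr32 Cmdline')
    if image == 'regsvr32.exe' and parent in OFFICE_APPS:
        hits.append('Office Application Spawn Regsvr32 process')
    return hits


def file_create_rules(ev):
    hits = []
    image = basename(ev.get('Image', ''))
    target = ev.get('TargetFilename', '').replace('\\', '/').lower()
    name = target.rsplit('/', 1)[-1]
    if image == 'rundll32.exe' and name.endswith(('.exe', '.dll')):
        hits.append('Rundll32 Process Creating Exe Dll Files')
    if name == 'license.dat':
        hits.append('Drop IcedID License.dat')
    if name in EXFIL_ARCHIVES:
        hits.append('IcedID Exfiltrated Archived File Creation')
    if name == 'sqlite64.dll' and '/temp/' in target:
        hits.append('SQLite Module In Temp Folder')
    return hits


def evaluate(events):
    # Returns (time, detection name, image basename) for every rule that fires.
    findings = []
    for ev in events:
        if ev.get('EventID') == 1:
            rules = process_create_rules(ev)
        elif ev.get('EventID') == 11:
            rules = file_create_rules(ev)
        else:
            rules = []
        findings.extend((ev['UtcTime'], r, basename(ev.get('Image', ''))) for r in rules)
    return findings


# Constructed sample telemetry following the chain the post describes; names are made up.
TMP = 'C:\\Users\\alice\\AppData\\Local\\Temp\\'
WORD = 'C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE'
SYS32 = 'C:\\Windows\\System32\\'
SAMPLE_EVENTS = [
    {'EventID': 1, 'UtcTime': '2021-11-04 09:00:01', 'Image': WORD,
     'ParentImage': 'C:\\Windows\\explorer.exe', 'CommandLine': 'WINWORD.EXE /n DocuSign_invoice.doc'},
    {'EventID': 1, 'UtcTime': '2021-11-04 09:00:07', 'Image': SYS32 + 'regsvr32.exe',
     'ParentImage': WORD, 'CommandLine': 'regsvr32.exe -s ' + TMP + 'ocean.jpg'},
    {'EventID': 1, 'UtcTime': '2021-11-04 09:00:09', 'Image': SYS32 + 'rundll32.exe',
     'ParentImage': SYS32 + 'mshta.exe', 'CommandLine': 'rundll32.exe ' + TMP + 'picture.jpg,PluginInit'},
    {'EventID': 11, 'UtcTime': '2021-11-04 09:00:15', 'Image': SYS32 + 'rundll32.exe',
     'TargetFilename': 'C:\\ProgramData\\Qinxe\\loader.dll'},
    {'EventID': 11, 'UtcTime': '2021-11-04 09:00:16', 'Image': SYS32 + 'rundll32.exe',
     'TargetFilename': 'C:\\ProgramData\\Qinxe\\license.dat'},
    {'EventID': 1, 'UtcTime': '2021-11-04 09:00:17', 'Image': SYS32 + 'rundll32.exe',
     'ParentImage': SYS32 + 'rundll32.exe',
     'CommandLine': 'rundll32.exe C:\\ProgramData\\Qinxe\\loader.dll,init /i C:\\ProgramData\\Qinxe\\license.dat'},
    {'EventID': 11, 'UtcTime': '2021-11-04 09:01:30', 'Image': SYS32 + 'svchost.exe',
     'TargetFilename': TMP + 'sqlite64.dll'},
    {'EventID': 11, 'UtcTime': '2021-11-04 09:02:02', 'Image': SYS32 + 'svchost.exe',
     'TargetFilename': TMP + 'passff.tar'},
    # Benign: a service registering a system DLL silently must not fire.
    {'EventID': 1, 'UtcTime': '2021-11-04 09:05:00', 'Image': SYS32 + 'regsvr32.exe',
     'ParentImage': SYS32 + 'services.exe', 'CommandLine': 'regsvr32.exe /s ' + SYS32 + 'msxml3.dll'},
]

if __name__ == '__main__':
    for when, rule, image in evaluate(SAMPLE_EVENTS):
        print(when, rule, image)
```

The benign regsvr32 /s event is there on purpose: silent registration of a .dll is routine, so the regsvr32 rule keys on the odd payload extensions (.jpg, .sys, .png, .dat) rather than on the silent switch alone, and the Office-parent rule catches the macro-spawned case regardless of extension.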
Below are the SQLite commands decrypted from the shellcode that harvest autofill information from the browser databases, including cookies, passwords, company name, street address, city, state, zip code, country code, phone number, the user's full name, and credit card information.\r\nUAC Bypass\r\nThe following two functions bypass UAC (User Account Control) using the Eventvwr and fodhelper UAC bypass techniques.\r\nHarvest Email/Outlook Information and Browser Password Storage\r\nExfiltration tasks also include querying several registry keys related to the Microsoft Outlook email client to steal user profiles, email signatures, and stored password folders through the registry and ActiveMail Partners. “%u” is the Outlook version installed on the machine.\r\nRecon AV Product\r\nThe following PowerShell commands enumerate installed antivirus products.\r\nOther Execution and RemoteThread Execution\r\nWe also found the chcp command being executed and its result passed to a created pipe. The output of this command reveals the locale of the compromised host; for example, a result of 437 means the default US code page.\r\nAnother regsvr32 execution with the “/s” parameter executes a DLL payload downloaded from its C2 server, a copy of itself, or a decrypted DLL dropped on the compromised host.\r\nCode injection into a cmd.exe process.\r\nPersistence\r\nIcedID creates a scheduled task entry to download the file that decrypts and loads license.dat through a process spawned via rundll32, as seen in the screenshot below.\r\nIn addition to using scheduled tasks to spawn processes, the main bot can also create a Run registry entry for its DLL payload using the SHSetValueA API. 
This ensures that the DLL is loaded every time a user logs on.\r\nCreate Self Signed Certificate\r\nIcedID also adds a certificate to the certificate store, saved in the %temp% folder, as part of its proxy communication to its C2 server, bound to IP 127.0.0.1 port 54245. The screenshot below shows the decrypted certificate that IcedID adds to the certificate store from a .tmp file. This proxy function also complements the web inject vector as an alternative way to capture traffic and credentials.\r\nThe screenshot below shows how IcedID sets up the proxy on IP 127.0.0.1 port 54245 by listening on a socket created for that address and port.\r\nThe following are several detection methods created by STRT to address IcedID. All of these detections are part of an Analytic Story released in our content updates.\r\nDetections\r\nSuspicious Rundll32 Plugininit (New)\r\nSuspicious IcedID Rundll32 Cmdline (New)\r\nRundll32 Process Creating Exe Dll Files (New)\r\nSuspicious IcedID Regsvr32 Cmdline (New)\r\nRundll32 CreateRemoteThread In-Browser (New)\r\nOffice Application Spawn Regsvr32 process (New)\r\nRecon AVProduct Through Pwh or WMI (Modified)\r\nCHCP Command Execution (New)\r\nCreate Remote Thread In Shell Application (New)\r\nDrop IcedID License.dat (New)\r\nIcedID Exfiltrated Archived File Creation 
(New)\r\nSQLite Module In Temp Folder (New)\r\nContributors\r\nWe would like to thank the following for their contributions to this post: Teoderick Contreras and Rod Soto.\r\nSource: https://www.splunk.com/en_us/blog/security/detecting-icedid-could-it-be-a-trickbot-copycat.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.splunk.com/en_us/blog/security/detecting-icedid-could-it-be-a-trickbot-copycat.html"
	],
	"report_names": [
		"detecting-icedid-could-it-be-a-trickbot-copycat.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775439068,
	"ts_updated_at": 1775791306,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/deadd949692f8e3e254191328482b8f2f06c3944.pdf",
		"text": "https://archive.orkl.eu/deadd949692f8e3e254191328482b8f2f06c3944.txt",
		"img": "https://archive.orkl.eu/deadd949692f8e3e254191328482b8f2f06c3944.jpg"
	}
}