# Internet Storm Center

isc.sans.edu/diary/29740

## Recent IcedID (Bokbot) activity

**Published:** 2023-04-12
**Last Updated:** 2023-04-12 06:34:56 UTC
**by** [Brad Duncan (Version: 1)](https://isc.sans.edu/handler_list.html#brad-duncan)

**_Introduction_**

This week, we've seen IcedID (Bokbot) distributed through thread-hijacked emails with PDF attachments. The PDF files contain links that redirect to Google Firebase Storage URLs hosting password-protected zip archives, and the password for the downloaded archive is shown in the PDF file. Each zip archive contains an EXE file that is digitally signed using a certificate issued by SSL.com. The EXE file is designed to install IcedID malware on a vulnerable Windows host.

Today's diary reviews an IcedID infection generated on Tuesday 2023-04-11.

_Shown above: Chain of events for IcedID infections so far this week._

**_Images from the infection_**

_Shown above: Example of thread-hijacked email pushing IcedID from Tuesday 2023-04-11._

_Shown above: Attached to the email, this PDF file has a link to download a password-protected zip archive._

_Shown above: EXE extracted from the zip archive is digitally signed using a certificate issued by SSL.com._

_Shown above: Scheduled task to keep the IcedID infection persistent._

_Shown above: Persistent DLL for IcedID and the data binary used to run the persistent DLL._

_Shown above: Traffic from the infection filtered in Wireshark._

**_Files From an Infected Windows Host_**

SHA256 hash: [6d07c2e05e76dd17f1871c206e92f08b69c5a7804d646e5f1e943a169a8c50ee](https://bazaar.abuse.ch/sample/6d07c2e05e76dd17f1871c206e92f08b69c5a7804d646e5f1e943a169a8c50ee/)
- File size: 27,273 bytes
- File name: INV_Unpaid_683_April.pdf
- File description: PDF file attached to thread-hijacked email distributing IcedID

SHA256 hash: [59e0f6e9c4ce2ab8116049d59525c6391598f2def4125515d86b61822926784f](https://bazaar.abuse.ch/sample/59e0f6e9c4ce2ab8116049d59525c6391598f2def4125515d86b61822926784f/)
- File size: 58,031 bytes
- File name: Docs_Inv_April_11_450.zip
- File location: hxxps://firebasestorage.googleapis[.]com/v0/b/logical-waters377622.appspot.com/o/MCRERY0iJA%2FDocs_Inv_April_11_450.zip?alt=media&token=799ca8a7-44ce-44e8-b93d-a346faaf0ea3
- File description: password-protected zip archive downloaded from link in above PDF file
- Password: 572

SHA256 hash: [52d3dd78d3f1a14e18d0689ed8c5b43372f9e76401ef1ff68522575e6251d2cf](https://bazaar.abuse.ch/sample/52d3dd78d3f1a14e18d0689ed8c5b43372f9e76401ef1ff68522575e6251d2cf/)
- File size: 131,168 bytes
- File name: Docs_Inv_April_11_450.exe
- File description: Extracted from the above zip archive, a 64-bit, digitally-signed EXE to install IcedID

SHA256 hash: [54d064799115f302a66220b3d0920c1158608a5ba76277666c4ac532b53e855f](https://bazaar.abuse.ch/sample/54d064799115f302a66220b3d0920c1158608a5ba76277666c4ac532b53e855f/)
- File size: 647,389 bytes
- File description: Gzip binary from shoterqana[.]com retrieved by above EXE

SHA256 hash: [dbf233743eb74ab66af8d1c803f53b7fe313ed70756efcc795ea4082c2f3c0c8](https://bazaar.abuse.ch/sample/dbf233743eb74ab66af8d1c803f53b7fe313ed70756efcc795ea4082c2f3c0c8/)
- File size: 354,282 bytes
- File location: C:\Users\[username]\AppData\Roaming\[random directory name]\license.dat
- File description: data binary used to run persistent IcedID DLL

SHA256 hash: [5953f8f23092714626427316dd66ff2e160f03d2c57dcb1a4745d2e593c907ae](https://bazaar.abuse.ch/sample/5953f8f23092714626427316dd66ff2e160f03d2c57dcb1a4745d2e593c907ae/)
- File size: 292,352 bytes
- File location: C:\Users\[username]\AppData\[random directory path under Local or Roaming]\[random name].dll
- File description: Persistent IcedID DLL (64-bit DLL)
- Run method: rundll32.exe [file name],init --ashego="[path to license.dat]"

**_Traffic From an Infected Windows Host_**

Link from the PDF file:

- hxxp://80.77.23[.]51/lndex.php

Above URL redirected to:

- hxxps://firebasestorage.googleapis[.]com/v0/b/logical-waters377622.appspot.com/o/MCRERY0iJA%2FDocs_Inv_April_11_450.zip?alt=media&token=799ca8a7-44ce-44e8-b93d-a346faaf0ea3

Caused when running the extracted EXE, because the EXE was digitally signed using a certificate from SSL.com:

- hxxp://www.ssl[.]com/repository/SSLcom-RootCA-EV-RSA-4096-R2.crt

Note: The above URL is not malicious, but it is an indicator for this particular infection chain.

Installer EXE for IcedID retrieves gzip binary:

- 172.86.75[.]64 port 80 - shoterqana[.]com - GET / HTTP/1.1

IcedID C2:

- 192.153.57[.]82 port 443 - villageskaier[.]com - HTTPS traffic
- 162.33.178[.]40 port 443 - deadwinston[.]com - HTTPS traffic

**_Final words_**

Running recent IcedID samples in a lab environment this week generated IcedID BackConnect traffic over 45.61.137[.]159 on TCP port 443 ([reference](https://twitter.com/Unit42_Intel/status/1645851799427874818)) and 193.149.176[.]100, also using TCP port 443 ([reference](https://twitter.com/malware_traffic/status/1645862110931611649)). Port 443 is a new TCP port for IcedID BackConnect traffic, which previously used TCP port 8080. These two IP addresses are good indicators of an ongoing IcedID infection if you find traffic to these servers from your network.

---

Brad Duncan
brad [at] malware-traffic-analysis.net

Keywords: [Bokbot](https://isc.sans.edu/tag.html?tag=Bokbot) [IcedID](https://isc.sans.edu/tag.html?tag=IcedID) [malspam](https://isc.sans.edu/tag.html?tag=malspam) [PDF](https://isc.sans.edu/tag.html?tag=PDF)
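As an added example appended to this diary (it is not part of Brad Duncan's post), the following Python script turns the host and network indicators listed above into a hunt over log records. The rundll32 match keys on the `init` export and the `--ashego=...license.dat` argument from the "Run method" line, since the directory and DLL names are random per infection; the network match covers the stager, the C2 domains/IPs and the two BackConnect servers, reporting the destination port so an analyst sees 443 as well as the older 8080. The indicator values are refanged from the diary; the log record formats, hostnames, the directory name `Qzkd`, the DLL name `ufme.dll` and the benign records are constructed for the example.

```python
"""Hunt constructed host and network logs for the IcedID indicators in this diary.

Indicator values are taken from the diary (refanged); the log records,
hostnames and path names below are constructed for the example.
"""
import re
from dataclasses import dataclass

# Stager: the installer EXE fetches a gzip binary over plain HTTP.
STAGER_DOMAINS = {"shoterqana.com"}
STAGER_IPS = {"172.86.75.64"}
# C2 over HTTPS.
C2_DOMAINS = {"villageskaier.com", "deadwinston.com"}
C2_IPS = {"192.153.57.82", "162.33.178.40"}
# BackConnect servers; seen on TCP 443 this week, previously TCP 8080.
BACKCONNECT_IPS = {"45.61.137.159", "193.149.176.100"}

# Persistence: rundll32 runs the DLL's "init" export with --ashego pointing
# at license.dat (the diary's "Run method"). Directory and DLL names are
# random, so match on the export name and argument rather than on paths.
RUNDLL32_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?,init\s+'
    r'--ashego="?(?P<dat>[^"]*license\.dat)"?',
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Hit:
    host: str
    category: str  # persistence, stager, c2 or backconnect
    detail: str


def hunt_process_events(events):
    """events: iterable of (host, command_line) pairs, e.g. from Sysmon event ID 1."""
    hits = []
    for host, cmd in events:
        m = RUNDLL32_RE.search(cmd)
        if m:
            hits.append(Hit(host, "persistence",
                            f"rundll32 {m.group('dll')} init, data file {m.group('dat')}"))
    return hits


def hunt_connections(conns):
    """conns: iterable of (host, dst_ip, dst_port, name), where name is the TLS SNI
    or HTTP Host header, or '' when only the destination IP is known."""
    hits = []
    for host, dst_ip, dst_port, name in conns:
        name = name.lower().rstrip(".")
        if dst_ip in BACKCONNECT_IPS:
            # Report the port: expect 443 now, not only the older 8080.
            hits.append(Hit(host, "backconnect", f"{dst_ip}:{dst_port}"))
        elif dst_ip in C2_IPS or name in C2_DOMAINS:
            hits.append(Hit(host, "c2", f"{name or dst_ip}:{dst_port}"))
        elif dst_ip in STAGER_IPS or name in STAGER_DOMAINS:
            hits.append(Hit(host, "stager", f"{name or dst_ip}:{dst_port}"))
    return hits


# Constructed sample records (not real telemetry). Hostnames, the "Qzkd"
# directory and "ufme.dll" are assumptions; the benign lines are fillers.
SAMPLE_PROCESS_EVENTS = [
    ("WS01", r"C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL"),  # benign
    ("WS01", r"rundll32.exe C:\Users\alice\AppData\Roaming\Qzkd\ufme.dll,init "
             r'--ashego="C:\Users\alice\AppData\Roaming\Qzkd\license.dat"'),
    ("WS02", r"rundll32.exe C:\Program Files\Vendor\tool.dll,DllRegisterServer"),  # benign
]

SAMPLE_CONNECTIONS = [
    ("WS01", "172.86.75.64", 80, "shoterqana.com"),
    ("WS01", "192.153.57.82", 443, "villageskaier.com"),
    ("WS01", "45.61.137.159", 443, ""),
    ("WS02", "142.250.80.46", 443, "www.google.com"),  # benign
    ("WS03", "193.149.176.100", 8080, ""),
]


def run_hunt():
    """Run both hunts over the constructed samples and return the hits in order."""
    return hunt_process_events(SAMPLE_PROCESS_EVENTS) + hunt_connections(SAMPLE_CONNECTIONS)


if __name__ == "__main__":
    for hit in run_hunt():
        print(f"{hit.host}\t{hit.category}\t{hit.detail}")
```

Feeding real Sysmon command lines and Zeek or proxy connection records into `hunt_process_events` and `hunt_connections` is a matter of mapping the fields onto the tuples above; the BackConnect check deliberately ignores the port so that a future port change still produces a hit, with the observed port carried in the detail string.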