{
	"id": "216b3317-ed7c-41a4-b202-b5fde9047789",
	"created_at": "2026-04-06T00:18:13.392676Z",
	"updated_at": "2026-04-10T03:20:39.706176Z",
	"deleted_at": null,
	"sha1_hash": "f7dbd958692323e2fe01346300d869c75b1b61f9",
	"title": "Recent IcedID (Bokbot) activity - SANS Internet Storm Center",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 746230,
	"plain_text": "Recent IcedID (Bokbot) activity - SANS Internet Storm Center\r\nBy SANS Internet Storm Center\r\nArchived: 2026-04-05 18:30:08 UTC\r\nIntroduction\r\nThis week, we've seen IcedID (Bokbot) distributed through thread-hijacked emails with PDF attachments.  The PDF files have links that redirect to Google Firebase Storage URLs hosting password-protected zip archives.  The password for the downloaded zip archive is shown in the PDF file.  The downloaded zip archives contain EXE files that are digitally signed using a certificate issued by SSL.com.  The EXE file is designed to install IcedID malware on a vulnerable Windows host.\r\nToday's diary reviews an IcedID infection generated on Tuesday 2023-04-11.\r\nShown above:  Chain of events for IcedID infections so far this week.\r\nImages from the infection\r\nhttps://dshield.org/diary/Recent+IcedID+Bokbot+activity/29740/\r\nPage 1 of 6\r\nShown above:  Example of thread-hijacked email pushing IcedID from Tuesday 2023-04-11.\r\nShown above:  Attached to the email, this PDF file has a link to download a password-protected zip archive.\r\nShown above:  EXE extracted from the zip archive is digitally signed using a certificate issued by SSL.com.\r\nShown above:  Scheduled task to keep the IcedID infection persistent.\r\nShown above:  Persistent DLL for IcedID and the data binary used to run the persistent DLL.\r\nShown above:  Traffic from the infection filtered in Wireshark.\r\nFiles From an Infected Windows Host\r\nSHA256 hash: 6d07c2e05e76dd17f1871c206e92f08b69c5a7804d646e5f1e943a169a8c50ee\r\nFile size: 27,273 bytes\r\nFile name: INV_Unpaid_683_April.pdf\r\nFile description: PDF file attached to thread-hijacked email distributing IcedID\r\n\r\nSHA256 hash: 59e0f6e9c4ce2ab8116049d59525c6391598f2def4125515d86b61822926784f\r\nFile size: 58,031 bytes\r\nFile name: Docs_Inv_April_11_450.zip\r\nFile location: hxxps://firebasestorage.googleapis[.]com/v0/b/logical-waters-377622.appspot.com/o/MCRERY0iJA%2FDocs_Inv_April_11_450.zip?alt=media\u0026token=799ca8a7-44ce-44e8-b93d-a346faaf0ea3\r\nFile description: password-protected zip archive downloaded from link in above PDF file\r\nPassword: 572\r\n\r\nSHA256 hash: 52d3dd78d3f1a14e18d0689ed8c5b43372f9e76401ef1ff68522575e6251d2cf\r\nFile size: 131,168 bytes\r\nFile name: Docs_Inv_April_11_450.exe\r\nFile description: Extracted from the above zip archive, a 64-bit, digitally-signed EXE to install IcedID\r\n\r\nSHA256 hash: 54d064799115f302a66220b3d0920c1158608a5ba76277666c4ac532b53e855f\r\nFile size: 647,389 bytes\r\nFile description: Gzip binary from shoterqana[.]com retrieved by above EXE\r\n\r\nSHA256 hash: dbf233743eb74ab66af8d1c803f53b7fe313ed70756efcc795ea4082c2f3c0c8\r\nFile size: 354,282 bytes\r\nFile location: C:\\Users\\[username]\\AppData\\Roaming\\[random directory name]\\license.dat\r\nFile description: data binary used to run persistent IcedID DLL\r\n\r\nSHA256 hash: 5953f8f23092714626427316dd66ff2e160f03d2c57dcb1a4745d2e593c907ae\r\nFile size: 292,352 bytes\r\nFile location: C:\\Users\\[username]\\AppData\\[random directory path under Local or Roaming]\\[random name].dll\r\nFile description: Persistent IcedID DLL (64-bit DLL)\r\nRun method: rundll32.exe [file name],init --ashego=\"[path to license.dat]\"\r\nTraffic From an Infected Windows Host\r\nLink from the PDF file:\r\nhxxp://80.77.23[.]51/lndex.php\r\nAbove URL redirected to:\r\nhxxps://firebasestorage.googleapis[.]com/v0/b/logical-waters-377622.appspot.com/o/MCRERY0iJA%2FDocs_Inv_April_11_450.zip?alt=media\u0026token=799ca8a7-44ce-44e8-b93d-a346faaf0ea3\r\nCaused when running the extracted EXE, because the EXE was digitally signed using a certificate from SSL.com:\r\nhxxp://www.ssl[.]com/repository/SSLcom-RootCA-EV-RSA-4096-R2.crt\r\nNote: The above URL is not malicious, but it's an indicator for this particular infection chain.\r\nInstaller EXE for IcedID retrieves gzip binary:\r\n172.86.75[.]64 port 80 - shoterqana[.]com - GET / HTTP/1.1\r\nIcedID C2:\r\n192.153.57[.]82 port 443 - villageskaier[.]com - HTTPS traffic\r\n162.33.178[.]40 port 443 - deadwinston[.]com - HTTPS traffic\r\nFinal words\r\nRunning recent IcedID samples in a lab environment this week generated IcedID BackConnect traffic to 45.61.137[.]159 over TCP port 443 (reference) and to 193.149.176[.]100, also using TCP port 443 (reference).  443 is a new TCP port for IcedID BackConnect traffic, which previously used TCP port 8080.  These two IP addresses are good indicators of an ongoing IcedID infection if you find traffic to these servers from your network.\r\n----\r\nBrad Duncan\r\nbrad [at] malware-traffic-analysis.net\r\nSource: https://dshield.org/diary/Recent+IcedID+Bokbot+activity/29740/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://dshield.org/diary/Recent+IcedID+Bokbot+activity/29740/"
	],
	"report_names": [
		"29740"
	],
	"threat_actors": [],
	"ts_created_at": 1775434693,
	"ts_updated_at": 1775791239,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f7dbd958692323e2fe01346300d869c75b1b61f9.pdf",
		"text": "https://archive.orkl.eu/f7dbd958692323e2fe01346300d869c75b1b61f9.txt",
		"img": "https://archive.orkl.eu/f7dbd958692323e2fe01346300d869c75b1b61f9.jpg"
	}
}