BLACK FRIDAY: 2-for-1 offer NOVEMBER 20 - 26 See details
45
Global rank
51 infographic chevron month
Month rank
81 infographic chevron week
Week rank
7944
IOCs

IcedID is a banking trojan-type malware which allows attackers to utilize it to steal banking credentials of the victims. IcedID aka BokBot mainly targets businesses and steals payment information, it also acts as a loader and can deliver another viruses or download additional modules.

Trojan
Type
Unknown
Origin
1 September, 2017
First seen
3 July, 2024
Last seen
Also known as
BokBot

How to analyze IcedID with ANY.RUN

Type
Unknown
Origin
1 September, 2017
First seen
3 July, 2024
Last seen

IOCs

IP addresses
173.232.146.11
64.225.70.62
45.155.250.236
45.61.139.126
159.65.169.200
45.66.248.119
80.78.24.3
80.77.23.51
216.73.159.60
216.73.159.80
168.100.8.93
162.33.177.91
45.61.138.105
116.90.53.23
91.228.10.231
162.33.177.93
84.32.34.68
94.232.46.221
185.143.223.6
178.62.57.180
Hashes
9ab23add898fd65cd6271ec929fecc56a156fbbda475d43741aab7ae60d20fb4
4b40ee78a5f3c649b2e60fe91d1d016dc4e658b7737b17d3a2557996422b73fd
aa8138d2fd97003e534e36c9961e1a105b13ea24ccf7db1059ea4026b28b5247
1e3d10c3c84d7617692174a1f9ae8a658eabb22c7122ef1c8f37f35641ccf7aa
e70c965ae03c89538c94cc65ada5194c0b129a67e4c5f0eca728965ff4f831ae
bd67e49c2ca15156c54956655928723063eca5b4d90ae22dd6ce1029ba596b35
efa83e8dbbcba65c282e41c18e6065649abc08002a89ddfd2f4d52f67ee21d6c
2495778f3a15543896ff57a44e8eff9f232cfc0fc4c09aeb211d964329f2144d
4c1b683fb00c66041ffe3cc17176b595e57ca10da6f05a842a915ee2e4d27c5b
1d5cfd8ac58bd64648110862f39ccc421ad58920e99ed948de2dd832e6ecd0a4
3f38ae75758c8afb75b0660a7c927ccb2bce73f572a9e105ea2288f1288f682b
b4521e9e0dd02b2267b80e5684d32233d5c2fdb10442a206fd8050707264632c
31248b5640e4c711934b88fbdb774545469256f08156ea098c2ad5f037ad1da2
9e8408714a5a5830f047f1890497fc326c94fbc277bd90a03347d069a7a9c1d4
252c75237d927a1b9aeae3d4b4c04389f6c8eeccc318cdc7ae05508fed7b7b4e
ed4fe06b27cf2f178cf59d21d9a81460cba702164080ad9d481b99a426e2b677
595349f2bee834c22d2fce1f640d6fd089df862daafeaeb388bc2f1b79b53002
eeceb341ae4dffbfc1b2ac9fc6c28dc93e6072ee0084e0bc607dd8cc56f36899
75d7cd302267dd6c086c49b0d08009e44436f957242649efe35c13dcb4dc11b2
034ecd36a2287866d9f85204f02476437dcbc252428c41e3b839b30a1d9020c0
Domains
oferialerkal.online
zojecurf.store
munipalis.top
portedauthenticati.ink
showsyouthe.top
porimoksin.ink
bedogilas.top
actuallyobligat.ink
endofyour.ink
enticationmetho.ink
aucespoo.ink
actuallyobligat.info
onlyadheres.com
tiplifid.top
statsgo.bar
sisipiciliko.pro
grendafolz.com
zanokiryq.com
houghthepl.ink
sauceson.ink
URLs
http://trentonkaizerfak.com/
http://promtrainmoping.com/
http://prasketfostert.com/
http://mineskateroff.com/
http://vrondafarih.com/
http://filtaferamoza.com/
http://ehonlionetodo.com/
http://restorahlith.com/
http://sajimadurop.com/
http://druidfenixis.com/
http://qsertopinajil.com/
http://ahilacarstrupert.com/
http://gromsdaxert.com/
http://trolspeaksunt.com/
http://anisamnatyrel.com/
http://salimjizita.com/
http://hoftpaeers.com/
http://alconauytor.com/
http://tracksupernova.com/
http://kicknocisd.com/
Last Seen at

Recent blog posts

post image
What Are the 3 Types of Threat Intelligence D...
watchers 148
comments 0
post image
Expert Q&A: Aaron Fillmore on his Cyberse...
watchers 158
comments 0
post image
Malware Trends Report: Q2, 2024 
watchers 1628
comments 0

What is IcedID?

IcedID is a banking trojan-type malware that allows attackers to utilize it to steal the banking credentials of the victims. IcedID aka BokBot mainly targets businesses and steals payment information, it also acts as a loader and can deliver other viruses or download additional modules.

Researchers identified IcedID for the first time in Autumn 2017 when the first victims suffered from attacks by this malware. Upon further investigation, researchers revealed that IcedID is a modular virus that carries very advanced functions. In addition, it was initially reported that IcedID does not seem to feature any borrowed or stolen code from other trojans which is atypical for more developed malware samples like the one we are dealing with today.

General description of IcedID malware

It is thought that IcedID is being operated by a group of threat actors with connections to Eastern European cyber-bands. In addition, criminals behind IcedID are known to collaborate with creators or distributors of Emotet and TrickBot.

IcedID attacks are targeted mostly at banks in North America and a few select banking organizations in the United Kingdom. This malware targets mostly corporate bank accounts, payment card providers, mobile services providers, payroll, webmail, and e-commerce sites. We were not able to find any information about attacks directed at private users at this point.

However, this very well might change at some point in the future as evidence suggests that the criminals behind IcedID are preparing new and, possibly, bigger campaigns. There have appeared several removal tools, so it's no wonder hackers try to level the game up. As a matter of fact, network propagation functionality was added to this malware, giving it the ability to move across various endpoints.

Speaking of additions, IcedID is being actively maintained and upgraded by its authors despite several removal tools. For example, the second version of the virus significantly reworked the code and made the IcedID modular, giving it the ability to fetch plugins on-demand after the execution of the base file. This made the virus much harder to detect and defend against. While it is generally believed that this virus relies 100% on code created from scratch, some researchers suggest that the malware does, in fact, reuse code from version 2.0 of Pony malware. Apparently, the borrowed function is in charge of stealing data from email accounts although Pony code may have been used for other applications within the virus.

Unfortunately, constant upgrades are most likely one of the leading factors that contributed to the rising popularity of this trojan. This is bad news especially considering that this trojan is already using extremely advanced techniques as complex web injects.

Once the execution process is complete, IcedID creates a local proxy to intercept and control all web traffic of the infected user.

When the malware detects that a victim is navigating to the bank's website, IcedID can redirect the user to a replica of the webpage located on the server that is controlled by the attackers. Threat actors carefully reconstruct the webpage and make the experience as seamless as possible for the victim by maintaining an active connection with the real website all the time. This allows IcedID to use the correct URL in the address bar and even display a legit SSL certificate.

Of course, from this point on every action of the user is being recorded and social engineering is used to retrieve as many credentials and administrative information as possible.

IcedID malware analysis

A video recorded in the ANY.RUN interactive malware hunting service shows the execution process of IcedID. Users can utilize this information to take a deep dive into how this malware functions under the hood.

icedid execution process graph Figure 1: Shows the graph of processes generated by the ANY.RUN malware hunting service.

text report of the IcedID analysis Figure 2: ANY.RUN allows creating customizable text reports that contain detailed and nicely structured information. This function is perfect for making presentations.

IcedID execution process

IcedID authors constantly make changes to the malware, so its execution process can dramatically vary from one version to another.

Our example was distributed in the form of a malicious Microsoft Office document with macro. Maldocs macro dropped an obfuscated command-line file and started its execution. Wscript.exe was started through the command-line execution process to download the payload which was, in turn, executed by cmd.exe. After the payload started its execution, it injected into the svchost.exe process which, then, activated malicious activities such as stealing personal data, establishing a connection with the C2 server, creating scheduled tasks, and more.

Distribution of IcedID malware

IcedID uses a typical delivery method for banking trojans — attackers distribute it in malicious Microsoft Office documents that prompt the users to enable macros and, once it is done, activate the download of the executable to the victim's machine.

The unique aspect of IcedID distribution campaigns lies in the meticulous approach to email crafting that threat actors employ. While most malware types that use email campaigns as the mains distribution channel tend to target the broadest audience they can, IcedID authors choose to work with much narrower focus groups and craft every email with greater detail than the usual standard in the industry.

While any email with a malicious attachment is designed to lower your guard and make you download and open the file, usually attackers pick very general topics with little to no personalization.

IcedID authors use spear-phishing techniques, meaning that they learn details about their victims and use them to increase the effectiveness of their emails. If a latter carrying IcedID is directed at a car dealer from Arizona, it is likely to contain information about a car dealership in Arizona, references to local companies or even colleagues of the victim.

The creation of such targeted campaigns requires hackers to devote time to investigative work in preparation for each bunch of emails, but it is guaranteed to make messages look less like a scam and more like legit business communication.

It should be noted that in some cases IcedID may infect the system in tandem with other malware samples. It can download and can be downloaded by malware such as Emotet or TrickBot trojans.

How to detect IcedID?

This malware creates files that allow analysts to detect it with a high degree of certainty. To detect IcedID, Open the "Files" tab in the lower part of the task's window and take a look at the created files. If you see folders with names such as "lchej" and "ydmfipkzqfsb" within C:\Users\admin\AppData\Local\ directory and files with names "pczapabclgpba", "mtkdonmlmxelaa", "ozwzefgpkzmzba", and "zcnejolyretaa", as shown on the figure below, be sure that it is IcedID in front of you.

how to detect icedid Figure 3: File created by IcedID malware

Summary

IcedID trojan is one of the examples of the new generation of malware. Although it was built from the ground up by its creators, it uses a lot of unique code and has functions not much inferior to those found in the most advanced older viruses such as Trickbot.

However, what makes IcedID potentially even more dangerous is the evolved mentality of its authors, who use spear-phishing to increase the effectiveness of their distribution campaigns.

Before, we could secure ourselves from a lot of threats by removal tools and raising awareness about the dangers of suspicious emails and infected documents. With IcedID we need to rely more on technological lines of defense since some email templates that authors have used and will use again are indistinguishable from real professional communication.

Here, at ANY.RUN it is our job to provide cybersecurity researchers with all the necessary tools to study and neutralize threats like IcedID and we hope that you will find these tools extremely useful in your line of work!

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Amadey screenshot
Amadey
amadey
Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.
Read More
Arkei screenshot
Arkei
arkei stealer
Arkei is a stealer type malware capable of collecting passwords, autosaved forms, cryptocurrency wallet credentials, and files.
Read More
AsyncRAT screenshot
AsyncRAT
asyncrat
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More
WarZone screenshot
WarZone
warzone avemaria stealer trojan rat
WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2.
Read More

Our website uses cookies. By visiting the pages of the site, you agree to our Privacy Policy