2021-07-07 IcedID IOCs

1. THREAT IDENTIFICATION: ICEDID / BOKBOT
2.  
3. SUBJECTS OBSERVED
4. Docusign - You documents are ready
5. Docusign has been completed
6. FWD: Documents follow up 7/08/21
7. FWD: Docusign has been completed 07-08-2021
8. Invoice 394NH IRS
9. Please Docusign - Document - 7/8/21
10. RE: Adopt Your Signature
11. RE: Documents follow up 07/8
12. RE: Docusign - You documents are ready
13. Tsheets 39550-TLZ92j
14.  
15. SENDERS OBSERVED
16. [email protected]
17. [email protected]
18. [email protected]
19. [email protected]
20. [email protected]
21. [email protected]
22. [email protected]
23. [email protected]
24. [email protected]
25.  
26. MALDOC FILE NAMES
27. ew19598.xlsb
28. ew4257.xlsb
29. ew21999.xlsb
30. ew25355.xlsb
31. ew21563.xlsb
32.  
33. MALDOC FILE HASHES
34. 18e913202f8d4af799ee565f29c58864
35. 4865f82d1dc3a18dbf22189898f14147
36. a441609e07523bfa2fb671fd6376089f
37. da4d2687b1fc5b27b5bd42cfba9db96b
38. e39b4d9cdeb44d584a3c1937ee8fe2d8
39.  
40. ICEDID PAYLOAD DOWNLOAD URLS
41. https://docusignsecpro.com/data/int64/sup/crv.dll
42.  
43. ICEDID PAYLOAD FILE HASHES
44. crv.dll
45. 3ddeea156606b2e5d19c86cedf3dec30
46.  
47. Renamed and downloaded to:
48. C:\Users\Public\Libraries\AMD64glory.sys
49. 3ddeea156606b2e5d19c86cedf3dec30
50.  
51. ICEDID C2/STAGING SERVER
52. http://revedanstvy.bid/
53.  
54. SUPPORTING EVIDENCE
55. https://app.any.run/tasks/338e0e56-e4f8-4ef1-a271-562e041091f4/
56. https://tria.ge/210707-2dqxl3l9vx