VRad

#icedID_241222

Dec 26th, 2022 (edited)
#IOC #OptiData #VR #icedid #BokBot #DLL

https://pastebin.com/vYVtngdz

previous_contact:
14/04/2022 https://pastebin.com/X4EvL8N6
23/03/2022 https://pastebin.com/LaxLgeEz

FAQ:
https://malpedia.caad.fkie.fraunhofer.de/details/win.icedid

attack_vector
--------------
email > attach .zip (pwd) > .ISO > mount > .lnk > rundll32.exe \dinhub.dat,init > 143.198.92.88

# # # # # # # #
email_headers
# # # # # # # #
Return-Path: <Svetlana.Petrenko@artmotor.toyota.ua>
Received: from artmotor.toyota.ua (artmotor.toyota.ua [193.34.94.10])
From: Светлана Петренко <Svetlana.Petrenko@artmotor.toyota.ua>
Subject: RE: FW: АРТМОТОР 35540470
Date: Sat, 24 Dec 2022 13:44:42 +0000
Message-ID: <0f870c0ce68748a3b3025068a2cf9d5b@artmotor.toyota.ua>
x-originating-ip: [194.110.203.62]

# # # # # # # #
files
# # # # # # # #

SHA-256 21b53e84b59e0bc097805f7aa0595dfa68974d38c34f7421d60cb50f33ab1f19
File name Request_12-23#183.zip [ Zip archive data, at least v2.0 to extract ]
File size 398.55 KB (408118 bytes)

SHA-256 f3a9b733cb33c4d257589e70c8d9cf4b5136cb3932bce2ea1b31bc9d5b06a5ae
File name Request_12-23#183.iso [ malformed ISO ]
File size 2.13 MB (2228224 bytes)

SHA-256 001e90f2cbc6bf380154f7bc0f2f24c40d4a00fa26df29ede1520499bc2a5cf1
File name Scan.lnk [ MS Windows shortcut ]
File size 3.07 KB (3146 bytes)

SHA-256 f60b26151606801fa5232c46bf871eafd4d86f8c723572853f61522d48937a59
File name dinhub.dat [ PE32+ executable for MS Windows (DLL) (console) Mono/.Net assembly ]
File size 740.43 KB (758202 bytes)

# # # # # # # #
activity
# # # # # # # #

PL_SCR email_attach

C2 143.198.92.88:80 [trbiriumpa.co]

netwrk
--------------
143.198.92.88 trbiriumpa.com 80 HTTP GET / HTTP/1.1

comp
--------------
rundll32.exe 2612 143.198.92.88 80 ESTABLISHED

proc
--------------
C:\Windows\System32\rundll32.exe \dinhub.dat,init

persist
--------------
n/a

drop
--------------
n/a

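The attack_vector chain and the activity telemetry above boil down to two observable behaviours plus a handful of atomic indicators: rundll32.exe loading a drive-relative module with a non-.dll extension (the LNK on the mounted ISO), and that same rundll32 process opening a plain-HTTP connection to the C2. The hunt script below is an added example written for this page, not VR's code and not part of the paste. Only the indicator values (hashes, IP, domain, command line) are taken from the paste; the telemetry records, their field names (pid, cmdline, dst_ip, dst_host, dst_port, path, sha256) and the benign decoy events are constructed for the example and would be mapped onto whatever your EDR or Sysmon pipeline actually emits.

```python
"""Hunt for the chain in this paste (rundll32 loading a drive-relative non-DLL
module from a mounted ISO, then beaconing to the C2) across process, network
and file telemetry. Indicator values come from the paste; the telemetry
records and their field names are CONSTRUCTED for this example."""
import re

# Indicators listed in the paste.
C2_IPS = {"143.198.92.88"}
C2_DOMAINS = {"trbiriumpa.com"}
FILE_HASHES = {
    "21b53e84b59e0bc097805f7aa0595dfa68974d38c34f7421d60cb50f33ab1f19": "Request_12-23#183.zip",
    "f3a9b733cb33c4d257589e70c8d9cf4b5136cb3932bce2ea1b31bc9d5b06a5ae": "Request_12-23#183.iso",
    "001e90f2cbc6bf380154f7bc0f2f24c40d4a00fa26df29ede1520499bc2a5cf1": "Scan.lnk",
    "f60b26151606801fa5232c46bf871eafd4d86f8c723572853f61522d48937a59": "dinhub.dat",
}

# Constructed sample telemetry (not real logs; field names are assumed).
PROCESS_EVENTS = [
    {"pid": 2612, "cmdline": r"C:\Windows\System32\rundll32.exe \dinhub.dat,init"},
    {"pid": 4711, "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"pid": 5120, "cmdline": r"C:\Windows\explorer.exe"},
]
NETWORK_EVENTS = [
    {"pid": 2612, "dst_ip": "143.198.92.88", "dst_host": "trbiriumpa.com", "dst_port": 80},
    {"pid": 4711, "dst_ip": "13.107.4.50", "dst_host": "", "dst_port": 443},
    {"pid": 9000, "dst_ip": "142.250.74.78", "dst_host": "", "dst_port": 443},
]
FILE_EVENTS = [
    {"path": r"D:\dinhub.dat",
     "sha256": "f60b26151606801fa5232c46bf871eafd4d86f8c723572853f61522d48937a59"},
    {"path": r"C:\Users\user\Downloads\notes.txt", "sha256": "0" * 64},
]

# Token 1: rundll32 (bare name or full path, optionally quoted).
# Token 2: the module (quoted, or unquoted without commas), then ",entrypoint".
_RUNDLL_RE = re.compile(
    r'^\s*(?:"[^"]*rundll32(?:\.exe)?"|\S*rundll32(?:\.exe)?)\s+'
    r'(?:"([^"]+)"|([^\s,]+))(?:,(\S+))?',
    re.IGNORECASE)

def parse_rundll32(cmdline):
    """Return (module_path, entrypoint) for a rundll32 command line, else None.
    rundll32 separates module and entrypoint with a comma; the module may be quoted."""
    m = _RUNDLL_RE.match(cmdline)
    if not m:
        return None
    return (m.group(1) or m.group(2)), (m.group(3) or "")

def classify_rundll32(module):
    """Reasons a rundll32 module argument looks like the loader in this paste."""
    reasons = []
    if not module.lower().endswith(".dll"):
        reasons.append("module %r lacks a .dll extension" % module)
    if module.startswith("\\") and not module.startswith("\\\\"):
        # "\dinhub.dat" has no drive letter, so it resolves against the current
        # drive: the LNK works whatever letter the ISO is mounted as.
        reasons.append("module path is drive-relative (root of current drive)")
    return reasons

def hunt_processes(events):
    """Return [(pid, reasons)] for suspicious rundll32 process creations."""
    hits = []
    for ev in events:
        parsed = parse_rundll32(ev["cmdline"])
        if parsed is None:
            continue
        reasons = classify_rundll32(parsed[0])
        if reasons:
            hits.append((ev["pid"], reasons))
    return hits

def hunt_network(events, flagged_pids):
    """Return [(pid, dst_ip, dst_port, reasons)]: C2 hits or flagged-process egress."""
    hits = []
    for ev in events:
        reasons = []
        if ev["dst_ip"] in C2_IPS or ev.get("dst_host") in C2_DOMAINS:
            reasons.append("destination matches C2 indicator")
        if ev["pid"] in flagged_pids:
            reasons.append("egress from rundll32 flagged in process telemetry")
        if reasons:
            hits.append((ev["pid"], ev["dst_ip"], ev["dst_port"], reasons))
    return hits

def hunt_files(events):
    """Return [(path, indicator_name)] for files whose SHA-256 is in the paste."""
    return [(ev["path"], FILE_HASHES[ev["sha256"]])
            for ev in events if ev["sha256"] in FILE_HASHES]

def run_hunt():
    proc = hunt_processes(PROCESS_EVENTS)
    net = hunt_network(NETWORK_EVENTS, {pid for pid, _ in proc})
    return {"process": proc, "network": net, "file": hunt_files(FILE_EVENTS)}

if __name__ == "__main__":
    for kind, hits in run_hunt().items():
        for hit in hits:
            print(kind, hit)
```

The behavioural rules (non-.dll module, drive-relative path) are the durable part: the hash, IP and domain rotate between campaigns, while the ISO-plus-LNK-plus-rundll32 handoff has survived many. The network rule deliberately keys on the pid flagged in process telemetry rather than on "rundll32 with any network activity", because legitimate rundll32 invocations (shell32.dll, printui.dll and the like) do talk to the network and would otherwise drown the signal.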
# # # # # # # #
VT & Intezer
# # # # # # # #
https://www.virustotal.com/gui/file/21b53e84b59e0bc097805f7aa0595dfa68974d38c34f7421d60cb50f33ab1f19/details
https://www.virustotal.com/gui/file/f3a9b733cb33c4d257589e70c8d9cf4b5136cb3932bce2ea1b31bc9d5b06a5ae/details
https://www.virustotal.com/gui/file/001e90f2cbc6bf380154f7bc0f2f24c40d4a00fa26df29ede1520499bc2a5cf1/details
https://www.virustotal.com/gui/file/f60b26151606801fa5232c46bf871eafd4d86f8c723572853f61522d48937a59/details
https://analyze.intezer.com/analyses/b117e4f0-9904-487a-bfa0-444841c2920d/genetic-analysis

VR