Introduction
On Monday, 2022-08-22, I generated an IcedID (Bokbot) infection based on Monster Libra (also known as TA551 or Shathak). See this tweet thread from @pr0xylife and @Max_Mal_ for details on Monday’s specific wave of IcedID infection. My flow chart on this activity follows.
Shown above: Flow chart from Monster Libra (TA551/Shathak) IcedID infection on Monday 2022-08-22.
Malware and Artifacts
SHA256 hash: 7d0f80026a49bdc5c9e6b6bb614b37a9edbb0ca50127c7078ff52d4fc729afa8
- File size: 285,184 bytes
- File location: hxxp://138.124.183[.]50/barkss/u2lj2R9GN67SRsb7DZYKzF1jBt-yY6AVrA~~/5B6_95Swfy8TXGHD58qeEjYyxRXTL1bqhw~~/
- File location: File location: C:Users[username]AppDataLocalTempiQG29uba.dll
- File description: 64-bit DLL installer for IcedID from Monster Libra (TA551) URL
- Run method: rundll32.exe [filename], #1
SHA256 hash: a969f17bf162032878417da351a229a3ef428cac99b485aedbded04f62291dee
- File size: 615,868 bytes
- File location: hxxp://satisfyammyz[.]com/
- File description: gzip binary from satisfyammyz[.]com used to create license.dat and persistent IcedID DLL
SHA256 hash: 1de8b101cf9f0fabc9f086bddb662c89d92c903c5db107910b3898537d4aa8e7
- File size: 342,218 bytes
- File location: C:Users[username]AppDataRoamingIslandDoselicense.dat
- File description: data binary used to run persistent DLL for IcedID
- Note: this data binary was first submitted to VirusTotal on 2020-07-15
SHA256 hash: 501c05b11d90bbcc5b9439a41a66f9a4e1704447f795ce336492eb5e25c4ef8a
- File size: 272,896 bytes
- File location: C:Users[username]AppDataRoaming[username][username]Kiroepdn3.dll
- File description: 64-bit persistent DLL for IcedID
- Run method: rundll32.exe [filename],#1 –tapeeb=”[path to license.dat]“
SHA256 hash: e4ffdbfb5878a94d27139e2e7ff3b5b91944e1434935028a3c34894988b353bf
- File size: 1,018,880 bytes
- File location: hxxps://rosiyife[.]com/je.dll
- File location: C:Users[username]AppDataLocalTempEhki64.dll
- File description: 64-bit DLL for Cobalt Strike stager
- Run method: regsvr32.exe [filename]
Infection Traffic
MONSTER LIBRA (TA551) URL FOR ICEDID INSTALLER DLL:
- hxxp://138.124.183[.]50/barkss/u2lj2R9GN67SRsb7DZYKzF1jBt-yY6AVrA~~/5B6_95Swfy8TXGHD58qeEjYyxRXTL1bqhw~~/
ICEDID INSTALLER TRAFFIC FOR GZIP BINARY:
- 164.92.65[.]3:80 – hxxp://satisfyammyz[.]com/
ICEDID C2 TRAFFIC:
- 142.93.145[.]128:443 – klareqvino[.]com – HTTPS traffic
- 46.21.153[.]211:443 – wiandukachelly[.]com – HTTPS traffic
- 146.190.24[.]131:443 – alohasockstaina[.]com – HTTPS traffic
TRAFFIC FOR COBALT STRIKE STAGER:
- 213.227.154[.]24:80 – hxxp://rosiyife[.]com/je.dll (redirects to HTTPS URL)
- 213.227.154[.]24:443 – hxxps://rosiyife[.]com/je.dll
COBALT STRIKE C2 TRAFFIC:
- 23.82.141[.]241:443 – jejonebew[.]com – HTTPS traffic
POSSIBLE COBALT STRIKE-RELATED DOMAIN:
- 64.44.135[.]116:443 – xizojize[.]com – HTTPS traffic
DARK VNC TRAFFIC:
- 135.181.175[.]108:8080 – encoded/encrypted traffic
Images from the Infection Traffic
Shown above: Traffic from the infection filtered in Wireshark (1 of 4).
Shown above: Traffic from the infection filtered in Wireshark (2 of 4).
Shown above: Traffic from the infection filtered in Wireshark (3 of 4).
Shown above: Traffic from the infection filtered in Wireshark (4 of 4).
Final Words
We expect to see more of this activity in the coming weeks.
Brad Duncan
brad [at] malware-traffic-analysis.net
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Photo Credit:
English: Photography of the constellation Libra, the scales
Date 16 July 2004
Source Own work, http://www.AlltheSky.com
Author Till Credner
