{"id":2059,"date":"2024-09-25T11:11:08","date_gmt":"2024-09-25T11:11:08","guid":{"rendered":"https:\/\/xdr-mdr.lmntrix.com\/main_web\/?p=2059"},"modified":"2025-07-29T03:17:19","modified_gmt":"2025-07-29T03:17:19","slug":"analysis-of-icedid-campaign","status":"publish","type":"post","link":"https:\/\/lmntrix.com\/blog\/analysis-of-icedid-campaign\/","title":{"rendered":"Analysis of IcedID campaign"},"content":{"rendered":"\n
\"\"<\/figure>\n\n\n\n

IcedID is a banking trojan malware that allows attackers to steal victims’ banking credentials. IcedID, also known as BokBot, primarily targets businesses in order to steal payment information. It also serves as a loader and can deliver additional modules.<\/p>\n\n\n\n

This blog will provide a thorough study of a new IcedID malware sample.<\/p>\n\n\n\n

Infection Chain:<\/strong><\/h4>\n\n\n\n
\"\"<\/figure>\n\n\n\n

The new IcedID campaign uses a spam campaign with attachment (EML) as the initial infection vectors to infect the victim machine. It includes Microsoft Office documents (.DOC) with VBA macro content. They entice the user to allow the macros to do their work. When the user enables the content, the payload file [.DLL] with an unknown extension is dropped directly. Then, using its export function, the malware will carry out the intended action and transfer the collected data to its C2C server.<\/p>\n\n\n\n

Sample Information:<\/strong><\/h4>\n\n\n\n
\"\"<\/figure>\n\n\n\n

File Metadata\/Properties:<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Technical Analysis of DOC:<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Sample     : edc11aa4b1212f620cc1fc0c12d79dee23511467a7fd955e9afad88ed250e765
Category  : Dropper
Campaign: IcedID<\/p>\n\n\n\n

Once the user opens the document, there\u2019s an enabled content button. There\u2019s a fake template of MS \u2013 DOC where the image is blurred, with which this malware author tricks the user to enable it to view the document.<\/p>\n\n\n\n

Macros:<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

In general, we can see the macro content and debug. But, for this VBA codes are hidden, and we can\u2019t view directly. It\u2019s one of the tricks used by the malware authors. Macros is a programmable pattern which translates a certain sequence of input into a preset sequence of output. Macros can make tasks less repetitive by representing a complicated sequence of keystrokes, mouse movements, commands, or other types of input.<\/p>\n\n\n\n

Export Function:<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Here, the VBA code is heavily obfuscated and there\u2019s loads of functions. The main purpose of this function is to drop the payload file and it may be real malware or another dropper. Usually, this process depends on the malware author.<\/p>\n\n\n\n

Enabled Content:<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Upon enabled content, the malicious document executes VBA macro codes to drop IcedID on their specified location. This time, it\u2019s on the \u201cC:\\ProgramData<\/strong>\u201d.<\/p>\n\n\n\n

As we all know, that ProgramData folder is one of those important system folders. It contains all the data for Windows classic and UWP applications. It is hidden by default because it is not meant to be seen by anyone or tampered with.<\/p>\n\n\n\n

Dropped Payload file Analysis:<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Entry point with export function:<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

To find the exact import function of the malware, we need to check one by one and here, the command line is straight forward and using this export function and rundll32 the payload is executed.

Manual Checks:<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Export Functions:<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Exporting a function from a DLL is nothing more than adding the function to the symbol table. This makes it possible for code outside your DLL to call the function, because now external code can look up where the function starts.<\/p>\n\n\n\n

Signature of IcedID threat actors<\/h3>\n\n\n\n

Threat actors behind the IcedID campaign have used a few different methods to deploy the malware, and as with most cyberattacks, these methods are evolving \u2014 making IcedID more difficult to detect. However, there are a few techniques that have been observed in conjunction with IcedID campaigns.<\/p>\n\n\n\n

Presence of Cobalt Strike framework: According to threat researchers, Cobalt Strike, a popular command and control (C2) framework used legitimately by penetration testers, has been seen in multiple IcedID attacks in recent past, around January 2022. Within 20 minutes of infection, LMNTRIX CDC observed IcedID malware attempting to load Cobalt Strike. Adversaries used four different Cobalt Strike servers in the “Stolen Image Evidence” campaign, which were used to access LSASS memory and perform process injection, among other things.<\/p>\n\n\n\n

The use of ISO and DLL Files: According to LMNTRIX CDC, some variants of IcedID has abandoned office documents in favour of ISO files containing a Windows LNK file and a DLL file. Threat actors can circumvent Mark-of-the-Web controls, a security feature that prevents files from performing certain actions, by using ISO files. This allows attackers to execute malware without alerting the user.<\/p>\n\n\n\n

Using the built-in Windows binaries:  IcedID threat actors also take advantage of legitimate tools that are already present in a target environment, a strategy known as living off the land. For example, in the “Stolen Image Evidence” campaign, threat actors used Windows utilities such as net, wmic, chcp, and nltest to perform system discovery.<\/p>\n\n\n\n

Conclusion:<\/h2>\n\n\n\n

Conversation hijacking employed by IcedID variants emerges as a powerful social engineering technique, that can increase the success rate of an attempted phishing campaign. The payload has been switched from office documents to ISO files from time to time, with commodity packers and multiple stages used to conceal malicious activity. IcedID is capable of propagating throughout the network, allowing it to monitor all activity on the infected system, exfiltrate data, and conduct a man-in-the-browser attack. In specific, the man-in-the-browser attack is made up of three steps: Web-injection, Proxy Setup and Redirection.<\/p>\n\n\n\n

 <\/p>\n\n\n\n

IOCs for Detecting IcedID malware:<\/strong><\/h3>\n\n\n\n

THREAT IDENTIFICATION:  ICEDID (Bokbot)<\/p>\n\n\n\n

SUBJECTS OBSERVED: Subject may have been from a previously stolen email thread – can’t say for sure.<\/p>\n\n\n\n

SENDERS OBSERVED: rherrera@m3rxant(.)com<\/p>\n\n\n\n

MALDOC FILE HASH<\/p>\n\n\n\n

irvineonline,document,09.26.22.doc<\/p>\n\n\n\n

7fbf23063a7dda5bfad4787a24231499<\/p>\n\n\n\n

VBA LAUNCH COMMAND<\/p>\n\n\n\n

Shell ReembroiderMormondomUnleathered(“3931245045456261″) + ” ” + BeziqueMalellaMemorise + “,PluginInit”<\/p>\n\n\n\n

(uses rundll32)<\/p>\n\n\n\n

PAYLOAD FILE HASH (Manually extracted)<\/p>\n\n\n\n

Extracted_IcedId.dll<\/p>\n\n\n\n

ed453684a0a54fee5acda4230e7cc049<\/p>\n\n\n\n

Dropped to C:\\Users\\all as:<\/p>\n\n\n\n

46273883.314<\/p>\n\n\n\n

ed453684a0a54fee5acda4230e7cc049<\/p>\n\n\n\n

ICEDID CAMPAIGN ID: 742081363<\/p>\n\n\n\n

ICEDID C2: hxxp:\/\/scainznorka(.)com\/<\/p>\n\n\n\n

SUPPORTING EVIDENCE: hxxps:\/\/tria(.)ge\/220926-yytwladadr<\/p>\n\n\n\n

Reference link: https:\/\/github.com\/executemalware\/Malware-IOCs\/blob\/main\/2022-09-26%20IcedID%20IOCs<\/a><\/p>\n\n\n\n

Based on the C2, we found the following list of hashes from our threat intel:<\/p>\n\n\n\n

SHA256<\/td><\/tr>
87684f6b5141c781f2f9bba8b6317a7138c609c00c240c09d21872eea06a06b1<\/td><\/tr>
242da7effd209f9d7c0f497b508b4f5c4ea0802c1ad45028bcaf088dc721ab4e<\/td><\/tr>
b3ed2de0e147060a7d2cd7def624976d606e7937e7b2e22e805a9961430d4fb6<\/td><\/tr>
f6c3820c214d02644fd1194eee8d3ed23eb18a2e9c85851197556f7bbc068503<\/td><\/tr>
58ce514c8b740fdfe115bc19d65ed5e2f8d0df045cdd4e5611ec213382a56e3b<\/td><\/tr>
cc42ef46da6aaeba9e41b2c5ac494f59383fec47f5736d27d4654613fe4cc610<\/td><\/tr>
e2ba042f4194826bed8a8ba388dd26755cb76d5e82811f86e418f377b6fc3791<\/td><\/tr>
994afac3be849124810bf5eac058baf805cee4fb17d9f1d74f48d645f456911e<\/td><\/tr>
58f9be151a7edb6fab36fb7ca9dfdfcd9ebd257d4d30bac1d1042c0bdd1ef38c<\/td><\/tr>
d50af70fb63188c270ec67734bc1c9de8a4120ca5088c242fbb20123f98adfdd<\/td><\/tr>
0b1b3f889461485e71868160f46aeb008d8dd68c44b7b2e2f6f2c3e8831aae8b<\/td><\/tr>
f29e633a2bc1afed5f4dbfb62d82e47754d8f0d31dd247f62febd8810e1fe881<\/td><\/tr>
b7d4e61a508f579f9758fbb34a24822f1a7882cda5437626b7fea130b8a4abf6<\/td><\/tr>
dff04640f0895983445a91d46d359606f5dbfaed3abc5593bcbe5fbfd2f1c318<\/td><\/tr>
f59f47970092e69c7fe1d8473dd57c3fd946eccd80b67ab1131a0c82c1aa025d<\/td><\/tr>
10c00de5df9f12d59e7113dfac0618f26a8b16a19312c576c616ac757e4448e5<\/td><\/tr>
28c39e238da2f920b7407370ada35aceedb457205a4dd3531e238b1f3c264b0d<\/td><\/tr>
ebaa68738173a87e2dbde383c8879facc05def85da47be4e8be6fc369e7f232f<\/td><\/tr>
151e6e9aaffbc08ecaaba6feee9868708a69a686d67a64af41f749a05c1fa220<\/td><\/tr>
f7da1b974bbb5d89b09ec477b235e50b0f3035211a969c9b09f6fcf7df9ef675<\/td><\/tr>
de2d8a887e2d5950f27287c587e0895a52774aad7e61f472be74ddfe44ea5d71<\/td><\/tr>
b86f5a1bfb1b69c4b4137d98a5c4ef46d9da5d75ea8748f52cd22758781d7369<\/td><\/tr>
8279ce959f0a6218a93336f9ce5e9cbee68e62faf40027e33acd968237acdf71<\/td><\/tr>
da08cc0f50eedb128dcd8027450329fc5f8f51c81aa24d86c79789d278918f78<\/td><\/tr>
297216dc24f4d311ab548ded700e850ed72aebcbff60e9a21574f9b651b33273<\/td><\/tr>
f0fe9a6eb424f7e7c63ff495b7576cfcf29676ae9dc5b8539808f5ffd763be5e<\/td><\/tr>
578a35e36d8e6a9328cec388852679bac9c7fc9d1cb60a6350ebd9f6a65cc563<\/td><\/tr>
a36f793145c7a775fca887e5ada691ec71137678da479a476bfe70fc1e30e57f<\/td><\/tr>
5cc55537a511195f7156af0e5ba37f4b02c124e2e2576561a50efbb23c7e1ed6<\/td><\/tr>
ebf4a084e6d4a5f9799da0d09a670ed79107193f35907a103f339471d65a9125<\/td><\/tr>
cb7b6d4c2ff89c0d673c3026033b840e8f766c11b7af0983cb0267392a01bc2d<\/td><\/tr>
5b067b3377033144b982410f226ce45007b3615446b3b72c5dc1468bb6864447<\/td><\/tr>
e0f330fce3d6e226cc531b6b943a3ca33e81ee683f3068d0ae5a8e7553e20df2<\/td><\/tr>
ab820915d00cf32c67fbaa79b4ee3ce7bf9d9d3357bea3a53b54f429e03a3c63<\/td><\/tr>
38d1be9067da72a234a872f6a3734df25a7e5b147d862d96a83618e58b2a45f7<\/td><\/tr>
365a9fc593e0f936bf27b71a27557c47cb77cd9a8d8cd8531537a1fee844b6f7<\/td><\/tr>
0ce40e119c53aed71cf0958e4b8ed239e14b3e6453b455a2c5dc616bc9b8c0b9<\/td><\/tr>
807fb8634a8e1fea7d7927dd6b00a351e51b8533009d76184a930f41ebcbcf49<\/td><\/tr>
4aed84df96bdbf16a4f5b4c2a195e9384b891b35328108aae8f3243a50e3dc25<\/td><\/tr>
1c54e6547719dd745928ee44e318e98f4b9e5603f70648c53f8efe3587e7c6bf<\/td><\/tr>
cb36ff420bbc18158dbfdf3e9068ab775043db2bc61a637ad592a4762ee71b15<\/td><\/tr>
1e4fa679abeb3f756d4be4834e7d2681e9e4a889c369722da4777e8008ce4323<\/td><\/tr>
828ba54cdeef23fac240726ae04f3768a35dc3c871c9eeaea685421916d872c1<\/td><\/tr>
26f492c47084b37acb68702cafda4256054eb8b07dbed4d215ea7844827efd4d<\/td><\/tr>
b7c2b49bc0c9fc9ce0668e24229d18f21b18b8bf7c78bc45ffb1293e833cc0ce<\/td><\/tr>
35637fabcfe49e7bf98dab87893339ed7da653369921b729ad28ccc8767b7dcc<\/td><\/tr>
f30b9c09e25075a6b67aa88252440cc0408b1d5ae3335648dc36bc441f3caacf<\/td><\/tr>
29764707bbe878fb00cd85bac9323de74328e33f48d34fbf2073c8ef4aded411<\/td><\/tr>
6cf4b6897928f8630040e5cb5db66fc6b979be1d3b8849986db9f0ac5bef1b84<\/td><\/tr>
5e65ccccf0031bd22a341a0cc2006598af2086b70a9667779001c380891d00f0<\/td><\/tr>
57d2ab6857597731cba0c9d624b35ae36eb5043b142ba3bd0867847daae6540b<\/td><\/tr>
b2b88327ebf5d1cdada40abb354b17c0b6963f60b06726bd61c1b8b38a0f5291<\/td><\/tr>
c219777c4bdd8df4f3190678b777156b2f81f734f55376a627bedcb4b3daf3dc<\/td><\/tr>
f21f2c15e99a4701452813233b3b5b8a20caf54e6185bf25d4dc733b12eb6426<\/td><\/tr>
563eba169c321af25eeefb52a0adaac9fc7006d1e8712ca2e4de6937ecef2e07<\/td><\/tr>
ae2a13c849149cc0f614e48476d56d18048d716fa2fba3fd1def3445ba4ef1f2<\/td><\/tr>
9ec7d14c58d34a094e55bfe20b7dc40c9391d53de9b7c0b6aac2fc7518748330<\/td><\/tr>
e269a681bba217da4d23d53a8cb44c19d502af3a25b37c416e0d5f273caf589e<\/td><\/tr>
8ae9e035b041deef16e87e81b3fae337f71b15d7d534b86eea1eb24a90d8b2cc<\/td><\/tr>
008ea13c67852e41ee23c26ab33ce4537d1c44441fb8ab5d8e1cb13df89f60fd<\/td><\/tr>
461e1057fcb66e15536d92acf0da35546ecc6d9c0db677b0dfb0bc23fc2bbe88<\/td><\/tr>
06f6b95cd39e770e937dcb94a0a2f11f46fa4500eeaf08e4be270e501ecf7584<\/td><\/tr>
213d3eb70ec15b26498f49724494a0d342d7af7fd491c375a0ae056b3689f77a<\/td><\/tr>
4d992810e9a05e27afabf2194cd04612dca0a738dc076778a56459cf97c6b9f1<\/td><\/tr>
212a3bd1d47d54ea3bc940531f8ca8047842970f87697f2766bcb443d6576ce2<\/td><\/tr>
ec11467a9beb27b6329e84a19e90f4563d9720ed8ec1f3c1ae013783061062fa<\/td><\/tr>
ef8d859f7a834d90814b0a4a2b323571b46244ffd5286c4bcafaaf88f787032f<\/td><\/tr>
50a281a000cf9f1fe9223ea81ccc08a6768208358846a2d32b1399325a6c64dd<\/td><\/tr>
f9938f14df5d7889b1dfd3af2d529ceadf1017aa2f83337dad71ee67379d9a3d<\/td><\/tr>
0a6b1516e40136f18f0533685991ad8be96cf485b0c638cf5e8359183647eeb2<\/td><\/tr>
ea153aab8f9073d6bc3552d78cb0d0fc57a80cbdb437d9d9ffd6e3629d63b19f<\/td><\/tr>
5bed7aa2d24f217abcbcef9ba69ea7eac2b58d2bf3921e845934c65efb7fd251<\/td><\/tr>
284250c6ed4cce821821c36bcb7782d27c3a095fd24fb761ad4d86bb454e0af3<\/td><\/tr>
4de986bc1d553823577929819c03ee508e911384119ebdb1f0d8cb190a7e381e<\/td><\/tr>
7fc1d7ba1c77dc2d93a982ea92db6c81d2af658d5ba5116c7167fa82614d114b<\/td><\/tr>
ac16d8858e342ed0cba480f808a07f7fbb7aa98472368bf0aace361c56f884f5<\/td><\/tr>
1965899f73d123cc4f4cd43f8678e3e98a60ef8b3d079e424619e06d58fd6824<\/td><\/tr>
ebc3abd89547ce79d0f33ec18ed216750317fa53cd1aab40fad24f7b19736ebd<\/td><\/tr>
31a379b1373f69bea5ca9acdd5a908d787e3f6635ecf48a15f717e3ed7f30adc<\/td><\/tr>
81c6bbed61f2ef06c3a64d623a882a9f5d83cf35aa63ee9d90b74af72122d30f<\/td><\/tr>
9bfd5599498bfad4ba9169d9bea17272dd2ee9173567de13d0488f536416c2d7<\/td><\/tr>
e32d11d7b62d509c8ada08864a4938bbf92e2b7a4f5cb93cf9a387daa20fcf5c<\/td><\/tr>
896e724fbfd187e1f588ef44d0b9ed74f60c7c1d334ef45a973ca89204d64d3a<\/td><\/tr>
cff784097a93c27539c5cd51c1ff2073fcc45a9dd72209f9c11ad14f034bbf01<\/td><\/tr>
0000cee3e4fb7de0585d4184b49f1ed6cb81b01aff38c042d1f9ac9777520bdb<\/td><\/tr>
aab35498bda5aad2c0f7485028f118fbf2a0f46faaabe8cba313b87791ace57c<\/td><\/tr>
5c14695101c90a32955e970fe35b4ed8bf8db6b7dc08682964985d0a7194ce00<\/td><\/tr>
7a584e0486038cb215525eea0dfd5375d196136bcb64f34f9fdfb8ac18eec55b<\/td><\/tr>
d698eafa3e84e1f2ddf48f0cb22c59170acea910196e773fdd3484781b5b0369<\/td><\/tr>
7778ec0e63f82e94f18b343c2ebe1950b6057a1dc3067c1aeedc0ed6cbe69355<\/td><\/tr>
abac9e6498ed2656b39f73aa3cfcc265c59c04e58c2a6e161214b6665cc36095<\/td><\/tr>
cf87fceb65b025e6f9f824496762f234ea3e043b8b4150df251d28cc80aaa1a2<\/td><\/tr>
80388e408f4208e1ddd8cf42d39ec382fe085819c4431013aeb5e609c32bb014<\/td><\/tr>
b5856a4e5db8b095f4571004b938fa09f6b67d2528e7dcb4b3e1f0d2eabeadde<\/td><\/tr>
0167b0b10dfbf982e9c3d83dc7095e1975d89d4330f3042d6ceeb4b60cff30b9<\/td><\/tr>
8ad5bdf64e1eb484a281d09a2fbdd328a08ee3c3d347a99fb64b50c2352c894d<\/td><\/tr>
d81386d5d8563af670454122752a89722a901d1aa76fd4a65b8acfe4f4a76874<\/td><\/tr>
f4273d576c6c363c06646c8c39fb5090b51289e181203d09997244b673ef899f<\/td><\/tr>
96f4b5d7a36e0beb974712736292680ab6371df4c167914fe6570fbbabf19aa0<\/td><\/tr>
a72b96afa96d377d5c24a5e10b117951502864dac4d0a301bfcfcc3f702d19bd<\/td><\/tr>
86905033625f22c13a09dbdf5332c31a1a853ca26a83dc4c5188708a5a035fff<\/td><\/tr>
16eb58ed162137bd71290883d35032cbe2f7d68fbfd3b95a9ba2f61a55112db1<\/td><\/tr>
123b4be16b0465724861d6b0ed11c42d9803acab63ed981ad377647fc6905df1<\/td><\/tr>
5202027e3353157e3865c93d0db64452cbc69283fa6d061642398b5b5141223d<\/td><\/tr>
2f8f6110054f03d8978dd027c0b22d6ad4e7e31a4b3dc181e85b3fd80ad8804d<\/td><\/tr>
80a44124ac0e7a9d5857dd15535b4353099272b1803b2029262d0e9d2b4a927d<\/td><\/tr>
ff22f8e204e940c2ce2652c5be030577782bd90274b1113a8f659d0d18abe5da<\/td><\/tr>
b223d5f24de69721464f9072d01677a8f3eae0c7908441471601add0fb5cd037<\/td><\/tr>
a586f7e99af6232f33d3b7971f4c3107c9f45d086e18a29314c082b84d332d34<\/td><\/tr>
6d8a66cddd81c9d8ab0f017bd38f72e3dd65235989ed207670fdbc9427f45db1<\/td><\/tr>
cccd5cabe6c297fe66bbf2db5d1c9f9d0afef3a2c6a09738b79ad066ae98e23b<\/td><\/tr>
e0a4572ceac68b62a9adfef1d8eab7594a6607a1cfb116b7eed59834ea75c99f<\/td><\/tr>
5b65ab24590965427d1b15ad17bb03c045283fb07c240cf4109af6be4146e252<\/td><\/tr>
d3c9ad050848a150a7fe4e03e0c5da39f1ba8337ea0abf22fdc0302ac963db0b<\/td><\/tr>
b0fcc7aa39349b93b6913d5e8d08d6df8389e654740087fa5886d5c91d727010<\/td><\/tr>
42b762dc99de727b9a266549de40dcc48cdda87485fe8f349a3119bd92b389c7<\/td><\/tr>
ce19eaf23b475b113f9fc84ac3bbaf94d474b0b806b4aad7887412120cb9110c<\/td><\/tr>
43eedb0633bf7216c1ff47b8a04c0902b669f0b90883d24d488a150af11848ed<\/td><\/tr>
f42c62d9eba4fffe26c0ee87116c53cc91610f98b9c3625819d60c8502b74986<\/td><\/tr>
bc65b9d1bdda2829ff01c3ee12803f834422ed8a209ece5c896d0c1934bd1595<\/td><\/tr>
c9284fd6a608d07c4035f24cbfe96b01afd191fe45aeb0b3c31fcebf43051b5b<\/td><\/tr>
3e8d73987b1f9063b922aa66eed77d195d350e64fb99f1e3c7c24688ce94a09c<\/td><\/tr>
218510104ec2790b67cc45d0f5ceafe1d06ebe5fd2c9a20da013c7f84f3c6554<\/td><\/tr>
55344c7adcf3e9ef0e2a4dcf330f34118c49e27112cdc0a12a8ca34033f68e00<\/td><\/tr>
d47334b943e152eef809da3d651880e1821749ad9ba2b2e08c9fd5a2db4a8e1c<\/td><\/tr>
3dd1014b11a4d4689a549145e18269ebe5c1304f6d5eaa8b766bd90aab328326<\/td><\/tr>
87a54c88923ff6436c71f1c74eef0136be386f44a7510f96344df421cdcbae9e<\/td><\/tr>
da53ec50385bd308bdae8095edde4f87b59f490ee31c91eecaeebf045a299747<\/td><\/tr>
9b00c59ed990ef0ec4b2703e1a59c2c246027054dbba766733fe9c27373f2f98<\/td><\/tr>
5c4e8b7df766ffd8ae0df06d9f568289273efd03b943e5b823d9099d8a63e3e6<\/td><\/tr>
1630d71da594875c9aa1fd50a955a8adfe02a3bb54d1aa610873cec89ca32911<\/td><\/tr>
b4f39dc3490043c899720bd63c0d59cc26c8e14844d25aba02898462aceeb089<\/td><\/tr>
2a7196d92a874e93d9c61fe521cc6d9e73f9d6f66d62c122852cf85498785683<\/td><\/tr>
99ba6d758426d6773e94eef1e0a9f8a9b0aab30ee48f8454ea5b94e95b274216<\/td><\/tr>
7d58275a08f80b689b595cabd092d8466ab645db8de60b9cfde04b89738ff778<\/td><\/tr>
edc11aa4b1212f620cc1fc0c12d79dee23511467a7fd955e9afad88ed250e765<\/td><\/tr>
44621ab1506fc576aa4a0be857e035ce1ee1d3f65443cfdc0b7e72fda97d1d4e<\/td><\/tr>
02b2c06c5f8319035f4b6e90976c80428886a23262217f347e4c2a72e3d7f17d<\/td><\/tr>
abc0382a20c86144086e39ccf107bb7702bde07dcc66a06967a01bc15f6a1432<\/td><\/tr>
768ae10d748df22e799a878c2bd5eebddd0cd331196d28e26b1a9b2e0ca989c2<\/td><\/tr>
f7bdd9ce0ef7f660e4259d70940687780702d2503cce685c4ab4c4ede90e4bab<\/td><\/tr>
f93c2c67f9daa2c1c09cf5a48a04cbfb37777f9aff9f8b7f24871b3f052d7925<\/td><\/tr>
7a4c98a8dbf9e3a9a08f431dd6ec27419e6f7996f8b2170aa3fb2efd7e6757ab<\/td><\/tr>
39af395246a555cdca505f3b7358db16b107bd186b9cbcf18fa573acb4709a5f<\/td><\/tr>
048f62452c8cc27f3e6275375122c3d5175e42849f339a41173dbbabdf076bf7<\/td><\/tr>
cbfa1b2e962bcdb0f19992d66c87fdd2c2cef4810107d4d51dd6235432e605f1<\/td><\/tr>
2811f41a5ad47e5a4482837298b2cd8bddbd635f7db6806ae6784ab0c8661ba6<\/td><\/tr>
15ef256e1ecd4e80bd081568ad4bae41f62f1bd4a95451d7af3e79f060531d7f<\/td><\/tr>
4f427b863ad4070652fbeecb31a1ef13bc4ae2e680a55dd1589915472d912d06<\/td><\/tr>
496aa0c735bbb1d22463bba633c196d111fea07254f4cbaf20e0d2c4ca4a595e<\/td><\/tr>
e2c3d8071fba84f2bf949529db0052fd01dfb911cdcd8c88eed773479d7db791<\/td><\/tr>
c7392a81e88c1e7d0b6c36c0fc3e0f36f2dd87ce8dd0069b4e08dede9283b5ac<\/td><\/tr>
3c808f5d5d5956a7cbae3bb1ee7b6c072f6dd006bb4bdbd8b4db4289dbe37670<\/td><\/tr>
1903f69d02939b390578a2143347c6d331e6e62cf7db9b6daf89949fd00dca39<\/td><\/tr>
42120051f854a177b4e08490f4bf40d7f398e4be50eaec5950c5256d292b3234<\/td><\/tr>
cb63e6a4792e32692f8dcfe70c15c8d1fbe3592c3acfff590b5762d31ff93fdf<\/td><\/tr>
196d704161da2a204e24e80f94505988096e05c99683e50718fd72bc83aa477e<\/td><\/tr>
4ef50ecd86e1d0de1b4c67247190539c0190906406d0bebee2aa6533208184db<\/td><\/tr>
0a7f377d19ba4c93d523af53cd58cbb00d05e070823d6ce6c967990d40cfcaa1<\/td><\/tr>
d5443150fb2dd12ef3d7b5e4fe1f0e9e2f70506404cf1ebb97c24a53d841fd13<\/td><\/tr>
676c6889f1119a53fb5d3fc9520757f02917bd0f5d045c27f4c4660b6990640b<\/td><\/tr>
72a1f403a8c5d7ddd2b88f3b12653f4214e8e76a33baac3684813e3fb8353425<\/td><\/tr>
665c6ee253328ee1b26c9a7119559404b93738d1ce991939aa68568a2f430783<\/td><\/tr>
48aa0dd615a8a2eded6f58bbd94ffe4f54bdd7685d67663d58c84f581185c220<\/td><\/tr>
d233b55cbaa4411d0cc03c6452ef47d11ce2f759d1784ffb964d48775c2857f0<\/td><\/tr>
93e123edf1ac9694a46e549e336b275f63ce9ceb3f27c4df0936f16027b1fb13<\/td><\/tr>
660dea4978c28bdf3bbe6f787aa542627d4806bac990fca7e1bc7f882d3bb873<\/td><\/tr>
35eb50c57424f9bb8c2055093d7c7657cbacb8b456f28374bd1cab646689927f<\/td><\/tr>
247a582f79b8ac531d5cba1e94913c212ac1a1b28545ee3ed942ed1d22ac1b72<\/td><\/tr>
03d5362113f95a23c66503be44934867f8f4d24a698571ce503b6c2b5b1826e0<\/td><\/tr>
1081a3a52a5fc8709da116cbc75e464c86df06f2dd4302db45de0f2c7733ad45<\/td><\/tr>
0296a52b9f9d974354ff716eed586ac71e2406611dc9013081846c90c05344c9<\/td><\/tr>
f6c92ff1db6bfab8dcc9bb202af11d6c5b0cbc9c780e7bb329badfd33f879481<\/td><\/tr><\/tbody><\/table><\/figure>\n","protected":false},"excerpt":{"rendered":"

IcedID is a banking trojan malware that allows attackers to steal victims’ banking credentials. IcedID, also known as BokBot, primarily targets businesses in order to steal payment information. It also serves as a loader and can deliver additional modules. This blog will provide a thorough study of a new IcedID malware sample. Infection Chain: The new IcedID campaign uses a spam campaign with attachment (EML) as the initial infection vectors to infect the victim machine. It includes Microsoft Office documents (.DOC) with VBA macro content. They entice the user to allow the macros to do their work. When the user enables the content, the payload file […]<\/p>\n","protected":false},"author":1,"featured_media":1734,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[],"class_list":["post-2059","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-labs"],"_links":{"self":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2059","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/comments?post=2059"}],"version-history":[{"count":3,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2059\/revisions"}],"predecessor-version":[{"id":4201,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2059\/revisions\/4201"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media\/1734"}],"wp:attachment":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media?parent=2059"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/categories?post=2059"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/tags?post=2059"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}