Italiano
English Indonesia Türkçe Deutsch Español Português Pусский Français Italiano Nederlands Polski العربية ไทย Tiếng Việt 繁體中文 简体中文 日本語 한국어

#bokbot risultati di ricerca

sans_isc's profile picture. @sans_isc@infosec.exchange - https://t.co/8IgCGtJnZd - Global Network Security Information Sharing Community -
SANS.edu Internet Storm Center
@sans_isc
24 feb 2023

ISC diary: @malware_traffic reviews .url files and #WebDAV used for #IcedID (#Bokbot) infection i5c.us/d29578

sans_isc's tweet image. ISC diary: @malware_traffic reviews .url files and #WebDAV used for #IcedID (#Bokbot) infection i5c.us/d29578
0
24
50
6
12K
gikobookmark's profile picture. 旧:個人的なブックマーク代わりのアカウント。ポスト内容はGoogle翻訳。 現:趣味のプログラミングのメモ。
技巧@📘🖊ブックマークbot
 @gikobookmark
2 nov 2023

2023-10-31 (火曜日) - MSI ファイルから#IcedID ( #Bokbot ) に感染。通常の HTTPS C2 トラフィックに加えて、159.89.124[.]188:443 で IcedID BackConnect アクティビティが確認されました。

Unit42_Intel's profile picture. The latest research and news from Unit 42, the Palo Alto Networks (@paloaltontwks) Threat Intelligence and Security Consulting Team covering incident response.
Unit 42
 @Unit42_Intel
1 nov 2023

2023-10-31 (Tuesday) - #IcedID (#Bokbot) infection from an MSI file. Along with the regular HTTPS C2 traffic, we saw IcedID BackConnect activity on 159.89.124[.]188:443. List of indicators available at bit.ly/3Mq0tJL #TimelyThreatIntel #Unit42ThreatIntel #Wireshark

Unit42_Intel's tweet image. 2023-10-31 (Tuesday) - #IcedID (#Bokbot) infection from an MSI file. Along with the regular HTTPS C2 traffic, we saw IcedID BackConnect activity on 159.89.124[.]188:443. List of indicators available at bit.ly/3Mq0tJL #TimelyThreatIntel #Unit42ThreatIntel #Wireshark
Unit42_Intel's tweet image. 2023-10-31 (Tuesday) - #IcedID (#Bokbot) infection from an MSI file. Along with the regular HTTPS C2 traffic, we saw IcedID BackConnect activity on 159.89.124[.]188:443. List of indicators available at bit.ly/3Mq0tJL #TimelyThreatIntel #Unit42ThreatIntel #Wireshark
Unit42_Intel's tweet image. 2023-10-31 (Tuesday) - #IcedID (#Bokbot) infection from an MSI file. Along with the regular HTTPS C2 traffic, we saw IcedID BackConnect activity on 159.89.124[.]188:443. List of indicators available at bit.ly/3Mq0tJL #TimelyThreatIntel #Unit42ThreatIntel #Wireshark
Unit42_Intel's tweet image. 2023-10-31 (Tuesday) - #IcedID (#Bokbot) infection from an MSI file. Along with the regular HTTPS C2 traffic, we saw IcedID BackConnect activity on 159.89.124[.]188:443. List of indicators available at bit.ly/3Mq0tJL #TimelyThreatIntel #Unit42ThreatIntel #Wireshark
0
32
98
19
21K
0
0
0
0
114
sans_isc's profile picture. @sans_isc@infosec.exchange - https://t.co/8IgCGtJnZd - Global Network Security Information Sharing Community -
SANS.edu Internet Storm Center
@sans_isc
12 apr 2023

ISC Diary: @malware_traffic reviews recent #IcedID (#Bokbot) activity from this week i5c.us/d29740

sans_isc's tweet image. ISC Diary: @malware_traffic reviews recent #IcedID (#Bokbot) activity from this week i5c.us/d29740
0
17
39
5
11K
JAMESWT_WT's profile picture. #Independent #Malware #Hunter #CyberSecurity #InfoSec https://t.co/KCFBJcHHcW https://t.co/WODUKncjFy
JAMESWT
 @JAMESWT_WT
12 ott 2023

#IcedID (#Bokbot) >#KeyholeVNC => #CobaltStrike Spam Email Campaign Urls urlhaus.abuse.ch/browse/tag/pw-… Samples bazaar.abuse.ch/browse/tag/ges… Run app.any.run/tasks/3fa451b1… C2s: skrechelres[.]com jerryposter[.]com jkbarmossen[.]com evinakortu[.]com hofsaalos[.]com 1/2

JAMESWT_WT's tweet image. #IcedID (#Bokbot) >#KeyholeVNC => #CobaltStrike Spam Email Campaign Urls urlhaus.abuse.ch/browse/tag/pw-… Samples bazaar.abuse.ch/browse/tag/ges… Run app.any.run/tasks/3fa451b1… C2s: skrechelres[.]com jerryposter[.]com jkbarmossen[.]com evinakortu[.]com hofsaalos[.]com 1/2
JAMESWT_WT's tweet image. #IcedID (#Bokbot) >#KeyholeVNC => #CobaltStrike Spam Email Campaign Urls urlhaus.abuse.ch/browse/tag/pw-… Samples bazaar.abuse.ch/browse/tag/ges… Run app.any.run/tasks/3fa451b1… C2s: skrechelres[.]com jerryposter[.]com jkbarmossen[.]com evinakortu[.]com hofsaalos[.]com 1/2
JAMESWT_WT's tweet image. #IcedID (#Bokbot) >#KeyholeVNC => #CobaltStrike Spam Email Campaign Urls urlhaus.abuse.ch/browse/tag/pw-… Samples bazaar.abuse.ch/browse/tag/ges… Run app.any.run/tasks/3fa451b1… C2s: skrechelres[.]com jerryposter[.]com jkbarmossen[.]com evinakortu[.]com hofsaalos[.]com 1/2
JAMESWT_WT's tweet image. #IcedID (#Bokbot) >#KeyholeVNC => #CobaltStrike Spam Email Campaign Urls urlhaus.abuse.ch/browse/tag/pw-… Samples bazaar.abuse.ch/browse/tag/ges… Run app.any.run/tasks/3fa451b1… C2s: skrechelres[.]com jerryposter[.]com jkbarmossen[.]com evinakortu[.]com hofsaalos[.]com 1/2
1
18
47
7
9K
Myrtus0x0's profile picture. Malware Researcher | Developer | @Cryptolaemus1 | @NVIDIA bsky: myrtus@malwareindepth.com
Myrtus
 @Myrtus0x0
3 mag 2023

Very happy to share my latest podcast I recorded with @joewise34 where we discuss the evolution of #IcedID #bokbot and the reasoning behind their design decisions (mistakes) open.spotify.com/episode/4MKUam…

1
20
54
8
9K
Myrtus0x0's profile picture. Malware Researcher | Developer | @Cryptolaemus1 | @NVIDIA bsky: myrtus@malwareindepth.com
Myrtus
 @Myrtus0x0
13 feb 2023

Surprisingly old project ID for this #IcedID #bokbot campaign? Maybe new affiliate is getting lazy? or reusing builds? gist.github.com/myrtus0x0/a6f2…

Myrtus0x0's tweet card. GitHub Gist: instantly share code, notes, and snippets.
IcedID_02_13_2023.txt
Fonte: gist.github.com
2
10
20
2
5K
Myrtus0x0's profile picture. Malware Researcher | Developer | @Cryptolaemus1 | @NVIDIA bsky: myrtus@malwareindepth.com
Myrtus
 @Myrtus0x0
9 gen 2023

Thanks for the find!! Start your year off right with some #bokbot #IcedID. quite a few C2 domains involved... maybe their new years resolution is to get a respectable amount of bots :) gist.github.com/myrtus0x0/e11b…

Myrtus0x0's tweet card. IcedID_01_09_2023.txt. GitHub Gist: instantly share code, notes, and snippets.
IcedID_01_09_2023.txt
Fonte: gist.github.com
k3dg3's profile picture. Friendly NEIGHborhood Threat Researcher | Reverse Engineer
Kelsey
 @k3dg3
9 gen 2023

#IcedID "3131022508" dropped via PDFs with payloads hosted on firebasestorage\.googleapis\.com.* Thread-hijacked email -> PDF Attachment -> payload download -> Password-Protected Zip -> ISO -> LNK -> CMD -> DLL c2: wagringamuk\.com bazaar.abuse.ch/sample/173e5b0…

k3dg3's tweet image. #IcedID "3131022508" dropped via PDFs with payloads hosted on firebasestorage\.googleapis\.com.* Thread-hijacked email -> PDF Attachment -> payload download -> Password-Protected Zip -> ISO -> LNK -> CMD -> DLL c2: wagringamuk\.com bazaar.abuse.ch/sample/173e5b0…
1
26
77
12
37K
1
16
33
4
9K
phantmradar's profile picture. Independent, community-driven cyber threat intelligence project. Operated by individual researchers. Not affiliated with or funded by any for-profit entity.
Phantom Radar Project 🇺🇸 🦅
@phantmradar
4 giu 2024

1099Misc.inf file related to the sample "Tax Organizer.exe" SHA256 3afc8ef18d02bf8c40ba4fb029058c1f7d4bfb10f05d0dd281db6695091100ae virustotal.com/gui/file/3afc8… #iceid #remcos #bokbot

phantmradar's profile picture. Independent, community-driven cyber threat intelligence project. Operated by individual researchers. Not affiliated with or funded by any for-profit entity.
Phantom Radar Project 🇺🇸 🦅
@phantmradar
3 giu 2024

#iceid suspected #malware 0/72 VT virustotal.com/gui/file/08c7f…

0
0
0
0
149
1
0
0
0
92
BYILDIRIM0101's profile picture. Let the material swords be sheathed. Now the exerted effort of the century is with knowledge, persuasion, ideas, and spiritual swords.
BURHANETTIN YILDIRIM
 @BYILDIRIM0101
28 mar 2023

IcedID (also known as #BokBot ) is a type of malware that is designed to steal sensitive information, such as banking credentials, from infected systems. The malware first emerged in 2017 and has since become one of the most prevalent banking trojans.

1
0
0
0
1
Max_Mal_'s profile picture. Threat Researcher, Blue Team, DFIR, Malware Analysis, and Reverse Engineering. “⚔️What do we say to God of malware, Not today⚔️”
Max_Malyutin
 @Max_Mal_
24 apr 2023

#IcedID (#Bokbot) resource section #MalwareAnalysis 2 resources with high entropy❓ [+] resources contain string pattern NtAllocateVirtualMemory [create new pages RWX] > jmp with XOR (contains string pattern + resources) [+] StringP = XOR key [+] resource decoded to DLL loader

Max_Mal_'s tweet image. #IcedID (#Bokbot) resource section #MalwareAnalysis 2 resources with high entropy❓ [+] resources contain string pattern NtAllocateVirtualMemory [create new pages RWX] > jmp with XOR (contains string pattern + resources) [+] StringP = XOR key [+] resource decoded to DLL loader
Max_Mal_'s tweet image. #IcedID (#Bokbot) resource section #MalwareAnalysis 2 resources with high entropy❓ [+] resources contain string pattern NtAllocateVirtualMemory [create new pages RWX] > jmp with XOR (contains string pattern + resources) [+] StringP = XOR key [+] resource decoded to DLL loader
Max_Mal_'s tweet image. #IcedID (#Bokbot) resource section #MalwareAnalysis 2 resources with high entropy❓ [+] resources contain string pattern NtAllocateVirtualMemory [create new pages RWX] > jmp with XOR (contains string pattern + resources) [+] StringP = XOR key [+] resource decoded to DLL loader
Max_Mal_'s tweet image. #IcedID (#Bokbot) resource section #MalwareAnalysis 2 resources with high entropy❓ [+] resources contain string pattern NtAllocateVirtualMemory [create new pages RWX] > jmp with XOR (contains string pattern + resources) [+] StringP = XOR key [+] resource decoded to DLL loader
1
36
106
12
11K
Max_Mal_'s profile picture. Threat Researcher, Blue Team, DFIR, Malware Analysis, and Reverse Engineering. “⚔️What do we say to God of malware, Not today⚔️”
Max_Malyutin
 @Max_Mal_
17 gen 2023

#IcedID (#BokBot), #Qakbot & #Bumblebee use Batch Obfuscation Windows Command Shell Defense Evasion🔥 [+] set environment variable: set variable=string ss64.com/nt/set.html Quick and simple de-obfuscation; Replace each %variable% with the string to get the malicious command

2
28
74
11
10K
rcwht_'s profile picture. Ipswich Town and McLaren F1 💙🧡
Rob White
 @rcwht_
4 feb 2023

This also catches the #IcedID/#Bokbot from OneNote that I've seen. H/t @James_inthe_box and @ffforward for sharing them

0
0
4
0
1K
Myrtus0x0's profile picture. Malware Researcher | Developer | @Cryptolaemus1 | @NVIDIA bsky: myrtus@malwareindepth.com
Myrtus
 @Myrtus0x0
17 gen 2023

come get ya daily #IcedID #bokbot prescription. Same thing as yesterday besides two new bot domains. If you're gonna have a new campaign at least put some effort in.... gist.github.com/myrtus0x0/ad71…

Myrtus0x0's tweet card. GitHub Gist: instantly share code, notes, and snippets.
IcedID_01_17_2023.txt
Fonte: gist.github.com
1
12
28
2
5K
SaifCaMahmoud's profile picture. Cybersecurity Engineer | SOC Analyst Tier1
Saif Mahmoud
 @SaifCaMahmoud
25 mar 2023

In 24/3/2023 #BokBot malware emulate recent activities involving the banking trojan known also as IcedID, which has been primarily focused on exfilterating data and stealing credentials. BokBot now commonly delivered using Spear Phishing. #soc lnkd.in/dmhiRW7E

0
0
1
0
86
cpardue09's profile picture. Look mom, I automated my twitter again!
Chris Pardue
 @cpardue09
30 set 2023

#ln -s :malware_traffic: RT @Unit42_Intel: 2023-09-28 (Thursday) - #IcedID (#Bokbot) infection led to #BackConnect traffic and #KeyholeVNC on 172.86.75[.]88:443 and HTTPS traffic for #CobaltStrike on umomrmwa[.]com using 141.98.80[.]158:443. Details avai…

cpardue09's tweet image. #ln -s :malware_traffic: RT @Unit42_Intel: 2023-09-28 (Thursday) - #IcedID (#Bokbot) infection led to #BackConnect traffic and #KeyholeVNC on 172.86.75[.]88:443 and HTTPS traffic for #CobaltStrike on umomrmwa[.]com using 141.98.80[.]158:443. Details avai…
cpardue09's tweet image. #ln -s :malware_traffic: RT @Unit42_Intel: 2023-09-28 (Thursday) - #IcedID (#Bokbot) infection led to #BackConnect traffic and #KeyholeVNC on 172.86.75[.]88:443 and HTTPS traffic for #CobaltStrike on umomrmwa[.]com using 141.98.80[.]158:443. Details avai…
cpardue09's tweet image. #ln -s :malware_traffic: RT @Unit42_Intel: 2023-09-28 (Thursday) - #IcedID (#Bokbot) infection led to #BackConnect traffic and #KeyholeVNC on 172.86.75[.]88:443 and HTTPS traffic for #CobaltStrike on umomrmwa[.]com using 141.98.80[.]158:443. Details avai…
cpardue09's tweet image. #ln -s :malware_traffic: RT @Unit42_Intel: 2023-09-28 (Thursday) - #IcedID (#Bokbot) infection led to #BackConnect traffic and #KeyholeVNC on 172.86.75[.]88:443 and HTTPS traffic for #CobaltStrike on umomrmwa[.]com using 141.98.80[.]158:443. Details avai…
0
0
0
0
279
Max_Mal_'s profile picture. Threat Researcher, Blue Team, DFIR, Malware Analysis, and Reverse Engineering. “⚔️What do we say to God of malware, Not today⚔️”
Max_Malyutin
 @Max_Mal_
24 apr 2023

#IcedID (#Bokbot) sample: bazaar.abuse.ch/sample/5f5f782… Thank you @k3dg3 for uploading 🙇‍♂️

0
2
8
0
956
phantmradar's profile picture. Independent, community-driven cyber threat intelligence project. Operated by individual researchers. Not affiliated with or funded by any for-profit entity.
Phantom Radar Project 🇺🇸 🦅
@phantmradar
4 giu 2024

1099Misc.inf file related to the sample "Tax Organizer.exe" SHA256 3afc8ef18d02bf8c40ba4fb029058c1f7d4bfb10f05d0dd281db6695091100ae virustotal.com/gui/file/3afc8… #iceid #remcos #bokbot

phantmradar's profile picture. Independent, community-driven cyber threat intelligence project. Operated by individual researchers. Not affiliated with or funded by any for-profit entity.
Phantom Radar Project 🇺🇸 🦅
@phantmradar
3 giu 2024

#iceid suspected #malware 0/72 VT virustotal.com/gui/file/08c7f…

0
0
0
0
149
1
0
0
0
92
Unit42_Intel's profile picture. The latest research and news from Unit 42, the Palo Alto Networks (@paloaltontwks) Threat Intelligence and Security Consulting Team covering incident response.
Unit 42
 @Unit42_Intel
28 nov 2023

2023-11-27 (Monday) - #TA577 pushes #IcedID (#Bokbot) variant. List of IOCs available at bit.ly/47X6kPn #Unit42ThreatIntel #TimelyThreatIntel #Wireshark

Unit42_Intel's tweet image. 2023-11-27 (Monday) - #TA577 pushes #IcedID (#Bokbot) variant. List of IOCs available at bit.ly/47X6kPn #Unit42ThreatIntel #TimelyThreatIntel #Wireshark
Unit42_Intel's tweet image. 2023-11-27 (Monday) - #TA577 pushes #IcedID (#Bokbot) variant. List of IOCs available at bit.ly/47X6kPn #Unit42ThreatIntel #TimelyThreatIntel #Wireshark
Unit42_Intel's tweet image. 2023-11-27 (Monday) - #TA577 pushes #IcedID (#Bokbot) variant. List of IOCs available at bit.ly/47X6kPn #Unit42ThreatIntel #TimelyThreatIntel #Wireshark
Unit42_Intel's tweet image. 2023-11-27 (Monday) - #TA577 pushes #IcedID (#Bokbot) variant. List of IOCs available at bit.ly/47X6kPn #Unit42ThreatIntel #TimelyThreatIntel #Wireshark
0
31
81
13
13K
gikobookmark's profile picture. 旧:個人的なブックマーク代わりのアカウント。ポスト内容はGoogle翻訳。 現:趣味のプログラミングのメモ。
技巧@📘🖊ブックマークbot
 @gikobookmark
2 nov 2023

2023-10-31 (火曜日) - MSI ファイルから#IcedID ( #Bokbot ) に感染。通常の HTTPS C2 トラフィックに加えて、159.89.124[.]188:443 で IcedID BackConnect アクティビティが確認されました。

Unit42_Intel's profile picture. The latest research and news from Unit 42, the Palo Alto Networks (@paloaltontwks) Threat Intelligence and Security Consulting Team covering incident response.
Unit 42
 @Unit42_Intel
1 nov 2023

2023-10-31 (Tuesday) - #IcedID (#Bokbot) infection from an MSI file. Along with the regular HTTPS C2 traffic, we saw IcedID BackConnect activity on 159.89.124[.]188:443. List of indicators available at bit.ly/3Mq0tJL #TimelyThreatIntel #Unit42ThreatIntel #Wireshark

Unit42_Intel's tweet image. 2023-10-31 (Tuesday) - #IcedID (#Bokbot) infection from an MSI file. Along with the regular HTTPS C2 traffic, we saw IcedID BackConnect activity on 159.89.124[.]188:443. List of indicators available at bit.ly/3Mq0tJL #TimelyThreatIntel #Unit42ThreatIntel #Wireshark
Unit42_Intel's tweet image. 2023-10-31 (Tuesday) - #IcedID (#Bokbot) infection from an MSI file. Along with the regular HTTPS C2 traffic, we saw IcedID BackConnect activity on 159.89.124[.]188:443. List of indicators available at bit.ly/3Mq0tJL #TimelyThreatIntel #Unit42ThreatIntel #Wireshark
Unit42_Intel's tweet image. 2023-10-31 (Tuesday) - #IcedID (#Bokbot) infection from an MSI file. Along with the regular HTTPS C2 traffic, we saw IcedID BackConnect activity on 159.89.124[.]188:443. List of indicators available at bit.ly/3Mq0tJL #TimelyThreatIntel #Unit42ThreatIntel #Wireshark
Unit42_Intel's tweet image. 2023-10-31 (Tuesday) - #IcedID (#Bokbot) infection from an MSI file. Along with the regular HTTPS C2 traffic, we saw IcedID BackConnect activity on 159.89.124[.]188:443. List of indicators available at bit.ly/3Mq0tJL #TimelyThreatIntel #Unit42ThreatIntel #Wireshark
0
32
98
19
21K
0
0
0
0
114
cpardue09's profile picture. Look mom, I automated my twitter again!
Chris Pardue
 @cpardue09
1 nov 2023

#ln -s :malware_traffic: RT @Unit42_Intel: 2023-10-31 (Tuesday) - #IcedID (#Bokbot) infection from an MSI file. Along with the regular HTTPS C2 traffic, we saw IcedID BackConnect activity on 159.89.124[.]188:443. List of indicators available at …

cpardue09's tweet image. #ln -s :malware_traffic: RT @Unit42_Intel: 2023-10-31 (Tuesday) - #IcedID (#Bokbot) infection from an MSI file. Along with the regular HTTPS C2 traffic, we saw IcedID BackConnect activity on 159.89.124[.]188:443. List of indicators available at …
cpardue09's tweet image. #ln -s :malware_traffic: RT @Unit42_Intel: 2023-10-31 (Tuesday) - #IcedID (#Bokbot) infection from an MSI file. Along with the regular HTTPS C2 traffic, we saw IcedID BackConnect activity on 159.89.124[.]188:443. List of indicators available at …
cpardue09's tweet image. #ln -s :malware_traffic: RT @Unit42_Intel: 2023-10-31 (Tuesday) - #IcedID (#Bokbot) infection from an MSI file. Along with the regular HTTPS C2 traffic, we saw IcedID BackConnect activity on 159.89.124[.]188:443. List of indicators available at …
cpardue09's tweet image. #ln -s :malware_traffic: RT @Unit42_Intel: 2023-10-31 (Tuesday) - #IcedID (#Bokbot) infection from an MSI file. Along with the regular HTTPS C2 traffic, we saw IcedID BackConnect activity on 159.89.124[.]188:443. List of indicators available at …
0
1
0
0
106
Unit42_Intel's profile picture. The latest research and news from Unit 42, the Palo Alto Networks (@paloaltontwks) Threat Intelligence and Security Consulting Team covering incident response.
Unit 42
 @Unit42_Intel
1 nov 2023

2023-10-31 (Tuesday) - #IcedID (#Bokbot) infection from an MSI file. Along with the regular HTTPS C2 traffic, we saw IcedID BackConnect activity on 159.89.124[.]188:443. List of indicators available at bit.ly/3Mq0tJL #TimelyThreatIntel #Unit42ThreatIntel #Wireshark

Unit42_Intel's tweet image. 2023-10-31 (Tuesday) - #IcedID (#Bokbot) infection from an MSI file. Along with the regular HTTPS C2 traffic, we saw IcedID BackConnect activity on 159.89.124[.]188:443. List of indicators available at bit.ly/3Mq0tJL #TimelyThreatIntel #Unit42ThreatIntel #Wireshark
Unit42_Intel's tweet image. 2023-10-31 (Tuesday) - #IcedID (#Bokbot) infection from an MSI file. Along with the regular HTTPS C2 traffic, we saw IcedID BackConnect activity on 159.89.124[.]188:443. List of indicators available at bit.ly/3Mq0tJL #TimelyThreatIntel #Unit42ThreatIntel #Wireshark
Unit42_Intel's tweet image. 2023-10-31 (Tuesday) - #IcedID (#Bokbot) infection from an MSI file. Along with the regular HTTPS C2 traffic, we saw IcedID BackConnect activity on 159.89.124[.]188:443. List of indicators available at bit.ly/3Mq0tJL #TimelyThreatIntel #Unit42ThreatIntel #Wireshark
Unit42_Intel's tweet image. 2023-10-31 (Tuesday) - #IcedID (#Bokbot) infection from an MSI file. Along with the regular HTTPS C2 traffic, we saw IcedID BackConnect activity on 159.89.124[.]188:443. List of indicators available at bit.ly/3Mq0tJL #TimelyThreatIntel #Unit42ThreatIntel #Wireshark
0
32
98
19
21K
JAMESWT_WT's profile picture. #Independent #Malware #Hunter #CyberSecurity #InfoSec https://t.co/KCFBJcHHcW https://t.co/WODUKncjFy
JAMESWT
 @JAMESWT_WT
12 ott 2023

#IcedID (#Bokbot) >#KeyholeVNC => #CobaltStrike Spam Email Campaign Urls urlhaus.abuse.ch/browse/tag/pw-… Samples bazaar.abuse.ch/browse/tag/ges… Run app.any.run/tasks/3fa451b1… C2s: skrechelres[.]com jerryposter[.]com jkbarmossen[.]com evinakortu[.]com hofsaalos[.]com 1/2

JAMESWT_WT's tweet image. #IcedID (#Bokbot) >#KeyholeVNC => #CobaltStrike Spam Email Campaign Urls urlhaus.abuse.ch/browse/tag/pw-… Samples bazaar.abuse.ch/browse/tag/ges… Run app.any.run/tasks/3fa451b1… C2s: skrechelres[.]com jerryposter[.]com jkbarmossen[.]com evinakortu[.]com hofsaalos[.]com 1/2
JAMESWT_WT's tweet image. #IcedID (#Bokbot) >#KeyholeVNC => #CobaltStrike Spam Email Campaign Urls urlhaus.abuse.ch/browse/tag/pw-… Samples bazaar.abuse.ch/browse/tag/ges… Run app.any.run/tasks/3fa451b1… C2s: skrechelres[.]com jerryposter[.]com jkbarmossen[.]com evinakortu[.]com hofsaalos[.]com 1/2
JAMESWT_WT's tweet image. #IcedID (#Bokbot) >#KeyholeVNC => #CobaltStrike Spam Email Campaign Urls urlhaus.abuse.ch/browse/tag/pw-… Samples bazaar.abuse.ch/browse/tag/ges… Run app.any.run/tasks/3fa451b1… C2s: skrechelres[.]com jerryposter[.]com jkbarmossen[.]com evinakortu[.]com hofsaalos[.]com 1/2
JAMESWT_WT's tweet image. #IcedID (#Bokbot) >#KeyholeVNC => #CobaltStrike Spam Email Campaign Urls urlhaus.abuse.ch/browse/tag/pw-… Samples bazaar.abuse.ch/browse/tag/ges… Run app.any.run/tasks/3fa451b1… C2s: skrechelres[.]com jerryposter[.]com jkbarmossen[.]com evinakortu[.]com hofsaalos[.]com 1/2
1
18
47
7
9K
cpardue09's profile picture. Look mom, I automated my twitter again!
Chris Pardue
 @cpardue09
30 set 2023

#ln -s :malware_traffic: RT @Unit42_Intel: 2023-09-28 (Thursday) - #IcedID (#Bokbot) infection led to #BackConnect traffic and #KeyholeVNC on 172.86.75[.]88:443 and HTTPS traffic for #CobaltStrike on umomrmwa[.]com using 141.98.80[.]158:443. Details avai…

cpardue09's tweet image. #ln -s :malware_traffic: RT @Unit42_Intel: 2023-09-28 (Thursday) - #IcedID (#Bokbot) infection led to #BackConnect traffic and #KeyholeVNC on 172.86.75[.]88:443 and HTTPS traffic for #CobaltStrike on umomrmwa[.]com using 141.98.80[.]158:443. Details avai…
cpardue09's tweet image. #ln -s :malware_traffic: RT @Unit42_Intel: 2023-09-28 (Thursday) - #IcedID (#Bokbot) infection led to #BackConnect traffic and #KeyholeVNC on 172.86.75[.]88:443 and HTTPS traffic for #CobaltStrike on umomrmwa[.]com using 141.98.80[.]158:443. Details avai…
cpardue09's tweet image. #ln -s :malware_traffic: RT @Unit42_Intel: 2023-09-28 (Thursday) - #IcedID (#Bokbot) infection led to #BackConnect traffic and #KeyholeVNC on 172.86.75[.]88:443 and HTTPS traffic for #CobaltStrike on umomrmwa[.]com using 141.98.80[.]158:443. Details avai…
cpardue09's tweet image. #ln -s :malware_traffic: RT @Unit42_Intel: 2023-09-28 (Thursday) - #IcedID (#Bokbot) infection led to #BackConnect traffic and #KeyholeVNC on 172.86.75[.]88:443 and HTTPS traffic for #CobaltStrike on umomrmwa[.]com using 141.98.80[.]158:443. Details avai…
0
0
0
0
279
Unit42_Intel's profile picture. The latest research and news from Unit 42, the Palo Alto Networks (@paloaltontwks) Threat Intelligence and Security Consulting Team covering incident response.
Unit 42
 @Unit42_Intel
29 set 2023

2023-09-28 (Thursday) - #IcedID (#Bokbot) infection led to #BackConnect traffic and #KeyholeVNC on 172.86.75[.]88:443 and HTTPS traffic for #CobaltStrike on umomrmwa[.]com using 141.98.80[.]158:443. Details available at github.com/PaloAltoNetwor…

Unit42_Intel's tweet image. 2023-09-28 (Thursday) - #IcedID (#Bokbot) infection led to #BackConnect traffic and #KeyholeVNC on 172.86.75[.]88:443 and HTTPS traffic for #CobaltStrike on umomrmwa[.]com using 141.98.80[.]158:443. Details available at github.com/PaloAltoNetwor…
Unit42_Intel's tweet image. 2023-09-28 (Thursday) - #IcedID (#Bokbot) infection led to #BackConnect traffic and #KeyholeVNC on 172.86.75[.]88:443 and HTTPS traffic for #CobaltStrike on umomrmwa[.]com using 141.98.80[.]158:443. Details available at github.com/PaloAltoNetwor…
Unit42_Intel's tweet image. 2023-09-28 (Thursday) - #IcedID (#Bokbot) infection led to #BackConnect traffic and #KeyholeVNC on 172.86.75[.]88:443 and HTTPS traffic for #CobaltStrike on umomrmwa[.]com using 141.98.80[.]158:443. Details available at github.com/PaloAltoNetwor…
Unit42_Intel's tweet image. 2023-09-28 (Thursday) - #IcedID (#Bokbot) infection led to #BackConnect traffic and #KeyholeVNC on 172.86.75[.]88:443 and HTTPS traffic for #CobaltStrike on umomrmwa[.]com using 141.98.80[.]158:443. Details available at github.com/PaloAltoNetwor…
0
42
128
20
23K
cpardue09's profile picture. Look mom, I automated my twitter again!
Chris Pardue
 @cpardue09
1 set 2023

#ln -s :malware_traffic: @Unit42_Intel Email examples and malware samples for these two waves of #IcedID (#Bokbot) are now available at: 2023-08-29: malware-traffic-analysis.net/2023/08/29/ind… 2023-08-31: malware-traffic-analysis.net/2023/08/31/ind… I wasn't able to get a full infection ru…

0
0
0
0
159
Unit42_Intel's profile picture. The latest research and news from Unit 42, the Palo Alto Networks (@paloaltontwks) Threat Intelligence and Security Consulting Team covering incident response.
Unit 42
 @Unit42_Intel
1 set 2023

2023-08-29 (Tues) & 08-31 (Thu) we saw #threadhijacked emails pushing #IcedID (#Bokbot). - Some IOCs from the 08-29 wave are available at bit.ly/3PoCXPy - Some IOCs from the 08-31 wave are available at bit.ly/3P3ybFo #cybercrime #TimelyThreatIntelligence

Unit42_Intel's tweet image. 2023-08-29 (Tues) & 08-31 (Thu) we saw #threadhijacked emails pushing #IcedID (#Bokbot). - Some IOCs from the 08-29 wave are available at bit.ly/3PoCXPy - Some IOCs from the 08-31 wave are available at bit.ly/3P3ybFo #cybercrime #TimelyThreatIntelligence
Unit42_Intel's tweet image. 2023-08-29 (Tues) & 08-31 (Thu) we saw #threadhijacked emails pushing #IcedID (#Bokbot). - Some IOCs from the 08-29 wave are available at bit.ly/3PoCXPy - Some IOCs from the 08-31 wave are available at bit.ly/3P3ybFo #cybercrime #TimelyThreatIntelligence
Unit42_Intel's tweet image. 2023-08-29 (Tues) & 08-31 (Thu) we saw #threadhijacked emails pushing #IcedID (#Bokbot). - Some IOCs from the 08-29 wave are available at bit.ly/3PoCXPy - Some IOCs from the 08-31 wave are available at bit.ly/3P3ybFo #cybercrime #TimelyThreatIntelligence
Unit42_Intel's tweet image. 2023-08-29 (Tues) & 08-31 (Thu) we saw #threadhijacked emails pushing #IcedID (#Bokbot). - Some IOCs from the 08-29 wave are available at bit.ly/3PoCXPy - Some IOCs from the 08-31 wave are available at bit.ly/3P3ybFo #cybercrime #TimelyThreatIntelligence
0
22
48
7
9K
Unit42_Intel's profile picture. The latest research and news from Unit 42, the Palo Alto Networks (@paloaltontwks) Threat Intelligence and Security Consulting Team covering incident response.
Unit 42
 @Unit42_Intel
10 ago 2023

2023-08-09 (Wednesday) — Trojanized Webex .msix installer package contains PowerShell script to install #IcedID (#Bokbot). We also saw #BackConnect traffic and #KeyholeVNC from the infection. List of indicators available at bit.ly/3s1UTpL

Unit42_Intel's tweet image. 2023-08-09 (Wednesday) — Trojanized Webex .msix installer package contains PowerShell script to install #IcedID (#Bokbot). We also saw #BackConnect traffic and #KeyholeVNC from the infection. List of indicators available at bit.ly/3s1UTpL
Unit42_Intel's tweet image. 2023-08-09 (Wednesday) — Trojanized Webex .msix installer package contains PowerShell script to install #IcedID (#Bokbot). We also saw #BackConnect traffic and #KeyholeVNC from the infection. List of indicators available at bit.ly/3s1UTpL
Unit42_Intel's tweet image. 2023-08-09 (Wednesday) — Trojanized Webex .msix installer package contains PowerShell script to install #IcedID (#Bokbot). We also saw #BackConnect traffic and #KeyholeVNC from the infection. List of indicators available at bit.ly/3s1UTpL
Unit42_Intel's tweet image. 2023-08-09 (Wednesday) — Trojanized Webex .msix installer package contains PowerShell script to install #IcedID (#Bokbot). We also saw #BackConnect traffic and #KeyholeVNC from the infection. List of indicators available at bit.ly/3s1UTpL
0
65
157
23
26K
Unit42_Intel's profile picture. The latest research and news from Unit 42, the Palo Alto Networks (@paloaltontwks) Threat Intelligence and Security Consulting Team covering incident response.
Unit 42
 @Unit42_Intel
29 giu 2023

2023-06-28 (Wednesday): #IcedID (#Bokbot) had some trouble with distribution, because initial links had a space (%20) appended to the IP address in the URL. We corrected one of those links and generated an infection. List of IoCs at bit.ly/3XAjxJJ

Unit42_Intel's tweet image. 2023-06-28 (Wednesday): #IcedID (#Bokbot) had some trouble with distribution, because initial links had a space (%20) appended to the IP address in the URL. We corrected one of those links and generated an infection. List of IoCs at bit.ly/3XAjxJJ
Unit42_Intel's tweet image. 2023-06-28 (Wednesday): #IcedID (#Bokbot) had some trouble with distribution, because initial links had a space (%20) appended to the IP address in the URL. We corrected one of those links and generated an infection. List of IoCs at bit.ly/3XAjxJJ
Unit42_Intel's tweet image. 2023-06-28 (Wednesday): #IcedID (#Bokbot) had some trouble with distribution, because initial links had a space (%20) appended to the IP address in the URL. We corrected one of those links and generated an infection. List of IoCs at bit.ly/3XAjxJJ
Unit42_Intel's tweet image. 2023-06-28 (Wednesday): #IcedID (#Bokbot) had some trouble with distribution, because initial links had a space (%20) appended to the IP address in the URL. We corrected one of those links and generated an infection. List of IoCs at bit.ly/3XAjxJJ
0
19
59
9
11K
Unit42_Intel's profile picture. The latest research and news from Unit 42, the Palo Alto Networks (@paloaltontwks) Threat Intelligence and Security Consulting Team covering incident response.
Unit 42
 @Unit42_Intel
30 mag 2023

The answers to our latest #Wireshark tutorial are now live. Determine how well you did as we walk through the infection traffic of #IcedID (aka #BokBot) — a known vector for ransomware infections. #Unit42LovesWireshark bit.ly/3IKMIDH

Unit42_Intel's tweet image. The answers to our latest #Wireshark tutorial are now live. Determine how well you did as we walk through the infection traffic of #IcedID (aka #BokBot) — a known vector for ransomware infections. #Unit42LovesWireshark bit.ly/3IKMIDH
1
5
25
4
6K
Unit42_Intel's profile picture. The latest research and news from Unit 42, the Palo Alto Networks (@paloaltontwks) Threat Intelligence and Security Consulting Team covering incident response.
Unit 42
 @Unit42_Intel
29 mag 2023

Do you lack access to full packet capture in your current IT environment? If you want to improve your skills analyzing #malware traffic, dive into our latest Wireshark tutorial — we investigate an infection from the banking Trojan #IcedID (aka #BokBot). bit.ly/3BUdaHp

Unit42_Intel's tweet image. Do you lack access to full packet capture in your current IT environment? If you want to improve your skills analyzing #malware traffic, dive into our latest Wireshark tutorial — we investigate an infection from the banking Trojan #IcedID (aka #BokBot). bit.ly/3BUdaHp
0
15
32
9
7K
Unit42_Intel's profile picture. The latest research and news from Unit 42, the Palo Alto Networks (@paloaltontwks) Threat Intelligence and Security Consulting Team covering incident response.
Unit 42
 @Unit42_Intel
26 mag 2023

Our latest Wireshark tutorial walks the analyst through an #IcedID (#BokBot) infection. You’ll examine the traffic, identify the victim and enhance your #pcap analysis skills. #Unit42LovesWireshark bit.ly/3BUdaHp

Unit42_Intel's tweet image. Our latest Wireshark tutorial walks the analyst through an #IcedID (#BokBot) infection. You’ll examine the traffic, identify the victim and enhance your #pcap analysis skills. #Unit42LovesWireshark bit.ly/3BUdaHp
0
24
60
24
13K
cpardue09's profile picture. Look mom, I automated my twitter again!
Chris Pardue
 @cpardue09
12 mag 2023

#ln -s :malware_traffic: RT @Unit42_Intel: 2023-05-10 (Wednesday): Standard variant #IcedID (#BokBot) infection led to #BackConnect activity on 139.59.33[.]128:443 with #KeyholeVNC. Also saw #CobaltStrike from this infection using HTTP traffic to thetech…

cpardue09's tweet image. #ln -s :malware_traffic: RT @Unit42_Intel: 2023-05-10 (Wednesday): Standard variant #IcedID (#BokBot) infection led to #BackConnect activity on 139.59.33[.]128:443 with #KeyholeVNC. Also saw #CobaltStrike from this infection using HTTP traffic to thetech…
cpardue09's tweet image. #ln -s :malware_traffic: RT @Unit42_Intel: 2023-05-10 (Wednesday): Standard variant #IcedID (#BokBot) infection led to #BackConnect activity on 139.59.33[.]128:443 with #KeyholeVNC. Also saw #CobaltStrike from this infection using HTTP traffic to thetech…
cpardue09's tweet image. #ln -s :malware_traffic: RT @Unit42_Intel: 2023-05-10 (Wednesday): Standard variant #IcedID (#BokBot) infection led to #BackConnect activity on 139.59.33[.]128:443 with #KeyholeVNC. Also saw #CobaltStrike from this infection using HTTP traffic to thetech…
cpardue09's tweet image. #ln -s :malware_traffic: RT @Unit42_Intel: 2023-05-10 (Wednesday): Standard variant #IcedID (#BokBot) infection led to #BackConnect activity on 139.59.33[.]128:443 with #KeyholeVNC. Also saw #CobaltStrike from this infection using HTTP traffic to thetech…
1
0
1
0
200
cpardue09's profile picture. Look mom, I automated my twitter again!
Chris Pardue
 @cpardue09
12 mag 2023

#ln -s :malware_traffic: RT @Unit42_Intel: 2023-05-10 (Wednesday): Standard variant #IcedID (#BokBot) infection led to #BackConnect activity on 139.59.33[.]128:443 with #KeyholeVNC. Also saw #CobaltStrike from this infection using HTTP traffic to thetech…

cpardue09's tweet image. #ln -s :malware_traffic: RT @Unit42_Intel: 2023-05-10 (Wednesday): Standard variant #IcedID (#BokBot) infection led to #BackConnect activity on 139.59.33[.]128:443 with #KeyholeVNC. Also saw #CobaltStrike from this infection using HTTP traffic to thetech…
cpardue09's tweet image. #ln -s :malware_traffic: RT @Unit42_Intel: 2023-05-10 (Wednesday): Standard variant #IcedID (#BokBot) infection led to #BackConnect activity on 139.59.33[.]128:443 with #KeyholeVNC. Also saw #CobaltStrike from this infection using HTTP traffic to thetech…
cpardue09's tweet image. #ln -s :malware_traffic: RT @Unit42_Intel: 2023-05-10 (Wednesday): Standard variant #IcedID (#BokBot) infection led to #BackConnect activity on 139.59.33[.]128:443 with #KeyholeVNC. Also saw #CobaltStrike from this infection using HTTP traffic to thetech…
cpardue09's tweet image. #ln -s :malware_traffic: RT @Unit42_Intel: 2023-05-10 (Wednesday): Standard variant #IcedID (#BokBot) infection led to #BackConnect activity on 139.59.33[.]128:443 with #KeyholeVNC. Also saw #CobaltStrike from this infection using HTTP traffic to thetech…
1
0
1
0
200
cpardue09's profile picture. Look mom, I automated my twitter again!
Chris Pardue
 @cpardue09
15 apr 2023

#ln -s :malware_traffic: 2023-04-14 (Friday) - Quick post: #IcedID (#Bokbot) activity - one email, 28 PDF files, 8 password-protected zips, 8 extracted EXE s for IcedID, & #pcap from an infection. This actor abusing Google's firebasestorage again to host…

0
0
0
0
150
cpardue09's profile picture. Look mom, I automated my twitter again!
Chris Pardue
 @cpardue09
11 apr 2023

#ln -s :malware_traffic: RT @Unit42_Intel: 2023-04-11 (Tuesday) - #IcedID (#BokBot) update: #BackConnect traffic from IcedID infection seen on 45.61.137[.]159:443. Prior to this, IcedID BackConnect traffic used TCP port 8080, but today's BackConnect was …

cpardue09's tweet image. #ln -s :malware_traffic: RT @Unit42_Intel: 2023-04-11 (Tuesday) - #IcedID (#BokBot) update: #BackConnect traffic from IcedID infection seen on 45.61.137[.]159:443. Prior to this, IcedID BackConnect traffic used TCP port 8080, but today's BackConnect was …
cpardue09's tweet image. #ln -s :malware_traffic: RT @Unit42_Intel: 2023-04-11 (Tuesday) - #IcedID (#BokBot) update: #BackConnect traffic from IcedID infection seen on 45.61.137[.]159:443. Prior to this, IcedID BackConnect traffic used TCP port 8080, but today's BackConnect was …
cpardue09's tweet image. #ln -s :malware_traffic: RT @Unit42_Intel: 2023-04-11 (Tuesday) - #IcedID (#BokBot) update: #BackConnect traffic from IcedID infection seen on 45.61.137[.]159:443. Prior to this, IcedID BackConnect traffic used TCP port 8080, but today's BackConnect was …
cpardue09's tweet image. #ln -s :malware_traffic: RT @Unit42_Intel: 2023-04-11 (Tuesday) - #IcedID (#BokBot) update: #BackConnect traffic from IcedID infection seen on 45.61.137[.]159:443. Prior to this, IcedID BackConnect traffic used TCP port 8080, but today's BackConnect was …
0
0
0
0
92
cpardue09's profile picture. Look mom, I automated my twitter again!
Chris Pardue
 @cpardue09
9 feb 2023

#ln -s :malware_traffic: RT @Unit42_Intel: 2023-02-08 (Wednesday) As follow-up to an #IcedID (#Bokbot) infection, we saw a #CobaltStrike stager hosted at hxxp://167.172.154[.]189/b360802.dll with follow-up Cobalt Strike C2 on 79.132.128[.]191:443 using d…

cpardue09's tweet image. #ln -s :malware_traffic: RT @Unit42_Intel: 2023-02-08 (Wednesday) As follow-up to an #IcedID (#Bokbot) infection, we saw a #CobaltStrike stager hosted at hxxp://167.172.154[.]189/b360802.dll with follow-up Cobalt Strike C2 on 79.132.128[.]191:443 using d…
cpardue09's tweet image. #ln -s :malware_traffic: RT @Unit42_Intel: 2023-02-08 (Wednesday) As follow-up to an #IcedID (#Bokbot) infection, we saw a #CobaltStrike stager hosted at hxxp://167.172.154[.]189/b360802.dll with follow-up Cobalt Strike C2 on 79.132.128[.]191:443 using d…
cpardue09's tweet image. #ln -s :malware_traffic: RT @Unit42_Intel: 2023-02-08 (Wednesday) As follow-up to an #IcedID (#Bokbot) infection, we saw a #CobaltStrike stager hosted at hxxp://167.172.154[.]189/b360802.dll with follow-up Cobalt Strike C2 on 79.132.128[.]191:443 using d…
0
0
0
1
149
JAMESWT_WT's profile picture. #Independent #Malware #Hunter #CyberSecurity #InfoSec https://t.co/KCFBJcHHcW https://t.co/WODUKncjFy
JAMESWT
 @JAMESWT_WT
12 ott 2023

#IcedID (#Bokbot) >#KeyholeVNC => #CobaltStrike Spam Email Campaign Urls urlhaus.abuse.ch/browse/tag/pw-… Samples bazaar.abuse.ch/browse/tag/ges… Run app.any.run/tasks/3fa451b1… C2s: skrechelres[.]com jerryposter[.]com jkbarmossen[.]com evinakortu[.]com hofsaalos[.]com 1/2

JAMESWT_WT's tweet image. #IcedID (#Bokbot) >#KeyholeVNC => #CobaltStrike Spam Email Campaign Urls urlhaus.abuse.ch/browse/tag/pw-… Samples bazaar.abuse.ch/browse/tag/ges… Run app.any.run/tasks/3fa451b1… C2s: skrechelres[.]com jerryposter[.]com jkbarmossen[.]com evinakortu[.]com hofsaalos[.]com 1/2
JAMESWT_WT's tweet image. #IcedID (#Bokbot) >#KeyholeVNC => #CobaltStrike Spam Email Campaign Urls urlhaus.abuse.ch/browse/tag/pw-… Samples bazaar.abuse.ch/browse/tag/ges… Run app.any.run/tasks/3fa451b1… C2s: skrechelres[.]com jerryposter[.]com jkbarmossen[.]com evinakortu[.]com hofsaalos[.]com 1/2
JAMESWT_WT's tweet image. #IcedID (#Bokbot) >#KeyholeVNC => #CobaltStrike Spam Email Campaign Urls urlhaus.abuse.ch/browse/tag/pw-… Samples bazaar.abuse.ch/browse/tag/ges… Run app.any.run/tasks/3fa451b1… C2s: skrechelres[.]com jerryposter[.]com jkbarmossen[.]com evinakortu[.]com hofsaalos[.]com 1/2
JAMESWT_WT's tweet image. #IcedID (#Bokbot) >#KeyholeVNC => #CobaltStrike Spam Email Campaign Urls urlhaus.abuse.ch/browse/tag/pw-… Samples bazaar.abuse.ch/browse/tag/ges… Run app.any.run/tasks/3fa451b1… C2s: skrechelres[.]com jerryposter[.]com jkbarmossen[.]com evinakortu[.]com hofsaalos[.]com 1/2
1
18
47
7
9K
cpardue09's profile picture. Look mom, I automated my twitter again!
Chris Pardue
 @cpardue09
13 feb 2023

#ln -s :malware_traffic: RT @Unit42_Intel: 2023-02-13 (Monday) - Fake Microsoft Teams page on microsofteamsus[.]top pushing #IcedID (#Bokbot). Page established on Thursday, 2023-02-09, likely set up for the same type of #malvertising seen recently using …

cpardue09's tweet image. #ln -s :malware_traffic: RT @Unit42_Intel: 2023-02-13 (Monday) - Fake Microsoft Teams page on microsofteamsus[.]top pushing #IcedID (#Bokbot). Page established on Thursday, 2023-02-09, likely set up for the same type of #malvertising seen recently using …
cpardue09's tweet image. #ln -s :malware_traffic: RT @Unit42_Intel: 2023-02-13 (Monday) - Fake Microsoft Teams page on microsofteamsus[.]top pushing #IcedID (#Bokbot). Page established on Thursday, 2023-02-09, likely set up for the same type of #malvertising seen recently using …
cpardue09's tweet image. #ln -s :malware_traffic: RT @Unit42_Intel: 2023-02-13 (Monday) - Fake Microsoft Teams page on microsofteamsus[.]top pushing #IcedID (#Bokbot). Page established on Thursday, 2023-02-09, likely set up for the same type of #malvertising seen recently using …
cpardue09's tweet image. #ln -s :malware_traffic: RT @Unit42_Intel: 2023-02-13 (Monday) - Fake Microsoft Teams page on microsofteamsus[.]top pushing #IcedID (#Bokbot). Page established on Thursday, 2023-02-09, likely set up for the same type of #malvertising seen recently using …
0
0
1
0
169
cpardue09's profile picture. Look mom, I automated my twitter again!
Chris Pardue
 @cpardue09
1 nov 2023

#ln -s :malware_traffic: RT @Unit42_Intel: 2023-10-31 (Tuesday) - #IcedID (#Bokbot) infection from an MSI file. Along with the regular HTTPS C2 traffic, we saw IcedID BackConnect activity on 159.89.124[.]188:443. List of indicators available at …

cpardue09's tweet image. #ln -s :malware_traffic: RT @Unit42_Intel: 2023-10-31 (Tuesday) - #IcedID (#Bokbot) infection from an MSI file. Along with the regular HTTPS C2 traffic, we saw IcedID BackConnect activity on 159.89.124[.]188:443. List of indicators available at …
cpardue09's tweet image. #ln -s :malware_traffic: RT @Unit42_Intel: 2023-10-31 (Tuesday) - #IcedID (#Bokbot) infection from an MSI file. Along with the regular HTTPS C2 traffic, we saw IcedID BackConnect activity on 159.89.124[.]188:443. List of indicators available at …
cpardue09's tweet image. #ln -s :malware_traffic: RT @Unit42_Intel: 2023-10-31 (Tuesday) - #IcedID (#Bokbot) infection from an MSI file. Along with the regular HTTPS C2 traffic, we saw IcedID BackConnect activity on 159.89.124[.]188:443. List of indicators available at …
cpardue09's tweet image. #ln -s :malware_traffic: RT @Unit42_Intel: 2023-10-31 (Tuesday) - #IcedID (#Bokbot) infection from an MSI file. Along with the regular HTTPS C2 traffic, we saw IcedID BackConnect activity on 159.89.124[.]188:443. List of indicators available at …
0
1
0
0
106
cpardue09's profile picture. Look mom, I automated my twitter again!
Chris Pardue
 @cpardue09
12 apr 2023

#ln -s :malware_traffic: RT @sans_isc: ISC Diary: @malware_traffic reviews recent #IcedID (#Bokbot) activity from this week i5c.us/d29740

cpardue09's tweet image. #ln -s :malware_traffic: RT @sans_isc: ISC Diary: @malware_traffic reviews recent #IcedID (#Bokbot) activity from this week i5c.us/d29740
0
0
0
0
128
cpardue09's profile picture. Look mom, I automated my twitter again!
Chris Pardue
 @cpardue09
1 set 2023

#ln -s :malware_traffic: @Unit42_Intel Email examples and malware samples for these two waves of #IcedID (#Bokbot) are now available at: 2023-08-29: malware-traffic-analysis.net/2023/08/29/ind… 2023-08-31: malware-traffic-analysis.net/2023/08/31/ind… I wasn't able to get a full infection ru…

0
0
0
0
159
sans_isc's profile picture. @sans_isc@infosec.exchange - https://t.co/8IgCGtJnZd - Global Network Security Information Sharing Community -
SANS.edu Internet Storm Center
@sans_isc
12 apr 2023

ISC Diary: @malware_traffic reviews recent #IcedID (#Bokbot) activity from this week i5c.us/d29740

sans_isc's tweet image. ISC Diary: @malware_traffic reviews recent #IcedID (#Bokbot) activity from this week i5c.us/d29740
0
17
39
5
11K
cpardue09's profile picture. Look mom, I automated my twitter again!
Chris Pardue
 @cpardue09
19 gen 2023

#ln -s :malware_traffic: 2023-01-16 (Monday): An #IcedID (#Bokbot) infection I did thanks to @pr0xylife sharing a PDF on Malware Bazaar. This one has #BackConnect traffic with #VNC activity, and there's #CobaltStrike too! The #pcap was too good -not- to …

0
0
0
0
143
cpardue09's profile picture. Look mom, I automated my twitter again!
Chris Pardue
 @cpardue09
24 mar 2023

#ln -s :malware_traffic: RT @Unit42_Intel: 2023-03-24 (Friday) - #IcedID (#Bokbot) infection generated #BackConnect traffic over 193.239.85[.]16:8080 led to #CobaltStrike on 31.220.50[.]207:80 using voiceinfosys[.]net

cpardue09's tweet image. #ln -s :malware_traffic: RT @Unit42_Intel: 2023-03-24 (Friday) - #IcedID (#Bokbot) infection generated #BackConnect traffic over 193.239.85[.]16:8080 led to #CobaltStrike on 31.220.50[.]207:80 using voiceinfosys[.]net
cpardue09's tweet image. #ln -s :malware_traffic: RT @Unit42_Intel: 2023-03-24 (Friday) - #IcedID (#Bokbot) infection generated #BackConnect traffic over 193.239.85[.]16:8080 led to #CobaltStrike on 31.220.50[.]207:80 using voiceinfosys[.]net
0
1
0
0
223
Max_Mal_'s profile picture. Threat Researcher, Blue Team, DFIR, Malware Analysis, and Reverse Engineering. “⚔️What do we say to God of malware, Not today⚔️”
Max_Malyutin
 @Max_Mal_
24 apr 2023

#IcedID (#Bokbot) resource section #MalwareAnalysis 2 resources with high entropy❓ [+] resources contain string pattern NtAllocateVirtualMemory [create new pages RWX] > jmp with XOR (contains string pattern + resources) [+] StringP = XOR key [+] resource decoded to DLL loader

Max_Mal_'s tweet image. #IcedID (#Bokbot) resource section #MalwareAnalysis 2 resources with high entropy❓ [+] resources contain string pattern NtAllocateVirtualMemory [create new pages RWX] > jmp with XOR (contains string pattern + resources) [+] StringP = XOR key [+] resource decoded to DLL loader
Max_Mal_'s tweet image. #IcedID (#Bokbot) resource section #MalwareAnalysis 2 resources with high entropy❓ [+] resources contain string pattern NtAllocateVirtualMemory [create new pages RWX] > jmp with XOR (contains string pattern + resources) [+] StringP = XOR key [+] resource decoded to DLL loader
Max_Mal_'s tweet image. #IcedID (#Bokbot) resource section #MalwareAnalysis 2 resources with high entropy❓ [+] resources contain string pattern NtAllocateVirtualMemory [create new pages RWX] > jmp with XOR (contains string pattern + resources) [+] StringP = XOR key [+] resource decoded to DLL loader
Max_Mal_'s tweet image. #IcedID (#Bokbot) resource section #MalwareAnalysis 2 resources with high entropy❓ [+] resources contain string pattern NtAllocateVirtualMemory [create new pages RWX] > jmp with XOR (contains string pattern + resources) [+] StringP = XOR key [+] resource decoded to DLL loader
1
36
106
12
11K
cpardue09's profile picture. Look mom, I automated my twitter again!
Chris Pardue
 @cpardue09
30 set 2023

#ln -s :malware_traffic: RT @Unit42_Intel: 2023-09-28 (Thursday) - #IcedID (#Bokbot) infection led to #BackConnect traffic and #KeyholeVNC on 172.86.75[.]88:443 and HTTPS traffic for #CobaltStrike on umomrmwa[.]com using 141.98.80[.]158:443. Details avai…

cpardue09's tweet image. #ln -s :malware_traffic: RT @Unit42_Intel: 2023-09-28 (Thursday) - #IcedID (#Bokbot) infection led to #BackConnect traffic and #KeyholeVNC on 172.86.75[.]88:443 and HTTPS traffic for #CobaltStrike on umomrmwa[.]com using 141.98.80[.]158:443. Details avai…
cpardue09's tweet image. #ln -s :malware_traffic: RT @Unit42_Intel: 2023-09-28 (Thursday) - #IcedID (#Bokbot) infection led to #BackConnect traffic and #KeyholeVNC on 172.86.75[.]88:443 and HTTPS traffic for #CobaltStrike on umomrmwa[.]com using 141.98.80[.]158:443. Details avai…
cpardue09's tweet image. #ln -s :malware_traffic: RT @Unit42_Intel: 2023-09-28 (Thursday) - #IcedID (#Bokbot) infection led to #BackConnect traffic and #KeyholeVNC on 172.86.75[.]88:443 and HTTPS traffic for #CobaltStrike on umomrmwa[.]com using 141.98.80[.]158:443. Details avai…
cpardue09's tweet image. #ln -s :malware_traffic: RT @Unit42_Intel: 2023-09-28 (Thursday) - #IcedID (#Bokbot) infection led to #BackConnect traffic and #KeyholeVNC on 172.86.75[.]88:443 and HTTPS traffic for #CobaltStrike on umomrmwa[.]com using 141.98.80[.]158:443. Details avai…
0
0
0
0
279
executemalware's profile picture. #malware hunter & analyst. Opinions are my own.
ExecuteMalware
 @executemalware
16 feb 2023

Here are some #icedid #bokbot IOCs from an email that was received today. github.com/executemalware…

executemalware's tweet image. Here are some #icedid #bokbot IOCs from an email that was received today. github.com/executemalware…
0
8
36
2
6K
executemalware's profile picture. #malware hunter & analyst. Opinions are my own.
ExecuteMalware
 @executemalware
15 feb 2023

Here are some #icedid #bokbot IOCs from earlier today. These may have been stragglers from yesterday. Email subject and OneNote file attachment name have different dates. 🤷‍♂️ github.com/executemalware…

executemalware's tweet image. Here are some #icedid #bokbot IOCs from earlier today. These may have been stragglers from yesterday. Email subject and OneNote file attachment name have different dates. 🤷‍♂️ github.com/executemalware…
1
3
17
2
3K
cpardue09's profile picture. Look mom, I automated my twitter again!
Chris Pardue
 @cpardue09
27 feb 2023

#ln -s :malware_traffic: RT @Unit42_Intel: 2023-02-24 (Friday): #IcedID (#Bokbot) --> #BackConnect on 135.148.217[.]85:8080 --> #CobaltStrike on 23.227.203[.]70:80/aspnetcenter[.]com - IoCs available at bit.ly/3J7r51f - Thanks to @drb_ra, @team

cpardue09's tweet image. #ln -s :malware_traffic: RT @Unit42_Intel: 2023-02-24 (Friday): #IcedID (#Bokbot) --> #BackConnect on 135.148.217[.]85:8080 --> #CobaltStrike on 23.227.203[.]70:80/aspnetcenter[.]com - IoCs available at bit.ly/3J7r51f - Thanks to @drb_ra, @team…
cpardue09's tweet image. #ln -s :malware_traffic: RT @Unit42_Intel: 2023-02-24 (Friday): #IcedID (#Bokbot) --> #BackConnect on 135.148.217[.]85:8080 --> #CobaltStrike on 23.227.203[.]70:80/aspnetcenter[.]com - IoCs available at bit.ly/3J7r51f - Thanks to @drb_ra, @team…
cpardue09's tweet image. #ln -s :malware_traffic: RT @Unit42_Intel: 2023-02-24 (Friday): #IcedID (#Bokbot) --> #BackConnect on 135.148.217[.]85:8080 --> #CobaltStrike on 23.227.203[.]70:80/aspnetcenter[.]com - IoCs available at bit.ly/3J7r51f - Thanks to @drb_ra, @team…
cpardue09's tweet image. #ln -s :malware_traffic: RT @Unit42_Intel: 2023-02-24 (Friday): #IcedID (#Bokbot) --> #BackConnect on 135.148.217[.]85:8080 --> #CobaltStrike on 23.227.203[.]70:80/aspnetcenter[.]com - IoCs available at bit.ly/3J7r51f - Thanks to @drb_ra, @team…
0
0
0
0
330
cpardue09's profile picture. Look mom, I automated my twitter again!
Chris Pardue
 @cpardue09
11 apr 2023

#ln -s :malware_traffic: @Unit42_Intel 2023-04-11 (Tuesday) - Generated another #IcedID (#Bokbot) infection run, and saw another IP address for #BackConnect with VNC over TCP port 443 at 193.149.176[.]100:443.

0
0
0
0
115
TEAL_Technology's profile picture. Your trust in us as Trusted Advisor for Infrastructure Security has a color and a name TEAL
TEAL
 @TEAL_Technology
12 gen 2023

Mission: Set ice❄️on fire🔥! #IcedID, auch bekannt als #BokBot, tauchte erstmals Ende 2017 auf. Ursprünglich war er als Banking-Trojaner konzipiert. Zuletzt wurde er jedoch häufiger als Dropper für andere Malware-Familien und als Werkzeug für Initial-Access-Broker eingesetzt.

TEAL_Technology's tweet image. Mission: Set ice❄️on fire🔥! #IcedID, auch bekannt als #BokBot, tauchte erstmals Ende 2017 auf. Ursprünglich war er als Banking-Trojaner konzipiert. Zuletzt wurde er jedoch häufiger als Dropper für andere Malware-Familien und als Werkzeug für Initial-Access-Broker eingesetzt.
0
0
2
0
83
sans_isc's profile picture. @sans_isc@infosec.exchange - https://t.co/8IgCGtJnZd - Global Network Security Information Sharing Community -
SANS.edu Internet Storm Center
@sans_isc
24 feb 2023

ISC diary: @malware_traffic reviews .url files and #WebDAV used for #IcedID (#Bokbot) infection i5c.us/d29578

sans_isc's tweet image. ISC diary: @malware_traffic reviews .url files and #WebDAV used for #IcedID (#Bokbot) infection i5c.us/d29578
0
24
50
6
12K

Something went wrong.


Something went wrong.


United States Trends