English
English Indonesia Türkçe Deutsch Español Português Pусский Français Italiano Nederlands Polski العربية ไทย Tiếng Việt 繁體中文 简体中文 日本語 한국어

#bokbot search results

Unit42_Intel's profile picture. The latest research and news from Unit 42, the Palo Alto Networks (@paloaltontwks) Threat Intelligence and Security Consulting Team covering incident response.
Unit 42
 @Unit42_Intel
Apr 11, 2023

2023-04-11 (Tuesday) - #IcedID (#BokBot) update: #BackConnect traffic from IcedID infection seen on 45.61.137[.]159:443. Prior to this, IcedID BackConnect traffic used TCP port 8080, but today's BackConnect was over TCP port 443.

Unit42_Intel's tweet image. 2023-04-11 (Tuesday) - #IcedID (#BokBot) update: #BackConnect traffic from IcedID infection seen on 45.61.137[.]159:443. Prior to this, IcedID BackConnect traffic used TCP port 8080, but today's BackConnect was over TCP port 443.
Unit42_Intel's tweet image. 2023-04-11 (Tuesday) - #IcedID (#BokBot) update: #BackConnect traffic from IcedID infection seen on 45.61.137[.]159:443. Prior to this, IcedID BackConnect traffic used TCP port 8080, but today's BackConnect was over TCP port 443.
Unit42_Intel's tweet image. 2023-04-11 (Tuesday) - #IcedID (#BokBot) update: #BackConnect traffic from IcedID infection seen on 45.61.137[.]159:443. Prior to this, IcedID BackConnect traffic used TCP port 8080, but today's BackConnect was over TCP port 443.
Unit42_Intel's tweet image. 2023-04-11 (Tuesday) - #IcedID (#BokBot) update: #BackConnect traffic from IcedID infection seen on 45.61.137[.]159:443. Prior to this, IcedID BackConnect traffic used TCP port 8080, but today's BackConnect was over TCP port 443.
0
28
76
7
13K
Unit42_Intel's profile picture. The latest research and news from Unit 42, the Palo Alto Networks (@paloaltontwks) Threat Intelligence and Security Consulting Team covering incident response.
Unit 42
 @Unit42_Intel
Feb 9, 2023

2023-02-08 (Wednesday) As follow-up to an #IcedID (#Bokbot) infection, we saw a #CobaltStrike stager hosted at hxxp://167.172.154[.]189/b360802.dll with follow-up Cobalt Strike C2 on 79.132.128[.]191:443 using domain thefirstupd[.]com. IoCs available at bit.ly/3JTbIKo

Unit42_Intel's tweet image. 2023-02-08 (Wednesday) As follow-up to an #IcedID (#Bokbot) infection, we saw a #CobaltStrike stager hosted at hxxp://167.172.154[.]189/b360802.dll with follow-up Cobalt Strike C2 on 79.132.128[.]191:443 using domain thefirstupd[.]com. IoCs available at bit.ly/3JTbIKo
Unit42_Intel's tweet image. 2023-02-08 (Wednesday) As follow-up to an #IcedID (#Bokbot) infection, we saw a #CobaltStrike stager hosted at hxxp://167.172.154[.]189/b360802.dll with follow-up Cobalt Strike C2 on 79.132.128[.]191:443 using domain thefirstupd[.]com. IoCs available at bit.ly/3JTbIKo
Unit42_Intel's tweet image. 2023-02-08 (Wednesday) As follow-up to an #IcedID (#Bokbot) infection, we saw a #CobaltStrike stager hosted at hxxp://167.172.154[.]189/b360802.dll with follow-up Cobalt Strike C2 on 79.132.128[.]191:443 using domain thefirstupd[.]com. IoCs available at bit.ly/3JTbIKo
0
45
78
7
17K
Myrtus0x0's profile picture. Malware Researcher | Developer | @Cryptolaemus1 | @NVIDIA bsky: myrtus@malwareindepth.com
Myrtus
 @Myrtus0x0
Jan 9, 2023

Thanks for the find!! Start your year off right with some #bokbot #IcedID. quite a few C2 domains involved... maybe their new years resolution is to get a respectable amount of bots :) gist.github.com/myrtus0x0/e11b…

Myrtus0x0's tweet card. IcedID_01_09_2023.txt. GitHub Gist: instantly share code, notes, and snippets.
IcedID_01_09_2023.txt
Source: gist.github.com
k3dg3's profile picture. Friendly NEIGHborhood Threat Researcher | Reverse Engineer
Kelsey
 @k3dg3
Jan 9, 2023

#IcedID "3131022508" dropped via PDFs with payloads hosted on firebasestorage\.googleapis\.com.* Thread-hijacked email -> PDF Attachment -> payload download -> Password-Protected Zip -> ISO -> LNK -> CMD -> DLL c2: wagringamuk\.com bazaar.abuse.ch/sample/173e5b0…

k3dg3's tweet image. #IcedID "3131022508" dropped via PDFs with payloads hosted on firebasestorage\.googleapis\.com.* Thread-hijacked email -> PDF Attachment -> payload download -> Password-Protected Zip -> ISO -> LNK -> CMD -> DLL c2: wagringamuk\.com bazaar.abuse.ch/sample/173e5b0…
1
26
77
12
37K
1
16
33
4
9K
Myrtus0x0's profile picture. Malware Researcher | Developer | @Cryptolaemus1 | @NVIDIA bsky: myrtus@malwareindepth.com
Myrtus
 @Myrtus0x0
Jan 18, 2023

campaigns keep coming, I keep documenting 😤 #IcedID #bokbot campaign for the day. They took my message and actually changed things, thanks! gist.github.com/myrtus0x0/05cb…

Myrtus0x0's tweet card. GitHub Gist: instantly share code, notes, and snippets.
IcedID_01_18_2023.txt
Source: gist.github.com
2
13
34
3
5K
Unit42_Intel's profile picture. The latest research and news from Unit 42, the Palo Alto Networks (@paloaltontwks) Threat Intelligence and Security Consulting Team covering incident response.
Unit 42
 @Unit42_Intel
Aug 10, 2023

2023-08-09 (Wednesday) — Trojanized Webex .msix installer package contains PowerShell script to install #IcedID (#Bokbot). We also saw #BackConnect traffic and #KeyholeVNC from the infection. List of indicators available at bit.ly/3s1UTpL

Unit42_Intel's tweet image. 2023-08-09 (Wednesday) — Trojanized Webex .msix installer package contains PowerShell script to install #IcedID (#Bokbot). We also saw #BackConnect traffic and #KeyholeVNC from the infection. List of indicators available at bit.ly/3s1UTpL
Unit42_Intel's tweet image. 2023-08-09 (Wednesday) — Trojanized Webex .msix installer package contains PowerShell script to install #IcedID (#Bokbot). We also saw #BackConnect traffic and #KeyholeVNC from the infection. List of indicators available at bit.ly/3s1UTpL
Unit42_Intel's tweet image. 2023-08-09 (Wednesday) — Trojanized Webex .msix installer package contains PowerShell script to install #IcedID (#Bokbot). We also saw #BackConnect traffic and #KeyholeVNC from the infection. List of indicators available at bit.ly/3s1UTpL
Unit42_Intel's tweet image. 2023-08-09 (Wednesday) — Trojanized Webex .msix installer package contains PowerShell script to install #IcedID (#Bokbot). We also saw #BackConnect traffic and #KeyholeVNC from the infection. List of indicators available at bit.ly/3s1UTpL
0
65
157
23
26K
Unit42_Intel's profile picture. The latest research and news from Unit 42, the Palo Alto Networks (@paloaltontwks) Threat Intelligence and Security Consulting Team covering incident response.
Unit 42
 @Unit42_Intel
May 12, 2023

2023-05-10 (Wednesday): Standard variant #IcedID (#BokBot) infection led to #BackConnect activity on 139.59.33[.]128:443 with #KeyholeVNC. Also saw #CobaltStrike from this infection using HTTP traffic to thetechnicalassistant[.]com:8081. IOCs available at bit.ly/3BlDKc2

Unit42_Intel's tweet image. 2023-05-10 (Wednesday): Standard variant #IcedID (#BokBot) infection led to #BackConnect activity on 139.59.33[.]128:443 with #KeyholeVNC. Also saw #CobaltStrike from this infection using HTTP traffic to thetechnicalassistant[.]com:8081. IOCs available at bit.ly/3BlDKc2
Unit42_Intel's tweet image. 2023-05-10 (Wednesday): Standard variant #IcedID (#BokBot) infection led to #BackConnect activity on 139.59.33[.]128:443 with #KeyholeVNC. Also saw #CobaltStrike from this infection using HTTP traffic to thetechnicalassistant[.]com:8081. IOCs available at bit.ly/3BlDKc2
Unit42_Intel's tweet image. 2023-05-10 (Wednesday): Standard variant #IcedID (#BokBot) infection led to #BackConnect activity on 139.59.33[.]128:443 with #KeyholeVNC. Also saw #CobaltStrike from this infection using HTTP traffic to thetechnicalassistant[.]com:8081. IOCs available at bit.ly/3BlDKc2
Unit42_Intel's tweet image. 2023-05-10 (Wednesday): Standard variant #IcedID (#BokBot) infection led to #BackConnect activity on 139.59.33[.]128:443 with #KeyholeVNC. Also saw #CobaltStrike from this infection using HTTP traffic to thetechnicalassistant[.]com:8081. IOCs available at bit.ly/3BlDKc2
0
47
90
12
47K
Myrtus0x0's profile picture. Malware Researcher | Developer | @Cryptolaemus1 | @NVIDIA bsky: myrtus@malwareindepth.com
Myrtus
 @Myrtus0x0
May 3, 2023

Very happy to share my latest podcast I recorded with @joewise34 where we discuss the evolution of #IcedID #bokbot and the reasoning behind their design decisions (mistakes) open.spotify.com/episode/4MKUam…

1
20
54
8
9K
JAMESWT_WT's profile picture. #Independent #Malware #Hunter #CyberSecurity #InfoSec https://t.co/KCFBJcHHcW https://t.co/WODUKncjFy
JAMESWT
 @JAMESWT_WT
Oct 12, 2023

#IcedID (#Bokbot) >#KeyholeVNC => #CobaltStrike Spam Email Campaign Urls urlhaus.abuse.ch/browse/tag/pw-… Samples bazaar.abuse.ch/browse/tag/ges… Run app.any.run/tasks/3fa451b1… C2s: skrechelres[.]com jerryposter[.]com jkbarmossen[.]com evinakortu[.]com hofsaalos[.]com 1/2

JAMESWT_WT's tweet image. #IcedID (#Bokbot) >#KeyholeVNC => #CobaltStrike Spam Email Campaign Urls urlhaus.abuse.ch/browse/tag/pw-… Samples bazaar.abuse.ch/browse/tag/ges… Run app.any.run/tasks/3fa451b1… C2s: skrechelres[.]com jerryposter[.]com jkbarmossen[.]com evinakortu[.]com hofsaalos[.]com 1/2
JAMESWT_WT's tweet image. #IcedID (#Bokbot) >#KeyholeVNC => #CobaltStrike Spam Email Campaign Urls urlhaus.abuse.ch/browse/tag/pw-… Samples bazaar.abuse.ch/browse/tag/ges… Run app.any.run/tasks/3fa451b1… C2s: skrechelres[.]com jerryposter[.]com jkbarmossen[.]com evinakortu[.]com hofsaalos[.]com 1/2
JAMESWT_WT's tweet image. #IcedID (#Bokbot) >#KeyholeVNC => #CobaltStrike Spam Email Campaign Urls urlhaus.abuse.ch/browse/tag/pw-… Samples bazaar.abuse.ch/browse/tag/ges… Run app.any.run/tasks/3fa451b1… C2s: skrechelres[.]com jerryposter[.]com jkbarmossen[.]com evinakortu[.]com hofsaalos[.]com 1/2
JAMESWT_WT's tweet image. #IcedID (#Bokbot) >#KeyholeVNC => #CobaltStrike Spam Email Campaign Urls urlhaus.abuse.ch/browse/tag/pw-… Samples bazaar.abuse.ch/browse/tag/ges… Run app.any.run/tasks/3fa451b1… C2s: skrechelres[.]com jerryposter[.]com jkbarmossen[.]com evinakortu[.]com hofsaalos[.]com 1/2
1
18
47
7
9K
Unit42_Intel's profile picture. The latest research and news from Unit 42, the Palo Alto Networks (@paloaltontwks) Threat Intelligence and Security Consulting Team covering incident response.
Unit 42
 @Unit42_Intel
Jun 29, 2023

2023-06-28 (Wednesday): #IcedID (#Bokbot) had some trouble with distribution, because initial links had a space (%20) appended to the IP address in the URL. We corrected one of those links and generated an infection. List of IoCs at bit.ly/3XAjxJJ

Unit42_Intel's tweet image. 2023-06-28 (Wednesday): #IcedID (#Bokbot) had some trouble with distribution, because initial links had a space (%20) appended to the IP address in the URL. We corrected one of those links and generated an infection. List of IoCs at bit.ly/3XAjxJJ
Unit42_Intel's tweet image. 2023-06-28 (Wednesday): #IcedID (#Bokbot) had some trouble with distribution, because initial links had a space (%20) appended to the IP address in the URL. We corrected one of those links and generated an infection. List of IoCs at bit.ly/3XAjxJJ
Unit42_Intel's tweet image. 2023-06-28 (Wednesday): #IcedID (#Bokbot) had some trouble with distribution, because initial links had a space (%20) appended to the IP address in the URL. We corrected one of those links and generated an infection. List of IoCs at bit.ly/3XAjxJJ
Unit42_Intel's tweet image. 2023-06-28 (Wednesday): #IcedID (#Bokbot) had some trouble with distribution, because initial links had a space (%20) appended to the IP address in the URL. We corrected one of those links and generated an infection. List of IoCs at bit.ly/3XAjxJJ
0
19
59
9
11K
Unit42_Intel's profile picture. The latest research and news from Unit 42, the Palo Alto Networks (@paloaltontwks) Threat Intelligence and Security Consulting Team covering incident response.
Unit 42
 @Unit42_Intel
Nov 1, 2023

2023-10-31 (Tuesday) - #IcedID (#Bokbot) infection from an MSI file. Along with the regular HTTPS C2 traffic, we saw IcedID BackConnect activity on 159.89.124[.]188:443. List of indicators available at bit.ly/3Mq0tJL #TimelyThreatIntel #Unit42ThreatIntel #Wireshark

Unit42_Intel's tweet image. 2023-10-31 (Tuesday) - #IcedID (#Bokbot) infection from an MSI file. Along with the regular HTTPS C2 traffic, we saw IcedID BackConnect activity on 159.89.124[.]188:443. List of indicators available at bit.ly/3Mq0tJL #TimelyThreatIntel #Unit42ThreatIntel #Wireshark
Unit42_Intel's tweet image. 2023-10-31 (Tuesday) - #IcedID (#Bokbot) infection from an MSI file. Along with the regular HTTPS C2 traffic, we saw IcedID BackConnect activity on 159.89.124[.]188:443. List of indicators available at bit.ly/3Mq0tJL #TimelyThreatIntel #Unit42ThreatIntel #Wireshark
Unit42_Intel's tweet image. 2023-10-31 (Tuesday) - #IcedID (#Bokbot) infection from an MSI file. Along with the regular HTTPS C2 traffic, we saw IcedID BackConnect activity on 159.89.124[.]188:443. List of indicators available at bit.ly/3Mq0tJL #TimelyThreatIntel #Unit42ThreatIntel #Wireshark
Unit42_Intel's tweet image. 2023-10-31 (Tuesday) - #IcedID (#Bokbot) infection from an MSI file. Along with the regular HTTPS C2 traffic, we saw IcedID BackConnect activity on 159.89.124[.]188:443. List of indicators available at bit.ly/3Mq0tJL #TimelyThreatIntel #Unit42ThreatIntel #Wireshark
0
32
99
19
21K
Unit42_Intel's profile picture. The latest research and news from Unit 42, the Palo Alto Networks (@paloaltontwks) Threat Intelligence and Security Consulting Team covering incident response.
Unit 42
 @Unit42_Intel
May 29, 2023

Do you lack access to full packet capture in your current IT environment? If you want to improve your skills analyzing #malware traffic, dive into our latest Wireshark tutorial — we investigate an infection from the banking Trojan #IcedID (aka #BokBot). bit.ly/3BUdaHp

Unit42_Intel's tweet image. Do you lack access to full packet capture in your current IT environment? If you want to improve your skills analyzing #malware traffic, dive into our latest Wireshark tutorial — we investigate an infection from the banking Trojan #IcedID (aka #BokBot). bit.ly/3BUdaHp
0
15
32
9
7K
Unit42_Intel's profile picture. The latest research and news from Unit 42, the Palo Alto Networks (@paloaltontwks) Threat Intelligence and Security Consulting Team covering incident response.
Unit 42
 @Unit42_Intel
May 26, 2023

Our latest Wireshark tutorial walks the analyst through an #IcedID (#BokBot) infection. You’ll examine the traffic, identify the victim and enhance your #pcap analysis skills. #Unit42LovesWireshark bit.ly/3BUdaHp

Unit42_Intel's tweet image. Our latest Wireshark tutorial walks the analyst through an #IcedID (#BokBot) infection. You’ll examine the traffic, identify the victim and enhance your #pcap analysis skills. #Unit42LovesWireshark bit.ly/3BUdaHp
0
24
60
24
13K
Unit42_Intel's profile picture. The latest research and news from Unit 42, the Palo Alto Networks (@paloaltontwks) Threat Intelligence and Security Consulting Team covering incident response.
Unit 42
 @Unit42_Intel
Mar 24, 2023

2023-03-24 (Friday) - #IcedID (#Bokbot) infection generated #BackConnect traffic over 193.239.85[.]16:8080 led to #CobaltStrike on 31.220.50[.]207:80 using voiceinfosys[.]net

Unit42_Intel's tweet image. 2023-03-24 (Friday) - #IcedID (#Bokbot) infection generated #BackConnect traffic over 193.239.85[.]16:8080 led to #CobaltStrike on 31.220.50[.]207:80 using voiceinfosys[.]net
Unit42_Intel's tweet image. 2023-03-24 (Friday) - #IcedID (#Bokbot) infection generated #BackConnect traffic over 193.239.85[.]16:8080 led to #CobaltStrike on 31.220.50[.]207:80 using voiceinfosys[.]net
2
44
94
7
18K
Unit42_Intel's profile picture. The latest research and news from Unit 42, the Palo Alto Networks (@paloaltontwks) Threat Intelligence and Security Consulting Team covering incident response.
Unit 42
 @Unit42_Intel
Nov 28, 2023

2023-11-27 (Monday) - #TA577 pushes #IcedID (#Bokbot) variant. List of IOCs available at bit.ly/47X6kPn #Unit42ThreatIntel #TimelyThreatIntel #Wireshark

Unit42_Intel's tweet image. 2023-11-27 (Monday) - #TA577 pushes #IcedID (#Bokbot) variant. List of IOCs available at bit.ly/47X6kPn #Unit42ThreatIntel #TimelyThreatIntel #Wireshark
Unit42_Intel's tweet image. 2023-11-27 (Monday) - #TA577 pushes #IcedID (#Bokbot) variant. List of IOCs available at bit.ly/47X6kPn #Unit42ThreatIntel #TimelyThreatIntel #Wireshark
Unit42_Intel's tweet image. 2023-11-27 (Monday) - #TA577 pushes #IcedID (#Bokbot) variant. List of IOCs available at bit.ly/47X6kPn #Unit42ThreatIntel #TimelyThreatIntel #Wireshark
Unit42_Intel's tweet image. 2023-11-27 (Monday) - #TA577 pushes #IcedID (#Bokbot) variant. List of IOCs available at bit.ly/47X6kPn #Unit42ThreatIntel #TimelyThreatIntel #Wireshark
0
31
81
13
13K
Unit42_Intel's profile picture. The latest research and news from Unit 42, the Palo Alto Networks (@paloaltontwks) Threat Intelligence and Security Consulting Team covering incident response.
Unit 42
 @Unit42_Intel
Feb 13, 2023

2023-02-13 (Monday) - Fake Microsoft Teams page on microsofteamsus[.]top pushing #IcedID (#Bokbot). Page established on Thursday, 2023-02-09, likely set up for the same type of #malvertising seen recently using Google Ads. IoCs available at bit.ly/3IiKHPq

Unit42_Intel's tweet image. 2023-02-13 (Monday) - Fake Microsoft Teams page on microsofteamsus[.]top pushing #IcedID (#Bokbot). Page established on Thursday, 2023-02-09, likely set up for the same type of #malvertising seen recently using Google Ads. IoCs available at bit.ly/3IiKHPq
Unit42_Intel's tweet image. 2023-02-13 (Monday) - Fake Microsoft Teams page on microsofteamsus[.]top pushing #IcedID (#Bokbot). Page established on Thursday, 2023-02-09, likely set up for the same type of #malvertising seen recently using Google Ads. IoCs available at bit.ly/3IiKHPq
Unit42_Intel's tweet image. 2023-02-13 (Monday) - Fake Microsoft Teams page on microsofteamsus[.]top pushing #IcedID (#Bokbot). Page established on Thursday, 2023-02-09, likely set up for the same type of #malvertising seen recently using Google Ads. IoCs available at bit.ly/3IiKHPq
Unit42_Intel's tweet image. 2023-02-13 (Monday) - Fake Microsoft Teams page on microsofteamsus[.]top pushing #IcedID (#Bokbot). Page established on Thursday, 2023-02-09, likely set up for the same type of #malvertising seen recently using Google Ads. IoCs available at bit.ly/3IiKHPq
1
51
89
11
22K
Unit42_Intel's profile picture. The latest research and news from Unit 42, the Palo Alto Networks (@paloaltontwks) Threat Intelligence and Security Consulting Team covering incident response.
Unit 42
 @Unit42_Intel
May 30, 2023

The answers to our latest #Wireshark tutorial are now live. Determine how well you did as we walk through the infection traffic of #IcedID (aka #BokBot) — a known vector for ransomware infections. #Unit42LovesWireshark bit.ly/3IKMIDH

Unit42_Intel's tweet image. The answers to our latest #Wireshark tutorial are now live. Determine how well you did as we walk through the infection traffic of #IcedID (aka #BokBot) — a known vector for ransomware infections. #Unit42LovesWireshark bit.ly/3IKMIDH
1
5
25
4
6K
phantmradar's profile picture. Independent, community-driven cyber threat intelligence project. Operated by individual researchers. Not affiliated with or funded by any for-profit entity.
Phantom Radar Project🦉
@phantmradar
Jun 4, 2024

1099Misc.inf file related to the sample "Tax Organizer.exe" SHA256 3afc8ef18d02bf8c40ba4fb029058c1f7d4bfb10f05d0dd281db6695091100ae virustotal.com/gui/file/3afc8… #iceid #remcos #bokbot

phantmradar's profile picture. Independent, community-driven cyber threat intelligence project. Operated by individual researchers. Not affiliated with or funded by any for-profit entity.
Phantom Radar Project🦉
@phantmradar
Jun 3, 2024

#iceid suspected #malware 0/72 VT virustotal.com/gui/file/08c7f…

0
0
0
0
149
1
0
0
0
92
phantmradar's profile picture. Independent, community-driven cyber threat intelligence project. Operated by individual researchers. Not affiliated with or funded by any for-profit entity.
Phantom Radar Project🦉
@phantmradar
Jun 4, 2024

1099Misc.inf file related to the sample "Tax Organizer.exe" SHA256 3afc8ef18d02bf8c40ba4fb029058c1f7d4bfb10f05d0dd281db6695091100ae virustotal.com/gui/file/3afc8… #iceid #remcos #bokbot

phantmradar's profile picture. Independent, community-driven cyber threat intelligence project. Operated by individual researchers. Not affiliated with or funded by any for-profit entity.
Phantom Radar Project🦉
@phantmradar
Jun 3, 2024

#iceid suspected #malware 0/72 VT virustotal.com/gui/file/08c7f…

0
0
0
0
149
1
0
0
0
92
Unit42_Intel's profile picture. The latest research and news from Unit 42, the Palo Alto Networks (@paloaltontwks) Threat Intelligence and Security Consulting Team covering incident response.
Unit 42
 @Unit42_Intel
Nov 28, 2023

2023-11-27 (Monday) - #TA577 pushes #IcedID (#Bokbot) variant. List of IOCs available at bit.ly/47X6kPn #Unit42ThreatIntel #TimelyThreatIntel #Wireshark

Unit42_Intel's tweet image. 2023-11-27 (Monday) - #TA577 pushes #IcedID (#Bokbot) variant. List of IOCs available at bit.ly/47X6kPn #Unit42ThreatIntel #TimelyThreatIntel #Wireshark
Unit42_Intel's tweet image. 2023-11-27 (Monday) - #TA577 pushes #IcedID (#Bokbot) variant. List of IOCs available at bit.ly/47X6kPn #Unit42ThreatIntel #TimelyThreatIntel #Wireshark
Unit42_Intel's tweet image. 2023-11-27 (Monday) - #TA577 pushes #IcedID (#Bokbot) variant. List of IOCs available at bit.ly/47X6kPn #Unit42ThreatIntel #TimelyThreatIntel #Wireshark
Unit42_Intel's tweet image. 2023-11-27 (Monday) - #TA577 pushes #IcedID (#Bokbot) variant. List of IOCs available at bit.ly/47X6kPn #Unit42ThreatIntel #TimelyThreatIntel #Wireshark
0
31
81
13
13K
gikobookmark's profile picture. 旧:個人的なブックマーク代わりのアカウント。ポスト内容はGoogle翻訳。 現:趣味のプログラミングのメモ。
技巧@📘🖊ブックマークbot
 @gikobookmark
Nov 2, 2023

2023-10-31 (火曜日) - MSI ファイルから#IcedID ( #Bokbot ) に感染。通常の HTTPS C2 トラフィックに加えて、159.89.124[.]188:443 で IcedID BackConnect アクティビティが確認されました。

Unit42_Intel's profile picture. The latest research and news from Unit 42, the Palo Alto Networks (@paloaltontwks) Threat Intelligence and Security Consulting Team covering incident response.
Unit 42
 @Unit42_Intel
Nov 1, 2023

2023-10-31 (Tuesday) - #IcedID (#Bokbot) infection from an MSI file. Along with the regular HTTPS C2 traffic, we saw IcedID BackConnect activity on 159.89.124[.]188:443. List of indicators available at bit.ly/3Mq0tJL #TimelyThreatIntel #Unit42ThreatIntel #Wireshark

Unit42_Intel's tweet image. 2023-10-31 (Tuesday) - #IcedID (#Bokbot) infection from an MSI file. Along with the regular HTTPS C2 traffic, we saw IcedID BackConnect activity on 159.89.124[.]188:443. List of indicators available at bit.ly/3Mq0tJL #TimelyThreatIntel #Unit42ThreatIntel #Wireshark
Unit42_Intel's tweet image. 2023-10-31 (Tuesday) - #IcedID (#Bokbot) infection from an MSI file. Along with the regular HTTPS C2 traffic, we saw IcedID BackConnect activity on 159.89.124[.]188:443. List of indicators available at bit.ly/3Mq0tJL #TimelyThreatIntel #Unit42ThreatIntel #Wireshark
Unit42_Intel's tweet image. 2023-10-31 (Tuesday) - #IcedID (#Bokbot) infection from an MSI file. Along with the regular HTTPS C2 traffic, we saw IcedID BackConnect activity on 159.89.124[.]188:443. List of indicators available at bit.ly/3Mq0tJL #TimelyThreatIntel #Unit42ThreatIntel #Wireshark
Unit42_Intel's tweet image. 2023-10-31 (Tuesday) - #IcedID (#Bokbot) infection from an MSI file. Along with the regular HTTPS C2 traffic, we saw IcedID BackConnect activity on 159.89.124[.]188:443. List of indicators available at bit.ly/3Mq0tJL #TimelyThreatIntel #Unit42ThreatIntel #Wireshark
0
32
99
19
21K
0
0
0
0
114
cpardue09's profile picture. Look mom, I automated my twitter again!
Chris Pardue
 @cpardue09
Nov 1, 2023

#ln -s :malware_traffic: RT @Unit42_Intel: 2023-10-31 (Tuesday) - #IcedID (#Bokbot) infection from an MSI file. Along with the regular HTTPS C2 traffic, we saw IcedID BackConnect activity on 159.89.124[.]188:443. List of indicators available at …

cpardue09's tweet image. #ln -s :malware_traffic: RT @Unit42_Intel: 2023-10-31 (Tuesday) - #IcedID (#Bokbot) infection from an MSI file. Along with the regular HTTPS C2 traffic, we saw IcedID BackConnect activity on 159.89.124[.]188:443. List of indicators available at …
cpardue09's tweet image. #ln -s :malware_traffic: RT @Unit42_Intel: 2023-10-31 (Tuesday) - #IcedID (#Bokbot) infection from an MSI file. Along with the regular HTTPS C2 traffic, we saw IcedID BackConnect activity on 159.89.124[.]188:443. List of indicators available at …
cpardue09's tweet image. #ln -s :malware_traffic: RT @Unit42_Intel: 2023-10-31 (Tuesday) - #IcedID (#Bokbot) infection from an MSI file. Along with the regular HTTPS C2 traffic, we saw IcedID BackConnect activity on 159.89.124[.]188:443. List of indicators available at …
cpardue09's tweet image. #ln -s :malware_traffic: RT @Unit42_Intel: 2023-10-31 (Tuesday) - #IcedID (#Bokbot) infection from an MSI file. Along with the regular HTTPS C2 traffic, we saw IcedID BackConnect activity on 159.89.124[.]188:443. List of indicators available at …
0
1
0
0
106
Unit42_Intel's profile picture. The latest research and news from Unit 42, the Palo Alto Networks (@paloaltontwks) Threat Intelligence and Security Consulting Team covering incident response.
Unit 42
 @Unit42_Intel
Nov 1, 2023

2023-10-31 (Tuesday) - #IcedID (#Bokbot) infection from an MSI file. Along with the regular HTTPS C2 traffic, we saw IcedID BackConnect activity on 159.89.124[.]188:443. List of indicators available at bit.ly/3Mq0tJL #TimelyThreatIntel #Unit42ThreatIntel #Wireshark

Unit42_Intel's tweet image. 2023-10-31 (Tuesday) - #IcedID (#Bokbot) infection from an MSI file. Along with the regular HTTPS C2 traffic, we saw IcedID BackConnect activity on 159.89.124[.]188:443. List of indicators available at bit.ly/3Mq0tJL #TimelyThreatIntel #Unit42ThreatIntel #Wireshark
Unit42_Intel's tweet image. 2023-10-31 (Tuesday) - #IcedID (#Bokbot) infection from an MSI file. Along with the regular HTTPS C2 traffic, we saw IcedID BackConnect activity on 159.89.124[.]188:443. List of indicators available at bit.ly/3Mq0tJL #TimelyThreatIntel #Unit42ThreatIntel #Wireshark
Unit42_Intel's tweet image. 2023-10-31 (Tuesday) - #IcedID (#Bokbot) infection from an MSI file. Along with the regular HTTPS C2 traffic, we saw IcedID BackConnect activity on 159.89.124[.]188:443. List of indicators available at bit.ly/3Mq0tJL #TimelyThreatIntel #Unit42ThreatIntel #Wireshark
Unit42_Intel's tweet image. 2023-10-31 (Tuesday) - #IcedID (#Bokbot) infection from an MSI file. Along with the regular HTTPS C2 traffic, we saw IcedID BackConnect activity on 159.89.124[.]188:443. List of indicators available at bit.ly/3Mq0tJL #TimelyThreatIntel #Unit42ThreatIntel #Wireshark
0
32
99
19
21K
JAMESWT_WT's profile picture. #Independent #Malware #Hunter #CyberSecurity #InfoSec https://t.co/KCFBJcHHcW https://t.co/WODUKncjFy
JAMESWT
 @JAMESWT_WT
Oct 12, 2023

#IcedID (#Bokbot) >#KeyholeVNC => #CobaltStrike Spam Email Campaign Urls urlhaus.abuse.ch/browse/tag/pw-… Samples bazaar.abuse.ch/browse/tag/ges… Run app.any.run/tasks/3fa451b1… C2s: skrechelres[.]com jerryposter[.]com jkbarmossen[.]com evinakortu[.]com hofsaalos[.]com 1/2

JAMESWT_WT's tweet image. #IcedID (#Bokbot) >#KeyholeVNC => #CobaltStrike Spam Email Campaign Urls urlhaus.abuse.ch/browse/tag/pw-… Samples bazaar.abuse.ch/browse/tag/ges… Run app.any.run/tasks/3fa451b1… C2s: skrechelres[.]com jerryposter[.]com jkbarmossen[.]com evinakortu[.]com hofsaalos[.]com 1/2
JAMESWT_WT's tweet image. #IcedID (#Bokbot) >#KeyholeVNC => #CobaltStrike Spam Email Campaign Urls urlhaus.abuse.ch/browse/tag/pw-… Samples bazaar.abuse.ch/browse/tag/ges… Run app.any.run/tasks/3fa451b1… C2s: skrechelres[.]com jerryposter[.]com jkbarmossen[.]com evinakortu[.]com hofsaalos[.]com 1/2
JAMESWT_WT's tweet image. #IcedID (#Bokbot) >#KeyholeVNC => #CobaltStrike Spam Email Campaign Urls urlhaus.abuse.ch/browse/tag/pw-… Samples bazaar.abuse.ch/browse/tag/ges… Run app.any.run/tasks/3fa451b1… C2s: skrechelres[.]com jerryposter[.]com jkbarmossen[.]com evinakortu[.]com hofsaalos[.]com 1/2
JAMESWT_WT's tweet image. #IcedID (#Bokbot) >#KeyholeVNC => #CobaltStrike Spam Email Campaign Urls urlhaus.abuse.ch/browse/tag/pw-… Samples bazaar.abuse.ch/browse/tag/ges… Run app.any.run/tasks/3fa451b1… C2s: skrechelres[.]com jerryposter[.]com jkbarmossen[.]com evinakortu[.]com hofsaalos[.]com 1/2
1
18
47
7
9K
cpardue09's profile picture. Look mom, I automated my twitter again!
Chris Pardue
 @cpardue09
Sep 30, 2023

#ln -s :malware_traffic: RT @Unit42_Intel: 2023-09-28 (Thursday) - #IcedID (#Bokbot) infection led to #BackConnect traffic and #KeyholeVNC on 172.86.75[.]88:443 and HTTPS traffic for #CobaltStrike on umomrmwa[.]com using 141.98.80[.]158:443. Details avai…

cpardue09's tweet image. #ln -s :malware_traffic: RT @Unit42_Intel: 2023-09-28 (Thursday) - #IcedID (#Bokbot) infection led to #BackConnect traffic and #KeyholeVNC on 172.86.75[.]88:443 and HTTPS traffic for #CobaltStrike on umomrmwa[.]com using 141.98.80[.]158:443. Details avai…
cpardue09's tweet image. #ln -s :malware_traffic: RT @Unit42_Intel: 2023-09-28 (Thursday) - #IcedID (#Bokbot) infection led to #BackConnect traffic and #KeyholeVNC on 172.86.75[.]88:443 and HTTPS traffic for #CobaltStrike on umomrmwa[.]com using 141.98.80[.]158:443. Details avai…
cpardue09's tweet image. #ln -s :malware_traffic: RT @Unit42_Intel: 2023-09-28 (Thursday) - #IcedID (#Bokbot) infection led to #BackConnect traffic and #KeyholeVNC on 172.86.75[.]88:443 and HTTPS traffic for #CobaltStrike on umomrmwa[.]com using 141.98.80[.]158:443. Details avai…
cpardue09's tweet image. #ln -s :malware_traffic: RT @Unit42_Intel: 2023-09-28 (Thursday) - #IcedID (#Bokbot) infection led to #BackConnect traffic and #KeyholeVNC on 172.86.75[.]88:443 and HTTPS traffic for #CobaltStrike on umomrmwa[.]com using 141.98.80[.]158:443. Details avai…
0
0
0
0
279
Unit42_Intel's profile picture. The latest research and news from Unit 42, the Palo Alto Networks (@paloaltontwks) Threat Intelligence and Security Consulting Team covering incident response.
Unit 42
 @Unit42_Intel
Sep 29, 2023

2023-09-28 (Thursday) - #IcedID (#Bokbot) infection led to #BackConnect traffic and #KeyholeVNC on 172.86.75[.]88:443 and HTTPS traffic for #CobaltStrike on umomrmwa[.]com using 141.98.80[.]158:443. Details available at github.com/PaloAltoNetwor…

Unit42_Intel's tweet image. 2023-09-28 (Thursday) - #IcedID (#Bokbot) infection led to #BackConnect traffic and #KeyholeVNC on 172.86.75[.]88:443 and HTTPS traffic for #CobaltStrike on umomrmwa[.]com using 141.98.80[.]158:443. Details available at github.com/PaloAltoNetwor…
Unit42_Intel's tweet image. 2023-09-28 (Thursday) - #IcedID (#Bokbot) infection led to #BackConnect traffic and #KeyholeVNC on 172.86.75[.]88:443 and HTTPS traffic for #CobaltStrike on umomrmwa[.]com using 141.98.80[.]158:443. Details available at github.com/PaloAltoNetwor…
Unit42_Intel's tweet image. 2023-09-28 (Thursday) - #IcedID (#Bokbot) infection led to #BackConnect traffic and #KeyholeVNC on 172.86.75[.]88:443 and HTTPS traffic for #CobaltStrike on umomrmwa[.]com using 141.98.80[.]158:443. Details available at github.com/PaloAltoNetwor…
Unit42_Intel's tweet image. 2023-09-28 (Thursday) - #IcedID (#Bokbot) infection led to #BackConnect traffic and #KeyholeVNC on 172.86.75[.]88:443 and HTTPS traffic for #CobaltStrike on umomrmwa[.]com using 141.98.80[.]158:443. Details available at github.com/PaloAltoNetwor…
0
42
128
21
23K
cpardue09's profile picture. Look mom, I automated my twitter again!
Chris Pardue
 @cpardue09
Sep 1, 2023

#ln -s :malware_traffic: @Unit42_Intel Email examples and malware samples for these two waves of #IcedID (#Bokbot) are now available at: 2023-08-29: malware-traffic-analysis.net/2023/08/29/ind… 2023-08-31: malware-traffic-analysis.net/2023/08/31/ind… I wasn't able to get a full infection ru…

0
0
0
0
159
Unit42_Intel's profile picture. The latest research and news from Unit 42, the Palo Alto Networks (@paloaltontwks) Threat Intelligence and Security Consulting Team covering incident response.
Unit 42
 @Unit42_Intel
Sep 1, 2023

2023-08-29 (Tues) & 08-31 (Thu) we saw #threadhijacked emails pushing #IcedID (#Bokbot). - Some IOCs from the 08-29 wave are available at bit.ly/3PoCXPy - Some IOCs from the 08-31 wave are available at bit.ly/3P3ybFo #cybercrime #TimelyThreatIntelligence

Unit42_Intel's tweet image. 2023-08-29 (Tues) & 08-31 (Thu) we saw #threadhijacked emails pushing #IcedID (#Bokbot). - Some IOCs from the 08-29 wave are available at bit.ly/3PoCXPy - Some IOCs from the 08-31 wave are available at bit.ly/3P3ybFo #cybercrime #TimelyThreatIntelligence
Unit42_Intel's tweet image. 2023-08-29 (Tues) & 08-31 (Thu) we saw #threadhijacked emails pushing #IcedID (#Bokbot). - Some IOCs from the 08-29 wave are available at bit.ly/3PoCXPy - Some IOCs from the 08-31 wave are available at bit.ly/3P3ybFo #cybercrime #TimelyThreatIntelligence
Unit42_Intel's tweet image. 2023-08-29 (Tues) & 08-31 (Thu) we saw #threadhijacked emails pushing #IcedID (#Bokbot). - Some IOCs from the 08-29 wave are available at bit.ly/3PoCXPy - Some IOCs from the 08-31 wave are available at bit.ly/3P3ybFo #cybercrime #TimelyThreatIntelligence
Unit42_Intel's tweet image. 2023-08-29 (Tues) & 08-31 (Thu) we saw #threadhijacked emails pushing #IcedID (#Bokbot). - Some IOCs from the 08-29 wave are available at bit.ly/3PoCXPy - Some IOCs from the 08-31 wave are available at bit.ly/3P3ybFo #cybercrime #TimelyThreatIntelligence
0
22
48
7
9K
Unit42_Intel's profile picture. The latest research and news from Unit 42, the Palo Alto Networks (@paloaltontwks) Threat Intelligence and Security Consulting Team covering incident response.
Unit 42
 @Unit42_Intel
Aug 10, 2023

2023-08-09 (Wednesday) — Trojanized Webex .msix installer package contains PowerShell script to install #IcedID (#Bokbot). We also saw #BackConnect traffic and #KeyholeVNC from the infection. List of indicators available at bit.ly/3s1UTpL

Unit42_Intel's tweet image. 2023-08-09 (Wednesday) — Trojanized Webex .msix installer package contains PowerShell script to install #IcedID (#Bokbot). We also saw #BackConnect traffic and #KeyholeVNC from the infection. List of indicators available at bit.ly/3s1UTpL
Unit42_Intel's tweet image. 2023-08-09 (Wednesday) — Trojanized Webex .msix installer package contains PowerShell script to install #IcedID (#Bokbot). We also saw #BackConnect traffic and #KeyholeVNC from the infection. List of indicators available at bit.ly/3s1UTpL
Unit42_Intel's tweet image. 2023-08-09 (Wednesday) — Trojanized Webex .msix installer package contains PowerShell script to install #IcedID (#Bokbot). We also saw #BackConnect traffic and #KeyholeVNC from the infection. List of indicators available at bit.ly/3s1UTpL
Unit42_Intel's tweet image. 2023-08-09 (Wednesday) — Trojanized Webex .msix installer package contains PowerShell script to install #IcedID (#Bokbot). We also saw #BackConnect traffic and #KeyholeVNC from the infection. List of indicators available at bit.ly/3s1UTpL
0
65
157
23
26K
Unit42_Intel's profile picture. The latest research and news from Unit 42, the Palo Alto Networks (@paloaltontwks) Threat Intelligence and Security Consulting Team covering incident response.
Unit 42
 @Unit42_Intel
Jun 29, 2023

2023-06-28 (Wednesday): #IcedID (#Bokbot) had some trouble with distribution, because initial links had a space (%20) appended to the IP address in the URL. We corrected one of those links and generated an infection. List of IoCs at bit.ly/3XAjxJJ

Unit42_Intel's tweet image. 2023-06-28 (Wednesday): #IcedID (#Bokbot) had some trouble with distribution, because initial links had a space (%20) appended to the IP address in the URL. We corrected one of those links and generated an infection. List of IoCs at bit.ly/3XAjxJJ
Unit42_Intel's tweet image. 2023-06-28 (Wednesday): #IcedID (#Bokbot) had some trouble with distribution, because initial links had a space (%20) appended to the IP address in the URL. We corrected one of those links and generated an infection. List of IoCs at bit.ly/3XAjxJJ
Unit42_Intel's tweet image. 2023-06-28 (Wednesday): #IcedID (#Bokbot) had some trouble with distribution, because initial links had a space (%20) appended to the IP address in the URL. We corrected one of those links and generated an infection. List of IoCs at bit.ly/3XAjxJJ
Unit42_Intel's tweet image. 2023-06-28 (Wednesday): #IcedID (#Bokbot) had some trouble with distribution, because initial links had a space (%20) appended to the IP address in the URL. We corrected one of those links and generated an infection. List of IoCs at bit.ly/3XAjxJJ
0
19
59
9
11K
MariaDalasio's profile picture. Club @DietCoke Member & Enthusiast Channel Partner Program Manager, Unit 42 at Palo Alto Networks
Maria Dalasio
 @MariaDalasio
May 31, 2023

The answers to Unit 42's latest #Wireshark tutorial are now live. Examine how well you did as you walk through, step-by-step, the infection traffic of #IcedID (aka #BokBot) — a known vector for #ransomware infections. #Unit42LovesWireshark #DontPanic sprou.tt/11mNrz2vX0R

MariaDalasio's tweet card. This is the follow-up post to our Wireshark quiz on an IcedID infection. We provide the answers on the traffic, victim and more in this full pcap analysis.
Cold as Ice: Answers to Unit 42 Wireshark Quiz for IcedID
Source: unit42.paloaltonetworks.com
0
0
0
0
111
Unit42_Intel's profile picture. The latest research and news from Unit 42, the Palo Alto Networks (@paloaltontwks) Threat Intelligence and Security Consulting Team covering incident response.
Unit 42
 @Unit42_Intel
May 30, 2023

The answers to our latest #Wireshark tutorial are now live. Determine how well you did as we walk through the infection traffic of #IcedID (aka #BokBot) — a known vector for ransomware infections. #Unit42LovesWireshark bit.ly/3IKMIDH

Unit42_Intel's tweet image. The answers to our latest #Wireshark tutorial are now live. Determine how well you did as we walk through the infection traffic of #IcedID (aka #BokBot) — a known vector for ransomware infections. #Unit42LovesWireshark bit.ly/3IKMIDH
1
5
25
4
6K
Unit42_Intel's profile picture. The latest research and news from Unit 42, the Palo Alto Networks (@paloaltontwks) Threat Intelligence and Security Consulting Team covering incident response.
Unit 42
 @Unit42_Intel
May 29, 2023

Do you lack access to full packet capture in your current IT environment? If you want to improve your skills analyzing #malware traffic, dive into our latest Wireshark tutorial — we investigate an infection from the banking Trojan #IcedID (aka #BokBot). bit.ly/3BUdaHp

Unit42_Intel's tweet image. Do you lack access to full packet capture in your current IT environment? If you want to improve your skills analyzing #malware traffic, dive into our latest Wireshark tutorial — we investigate an infection from the banking Trojan #IcedID (aka #BokBot). bit.ly/3BUdaHp
0
15
32
9
7K
Unit42_Intel's profile picture. The latest research and news from Unit 42, the Palo Alto Networks (@paloaltontwks) Threat Intelligence and Security Consulting Team covering incident response.
Unit 42
 @Unit42_Intel
May 26, 2023

Our latest Wireshark tutorial walks the analyst through an #IcedID (#BokBot) infection. You’ll examine the traffic, identify the victim and enhance your #pcap analysis skills. #Unit42LovesWireshark bit.ly/3BUdaHp

Unit42_Intel's tweet image. Our latest Wireshark tutorial walks the analyst through an #IcedID (#BokBot) infection. You’ll examine the traffic, identify the victim and enhance your #pcap analysis skills. #Unit42LovesWireshark bit.ly/3BUdaHp
0
24
60
24
13K
JimBeasleyCA's profile picture. Regional Sales Manager at WEKA. My tweets are my own.
Jim Beasley
 @JimBeasleyCA
May 26, 2023

Unit 42's latest Wireshark tutorial walks the analyst through an #IcedID (#BokBot) infection. You’ll examine the traffic, identify the victim and enhance your #pcap analysis skills #Unit42LovesWireshark sprou.tt/1aVAaxRxctz

JimBeasleyCA's tweet card. IcedID is a known vector for ransomware. Analyze infection traffic from this banking trojan in our latest Wireshark tutorial.
Cold as Ice: Unit 42 Wireshark Quiz for IcedID
Source: unit42.paloaltonetworks.com
0
0
0
0
83
cpardue09's profile picture. Look mom, I automated my twitter again!
Chris Pardue
 @cpardue09
May 12, 2023

#ln -s :malware_traffic: RT @Unit42_Intel: 2023-05-10 (Wednesday): Standard variant #IcedID (#BokBot) infection led to #BackConnect activity on 139.59.33[.]128:443 with #KeyholeVNC. Also saw #CobaltStrike from this infection using HTTP traffic to thetech…

cpardue09's tweet image. #ln -s :malware_traffic: RT @Unit42_Intel: 2023-05-10 (Wednesday): Standard variant #IcedID (#BokBot) infection led to #BackConnect activity on 139.59.33[.]128:443 with #KeyholeVNC. Also saw #CobaltStrike from this infection using HTTP traffic to thetech…
cpardue09's tweet image. #ln -s :malware_traffic: RT @Unit42_Intel: 2023-05-10 (Wednesday): Standard variant #IcedID (#BokBot) infection led to #BackConnect activity on 139.59.33[.]128:443 with #KeyholeVNC. Also saw #CobaltStrike from this infection using HTTP traffic to thetech…
cpardue09's tweet image. #ln -s :malware_traffic: RT @Unit42_Intel: 2023-05-10 (Wednesday): Standard variant #IcedID (#BokBot) infection led to #BackConnect activity on 139.59.33[.]128:443 with #KeyholeVNC. Also saw #CobaltStrike from this infection using HTTP traffic to thetech…
cpardue09's tweet image. #ln -s :malware_traffic: RT @Unit42_Intel: 2023-05-10 (Wednesday): Standard variant #IcedID (#BokBot) infection led to #BackConnect activity on 139.59.33[.]128:443 with #KeyholeVNC. Also saw #CobaltStrike from this infection using HTTP traffic to thetech…
1
0
1
0
200
JAMESWT_WT's profile picture. #Independent #Malware #Hunter #CyberSecurity #InfoSec https://t.co/KCFBJcHHcW https://t.co/WODUKncjFy
JAMESWT
 @JAMESWT_WT
Oct 12, 2023

#IcedID (#Bokbot) >#KeyholeVNC => #CobaltStrike Spam Email Campaign Urls urlhaus.abuse.ch/browse/tag/pw-… Samples bazaar.abuse.ch/browse/tag/ges… Run app.any.run/tasks/3fa451b1… C2s: skrechelres[.]com jerryposter[.]com jkbarmossen[.]com evinakortu[.]com hofsaalos[.]com 1/2

JAMESWT_WT's tweet image. #IcedID (#Bokbot) >#KeyholeVNC => #CobaltStrike Spam Email Campaign Urls urlhaus.abuse.ch/browse/tag/pw-… Samples bazaar.abuse.ch/browse/tag/ges… Run app.any.run/tasks/3fa451b1… C2s: skrechelres[.]com jerryposter[.]com jkbarmossen[.]com evinakortu[.]com hofsaalos[.]com 1/2
JAMESWT_WT's tweet image. #IcedID (#Bokbot) >#KeyholeVNC => #CobaltStrike Spam Email Campaign Urls urlhaus.abuse.ch/browse/tag/pw-… Samples bazaar.abuse.ch/browse/tag/ges… Run app.any.run/tasks/3fa451b1… C2s: skrechelres[.]com jerryposter[.]com jkbarmossen[.]com evinakortu[.]com hofsaalos[.]com 1/2
JAMESWT_WT's tweet image. #IcedID (#Bokbot) >#KeyholeVNC => #CobaltStrike Spam Email Campaign Urls urlhaus.abuse.ch/browse/tag/pw-… Samples bazaar.abuse.ch/browse/tag/ges… Run app.any.run/tasks/3fa451b1… C2s: skrechelres[.]com jerryposter[.]com jkbarmossen[.]com evinakortu[.]com hofsaalos[.]com 1/2
JAMESWT_WT's tweet image. #IcedID (#Bokbot) >#KeyholeVNC => #CobaltStrike Spam Email Campaign Urls urlhaus.abuse.ch/browse/tag/pw-… Samples bazaar.abuse.ch/browse/tag/ges… Run app.any.run/tasks/3fa451b1… C2s: skrechelres[.]com jerryposter[.]com jkbarmossen[.]com evinakortu[.]com hofsaalos[.]com 1/2
1
18
47
7
9K
cpardue09's profile picture. Look mom, I automated my twitter again!
Chris Pardue
 @cpardue09
Apr 15, 2023

#ln -s :malware_traffic: 2023-04-14 (Friday) - Quick post: #IcedID (#Bokbot) activity - one email, 28 PDF files, 8 password-protected zips, 8 extracted EXE s for IcedID, & #pcap from an infection. This actor abusing Google's firebasestorage again to host…

0
0
0
0
150
Max_Mal_'s profile picture. Threat Researcher, Blue Team, DFIR, Malware Analysis, and Reverse Engineering. “⚔️What do we say to God of malware, Not today⚔️”
Max_Malyutin
 @Max_Mal_
Apr 24, 2023

#IcedID (#Bokbot) resource section #MalwareAnalysis 2 resources with high entropy❓ [+] resources contain string pattern NtAllocateVirtualMemory [create new pages RWX] > jmp with XOR (contains string pattern + resources) [+] StringP = XOR key [+] resource decoded to DLL loader

Max_Mal_'s tweet image. #IcedID (#Bokbot) resource section #MalwareAnalysis 2 resources with high entropy❓ [+] resources contain string pattern NtAllocateVirtualMemory [create new pages RWX] > jmp with XOR (contains string pattern + resources) [+] StringP = XOR key [+] resource decoded to DLL loader
Max_Mal_'s tweet image. #IcedID (#Bokbot) resource section #MalwareAnalysis 2 resources with high entropy❓ [+] resources contain string pattern NtAllocateVirtualMemory [create new pages RWX] > jmp with XOR (contains string pattern + resources) [+] StringP = XOR key [+] resource decoded to DLL loader
Max_Mal_'s tweet image. #IcedID (#Bokbot) resource section #MalwareAnalysis 2 resources with high entropy❓ [+] resources contain string pattern NtAllocateVirtualMemory [create new pages RWX] > jmp with XOR (contains string pattern + resources) [+] StringP = XOR key [+] resource decoded to DLL loader
Max_Mal_'s tweet image. #IcedID (#Bokbot) resource section #MalwareAnalysis 2 resources with high entropy❓ [+] resources contain string pattern NtAllocateVirtualMemory [create new pages RWX] > jmp with XOR (contains string pattern + resources) [+] StringP = XOR key [+] resource decoded to DLL loader
1
36
106
12
11K
cpardue09's profile picture. Look mom, I automated my twitter again!
Chris Pardue
 @cpardue09
Mar 24, 2023

#ln -s :malware_traffic: RT @Unit42_Intel: 2023-03-24 (Friday) - #IcedID (#Bokbot) infection generated #BackConnect traffic over 193.239.85[.]16:8080 led to #CobaltStrike on 31.220.50[.]207:80 using voiceinfosys[.]net

cpardue09's tweet image. #ln -s :malware_traffic: RT @Unit42_Intel: 2023-03-24 (Friday) - #IcedID (#Bokbot) infection generated #BackConnect traffic over 193.239.85[.]16:8080 led to #CobaltStrike on 31.220.50[.]207:80 using voiceinfosys[.]net
cpardue09's tweet image. #ln -s :malware_traffic: RT @Unit42_Intel: 2023-03-24 (Friday) - #IcedID (#Bokbot) infection generated #BackConnect traffic over 193.239.85[.]16:8080 led to #CobaltStrike on 31.220.50[.]207:80 using voiceinfosys[.]net
0
1
0
0
223
cpardue09's profile picture. Look mom, I automated my twitter again!
Chris Pardue
 @cpardue09
Feb 9, 2023

#ln -s :malware_traffic: RT @Unit42_Intel: 2023-02-08 (Wednesday) As follow-up to an #IcedID (#Bokbot) infection, we saw a #CobaltStrike stager hosted at hxxp://167.172.154[.]189/b360802.dll with follow-up Cobalt Strike C2 on 79.132.128[.]191:443 using d…

cpardue09's tweet image. #ln -s :malware_traffic: RT @Unit42_Intel: 2023-02-08 (Wednesday) As follow-up to an #IcedID (#Bokbot) infection, we saw a #CobaltStrike stager hosted at hxxp://167.172.154[.]189/b360802.dll with follow-up Cobalt Strike C2 on 79.132.128[.]191:443 using d…
cpardue09's tweet image. #ln -s :malware_traffic: RT @Unit42_Intel: 2023-02-08 (Wednesday) As follow-up to an #IcedID (#Bokbot) infection, we saw a #CobaltStrike stager hosted at hxxp://167.172.154[.]189/b360802.dll with follow-up Cobalt Strike C2 on 79.132.128[.]191:443 using d…
cpardue09's tweet image. #ln -s :malware_traffic: RT @Unit42_Intel: 2023-02-08 (Wednesday) As follow-up to an #IcedID (#Bokbot) infection, we saw a #CobaltStrike stager hosted at hxxp://167.172.154[.]189/b360802.dll with follow-up Cobalt Strike C2 on 79.132.128[.]191:443 using d…
0
0
0
1
149
cpardue09's profile picture. Look mom, I automated my twitter again!
Chris Pardue
 @cpardue09
Sep 30, 2023

#ln -s :malware_traffic: RT @Unit42_Intel: 2023-09-28 (Thursday) - #IcedID (#Bokbot) infection led to #BackConnect traffic and #KeyholeVNC on 172.86.75[.]88:443 and HTTPS traffic for #CobaltStrike on umomrmwa[.]com using 141.98.80[.]158:443. Details avai…

cpardue09's tweet image. #ln -s :malware_traffic: RT @Unit42_Intel: 2023-09-28 (Thursday) - #IcedID (#Bokbot) infection led to #BackConnect traffic and #KeyholeVNC on 172.86.75[.]88:443 and HTTPS traffic for #CobaltStrike on umomrmwa[.]com using 141.98.80[.]158:443. Details avai…
cpardue09's tweet image. #ln -s :malware_traffic: RT @Unit42_Intel: 2023-09-28 (Thursday) - #IcedID (#Bokbot) infection led to #BackConnect traffic and #KeyholeVNC on 172.86.75[.]88:443 and HTTPS traffic for #CobaltStrike on umomrmwa[.]com using 141.98.80[.]158:443. Details avai…
cpardue09's tweet image. #ln -s :malware_traffic: RT @Unit42_Intel: 2023-09-28 (Thursday) - #IcedID (#Bokbot) infection led to #BackConnect traffic and #KeyholeVNC on 172.86.75[.]88:443 and HTTPS traffic for #CobaltStrike on umomrmwa[.]com using 141.98.80[.]158:443. Details avai…
cpardue09's tweet image. #ln -s :malware_traffic: RT @Unit42_Intel: 2023-09-28 (Thursday) - #IcedID (#Bokbot) infection led to #BackConnect traffic and #KeyholeVNC on 172.86.75[.]88:443 and HTTPS traffic for #CobaltStrike on umomrmwa[.]com using 141.98.80[.]158:443. Details avai…
0
0
0
0
279
cpardue09's profile picture. Look mom, I automated my twitter again!
Chris Pardue
 @cpardue09
May 12, 2023

#ln -s :malware_traffic: RT @Unit42_Intel: 2023-05-10 (Wednesday): Standard variant #IcedID (#BokBot) infection led to #BackConnect activity on 139.59.33[.]128:443 with #KeyholeVNC. Also saw #CobaltStrike from this infection using HTTP traffic to thetech…

cpardue09's tweet image. #ln -s :malware_traffic: RT @Unit42_Intel: 2023-05-10 (Wednesday): Standard variant #IcedID (#BokBot) infection led to #BackConnect activity on 139.59.33[.]128:443 with #KeyholeVNC. Also saw #CobaltStrike from this infection using HTTP traffic to thetech…
cpardue09's tweet image. #ln -s :malware_traffic: RT @Unit42_Intel: 2023-05-10 (Wednesday): Standard variant #IcedID (#BokBot) infection led to #BackConnect activity on 139.59.33[.]128:443 with #KeyholeVNC. Also saw #CobaltStrike from this infection using HTTP traffic to thetech…
cpardue09's tweet image. #ln -s :malware_traffic: RT @Unit42_Intel: 2023-05-10 (Wednesday): Standard variant #IcedID (#BokBot) infection led to #BackConnect activity on 139.59.33[.]128:443 with #KeyholeVNC. Also saw #CobaltStrike from this infection using HTTP traffic to thetech…
cpardue09's tweet image. #ln -s :malware_traffic: RT @Unit42_Intel: 2023-05-10 (Wednesday): Standard variant #IcedID (#BokBot) infection led to #BackConnect activity on 139.59.33[.]128:443 with #KeyholeVNC. Also saw #CobaltStrike from this infection using HTTP traffic to thetech…
1
0
1
0
200
cpardue09's profile picture. Look mom, I automated my twitter again!
Chris Pardue
 @cpardue09
Sep 1, 2023

#ln -s :malware_traffic: @Unit42_Intel Email examples and malware samples for these two waves of #IcedID (#Bokbot) are now available at: 2023-08-29: malware-traffic-analysis.net/2023/08/29/ind… 2023-08-31: malware-traffic-analysis.net/2023/08/31/ind… I wasn't able to get a full infection ru…

0
0
0
0
159
cpardue09's profile picture. Look mom, I automated my twitter again!
Chris Pardue
 @cpardue09
Feb 13, 2023

#ln -s :malware_traffic: RT @Unit42_Intel: 2023-02-13 (Monday) - Fake Microsoft Teams page on microsofteamsus[.]top pushing #IcedID (#Bokbot). Page established on Thursday, 2023-02-09, likely set up for the same type of #malvertising seen recently using …

cpardue09's tweet image. #ln -s :malware_traffic: RT @Unit42_Intel: 2023-02-13 (Monday) - Fake Microsoft Teams page on microsofteamsus[.]top pushing #IcedID (#Bokbot). Page established on Thursday, 2023-02-09, likely set up for the same type of #malvertising seen recently using …
cpardue09's tweet image. #ln -s :malware_traffic: RT @Unit42_Intel: 2023-02-13 (Monday) - Fake Microsoft Teams page on microsofteamsus[.]top pushing #IcedID (#Bokbot). Page established on Thursday, 2023-02-09, likely set up for the same type of #malvertising seen recently using …
cpardue09's tweet image. #ln -s :malware_traffic: RT @Unit42_Intel: 2023-02-13 (Monday) - Fake Microsoft Teams page on microsofteamsus[.]top pushing #IcedID (#Bokbot). Page established on Thursday, 2023-02-09, likely set up for the same type of #malvertising seen recently using …
cpardue09's tweet image. #ln -s :malware_traffic: RT @Unit42_Intel: 2023-02-13 (Monday) - Fake Microsoft Teams page on microsofteamsus[.]top pushing #IcedID (#Bokbot). Page established on Thursday, 2023-02-09, likely set up for the same type of #malvertising seen recently using …
0
0
1
0
169
cpardue09's profile picture. Look mom, I automated my twitter again!
Chris Pardue
 @cpardue09
Apr 11, 2023

#ln -s :malware_traffic: RT @Unit42_Intel: 2023-04-11 (Tuesday) - #IcedID (#BokBot) update: #BackConnect traffic from IcedID infection seen on 45.61.137[.]159:443. Prior to this, IcedID BackConnect traffic used TCP port 8080, but today's BackConnect was …

cpardue09's tweet image. #ln -s :malware_traffic: RT @Unit42_Intel: 2023-04-11 (Tuesday) - #IcedID (#BokBot) update: #BackConnect traffic from IcedID infection seen on 45.61.137[.]159:443. Prior to this, IcedID BackConnect traffic used TCP port 8080, but today's BackConnect was …
cpardue09's tweet image. #ln -s :malware_traffic: RT @Unit42_Intel: 2023-04-11 (Tuesday) - #IcedID (#BokBot) update: #BackConnect traffic from IcedID infection seen on 45.61.137[.]159:443. Prior to this, IcedID BackConnect traffic used TCP port 8080, but today's BackConnect was …
cpardue09's tweet image. #ln -s :malware_traffic: RT @Unit42_Intel: 2023-04-11 (Tuesday) - #IcedID (#BokBot) update: #BackConnect traffic from IcedID infection seen on 45.61.137[.]159:443. Prior to this, IcedID BackConnect traffic used TCP port 8080, but today's BackConnect was …
cpardue09's tweet image. #ln -s :malware_traffic: RT @Unit42_Intel: 2023-04-11 (Tuesday) - #IcedID (#BokBot) update: #BackConnect traffic from IcedID infection seen on 45.61.137[.]159:443. Prior to this, IcedID BackConnect traffic used TCP port 8080, but today's BackConnect was …
0
0
0
0
92
cpardue09's profile picture. Look mom, I automated my twitter again!
Chris Pardue
 @cpardue09
Apr 12, 2023

#ln -s :malware_traffic: RT @sans_isc: ISC Diary: @malware_traffic reviews recent #IcedID (#Bokbot) activity from this week i5c.us/d29740

cpardue09's tweet image. #ln -s :malware_traffic: RT @sans_isc: ISC Diary: @malware_traffic reviews recent #IcedID (#Bokbot) activity from this week i5c.us/d29740
0
0
0
0
128
TEAL_Technology's profile picture. Your trust in us as Trusted Advisor for Infrastructure Security has a color and a name TEAL
TEAL
 @TEAL_Technology
Jan 12, 2023

Mission: Set ice❄️on fire🔥! #IcedID, auch bekannt als #BokBot, tauchte erstmals Ende 2017 auf. Ursprünglich war er als Banking-Trojaner konzipiert. Zuletzt wurde er jedoch häufiger als Dropper für andere Malware-Familien und als Werkzeug für Initial-Access-Broker eingesetzt.

TEAL_Technology's tweet image. Mission: Set ice❄️on fire🔥! #IcedID, auch bekannt als #BokBot, tauchte erstmals Ende 2017 auf. Ursprünglich war er als Banking-Trojaner konzipiert. Zuletzt wurde er jedoch häufiger als Dropper für andere Malware-Familien und als Werkzeug für Initial-Access-Broker eingesetzt.
0
0
2
0
83
cpardue09's profile picture. Look mom, I automated my twitter again!
Chris Pardue
 @cpardue09
Nov 1, 2023

#ln -s :malware_traffic: RT @Unit42_Intel: 2023-10-31 (Tuesday) - #IcedID (#Bokbot) infection from an MSI file. Along with the regular HTTPS C2 traffic, we saw IcedID BackConnect activity on 159.89.124[.]188:443. List of indicators available at …

cpardue09's tweet image. #ln -s :malware_traffic: RT @Unit42_Intel: 2023-10-31 (Tuesday) - #IcedID (#Bokbot) infection from an MSI file. Along with the regular HTTPS C2 traffic, we saw IcedID BackConnect activity on 159.89.124[.]188:443. List of indicators available at …
cpardue09's tweet image. #ln -s :malware_traffic: RT @Unit42_Intel: 2023-10-31 (Tuesday) - #IcedID (#Bokbot) infection from an MSI file. Along with the regular HTTPS C2 traffic, we saw IcedID BackConnect activity on 159.89.124[.]188:443. List of indicators available at …
cpardue09's tweet image. #ln -s :malware_traffic: RT @Unit42_Intel: 2023-10-31 (Tuesday) - #IcedID (#Bokbot) infection from an MSI file. Along with the regular HTTPS C2 traffic, we saw IcedID BackConnect activity on 159.89.124[.]188:443. List of indicators available at …
cpardue09's tweet image. #ln -s :malware_traffic: RT @Unit42_Intel: 2023-10-31 (Tuesday) - #IcedID (#Bokbot) infection from an MSI file. Along with the regular HTTPS C2 traffic, we saw IcedID BackConnect activity on 159.89.124[.]188:443. List of indicators available at …
0
1
0
0
106
Max_Mal_'s profile picture. Threat Researcher, Blue Team, DFIR, Malware Analysis, and Reverse Engineering. “⚔️What do we say to God of malware, Not today⚔️”
Max_Malyutin
 @Max_Mal_
Jan 9, 2023

#IcedID (#BokBot) & #Qakbot Copy-Cat 😸 #DFIR Similar TTPs & Exec flow: PDF Luring > ZIP (Pass-Protected) > ISO > LNK > CMD > Rundll32 [+] MOTW: ISO Image (T1204) [+] Malicious File: LNK (T1204.002) [+] Rundll32 (T1218.011) IcedID - Export func init Qakbot - Export func Updt

Max_Mal_'s tweet image. #IcedID (#BokBot) & #Qakbot Copy-Cat 😸 #DFIR Similar TTPs & Exec flow: PDF Luring > ZIP (Pass-Protected) > ISO > LNK > CMD > Rundll32 [+] MOTW: ISO Image (T1204) [+] Malicious File: LNK (T1204.002) [+] Rundll32 (T1218.011) IcedID - Export func init Qakbot - Export func Updt
k3dg3's profile picture. Friendly NEIGHborhood Threat Researcher | Reverse Engineer
Kelsey
 @k3dg3
Jan 9, 2023

#IcedID "3131022508" dropped via PDFs with payloads hosted on firebasestorage\.googleapis\.com.* Thread-hijacked email -> PDF Attachment -> payload download -> Password-Protected Zip -> ISO -> LNK -> CMD -> DLL c2: wagringamuk\.com bazaar.abuse.ch/sample/173e5b0…

k3dg3's tweet image. #IcedID "3131022508" dropped via PDFs with payloads hosted on firebasestorage\.googleapis\.com.* Thread-hijacked email -> PDF Attachment -> payload download -> Password-Protected Zip -> ISO -> LNK -> CMD -> DLL c2: wagringamuk\.com bazaar.abuse.ch/sample/173e5b0…
1
26
77
12
37K
1
32
81
10
17K
Unit42_Intel's profile picture. The latest research and news from Unit 42, the Palo Alto Networks (@paloaltontwks) Threat Intelligence and Security Consulting Team covering incident response.
Unit 42
 @Unit42_Intel
Feb 27, 2023

2023-02-24 (Friday): #IcedID (#Bokbot) --> #BackConnect on 135.148.217[.]85:8080 --> #CobaltStrike on 23.227.203[.]70:80/aspnetcenter[.]com - IoCs available at bit.ly/3J7r51f - Thanks to @drb_ra, @teamcymru_S2 & @pr0xylife for previous tweets related to this activity!

Unit42_Intel's tweet image. 2023-02-24 (Friday): #IcedID (#Bokbot) --> #BackConnect on 135.148.217[.]85:8080 --> #CobaltStrike on 23.227.203[.]70:80/aspnetcenter[.]com - IoCs available at bit.ly/3J7r51f - Thanks to @drb_ra, @teamcymru_S2 & @pr0xylife for previous tweets related to this activity!
Unit42_Intel's tweet image. 2023-02-24 (Friday): #IcedID (#Bokbot) --> #BackConnect on 135.148.217[.]85:8080 --> #CobaltStrike on 23.227.203[.]70:80/aspnetcenter[.]com - IoCs available at bit.ly/3J7r51f - Thanks to @drb_ra, @teamcymru_S2 & @pr0xylife for previous tweets related to this activity!
Unit42_Intel's tweet image. 2023-02-24 (Friday): #IcedID (#Bokbot) --> #BackConnect on 135.148.217[.]85:8080 --> #CobaltStrike on 23.227.203[.]70:80/aspnetcenter[.]com - IoCs available at bit.ly/3J7r51f - Thanks to @drb_ra, @teamcymru_S2 & @pr0xylife for previous tweets related to this activity!
Unit42_Intel's tweet image. 2023-02-24 (Friday): #IcedID (#Bokbot) --> #BackConnect on 135.148.217[.]85:8080 --> #CobaltStrike on 23.227.203[.]70:80/aspnetcenter[.]com - IoCs available at bit.ly/3J7r51f - Thanks to @drb_ra, @teamcymru_S2 & @pr0xylife for previous tweets related to this activity!
2
27
81
7
12K
Unit42_Intel's profile picture. The latest research and news from Unit 42, the Palo Alto Networks (@paloaltontwks) Threat Intelligence and Security Consulting Team covering incident response.
Unit 42
 @Unit42_Intel
Sep 1, 2023

2023-08-29 (Tues) & 08-31 (Thu) we saw #threadhijacked emails pushing #IcedID (#Bokbot). - Some IOCs from the 08-29 wave are available at bit.ly/3PoCXPy - Some IOCs from the 08-31 wave are available at bit.ly/3P3ybFo #cybercrime #TimelyThreatIntelligence

Unit42_Intel's tweet image. 2023-08-29 (Tues) & 08-31 (Thu) we saw #threadhijacked emails pushing #IcedID (#Bokbot). - Some IOCs from the 08-29 wave are available at bit.ly/3PoCXPy - Some IOCs from the 08-31 wave are available at bit.ly/3P3ybFo #cybercrime #TimelyThreatIntelligence
Unit42_Intel's tweet image. 2023-08-29 (Tues) & 08-31 (Thu) we saw #threadhijacked emails pushing #IcedID (#Bokbot). - Some IOCs from the 08-29 wave are available at bit.ly/3PoCXPy - Some IOCs from the 08-31 wave are available at bit.ly/3P3ybFo #cybercrime #TimelyThreatIntelligence
Unit42_Intel's tweet image. 2023-08-29 (Tues) & 08-31 (Thu) we saw #threadhijacked emails pushing #IcedID (#Bokbot). - Some IOCs from the 08-29 wave are available at bit.ly/3PoCXPy - Some IOCs from the 08-31 wave are available at bit.ly/3P3ybFo #cybercrime #TimelyThreatIntelligence
Unit42_Intel's tweet image. 2023-08-29 (Tues) & 08-31 (Thu) we saw #threadhijacked emails pushing #IcedID (#Bokbot). - Some IOCs from the 08-29 wave are available at bit.ly/3PoCXPy - Some IOCs from the 08-31 wave are available at bit.ly/3P3ybFo #cybercrime #TimelyThreatIntelligence
0
22
48
7
9K
cpardue09's profile picture. Look mom, I automated my twitter again!
Chris Pardue
 @cpardue09
Jan 19, 2023

#ln -s :malware_traffic: 2023-01-16 (Monday): An #IcedID (#Bokbot) infection I did thanks to @pr0xylife sharing a PDF on Malware Bazaar. This one has #BackConnect traffic with #VNC activity, and there's #CobaltStrike too! The #pcap was too good -not- to …

0
0
0
0
143
Max_Mal_'s profile picture. Threat Researcher, Blue Team, DFIR, Malware Analysis, and Reverse Engineering. “⚔️What do we say to God of malware, Not today⚔️”
Max_Malyutin
 @Max_Mal_
Jan 25, 2023

#IcedID 🧊🆔 (#BokBot) DLL Export Func Typo TA mixed DLL export func exec with ordinal number & export name 2 methods of DLL exec, Rundll32: [+] %TEMP%\outgoing.dat,init [+] \kenago.dat,init [+] startles\\racially.tmp,init [+] %TEMP%\fundraising.dat,#1 [+] 5486\integer.dat,#1

Max_Mal_'s tweet image. #IcedID 🧊🆔 (#BokBot) DLL Export Func Typo TA mixed DLL export func exec with ordinal number & export name 2 methods of DLL exec, Rundll32: [+] %TEMP%\outgoing.dat,init [+] \kenago.dat,init [+] startles\\racially.tmp,init [+] %TEMP%\fundraising.dat,#1 [+] 5486\integer.dat,#1
Max_Mal_'s tweet image. #IcedID 🧊🆔 (#BokBot) DLL Export Func Typo TA mixed DLL export func exec with ordinal number & export name 2 methods of DLL exec, Rundll32: [+] %TEMP%\outgoing.dat,init [+] \kenago.dat,init [+] startles\\racially.tmp,init [+] %TEMP%\fundraising.dat,#1 [+] 5486\integer.dat,#1
Max_Mal_'s tweet image. #IcedID 🧊🆔 (#BokBot) DLL Export Func Typo TA mixed DLL export func exec with ordinal number & export name 2 methods of DLL exec, Rundll32: [+] %TEMP%\outgoing.dat,init [+] \kenago.dat,init [+] startles\\racially.tmp,init [+] %TEMP%\fundraising.dat,#1 [+] 5486\integer.dat,#1
Max_Mal_'s tweet image. #IcedID 🧊🆔 (#BokBot) DLL Export Func Typo TA mixed DLL export func exec with ordinal number & export name 2 methods of DLL exec, Rundll32: [+] %TEMP%\outgoing.dat,init [+] \kenago.dat,init [+] startles\\racially.tmp,init [+] %TEMP%\fundraising.dat,#1 [+] 5486\integer.dat,#1
pr0xylife's profile picture. DFIR | Malware Hunter | @Cryptolaemus1
proxylife
 @pr0xylife
Jan 24, 2023

#IcedID - .pdf > .url > .zip > .iso > .lnk > .cmd > .dll Remove the # to get infected, some finger trouble today. cmd /c LUGGAGES.lnk cmd.exe /c BURGOYNE.CMD rundll32 PITCHPOT.DAT,#init c2' http://plitspiritnox.]com/ bazaar.abuse.ch/sample/2624668… IOC's github.com/pr0xylife/Iced…

pr0xylife's tweet image. #IcedID - .pdf > .url > .zip > .iso > .lnk > .cmd > .dll Remove the # to get infected, some finger trouble today. cmd /c LUGGAGES.lnk cmd.exe /c BURGOYNE.CMD rundll32 PITCHPOT.DAT,#init c2' http://plitspiritnox.]com/ bazaar.abuse.ch/sample/2624668… IOC's github.com/pr0xylife/Iced…
2
22
60
9
35K
0
19
55
5
11K
executemalware's profile picture. #malware hunter & analyst. Opinions are my own.
ExecuteMalware
 @executemalware
Feb 16, 2023

Here are some #icedid #bokbot IOCs from an email that was received today. github.com/executemalware…

executemalware's tweet image. Here are some #icedid #bokbot IOCs from an email that was received today. github.com/executemalware…
0
8
36
2
6K
cpardue09's profile picture. Look mom, I automated my twitter again!
Chris Pardue
 @cpardue09
Feb 27, 2023

#ln -s :malware_traffic: RT @Unit42_Intel: 2023-02-24 (Friday): #IcedID (#Bokbot) --> #BackConnect on 135.148.217[.]85:8080 --> #CobaltStrike on 23.227.203[.]70:80/aspnetcenter[.]com - IoCs available at bit.ly/3J7r51f - Thanks to @drb_ra, @team

cpardue09's tweet image. #ln -s :malware_traffic: RT @Unit42_Intel: 2023-02-24 (Friday): #IcedID (#Bokbot) --> #BackConnect on 135.148.217[.]85:8080 --> #CobaltStrike on 23.227.203[.]70:80/aspnetcenter[.]com - IoCs available at bit.ly/3J7r51f - Thanks to @drb_ra, @team…
cpardue09's tweet image. #ln -s :malware_traffic: RT @Unit42_Intel: 2023-02-24 (Friday): #IcedID (#Bokbot) --> #BackConnect on 135.148.217[.]85:8080 --> #CobaltStrike on 23.227.203[.]70:80/aspnetcenter[.]com - IoCs available at bit.ly/3J7r51f - Thanks to @drb_ra, @team…
cpardue09's tweet image. #ln -s :malware_traffic: RT @Unit42_Intel: 2023-02-24 (Friday): #IcedID (#Bokbot) --> #BackConnect on 135.148.217[.]85:8080 --> #CobaltStrike on 23.227.203[.]70:80/aspnetcenter[.]com - IoCs available at bit.ly/3J7r51f - Thanks to @drb_ra, @team…
cpardue09's tweet image. #ln -s :malware_traffic: RT @Unit42_Intel: 2023-02-24 (Friday): #IcedID (#Bokbot) --> #BackConnect on 135.148.217[.]85:8080 --> #CobaltStrike on 23.227.203[.]70:80/aspnetcenter[.]com - IoCs available at bit.ly/3J7r51f - Thanks to @drb_ra, @team…
0
0
0
0
330

Something went wrong.


Something went wrong.


United States Trends