[Virus Sample] 2020-05-01 ICEDID (BOKBOT)

YorkWaugh
Posted 2020-5-3 21:18:33
Download link: https://ww.lanzous.com/ic853le  Haven't been around lately; if this is a repost, don't beat me up.

NOTES:
  • I assume these password-protected zip archives containing German language Word docs are coming in as attachments from malspam to German recipients.
IMAGES (not reproduced here):
  • Screenshot of the XLS spreadsheet.
  • XLS macro retrieves Loader EXE.
  • Loader EXE retrieves initial IcedID EXE.
  • Pcap from an infection filtered in Wireshark.


dreams521
Posted 2020-5-3 21:21:28
Kaspersky
  03.05.2020 21.20.48;Detected object (file) deleted;C:\Users\Administrator\Desktop\2020-05-01-XLS-to-Loader-to-IcedID-malware-and-artifacts\Foxems.exe;C:\Users\Administrator\Desktop\2020-05-01-XLS-to-Loader-to-IcedID-malware-and-artifacts\Foxems.exe;Trojan-Banker.Win32.Cridex.mgx;Trojan;05/03/2020 21:20:48
  03.05.2020 21.20.48;Detected object (file) deleted;C:\Users\Administrator\Desktop\2020-05-01-XLS-to-Loader-to-IcedID-malware-and-artifacts\GCqLBrG.exe;C:\Users\Administrator\Desktop\2020-05-01-XLS-to-Loader-to-IcedID-malware-and-artifacts\GCqLBrG.exe;Trojan.Win32.Ligooc.z;Trojan;05/03/2020 21:20:48
  03.05.2020 21.20.46;Detected object (file) deleted;C:\Users\Administrator\Desktop\2020-05-01-XLS-to-Loader-to-IcedID-malware-and-artifacts\~521792.exe;C:\Users\Administrator\Desktop\2020-05-01-XLS-to-Loader-to-IcedID-malware-and-artifacts\~521792.exe;Trojan-Banker.Win32.Cridex.mgv;Trojan;05/03/2020 21:20:46
救命稻草
Posted 2020-5-3 21:23:52
PC Manager (Tencent)
  2020-5-3 21:22:37 MD5:87c5c3ddcab7e03dad0384c170a94755 G:\Download\2020-05-01-XLS-to-Loader-to-IcedID-malware-and-artifacts\GCqLBrG.exe [Win32.Trojan.Ligooc.Ecuf]  [Unhandled]
  2020-5-3 21:22:37 MD5:049a7732ad88c6353ad4dde9808d6066 G:\Download\2020-05-01-XLS-to-Loader-to-IcedID-malware-and-artifacts\Foxems.exe [Win32.Trojan-banker.Cridex.Eyk]  [Unhandled]
  2020-5-3 21:22:37 MD5:7209f2d5270cf295d923d72c72379e67 G:\Download\2020-05-01-XLS-to-Loader-to-IcedID-malware-and-artifacts\1May__1.xls [Win32.Trojan-downloader.Agent.Adkj]  [Unhandled]
  2020-5-3 21:22:37 MD5:d14b5b9d35caf69ba8eaae98dc4e8629 G:\Download\2020-05-01-XLS-to-Loader-to-IcedID-malware-and-artifacts\~521792.exe [Win32.Trojan-banker.Cridex.Wofr]  [Unhandled]


wangyuhe
Posted 2020-5-3 21:43:28
AsiaInfo
[image attachment]
小Q机器人
Posted 2020-5-3 21:54:18
WiseVector 2.61 kills 4
[image attachment]
wuming_bpnes
Posted 2020-5-3 22:12:15
Dr.Web kill
Virus database: 05/03 7:16 PM
[image attachment]
Nocria
Posted 2020-5-3 22:36:15
IKARUS

  [03.05.2020 22:35:48] On-demand scan started: "user_defined"
  [03.05.2020 22:35:48] Found, 0.15s, SigName: "Trojan.Office.Doc", SigId: 3787365, Type: "VIRUS", File: "C:\Users\promi\Desktop\2020-05-01-XLS-to-Loader-to-IcedID-malware-and-artifacts\1May__1.xls"
  [03.05.2020 22:35:48] Found, 0.63s, SigName: "Trojan.SuspectCRC", SigId: 299855261, Type: "VIRUS", File: "C:\Users\promi\Desktop\2020-05-01-XLS-to-Loader-to-IcedID-malware-and-artifacts\Foxems.exe"
  [03.05.2020 22:35:48] Found, 0.63s, SigName: "Trojan.Win32.Krypt", SigId: 299845247, Type: "VIRUS", File: "C:\Users\promi\Desktop\2020-05-01-XLS-to-Loader-to-IcedID-malware-and-artifacts\GCqLBrG.exe"
  [03.05.2020 22:35:48] Found, 0.47s, SigName: "Trojan.Win32.Krypt", SigId: 299855264, Type: "VIRUS", File: "C:\Users\promi\Desktop\2020-05-01-XLS-to-Loader-to-IcedID-malware-and-artifacts\~521792.exe"
  [03.05.2020 22:35:48] On-demand scan FINISHED: "user_defined"
  [03.05.2020 22:35:48] ----------------------------------------------------
  [03.05.2020 22:35:48] Directories scanned: 1
  [03.05.2020 22:35:48] Files scanned: 11
  [03.05.2020 22:35:48] Virus found: 4
  [03.05.2020 22:35:48] ----------------------------------------------------
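Added example (not code from the thread, and not from the malware-traffic-analysis.net write-up the notes are quoted from): a small Python script that merges the three text logs posted above (Kaspersky, Tencent PC Manager, IKARUS) into one per-file detection matrix, so you can see which engine flagged which artifact under what name, which engine has no entry for a file, and which MD5 each file name maps to. The log lines are copied from the posts with the field labels translated; the long sample directory is shortened to `samples` only for line width. It assumes exactly the export formats shown in the posts (a `;`-separated Kaspersky report, PC Manager `MD5:<hex> <path> [<name>]` lines, IKARUS `Found, ... SigName: "..." ... File: "..."` lines); the engine labels and helper names are this example's own.

```python
"""Cross-engine detection matrix for the IcedID sample set in this thread."""
import ntpath
import re
from collections import defaultdict

ENGINES = ("Kaspersky", "Tencent", "IKARUS")

# Constructed input: the detection lines posted above, labels translated,
# sample directory shortened to "samples". Raw strings keep the backslashes.
KASPERSKY_LOG = r"""
03.05.2020 21.20.48;Detected object (file) deleted;C:\samples\Foxems.exe;C:\samples\Foxems.exe;Trojan-Banker.Win32.Cridex.mgx;Trojan;05/03/2020 21:20:48
03.05.2020 21.20.48;Detected object (file) deleted;C:\samples\GCqLBrG.exe;C:\samples\GCqLBrG.exe;Trojan.Win32.Ligooc.z;Trojan;05/03/2020 21:20:48
03.05.2020 21.20.46;Detected object (file) deleted;C:\samples\~521792.exe;C:\samples\~521792.exe;Trojan-Banker.Win32.Cridex.mgv;Trojan;05/03/2020 21:20:46
"""

TENCENT_LOG = r"""
2020-5-3 21:22:37 MD5:87c5c3ddcab7e03dad0384c170a94755 G:\Download\samples\GCqLBrG.exe [Win32.Trojan.Ligooc.Ecuf]  [Unhandled]
2020-5-3 21:22:37 MD5:049a7732ad88c6353ad4dde9808d6066 G:\Download\samples\Foxems.exe [Win32.Trojan-banker.Cridex.Eyk]  [Unhandled]
2020-5-3 21:22:37 MD5:7209f2d5270cf295d923d72c72379e67 G:\Download\samples\1May__1.xls [Win32.Trojan-downloader.Agent.Adkj]  [Unhandled]
2020-5-3 21:22:37 MD5:d14b5b9d35caf69ba8eaae98dc4e8629 G:\Download\samples\~521792.exe [Win32.Trojan-banker.Cridex.Wofr]  [Unhandled]
"""

IKARUS_LOG = r"""
[03.05.2020 22:35:48] On-demand scan started: "user_defined"
[03.05.2020 22:35:48] Found, 0.15s, SigName: "Trojan.Office.Doc", SigId: 3787365, Type: "VIRUS", File: "C:\Users\promi\Desktop\samples\1May__1.xls"
[03.05.2020 22:35:48] Found, 0.63s, SigName: "Trojan.SuspectCRC", SigId: 299855261, Type: "VIRUS", File: "C:\Users\promi\Desktop\samples\Foxems.exe"
[03.05.2020 22:35:48] Found, 0.63s, SigName: "Trojan.Win32.Krypt", SigId: 299845247, Type: "VIRUS", File: "C:\Users\promi\Desktop\samples\GCqLBrG.exe"
[03.05.2020 22:35:48] Found, 0.47s, SigName: "Trojan.Win32.Krypt", SigId: 299855264, Type: "VIRUS", File: "C:\Users\promi\Desktop\samples\~521792.exe"
[03.05.2020 22:35:48] Virus found: 4
"""

TENCENT_RE = re.compile(r"MD5:([0-9a-fA-F]{32})\s+(.+?)\s+\[([^\]]+)\]")
IKARUS_RE = re.compile(r'Found,.*?SigName: "([^"]+)".*?File: "([^"]+)"')


def parse_kaspersky(text):
    """Kaspersky report export: ';'-separated; path is field 3, detection name field 5."""
    hits = []
    for line in text.strip().splitlines():
        fields = line.split(";")
        if len(fields) < 6:
            continue  # summary or malformed line
        hits.append(("Kaspersky", ntpath.basename(fields[2]), fields[4], None))
    return hits


def parse_tencent(text):
    """PC Manager lines carry the MD5, the path, then the detection name in brackets."""
    return [("Tencent", ntpath.basename(path), name, md5.lower())
            for md5, path, name in TENCENT_RE.findall(text)]


def parse_ikarus(text):
    """IKARUS on-demand log: only 'Found,' lines carry a signature and a file."""
    return [("IKARUS", ntpath.basename(path), name, None)
            for name, path in IKARUS_RE.findall(text)]


def all_hits():
    """(engine, file name, detection name, md5-or-None) for every posted detection."""
    return parse_kaspersky(KASPERSKY_LOG) + parse_tencent(TENCENT_LOG) + parse_ikarus(IKARUS_LOG)


def detection_matrix(hits):
    """Return (file -> {engine: name}, file -> md5) built from the parsed hits."""
    matrix, md5s = defaultdict(dict), {}
    for engine, filename, name, md5 in hits:
        matrix[filename][engine] = name
        if md5:
            md5s[filename] = md5
    return dict(matrix), md5s


def missed_by(matrix, engines=ENGINES):
    """Engines with no entry for each file: absence from the posted log, not a proven miss."""
    return {f: [e for e in engines if e not in seen] for f, seen in matrix.items()}


def render(matrix, md5s, engines=ENGINES):
    rows = [f"{'file':<14} {'md5':<32} " + " | ".join(engines)]
    for f in sorted(matrix):
        cells = [matrix[f].get(e, "-") for e in engines]
        rows.append(f"{f:<14} {md5s.get(f, '?'):<32} " + " | ".join(cells))
    return "\n".join(rows)


if __name__ == "__main__":
    matrix, md5s = detection_matrix(all_hits())
    print(render(matrix, md5s))
    for f, gaps in missed_by(matrix).items():
        if gaps:
            print(f"{f}: no entry from {', '.join(gaps)}")
```

Read the gap column against how each log was produced: the Kaspersky export lists only deleted objects, while the IKARUS summary says 11 files were scanned and 4 flagged, so a file absent from one log tells you only that the poster's export did not mention it. The MD5s come solely from the PC Manager log; they are the values to match against the files in the archive before trusting any of the names.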
Copyright © KaFan  KaFan.cn All Rights Reserved.