IcedID: 07.07.21

Ransomware attack news collage

Email-borne pathogens frequently commence with the inclusion of a malicious document. This long-running trend continues to pose a serious threat to the security of organizations and users. Criminals are constantly improving their methods and looking for new ways to compromise victims. Payload trends change over time, with Ransomware being one that is capturing many headlines.

However, the initial intrusion point remains mostly unchanged… Phishing attacks targeting users. In this article, we’ll take a look at the timeline behind an IcedID mailing campaign.

IcedID is a malicious program that steals the bank details of victims in order to steal money. It was first described in 2017 by a team from IBM. Criminals are constantly improving their arsenal and techniques for infecting companies. The program has the ability to deploy its own server with its own certificate using also a browser patch in order to collect all connections, including banking carrying out an attack man-in-the-browser (MITB). This is very well described in this article from IBGroup. IcedID: When ice burns through bank accounts

This short article will describe the new method of infecting users as well as some indicators provided.

File TypeMicrosoft Windows Document
SHA256 at InQuest Labs b17fa8ad0f315c1c6e28bafc5a97969728402510e2d7dc31a7960bd48de3fcb6 
    Image 1: A lure that is abused by many companies.

Interestingly, attackers often choose rather primitive and simple image lures. We have a whole collection of such lures, you can see them here in InQuest’s Malware Lures Gallery 

But we see that the sample in question looks elegant and is abused by many companies, including pharmaceutical companies.

Image 2: VirusTotal report shows very low detection, 2 of 61 vendors.

Image 3: Garbage strings 

The program contains many superfluous strings. The URL to which the library will be loaded can be found in clear text in the document.

The document pivots to the next stage binary payload through the loading of a DLL from the following recently registered domain name (2021-07-05, 15 days ago as of this writing).

hxxps://docusignsecpro[.]com/data/int64/sup/ crv[.]dll

This domain name choice is a clever move by the threat actors, a very believable variant of that resolves to an Amazon IP address (75.2.115[.]196), one that is home to thousands of other domains.

File TypePE x64 DLL
SHA256  33cc3816f98fa22354559711326a5ce1352d819c180be4328a72618d20a78632 
Image 4: Information about the certificate on VT.

The Virustotal service marks this library as one with a valid signature. Most likely the signing certificate is involved with a malicious signer, as the quantity of related, signed malware is quite high. 

   Image 6: Detection Graph in VirusTotal.

If we start analyzing the library that is being loaded, we will see that it has a large block of packed data, this is immediately noticeable based on the entropy of the data. An experienced analyst will recognize this directly from viewing the hex bytes, it’s visually apparent in the following hex dump.

Image 6: Unpacked Data in Dll.

Image 7: Pseudocode decryption function.

The payload of this library was encrypted with its own algorithm.

  Image 8: Unpacked DLL IcedID 

Here is a custom decryptor to unpack the payload.

def Searchciphertext (dump):
  for i in range (len(dump)):
    comsize = len(dump)
    symb = dump[i]
    if symb == 0x37:
      symb = dump[i+1]
      if symb == 0x63:
        symb = dump[i+2]
        if symb == 0x36:
          symb = dump[i+3]
          if symb == 0x69:
            offset = i
            print("Success ciphertext ICEDID 07.2021 was found")
  i = offset
  while i< 100000:
    if dump[i] == 0:
      symb = dump[i+1]
      if symb == 0:
        symb = dump[i+2]
        if symb == 0:
          symb = dump[i+3]
          if symb == 0:
            size = i
    i += 1
  return offset, size
def decrypt(offset, size, dump, result):
  cont = 0x5C
  r = 0
  i = 0
  loop = size - offset - 1
  while i < loop:
    n1 = dump[i] - 0x36
    n2 = dump[i+1] - 0x62
    n1 = n1 << 4
    n3 = n1 | n2
    n3 = cont ^ n3
    cont = cont + 1
    if cont == 0x100:
        cont = 0
    result[r] += n3
    r += 1
    i += 2
  print("Decryption was successful")
if __name__ == '__main__':
  file = open("malware.dll_","rb")
  dump = bytearray(
  offset,size = Searchciphertext(dump)
  dump =,0)
  dump = bytearray(
  result = bytearray(15000)
  opendata = decrypt(offset, size, dump, result)
  new = open("unpack.dll_","wb")

The executable library decrypts another library from its data. 

File TypePE x64 DLL
Sha 256  c4a1485fdd8b3c79a2a76d79a07f8f288b21f640073e9909ff0d1787e44d18a7 

First, the library will check the system’s internet connection. Calling the address ““. 

Image 9: Test connection.

Depending on the received response from the server, the program falls asleep and tries to connect again. This is done for the purpose of anti-analysis. Since the sample needs the system to be connected to the network. If there is no connection to the network, then it does not perform its malicious functions.

If there is a connection, the program decrypts the URL address and connects to it.

The program collects information about the system and generates a unique identification number for each bot and each system.

The program uses the SID as a unique attribute. A SID is a number used to identify user, group, and computer accounts in Windows,  created when accounts are first made in Windows; no two SIDs on a computer are ever the same

The program also receives information about the network adapter of the system. The bot sends all this information to a remote server.

Image 10: Server connection.


registered 6/24 (27 days ago as of the time of writing), updated on 7/8. Not resolving to an IP address at the moment.

Image 11: Connection address.
Image 12: Connection types.

Having transferred all data to the remote server, the bot continues to wait for a connection. The bot has the ability to both transfer and receive data. This can be seen in the picture above.

In response to a remote connection, the server sends an encrypted shellcode, which is decrypted and launched.

After the supposed death of Emotet, there is no doubt that the IcedID will quickly lineup as its successor. The attackers behind this campaign have gone to great lengths to develop and deploy tools to steal bank data.


IOC TypeIOCDescription
SHA256c4a1485fdd8b3c79a2a76d79a07f8f288b21f640073e9909ff0d1787e44d18a7 Unpacked DLL
Payloadhxxps://docusignsecpro[.]com/data/int64/sup/crv[.]dll 2nd Stage Payload
C2 Domain

Free On-Demand Webinar: Think Before You Click

Whether sent as an email attachment, sitting in your cloud or traversing the Web, file-borne threats have become a proven favorite for delivering malware and phishing campaigns. View our webinar on-demand and get firsthand tips about how to safeguard your cybersecurity stack with File Detection and Response (FDR) and stop file-borne threats in their tracks.

View the Webinar On-Demand