Hot Topics

IcedID

CapLoader 1.9.6

CapLoader 1.9.6 Released

| | 104.21.7.13:80, 104.223.118.109:443, 104.248.81.48:443, 151.236.9.107:443, 159.89.124.188:443, a85be79f7b569f1df5e6087b69deb493, aptekoagraliy, BackConnect XOR, CapLoader, GzipLoader, IcedID, JA3, JA4, joekairbos, lazirusairnaf, Loda, regex, Remcos, seedkraproboy, t13i010400_0f2cb44170f4_1b583af8cc09, t13i010400_0f2cb44170f4_5c4c70b73fa0, ThreatFox, win.loda
CapLoader now detects even more malicious protocols and includes several new features such as JA4 fingerprints, API support for sharing IOCs to ThreatFox and OSINT lookups of malware families on Malpedia. The ...
NETRESEC Network Security Blog
Cookie parameters from GzipLoader request in NetworkMiner 2.8.1

Forensic Timeline of an IcedID Infection

| | BackConnect, Cobalt Strike, CobaltStrike, ec74a5c51106f0419184d0dd08fb05bc, GzipLoader, IcedID, JA3S, Keyhole, Keylog, NetworkMiner, VNC, Windows Sandbox
The BackConnect and VNC parsers that were added to NetworkMiner 2.8.1 provide a unique possibility to trace the steps of an attacker with help of captured network traffic from a hacked computer ...
NETRESEC Network Security Blog
NetworkMiner 2.8.1

NetworkMiner 2.8.1 Released

| | 165.232.175.216, BackConnect, IcedID, NetworkMiner, njrat, RFB, RFC5626, RFC6143, VNC
I am happy to announce the release of NetworkMiner 2.8.1 today! This new release brings a VNC parser to NetworkMiner, so that screenshots, keystrokes and clipboard data can be extracted from unencrypted ...
NETRESEC Network Security Blog

How to Identify IcedID Network Traffic

| | a0e9f5d64349fb13191bc781f81f42e1, b523e3d33e7795de49268ce7744d7414aa37d1db, beacon, CapLoader, ec74a5c51106f0419184d0dd08fb05bc, GzipLoader, IcedID, Periodic connections, periodicity, video
Brad Duncan published IcedID (Bokbot) from fake Microsoft Teams page earlier this week. In this video I take a closer look at the PCAP file in that blog post. The video cannot ...
NETRESEC Network Security Blog
IdedID and Cobalt Strike

Analysing a malware PCAP with IcedID and Cobalt Strike traffic

| | 0314b8cd45b636f38d07032dc8ed463295710460ea7a4e214c1de7b0e817aab6, 104.236.115.181, 11965662e146d97d3fa3288e119aefb2, 1580103814, 172.67.188.12, 1768.py, 185.141.26.140, 1ab39f1c8fb3f2af47b877cafda4ee09374d7bd3, 213e9c8bf7f6d0113193f785cb407f0e8900ba75b9131475796445c11f3ff37c, 449c1967d1708d7056053bedb9e45781, 45.147.229.157, 452e969c51882628dac65e38aff0f8e5ebee6e6b, 485ba347cf898e34a7455e0fd36b0bcf8b03ffd8, 83.97.20.176, 8da75e1f974d1011c91ed3110a4ded38, 96a535122aba4240e2c6370d0c9a09d3, ameripermanentno.website, b63d7ad26df026f6cca07eae14bb10a0ddb77f41, banusdona.top, c2bdc885083696b877ab6f0e05a9d968fd7cc2bb, c7da494880130cdb52bd75dae1556a78f2298a8cc9a2e75ece8a57ca290880d3, CapLoader, Cobalt Strike, CobaltStrike, d45b3f9d93171c29a51f9c8011cd61aa44fcb474d59a0b68181bb690dbbf2ef5, Didier Stevens, e9b5e549363fa9fcb362b606b75d131dec6c020e, f98711dfeeab9c8b4975b2f9a88d8fea, IcedID, IceID, JA3, lesti.net, mazzappa.fun, momenturede.fun, Network Forensics, NetworkMiner, odichaly.space, pcap, SSLBL, training, vaccnavalcod.website, X.509
This network forensics walkthrough is based on two pcap files released by Brad Duncan on malware-traffic-analysis.net. The traffic was generated by executing a malicious JS file called StolenImages_Evidence.js in a sandbox environment ...
NETRESEC Network Security Blog
TrickBot: New Injects, New Host

TrickBot: New Injects, New Host

| | 53bank, Arsh Arora, Bank of America, banking trojan, chase, citi, IcedID, pnc, TrickBot, usaa, VirusTotal, web injects, wellsfargo
What’s in the Name: Call it IcedID or TrickBot? Tell that to a security researcher (Arsh Arora in this case) and watch them RANT(Gar-note: today's blog post is a guest blog from ...
CyberCrime & Doing Time
Mapping Out a Malware Distribution Network

Mapping Out a Malware Distribution Network

| | AZORult, Breaking News, distribution, Dridex, fareit, gandcrab, gootkit, Hermes, hosting, IcedID, kasidet, Malware, Necurs, neutrino, Nymaim, threats
More than a dozen US-based web servers were used to host 10 malware families, distributed through mass phishing campaigns. Malware families include Dridex, GandCrab, Neutrino, IcedID and others. Evidence suggests the existence ...
Bromium
Magecart web

IBM Warns Retailers of Trojan Threat

| | Cybersecurity, cyberthreat, IcedID, retail, trojan
IBM has issued a cybersecurity advisory warning about an attack method originally developed for defraud banks that now is being applied to the retail sector. Limor Kessem, global executive security advisor for ...
Security Boulevard

Secure Guardrails