Scenario

A cyber threat group was identified as running widespread phishing campaigns to distribute further malicious payloads. The most frequently encountered payload was IcedID. You have been given the hash of an IcedID sample to analyze in order to monitor the activities of this advanced persistent threat (APT) group.

https://cyberdefenders.org/blueteam-ctf-challenges/icedid/

Sample hash (SHA-256):

d86405130184186154daa4a5132dd1364ab05d1f14034c7f0a0cda690a91116d


1- What is the name of the file associated with the given hash?

document-1982481273.xlsm


Search for the hash in VirusTotal and go to Details → Names; the original filename is listed there.

2- Can you identify the filename of the GIF file that was deployed?

3003.gif


In Behavior → File system actions → Files Dropped.

Despite its .gif extension, the dropped file is a DLL, not an image: the GIF name is only a disguise for the second-stage payload that the macro document downloads and executes as part of the infection chain. Check the file type by its magic bytes (MZ/PE header), never by its extension.

3- How many domains does the malware look to download the additional payload file in Q2?

5


In Relations → Contacted URLs, count the distinct domains whose URL path ends in the 3003.gif filename from Q2. The same payload is fetched from several hosts for redundancy, so count domains, not URLs.
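
The two checks above (is the ".gif" really a DLL, and how many distinct domains serve it) are easy to get wrong by eye, so here is an added Python example that does both offline. It is not code from the challenge or from VirusTotal; the URLs and the PE header bytes are constructed for the demo and are not the real IOCs from the report. `identify()` classifies a blob by magic bytes and, for a PE, reads the IMAGE_FILE_DLL bit from the COFF Characteristics field; `payload_domains()` reduces a Contacted URLs list to the distinct hosts that deliver a given filename.

```python
import struct
from urllib.parse import urlparse

# Constructed stand-in for the Relations -> Contacted URLs list (not the real IOCs).
CONTACTED_URLS = [
    "http://host-a.example/3003.gif",
    "http://host-a.example/3003.gif?1",      # same host, different query string
    "https://www.host-b.example/3003.gif",   # www. prefix, same registrable domain
    "http://host-c.example/3003.gif",
    "http://host-c.example/favicon.ico",     # unrelated file on a payload host
    "http://host-d.example/3003.gif",
    "http://host-e.example/",                # contacted, but no payload fetched
]

IMAGE_FILE_DLL = 0x2000  # COFF Characteristics bit set on DLLs


def identify(data: bytes) -> str:
    """Classify a blob by its magic bytes instead of trusting the extension."""
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    if data[:2] != b"MZ" or len(data) < 0x40:
        return "unknown"
    # e_lfanew (offset 0x3C of the DOS header) points at the "PE\0\0" signature.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "mz-only"
    # The 20-byte COFF header follows the signature; Characteristics is its last field.
    (characteristics,) = struct.unpack_from("<H", data, e_lfanew + 4 + 18)
    return "pe-dll" if characteristics & IMAGE_FILE_DLL else "pe-exe"


def payload_domains(urls, filename):
    """Distinct hosts whose URL path ends in `filename` (www. stripped, lowercased)."""
    hosts = set()
    for url in urls:
        parsed = urlparse(url)
        if parsed.hostname and parsed.path.rsplit("/", 1)[-1] == filename:
            hosts.add(parsed.hostname.lower().removeprefix("www."))
    return sorted(hosts)


def fake_pe(is_dll: bool) -> bytes:
    """Build a minimal MZ/PE header for the demo (constructed, not a real sample)."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff_header = struct.pack(
        "<HHIIIHH", 0x14C, 1, 0, 0, 0, 0,
        IMAGE_FILE_DLL if is_dll else 0x0002,  # 0x0002 = EXECUTABLE_IMAGE only
    )
    return dos_header + b"PE\0\0" + coff_header


if __name__ == "__main__":
    print("fake 3003.gif is:", identify(fake_pe(is_dll=True)))
    domains = payload_domains(CONTACTED_URLS, "3003.gif")
    print(len(domains), "payload domains:", domains)
```

Run it on a real dropped file with `identify(open(path, "rb").read())`; a result of `pe-dll` for a ".gif" is the mismatch the Q2 answer describes. For Q3, paste the Contacted URLs list into `CONTACTED_URLS` and the length of `payload_domains()` is the count the question asks for.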

4- From the domains mentioned in Q3, a DNS registrar was predominantly used by the threat actor to host their harmful content, enabling the malware's functionality. Can you specify the Registrar INC?

NAMECHEAP

Open each of the Q3 domains in VirusTotal and check Details → Whois Lookup; the registrar field of most of them is Namecheap.