IcedId Malware Family.txt
What is the sha256 hash for the malspam attachment?
{cc721111b5924cfeb91440ecaccc60ecc30d10fffbdab262f7c0a17027f527d1}
What is the child process command line after the user enabled the macro?
{explorer.exe collectionboxconst.hta}
What is the sha256 hash of the HTML Application file from the previous question?
{b25865183c5cd2c5e550aca8476e592b62ed3e37e6b628f955bbed454fdbb100}
Based on the previous question, what is the DLL run method?
{"c:\windows\system32\rundll32.exe" c:\users\public\collectionboxconst.jpg,plugininit}
What is the sha256 hash of the image-file DLL installer from the previous question?
{51658887e46c88ed6d5861861a55c989d256a7962fb848fe833096ed6b049441}
What are the IP address and domain name that hosted the installer DLL?
{45.142.213.105, coursemcclurez.com}
What is the full URL for the DLL installer?
{http://coursemcclurez.com/adda/t/5xbonokaqixwy7/jqnizzltut6bvv0xrecckvvhaar6pkggripn/sose5?user=anrsikfbv&time=0qobcg4dyux11zlf5yhrievfn&page=1k2n8ij&i9y9swju=yvactz9s0gufn&q=hj9xwh4i6pddxopdey&id=vr4pf&user=mhmod292t&search=uzvgg21lyvrfdd2fabgzvqlnkm90&q=dwc1s67mbwc24tgoojmxc}
What are the two IP addresses identified as C2 servers?
{185.33.85.35, 194.5.249.46}
What are the four C2 domains identified in the PCAP file?
{arhannexa5.top, extrimefigim.top, fimlubindu.top, kilodaser4.fit}
After the DLL installer was executed, which two domains were contacted by the installer DLL?
{aws.amazon.com, supplementik.top}
The malware generated traffic to an IP address over port 8080 with two SYN requests; what is the IP address?
{38.135.122.194}
The license.dat file was used to establish persistence on the user's machine; what is the DLL run method for the persistence?
{C:\Users\user1\AppData\Local\user1\Tetoomdu64.dll",update /i:"ComicFantasy\license.dat}
With OSINT, what is the malware family name used in this PCAP capture?
{IcedId}
Based on Palo Alto Unit 42, what is the APT Group name?
{Ta551}
What is the MITRE ATT&CK code for the initial access in this campaign?
{t1566.001}