icedid | 1430b28b39a4f495c8a88aeb49ca5b843078704d740e9860e9a0a87e2154655d | Triage

Analysis

max time kernel
82s
max time network
143s
platform
windows10_x64
resource
win10v20201028
submitted
17-11-2020 15:16

Sharing

Report Analysis Logs

General

Target

d5492f1f005387e006dabd54253570e7.dll
Size

143KB
MD5

5802126f64e5edfee61f5c5b987c9dec
SHA1

bb9c06fef95abfd6a3bdf5474558d8916a901301
SHA256

1430b28b39a4f495c8a88aeb49ca5b843078704d740e9860e9a0a87e2154655d
SHA512

37f00db410b0ce0082d195b9820a5b58b580c8ac684f49ef0bd0d870140a84a09d1f9279564d41bc16718a035931faee7c60e394a5f1db9f6b0107a64f662b88

Score

10^/10

icedid banker trojan

Malware Config

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

IcedID Core Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4060-1-0x0000000004B50000-0x0000000004BF6000-memory.dmp	Icedid_core

Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

16 4060 rundll32.exe
18 4060 rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 4004 wrote to memory of 4060	4004	rundll32.exe	rundll32.exe
PID 4004 wrote to memory of 4060	4004	rundll32.exe	rundll32.exe
PID 4004 wrote to memory of 4060	4004	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d5492f1f005387e006dabd54253570e7.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4004

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d5492f1f005387e006dabd54253570e7.dll,#1
2⤵
- Blocklisted process makes network request
PID:4060

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4060-0-0x0000000000000000-mapping.dmp

Download
memory/4060-1-0x0000000004B50000-0x0000000004BF6000-memory.dmp

Filesize
664KB

Download