Overview

overview

10

Static

static

WSGaRIW.dll

windows7_x64

10

WSGaRIW.dll

windows10_x64

10

Resubmissions

21-01-2021 15:28

210121-qqz8wv28w6 10

19-11-2020 05:39

201119-5nq2lbgg8x 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    WSGaRIW.dll

  • Size

    140KB

  • Sample

    210121-qqz8wv28w6

  • MD5

    4fbee1cbb17b4a05ae5b5431a76087fb

  • SHA1

    44ffaa43eb2bba71325d406703ad82e010376cac

  • SHA256

    e02483eca255879ba6a57365dbecb56f5049283d8cd3f030dceca5c69f7af161

  • SHA512

    f1c0cf3e5f00e63d8edcb1cf171fde79b72945ab0d9bdd8a4ecb84b3a2b37d08eec0a59926b10a6cfaa97409a5bcb372805d09aab5e9248cde85bcb5b83fec93

Score
10/10
icedidbankerloadertrojan

Malware Config

Extracted

Family

icedid

C2

klopperflitter.cyou

Targets

    • Target

      WSGaRIW.dll

    • Size

      140KB

    • MD5

      4fbee1cbb17b4a05ae5b5431a76087fb

    • SHA1

      44ffaa43eb2bba71325d406703ad82e010376cac

    • SHA256

      e02483eca255879ba6a57365dbecb56f5049283d8cd3f030dceca5c69f7af161

    • SHA512

      f1c0cf3e5f00e63d8edcb1cf171fde79b72945ab0d9bdd8a4ecb84b3a2b37d08eec0a59926b10a6cfaa97409a5bcb372805d09aab5e9248cde85bcb5b83fec93

    Score
    10/10
    icedidbankerloadertrojan

    • IcedID, BokBot

      IcedID is a banking trojan capable of stealing credentials.

      trojanbankericedid

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • IcedID First Stage Loader

      loader

    • Blocklisted process makes network request

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1
T1130

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks