icedid | da0921c1e416b3734272dfa619f88c8cd32e9816cdcbeeb81d9e2b2e8a95af4c | Triage

Submit
Reports

Overview

overview

Static

static

7

test

windows7_x64

Sharing

General

Target

da0921c1e416b3734272dfa619f88c8cd32e9816cdcbeeb81d9e2b2e8a95af4c.dll
Size

3.4MB
Sample

210302-rbr1r85846
MD5

1a3d0fddf65f7cca188499edb6355192
SHA1

1717402591b663767b37b3ce0635d991ace08432
SHA256

da0921c1e416b3734272dfa619f88c8cd32e9816cdcbeeb81d9e2b2e8a95af4c
SHA512

5a46ca0a9079a1ac6c205805a65df737d81fc438b1f6d172aec55f68c1964895d2ad1e41e1d2b309b5ddc7d7cce3d21df932293c25be2aa0fb8ff45b5d26b534

Score

10^/10

icedid 1820688957 3059128432 banker evasion spyware stealer themida trojan

Static task

static1

Behavioral task

behavioral1

Sample

da0921c1e416b3734272dfa619f88c8cd32e9816cdcbeeb81d9e2b2e8a95af4c.dll

Resource

win7v20201028

icedid 1820688957 3059128432 banker evasion spyware stealer themida trojan

windows7_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

icedid

Botnet

1820688957

Campaign

3059128432

C2

timerework.fun

pexxota.space

Attributes

auth_var
6
url_path
/news/

Targets

- Target
  
  da0921c1e416b3734272dfa619f88c8cd32e9816cdcbeeb81d9e2b2e8a95af4c.dll
- Size
  
  3.4MB
- MD5
  
  1a3d0fddf65f7cca188499edb6355192
- SHA1
  
  1717402591b663767b37b3ce0635d991ace08432
- SHA256
  
  da0921c1e416b3734272dfa619f88c8cd32e9816cdcbeeb81d9e2b2e8a95af4c
- SHA512
  
  5a46ca0a9079a1ac6c205805a65df737d81fc438b1f6d172aec55f68c1964895d2ad1e41e1d2b309b5ddc7d7cce3d21df932293c25be2aa0fb8ff45b5d26b534
Score

10^/10

icedid 1820688957 3059128432 banker evasion spyware stealer themida trojan
- IcedID, BokBot
  IcedID is a banking trojan capable of stealing credentials.
  trojan banker icedid
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Install Root Certificate

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Remote System Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

icedid18206889573059128432bankerevasionspywarestealerthemidatrojan

© 2018-2024

Terms | Privacy