icedid | 4bdaf91cd5f18f8acee4b05c0e1a5966e8e04ac5c697eaf3ef59e3c113a1066f | Triage

Resubmissions

09-03-2021 16:50

210309-v9yj65x5ja 10

09-03-2021 16:25

210309-t9rdq5ysya 10

Analysis

max time kernel
1628s
max time network
1629s
platform
windows10_x64
resource
win10v20201028
submitted
09-03-2021 16:50

Sharing

Report Analysis Logs

General

Target

541.jpg.dll
Size

148KB
MD5

6df4651ac1ac59c9984fe9fde4e18c8c
SHA1

5f57f886ad49d3b46387ea78041bf75716b866de
SHA256

4bdaf91cd5f18f8acee4b05c0e1a5966e8e04ac5c697eaf3ef59e3c113a1066f
SHA512

f802f91ae927f84f7807d135facb8c20799bcf1c554bf30d37d2141f8276a7fe5e56bf81843960a6fca63c6120581ac6edafcd8e9d59b17ad7f0a13f2b360b85

Score

10^/10

icedid 81593223 Photoloader banker loader trojan

Malware Config

Extracted

Family

icedid

Campaign

81593223

C2

fekiop3.space

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

IcedID First Stage Loader 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4764-2-0x0000000002670000-0x0000000002677000-memory.dmp	IcedidFirstLoader

PhotoLoader Payload 1 IoCs

IcedID downloder-Photloader.

Processes:

resource	yara_rule
behavioral1/memory/4764-2-0x0000000002670000-0x0000000002677000-memory.dmp	crime_win32_icedid_stage1

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exe

pid process

4764 regsvr32.exe
4764 regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\541.jpg.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4764

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4764-2-0x0000000002670000-0x0000000002677000-memory.dmp

Filesize
28KB

Download