icedid | b7b6fd7461869a41bf7a4e3d8b55ddb3c2189c618f524b4780de4536bf24ab5b | Triage

Resubmissions

12-03-2021 16:51

210312-yt23wwh8we 10

12-03-2021 13:24

210312-4zly1ftv62 10

Analysis

max time kernel
527s
max time network
528s
platform
windows7_x64
resource
win7v20201028
submitted
12-03-2021 16:51

Sharing

Report Analysis Logs

General

Target

zfbfg.ere.dll
Size

156KB
MD5

6dafdbbcce799f332033b3498aebb8d6
SHA1

a09e3c1b36e0c543d64c1417c070b011d0b6eb23
SHA256

b7b6fd7461869a41bf7a4e3d8b55ddb3c2189c618f524b4780de4536bf24ab5b
SHA512

39652ce06dc1110da31bbf9e80196b294fabb06bbf954f429b9c3c84fca10d0376176f465de88107dfb4a40e65844f0ddc1a9d2f3f84c8532b2ad1ea7ea2712f

Score

10^/10

icedid 3590845772 Photoloader banker loader trojan

Malware Config

Extracted

Family

icedid

Campaign

3590845772

C2

emanielepolikutuo1.website

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

IcedID First Stage Loader 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1968-3-0x00000000001E0000-0x00000000001E7000-memory.dmp	IcedidFirstLoader

PhotoLoader Payload 1 IoCs

IcedID downloder-Photloader.

Processes:

resource	yara_rule
behavioral1/memory/1968-3-0x00000000001E0000-0x00000000001E7000-memory.dmp	crime_win32_icedid_stage1

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exe

pid process

1968 regsvr32.exe
1968 regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\zfbfg.ere.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1968

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1968-2-0x000007FEFB831000-0x000007FEFB833000-memory.dmp

Filesize
8KB

Download
memory/1968-3-0x00000000001E0000-0x00000000001E7000-memory.dmp

Filesize
28KB

Download