icedid | b3791ea2bce069a6a17d518c6b62e08273a0f7bcdc023536a71af7210722cccc | Triage

Resubmissions

17-03-2021 13:32

210317-se8524k21x 10

16-03-2021 11:54

210316-8z3tfq1dx6 10

Analysis

max time kernel
4s
max time network
8s
platform
windows7_x64
resource
win7v20201028
submitted
17-03-2021 13:32

Sharing

Report Analysis Logs

General

Target

summer.dll
Size

43KB
MD5

0c72ab9a9056aa37eaca9d0be5ee30cf
SHA1

061fe160f7b96da8f01b245425a56a9792605ed6
SHA256

b3791ea2bce069a6a17d518c6b62e08273a0f7bcdc023536a71af7210722cccc
SHA512

3262e3d43bcec777447b822fc57a202b6b10818b7d2b7c7d75ea6ab900cf8ef9733b09d6fe9fe9e206aa8a371b35cd4d480d84dce072a058dedb71f01de85730

Score

10^/10

icedid 3557290534 Photoloader banker loader trojan

Malware Config

Extracted

Family

icedid

Campaign

3557290534

C2

33nachoscocso.website

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

IcedID First Stage Loader 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1724-3-0x00000000001B0000-0x00000000001B7000-memory.dmp	IcedidFirstLoader

PhotoLoader Payload 1 IoCs

IcedID downloder-Photloader.

Processes:

resource	yara_rule
behavioral1/memory/1724-3-0x00000000001B0000-0x00000000001B7000-memory.dmp	crime_win32_icedid_stage1

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exe

pid process

1724 regsvr32.exe
1724 regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\summer.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1724

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1724-2-0x000007FEFC601000-0x000007FEFC603000-memory.dmp

Filesize
8KB

Download
memory/1724-3-0x00000000001B0000-0x00000000001B7000-memory.dmp

Filesize
28KB

Download