icedid | b84d2cca3a9b3a18192b5ef3a20e84790b2408bb107ac8cd8066f675e5406dd8 | Triage

Resubmissions

08-04-2021 03:34

210408-1red1fw8hn 10

07-04-2021 17:36

210407-av9n1g7z3e 10

Analysis

max time kernel
123s
max time network
64s
platform
windows7_x64
resource
win7v20201028
submitted
08-04-2021 03:34

Sharing

Report Analysis Logs

General

Target

199226a0a8ddf2138dcbc42e308269b8.dll
Size

220KB
MD5

199226a0a8ddf2138dcbc42e308269b8
SHA1

c3c4e350fec338625cca7324b7c137e74c289f24
SHA256

b84d2cca3a9b3a18192b5ef3a20e84790b2408bb107ac8cd8066f675e5406dd8
SHA512

163481b5d29e5bca5547a97b9c48a2d6132cdfbf8daf191d38e58c70582b4307882dd205abe544b629979a365b99d31546a481240a128497134ca2f994acaa2b

Score

10^/10

icedid 4126241857 Photoloader banker loader trojan

Malware Config

Extracted

Family

icedid

Campaign

4126241857

C2

hedoilir1.website

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

IcedID First Stage Loader 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1924-3-0x0000000000130000-0x0000000000137000-memory.dmp	IcedidFirstLoader

PhotoLoader Payload 1 IoCs

IcedID downloder-Photloader.

Processes:

resource	yara_rule
behavioral1/memory/1924-3-0x0000000000130000-0x0000000000137000-memory.dmp	crime_win32_icedid_stage1

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exe

pid process

1924 regsvr32.exe
1924 regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\199226a0a8ddf2138dcbc42e308269b8.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1924

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1924-2-0x000007FEFC021000-0x000007FEFC023000-memory.dmp

Filesize
8KB

Download
memory/1924-3-0x0000000000130000-0x0000000000137000-memory.dmp

Filesize
28KB

Download