icedid | f51d86597b5b4ad8d8f7c13e15e6569927e243bcaf5ad0c7b26abfbb5a689792

Analysis

Target

core/cmd.bat
Size

185B
MD5

4bbdb9c9bcebb80825e556fabdde6594
SHA1

6f445bffc26058aaba8b1e7a18cfd9a54e912543
SHA256

e74a51c4c4c7c1cda6de165bd18d4eac222e3d0305e49305f30dfdf144afe1e2
SHA512

49f30deaefcc995f333d0c9b480612f5135c5aeed344df651e87e066ba1b4e88039dfff0425a5f059f09fa42583e79bc94a1526d718fea73f0b32f63b5a00577

Score

10^/10

Family

icedid

Botnet

81538452

garrozalibbo.click

disponfirules.top

mislinororv.top

twistcolseza.top

Attributes

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 1032 wrote to memory of 1064	1032	cmd.exe	rundll32.exe
PID 1032 wrote to memory of 1064	1032	cmd.exe	rundll32.exe
PID 1032 wrote to memory of 1064	1032	cmd.exe	rundll32.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\core\cmd.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1032

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\core\time-.tmp,update /i:"license.dat"
2⤵
PID:1064

C:\Users\Admin\AppData\Roaming\license.dat
MD5
d8f2ecad59d3424d5241b29a51364442

SHA1
35fdda949114a600fe8b9c892dfcb13ae07ed8cf

SHA256
911f0e7f4b0fd6ec505ce57c03352937da7007f0d47ab589c86da018532deec1

SHA512
d4ff95879a48dfcacbb7375be1934dcf6df90d2688a6a38526faaa896298d5dece188aa149648f6d3bc1115bc3c83982e19e446948519892caf5a9f87dfe8d5a

Download Submit
memory/1064-60-0x0000000000000000-mapping.dmp

Download
memory/1064-61-0x00000000003A0000-0x00000000003A5000-memory.dmp

Filesize
20KB

Download