icedid | e5ee7402d48cb382754c0ecb9a2479e19dbae32230c4945efee7864fc030ed6a | Triage

Resubmissions

18-10-2021 21:00

211018-ztfc3sefh8 10

Sharing

General

Target

core.zip
Size

379KB
Sample

211018-ztfc3sefh8
MD5

275ae82cce48826189bd51d9e2598cb2
SHA1

178d737e99057c14e1d282851b21ca49af549b43
SHA256

e5ee7402d48cb382754c0ecb9a2479e19dbae32230c4945efee7864fc030ed6a
SHA512

27b4a6b89248639a39a3f7903f192a15a03aca4438840163695752729b07d0996d4352e40bcdda5d58449cb8b9ba95915ae105b9f974512810952c26f9c61f5e

Score

10^/10

icedid 1217670233 banker collection spyware stealer trojan

Malware Config

Extracted

Family

icedid

rsa_pubkey.plain

Extracted

Family

icedid

Botnet

1217670233

C2

nnelforwfin.top

viewsketplctly.fun

omersure.space

ferfreenights.site

Attributes

auth_var
3
url_path
/posts/

Targets

- Target
  
  core/cmd.bat
- Size
  
  191B
- MD5
  
  daea1c68d865761ea37be016eec39de0
- SHA1
  
  bead4866eefffdde31345135631f79facc541b70
- SHA256
  
  a5128b4a2ebe0daa72e3c426022723e55e9d759da42ffb9ce66552a54feb76d3
- SHA512
  
  c6552fe6245f1f220f7202e84cf6aad6bf201ccf66601c42d8150c944aea6160bef013916cf55612d09efd825092dc7772383050780ab93e57ff1a44b7c83291
Score

10^/10

icedid 1217670233 banker collection spyware stealer trojan
- IcedID, BokBot
  IcedID is a banking trojan capable of stealing credentials.
  trojan banker icedid
- Blocklisted process makes network request
- Downloads MZ/PE file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
behavioral1 behavioral2
- Target
  
  core/diary_64.dat
- Size
  
  114KB
- MD5
  
  65133fbf755d46ddf03669c857ca7cb6
- SHA1
  
  d50ba0e6064550837502479f1bc98c46b98f0274
- SHA256
  
  ec70e9f9b4ab8635865f69b0a024b86bcc5483d29d5d8094365e98f349f82a29
- SHA512
  
  6957cf6963c1753469bfdd5c68abc5c08916eb306519027082afab609eb0bf5e82bb881d38c9cc37c1794babbb7110e59c70221ad58992984f9bc82cd0c21a85
Score

10^/10

icedid 1217670233 banker trojan
- IcedID, BokBot
  IcedID is a banking trojan capable of stealing credentials.
  trojan banker icedid
behavioral3 behavioral4

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

System Information Discovery

Remote System Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

icedid1217670233bankercollectionspywarestealertrojan

behavioral2

icedid1217670233bankercollectionspywarestealertrojan

behavioral3

icedid1217670233bankertrojan

behavioral4

icedid1217670233bankertrojan