icedid | 9f75c6530d9926251f5ae7d387ecb8fcf1f72012267bbd96d54f63c80aa98b2f

Sharing

General

Target

9f75c6530d9926251f5ae7d387ecb8fcf1f72012267bbd96d54f63c80aa98b2f
Size

291KB
Sample

211103-ywp5macacj
MD5

5d9b8e8dc1e9f3e22f002009e4e0c04d
SHA1

bb775cc1db9c6c69a53642f9860bf7dda5a1fc8e
SHA256

9f75c6530d9926251f5ae7d387ecb8fcf1f72012267bbd96d54f63c80aa98b2f
SHA512

d1a87840e819b772db53c97e65e9437554e347d6597c8eac7027132569af132c743c5fd867da06d948d7be6a3ffda3b7baec39c9944d726ea54a559c70e882be

Score

10^/10

Malware Config

Extracted

Family

smokeloader

Version

2020

http://honawey70.top/

http://wijibui00.top/

http://193.56.146.214/

https://193.56.146.214/

http://nusurtal4f.net/

http://netomishnetojuk.net/

http://escalivrouter.net/

http://nick22doom4.net/

http://wrioshtivsio.su/

http://nusotiso4.su/

http://rickkhtovkka.biz/

http://palisotoliso.net/

rc4.i32

Extracted

Family

icedid

Campaign

3072349713

rifyyoure.ink

Extracted

Family

redline

Botnet

SuperStar

185.215.113.29:36224

Extracted

Family

redline

Botnet

101

185.92.73.142:52097

Extracted

Family

redline

Botnet

LOVE

91.242.229.222:21475

Extracted

Family

vidar

Version

47.8

Botnet

936

https://mas.to/@romashkin

Attributes

profile_id
936

Extracted

Family

vidar

Version

47.8

Botnet

706

https://mas.to/@romashkin

Attributes

profile_id
706

Targets

- Target
  
  9f75c6530d9926251f5ae7d387ecb8fcf1f72012267bbd96d54f63c80aa98b2f
- Size
  
  291KB
- MD5
  
  5d9b8e8dc1e9f3e22f002009e4e0c04d
- SHA1
  
  bb775cc1db9c6c69a53642f9860bf7dda5a1fc8e
- SHA256
  
  9f75c6530d9926251f5ae7d387ecb8fcf1f72012267bbd96d54f63c80aa98b2f
- SHA512
  
  d1a87840e819b772db53c97e65e9437554e347d6597c8eac7027132569af132c743c5fd867da06d948d7be6a3ffda3b7baec39c9944d726ea54a559c70e882be
Score

10^/10

icedid redline smokeloader vidar 101 706 936 love superstar 3072349713 backdoor banker collection discovery infostealer spyware stealer suricata trojan
- IcedID, BokBot
  IcedID is a banking trojan capable of stealing credentials.
  trojan banker icedid
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- suricata: ET MALWARE Known Sinkhole Response Header
  suricata: ET MALWARE Known Sinkhole Response Header
  suricata
- suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
  suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
  suricata
- suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
  suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
  suricata
- suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
  suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
  suricata
- suricata: ET MALWARE Win32/IcedID Request Cookie
  suricata: ET MALWARE Win32/IcedID Request Cookie
  suricata
- Core1 .NET packer
  Detects packer/loader used by .NET malware.
- Vidar Stealer
  stealer
- Downloads MZ/PE file
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1