icedid | d5e57e4e2a3910ab28632471233faf5faae4e52f412a7058844683231fe1621d

General

Target

core.bat
Size

184B
MD5

00d922001e1ea040454c350b63619bd3
SHA1

b45abf4e6fe04d5e15514138ec4e5e020af0980d
SHA256

3b06cc4363bbc2dc5ec736e73b7807ac1beedd5bb8d08076f74736df17655157
SHA512

0de1ec67e3dfb55e89b309c0225da6f4db986eaa1cb4c0fd3b30526e594e74132cef82813e0201425a6aa0a8ed69dce4ca8f1ff8555433d5b68fad71b263aa6f

Score

10^/10

icedid 1217670233 banker trojan

Malware Config

Extracted

Family

icedid

Botnet

1217670233

C2

lakogrefop.rest

hangetilin.top

follytresh.co

novemberprosse.space

Attributes

auth_var
13
url_path
/posts/

Extracted

Family

icedid

rsa_pubkey.plain

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

3 764 rundll32.exe
5 764 rundll32.exe
Loads dropped DLL 4 IoCs

Processes:

rundll32.exe

pid process

300 rundll32.exe
300 rundll32.exe
300 rundll32.exe
300 rundll32.exe

flow	pid	process
3	764	rundll32.exe
5	764	rundll32.exe

pid	process
300	rundll32.exe
300	rundll32.exe
300	rundll32.exe
300	rundll32.exe

Modifies registry class 2 IoCs

Processes:

rundll32.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\CLSID\{2EB848D3-8A17-C434-34FA-AA70B9100F8C}\ = 9ada0d13c43abb23566acf32fd2fa4a54d60a5eaee6d38d74eb41ae10efc493de667b5bfdaff08863cf285a7bbc39d4ed4b39565cedc3ac7285a09b4454414248937b910e4692320b70d5601bf425c5757432d14d93393b5d67f71dcb3dddbc4c9151ef2f786b751bd72cc31197ccc1ff30ee1f7bb6eb47535e44a1a2c494a4ba18d3555240a83c5a017f5eae9ec78af1c7eaf806349c766abdbbe943151241fa16061ad057d288842243158c1047c3c5d444059870ae5ec73f283a10876b6c8c5726830d2e763661d02ca902ccb90026aebdc3d4c8de570a78a30095a3a445e5d59dad366968e0768ba07e3f2fc78fd92aa90926fd479ac80bd540fcf8f3ccc9007b434fd96b60b5a41b99bae1fd58196b7d5b000c4945bfe7421495079b2ee1efbe8e2ee29f15ce972a189b10743493bd80ada06e234a512f3a977b70378291ea061e2ede56da044ac2926cf850767b79e2215cefce971f18321c8164600a160e1ed652d4094c465ce095a46595ecc1b7c29de8165c9959a3d590da510773254876502d8	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\CLSID\{2EB848D3-8A17-C434-34FA-AA70B9100F8C}	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
764	rundll32.exe
764	rundll32.exe
764	rundll32.exe
764	rundll32.exe
764	rundll32.exe
764	rundll32.exe
764	rundll32.exe
764	rundll32.exe
764	rundll32.exe
764	rundll32.exe
764	rundll32.exe
764	rundll32.exe
764	rundll32.exe
764	rundll32.exe
764	rundll32.exe
764	rundll32.exe
764	rundll32.exe
764	rundll32.exe
764	rundll32.exe
764	rundll32.exe
764	rundll32.exe
764	rundll32.exe
764	rundll32.exe
764	rundll32.exe
764	rundll32.exe
764	rundll32.exe
764	rundll32.exe
764	rundll32.exe
764	rundll32.exe
764	rundll32.exe
764	rundll32.exe
764	rundll32.exe
764	rundll32.exe
764	rundll32.exe
764	rundll32.exe
764	rundll32.exe
764	rundll32.exe
764	rundll32.exe
764	rundll32.exe
764	rundll32.exe
764	rundll32.exe
764	rundll32.exe
764	rundll32.exe
764	rundll32.exe
764	rundll32.exe
764	rundll32.exe
764	rundll32.exe
764	rundll32.exe
764	rundll32.exe
764	rundll32.exe
764	rundll32.exe
764	rundll32.exe
764	rundll32.exe
764	rundll32.exe
764	rundll32.exe
764	rundll32.exe
764	rundll32.exe
764	rundll32.exe
764	rundll32.exe
764	rundll32.exe
764	rundll32.exe
764	rundll32.exe
764	rundll32.exe
764	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

cmd.exetaskeng.exe

description	pid	process	target process
PID 1896 wrote to memory of 764	1896	cmd.exe	rundll32.exe
PID 1896 wrote to memory of 764	1896	cmd.exe	rundll32.exe
PID 1896 wrote to memory of 764	1896	cmd.exe	rundll32.exe
PID 1864 wrote to memory of 300	1864	taskeng.exe	rundll32.exe
PID 1864 wrote to memory of 300	1864	taskeng.exe	rundll32.exe
PID 1864 wrote to memory of 300	1864	taskeng.exe	rundll32.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\core.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1896

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\juice_64.tmp,DllMain /i="license.dat"
2⤵
- Blocklisted process makes network request
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:764

C:\Windows\system32\taskeng.exe
taskeng.exe {28D9DD5C-E5A9-40DC-9271-29724FC684B0} S-1-5-21-2955169046-2371869340-1800780948-1000:UKNHJUQT\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1864

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\evim64\Zausks.dll",DllMain --imbauw="license.dat"
2⤵
- Loads dropped DLL
PID:300

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\evim64\Zausks.dll
MD5
5bcb16eeb50d03f0f64dd32169d114e7

SHA1
728535ce1b9bc2f0a975c81096c8f849e7c84f75

SHA256
086be63f525269ef8e18f9dd8a232d495570065871a545bad5d514751c72dce1

SHA512
ed046837097983656fc650f260f4c19a6d7d1b156d916628d1a500b7d49da96c87436d28e07b610ff849eda71251ad12dac20ba432dce73bfaee2009fdd93011

Download Submit
C:\Users\Admin\AppData\Roaming\license.dat
MD5
b03af34cc11c8bd53afd958c839dd59f

SHA1
d9c90d8f770be66850ea0734580867c16d64b404

SHA256
71c9c15896b027fd830423f6226587bdad3f09681799bf3e69abb0479f18a853

SHA512
c33204f04a99272a1619a4fe6e3ba5e128c437968f8f570c12ffbf20a71e2b617535a70bf51f9d4ddcccc7f44804a13a4528ece4470e4ee53273ad1806313911

Download Submit
\Users\Admin\AppData\Local\evim64\Zausks.dll
MD5
5bcb16eeb50d03f0f64dd32169d114e7

SHA1
728535ce1b9bc2f0a975c81096c8f849e7c84f75

SHA256
086be63f525269ef8e18f9dd8a232d495570065871a545bad5d514751c72dce1

SHA512
ed046837097983656fc650f260f4c19a6d7d1b156d916628d1a500b7d49da96c87436d28e07b610ff849eda71251ad12dac20ba432dce73bfaee2009fdd93011

Download Submit
\Users\Admin\AppData\Local\evim64\Zausks.dll
MD5
5bcb16eeb50d03f0f64dd32169d114e7

SHA1
728535ce1b9bc2f0a975c81096c8f849e7c84f75

SHA256
086be63f525269ef8e18f9dd8a232d495570065871a545bad5d514751c72dce1

SHA512
ed046837097983656fc650f260f4c19a6d7d1b156d916628d1a500b7d49da96c87436d28e07b610ff849eda71251ad12dac20ba432dce73bfaee2009fdd93011

Download Submit
\Users\Admin\AppData\Local\evim64\Zausks.dll
MD5
5bcb16eeb50d03f0f64dd32169d114e7

SHA1
728535ce1b9bc2f0a975c81096c8f849e7c84f75

SHA256
086be63f525269ef8e18f9dd8a232d495570065871a545bad5d514751c72dce1

SHA512
ed046837097983656fc650f260f4c19a6d7d1b156d916628d1a500b7d49da96c87436d28e07b610ff849eda71251ad12dac20ba432dce73bfaee2009fdd93011

Download Submit
\Users\Admin\AppData\Local\evim64\Zausks.dll
MD5
5bcb16eeb50d03f0f64dd32169d114e7

SHA1
728535ce1b9bc2f0a975c81096c8f849e7c84f75

SHA256
086be63f525269ef8e18f9dd8a232d495570065871a545bad5d514751c72dce1

SHA512
ed046837097983656fc650f260f4c19a6d7d1b156d916628d1a500b7d49da96c87436d28e07b610ff849eda71251ad12dac20ba432dce73bfaee2009fdd93011

Download Submit
memory/300-59-0x0000000000000000-mapping.dmp

Download
memory/300-65-0x0000000001B50000-0x0000000001BA8000-memory.dmp

Filesize
352KB

Download
memory/764-55-0x0000000000000000-mapping.dmp

Download
memory/764-56-0x00000000002A0000-0x00000000002D7000-memory.dmp

Filesize
220KB

Download
memory/764-58-0x0000000001B20000-0x0000000001B78000-memory.dmp

Filesize
352KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads