Overview

overview

10

Static

static

core.bat

windows7_x64

10

core.bat

windows10_x64

10

juice_64.tmp.dll

windows7_x64

10

juice_64.tmp.dll

windows10_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    136s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    04-11-2021 16:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    core.bat

  • Size

    184B

  • MD5

    00d922001e1ea040454c350b63619bd3

  • SHA1

    b45abf4e6fe04d5e15514138ec4e5e020af0980d

  • SHA256

    3b06cc4363bbc2dc5ec736e73b7807ac1beedd5bb8d08076f74736df17655157

  • SHA512

    0de1ec67e3dfb55e89b309c0225da6f4db986eaa1cb4c0fd3b30526e594e74132cef82813e0201425a6aa0a8ed69dce4ca8f1ff8555433d5b68fad71b263aa6f

Score
10/10
icedid1217670233bankertrojan

Malware Config

Extracted

Family

icedid

rsa_pubkey.plain

Extracted

Family

icedid

Botnet

1217670233

C2

lakogrefop.rest

hangetilin.top

follytresh.co

novemberprosse.space
Attributes
  • auth_var

    13

  • url_path

    /posts/

Signatures

  • IcedID, BokBot

    IcedID is a banking trojan capable of stealing credentials.

    trojanbankericedid
  • Blocklisted process makes network request 2 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\core.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3256
    • C:\Windows\system32\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\juice_64.tmp,DllMain /i="license.dat"
      2⤵
      • Blocklisted process makes network request
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      PID:3068

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\license.dat
    MD5

    b03af34cc11c8bd53afd958c839dd59f

    SHA1

    d9c90d8f770be66850ea0734580867c16d64b404

    SHA256

    71c9c15896b027fd830423f6226587bdad3f09681799bf3e69abb0479f18a853

    SHA512

    c33204f04a99272a1619a4fe6e3ba5e128c437968f8f570c12ffbf20a71e2b617535a70bf51f9d4ddcccc7f44804a13a4528ece4470e4ee53273ad1806313911

    Download Submit
  • memory/3068-115-0x0000000000000000-mapping.dmp
    Download
  • memory/3068-117-0x0000021A55E40000-0x0000021A55E98000-memory.dmp
    Filesize

    352KB

    Download
  • memory/3068-118-0x0000021A541E0000-0x0000021A54217000-memory.dmp
    Filesize

    220KB

    Download