Overview

overview

10

Static

static

core.bat

windows7_x64

10

core.bat

windows10_x64

10

slab-64.tmp.dll

windows7_x64

10

slab-64.tmp.dll

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    file

  • Size

    390KB

  • Sample

    211202-nzmhssagg9

  • MD5

    32185dabfe78a1b329aaa9454851631b

  • SHA1

    503d6f41c361b9e4148162e98067b962a394135c

  • SHA256

    d4f52ddbdadca2e2efc4e63e2349fdf981326136ec07df787773385d6c87b32a

  • SHA512

    2a3886291168f2eecd35c70d152d927a7601d4326a42711bfec9fa4e02f988b47968ca02f566238564bab8c5086ad641884a2aaceb84118adae035067f4db1da

Score
10/10
icedid1892568649bankercollectionspywarestealertrojan

Malware Config

Extracted

Family

icedid

rsa_pubkey.plain

Extracted

Family

icedid

Botnet

1892568649

C2

baeswea.com

bersaww.com
Attributes
  • auth_var

    10

  • url_path

    /news/

Targets

    • Target

      core.bat

    • Size

      182B

    • MD5

      9971f78ab71eb0c8d677c1b523124816

    • SHA1

      12c6e3c61f4838e50e19f07f1104406b945967f2

    • SHA256

      fd567d9be6ce504ef6180c9f970c6b2f8de32ded5a0d5c59f0cc8d36ebb2caa7

    • SHA512

      104e4795fdca25f50db9a5965711551d7d201a8b4073862f97ba5ac4e21c5e3cbf6860d19885af16d1265a9b2f9ec5e047db635d251316d899b2681ac734da61

    Score
    10/10
    icedid1892568649bankertrojancollectionspywarestealer

    • IcedID, BokBot

      IcedID is a banking trojan capable of stealing credentials.

      trojanbankericedid

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection
    behavioral1behavioral2

    • Target

      slab-64.tmp

    • Size

      124KB

    • MD5

      e53f86eb06a67783781202b471580c82

    • SHA1

      dc541cee7c0b810da890fa3ea0923599140a1561

    • SHA256

      0a795eb53d21799c975e4f4c0ca3817960d85278faec68a04882216f1e3a3020

    • SHA512

      175243cc7ec631c3128d7fc7c53244e7f8c2abe878393569746b57bea12a04005fb0734170e738384a60e14322eec1ee7ddd5d1661e62ba469a547592b4d197f

    Score
    10/10
    icedid1892568649bankertrojan

    • IcedID, BokBot

      IcedID is a banking trojan capable of stealing credentials.

      trojanbankericedid
    behavioral3behavioral4

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1
T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1
T1081

Discovery

System Information Discovery

3
T1082

Remote System Discovery

1
T1018

Lateral Movement

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks