Overview

overview

10

Static

static

8

intelligen...21.doc

windows7_x64

10

intelligen...21.doc

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    request.zip

  • Size

    45KB

  • Sample

    211202-tqzdwsadck

  • MD5

    a9d13246b6bb52ab53e300e162e3019f

  • SHA1

    a3d1dff894996728f2bbf05321f62c648534ea98

  • SHA256

    79fa73cfba9fb4166fd901bc586dd610bf76a1827c04ce2bfb37fbb5145675b3

  • SHA512

    e5ba81db8281365142d770c07592087146c3e65a2ccb966eef039d2c2d4fb1d6342fea9552aff1e321999bc9e817f71510b5e6095492b7f748a78c132367ecf4

Score
10/10
icedid1892568649bankermacrosuricatatrojan

Malware Config

Extracted

Family

icedid

Campaign

1892568649

C2

normyils.com

Targets

    • Target

      intelligence 12.21.doc

    • Size

      33KB

    • MD5

      68cc58645c17688d9e5b6ecaa2bc458c

    • SHA1

      6bbbdf868985598822c1d656b4ee187e4ea239bb

    • SHA256

      35f2333a1ecf5b8111c1297391058d104f601f4f0e8006d672d25226ec50e9b5

    • SHA512

      7ca9b985cfec02bda405c55b39d76e529c2e80e08068fe4d3a2de8c0b5c3fe5f0c8a3c139e5a3e402755bedf72be4181a002fcc0ed5b7f1a73eb797f04913bd7

    Score
    10/10
    icedid1892568649bankersuricatatrojan

    • IcedID, BokBot

      IcedID is a banking trojan capable of stealing credentials.

      trojanbankericedid

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • suricata: ET MALWARE Win32/IcedID Request Cookie

      suricata: ET MALWARE Win32/IcedID Request Cookie

      suricata

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Loads dropped DLL

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

3
T1082

Query Registry

2
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks