General

  • Target: file
  • Size: 680KB
  • Sample: 220217-szdm4sbdg3
  • MD5: 96617ff25f134f882a34da9ceae7f68d
  • SHA1: 2d4df158d1d740209d6620ef409fc737c725a908
  • SHA256: 8b435260be4ed4a5286c36ac8b5296d9b3b637ced5a1ad3e2704ea2fff5b20ed
  • SHA512: 8f0fc40355742c0b54a8069f708843e841c984bc03f1217d29be55a5333dfeffef7bb6af62575fe8a430a1403806e02e199e8d3dab41eac533aa925595c11bbd

Malware Config

Extracted

  • Family: icedid
  • rsa_pubkey.plain

Extracted

  • Family: icedid
  • Botnet: 3036889562
  • C2: stooryallice.com, yellowpyrrol.com
  • Attributes
      • auth_var: 1
      • url_path: /news/

Targets

  • Target: core.bat
  • Size: 180B
  • MD5: 5abd34de9a35879df648b0fceb40e95d
  • SHA1: b57efae330d206a933d0e92699536056ee84d7df
  • SHA256: e3b8505a1fc778f8cb1679695e0aba51ea3feafb04901822df1bab5685178876
  • SHA512: 72db89236aae1fd29c17b6a8916eb9c4855f5ed33daa01268a4613e73b0361f51975531f46c55e93ebd0ac65d0bcd3ba1b336b920ce7573824b116533cd0e00a

    Signatures:

    • IcedID, BokBot
      IcedID is a banking trojan capable of stealing credentials.
    • Blocklisted process makes network request
    • Downloads MZ/PE file
    • Loads dropped DLL
    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
    • Accesses Microsoft Outlook profiles

  • Target: oak_32.tmp
  • Size: 533KB
  • MD5: 3a154ce57e032a255a9936b92aaf996f
  • SHA1: 512e5af1b4b98c7d5a7c8d25341f31749f331273
  • SHA256: c558309a80b460844bc23a72c49d524d299c11fc058b2b5ea150790022144ac6
  • SHA512: e0226761df28bba51b86a9d8aac3359eba922c86b42ed3db5541fffa05e607932b39579b7fd11202ffa1ef750f9695bb696f76e9275c4a483fb049c33aa6ca5f

    Signatures:

    • IcedID, BokBot
      IcedID is a banking trojan capable of stealing credentials.

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic             Technique                      Count  ID
  Execution          Command-Line Interface         1      T1059
  Credential Access  Credentials in Files           1      T1081
  Discovery          System Information Discovery   5      T1082
  Discovery          Query Registry                 2      T1012
  Discovery          Remote System Discovery        1      T1018
  Collection         Data from Local System         1      T1005
  Collection         Email Collection               1      T1114

Tasks