icedid | e7a7032ddae1adfd64c4c378c6e97be7a2453228c7014a21d3945fc3ddc85d75

General

Target

E7A7032DDAE1ADFD64C4C378C6E97BE7A2453228C7014.exe
Size

285KB
Sample

220222-2mnrzsgaeq
MD5

8bce39cd73af077e8a24360ad94cd368
SHA1

f761251b872215b0d34b76a53dd6b1452c6ca255
SHA256

e7a7032ddae1adfd64c4c378c6e97be7a2453228c7014a21d3945fc3ddc85d75
SHA512

5c3d9be970deef5ea27c11758656512b49533cdbaeae432569f442c7f30c4c054c313e283b09aea282de7d93a09af143293592221014784c337626250a7b81a0

Score

10^/10

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://nahbleiben.at/upload/

http://noblecreativeaz.com/upload/

http://tvqaq.cn/upload/

http://recmaster.ru/upload/

http://sovels.ru/upload/

https://oakland-studio.video/search.php

https://seattle-university.video/search.php

rc4.i32

Extracted

Family

icedid

Campaign

1843818144

C2

grendafolz.com

Extracted

Family

raccoon

Botnet

9185b8c5d1dac158cc47aef92b143671d2c3a9bf

Attributes

url4cnc
http://206.189.100.203/kernelnixbarbos

http://194.180.191.234/kernelnixbarbos

http://185.163.204.216/kernelnixbarbos

http://139.162.157.205/kernelnixbarbos

https://t.me/kernelnixbarbos

rc4.plain

Targets

- Target
  
  E7A7032DDAE1ADFD64C4C378C6E97BE7A2453228C7014.exe
- Size
  
  285KB
- MD5
  
  8bce39cd73af077e8a24360ad94cd368
- SHA1
  
  f761251b872215b0d34b76a53dd6b1452c6ca255
- SHA256
  
  e7a7032ddae1adfd64c4c378c6e97be7a2453228c7014a21d3945fc3ddc85d75
- SHA512
  
  5c3d9be970deef5ea27c11758656512b49533cdbaeae432569f442c7f30c4c054c313e283b09aea282de7d93a09af143293592221014784c337626250a7b81a0
Score

10^/10

icedid smokeloader 1843818144 backdoor banker loader suricata trojan raccoon 9185b8c5d1dac158cc47aef92b143671d2c3a9bf stealer
- IcedID, BokBot
  IcedID is a banking trojan capable of stealing credentials.
  trojan banker icedid
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Suspicious use of NtCreateProcessExOtherParentProcess
- suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
  suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
  suricata
- suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
  suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
  suricata
- suricata: ET MALWARE Win32.Raccoon Stealer - Telegram Mirror Checkin (generic)
  suricata: ET MALWARE Win32.Raccoon Stealer - Telegram Mirror Checkin (generic)
  suricata
- suricata: ET MALWARE Win32/IcedID Request Cookie
  suricata: ET MALWARE Win32/IcedID Request Cookie
  suricata
- IcedID First Stage Loader
  loader
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Targets

IcedID, BokBot

Raccoon

SmokeLoader

Suspicious use of NtCreateProcessExOtherParentProcess

suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01

suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload

suricata: ET MALWARE Win32.Raccoon Stealer - Telegram Mirror Checkin (generic)

suricata: ET MALWARE Win32/IcedID Request Cookie

IcedID First Stage Loader

Blocklisted process makes network request

Downloads MZ/PE file

Executes dropped EXE

Deletes itself

Loads dropped DLL

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2