General

  • Target

    bd2faaa3e1211c9a88db69a5265b03e1.exe

  • Size

    271KB

  • Sample

    220222-r7719aabc2

  • MD5

    bd2faaa3e1211c9a88db69a5265b03e1

  • SHA1

    849b918144f5fda0226921a2b5bbaa0176662111

  • SHA256

    93c049876b916ec5034d9884338be59b11bce8a74f4d0bea329a3ed028c41b88

  • SHA512

    56c5beff62a02da78b93102411fb8ff77897b3e12d08cc52d3b6b37bfc15a882e32c0822539ab8b4a1b7e4a08d4d196cf5d289670c19183878f9d4ac1d43c298

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

rc4.i32

Extracted

Family

icedid

Campaign

1843818144

C2

grendafolz.com

Targets

    • IcedID, BokBot

      IcedID is a banking trojan capable of stealing credentials.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • IcedID First Stage Loader

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Deletes itself

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks