Overview

overview

10

Static

static

bd2faaa3e1...e1.exe

windows7_x64

10

bd2faaa3e1...e1.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    bd2faaa3e1211c9a88db69a5265b03e1.exe

  • Size

    271KB

  • Sample

    220222-r7719aabc2

  • MD5

    bd2faaa3e1211c9a88db69a5265b03e1

  • SHA1

    849b918144f5fda0226921a2b5bbaa0176662111

  • SHA256

    93c049876b916ec5034d9884338be59b11bce8a74f4d0bea329a3ed028c41b88

  • SHA512

    56c5beff62a02da78b93102411fb8ff77897b3e12d08cc52d3b6b37bfc15a882e32c0822539ab8b4a1b7e4a08d4d196cf5d289670c19183878f9d4ac1d43c298

Score
10/10
icedidsmokeloader1843818144backdoorbankerevasionloadertrojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://pjure.at/upload/

http://puffersweiven.com/upload/

http://algrcabel.ru/upload/

http://pelangiqq99.com/upload/

http://elsaunny.com/upload/

http://korphoto.com/upload/

http://hangxachtaythodoan.com/upload/

http://pkodev.net/upload/

http://go-piratia.ru/upload/

http://piratia.su/upload/

https://oakland-studio.video/search.php

https://seattle-university.video/search.php
rc4.i32
rc4.i32
rc4.i32
rc4.i32

Extracted

Family

icedid

Campaign

1843818144

C2

grendafolz.com

Targets

    • Target

      bd2faaa3e1211c9a88db69a5265b03e1.exe

    • Size

      271KB

    • MD5

      bd2faaa3e1211c9a88db69a5265b03e1

    • SHA1

      849b918144f5fda0226921a2b5bbaa0176662111

    • SHA256

      93c049876b916ec5034d9884338be59b11bce8a74f4d0bea329a3ed028c41b88

    • SHA512

      56c5beff62a02da78b93102411fb8ff77897b3e12d08cc52d3b6b37bfc15a882e32c0822539ab8b4a1b7e4a08d4d196cf5d289670c19183878f9d4ac1d43c298

    Score
    10/10
    icedidsmokeloader1843818144backdoorbankerloadertrojanevasion

    • IcedID, BokBot

      IcedID is a banking trojan capable of stealing credentials.

      trojanbankericedid

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • IcedID First Stage Loader

      loader

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

      evasion

    • Deletes itself

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks