Overview

overview

10

Static

static

candyx32.dll

windows7_x64

10

candyx32.dll

windows10-2004_x64

10

core.bat

windows7_x64

10

core.bat

windows10-2004_x64

10

Resubmissions

22-02-2022 16:12

220222-tnhclaahc3 10

17-01-2022 15:06

220117-sgt75sagf7 10

Analysis

  • max time kernel
    152s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    22-02-2022 16:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    core.bat

  • Size

    184B

  • MD5

    8e8c8dd91722dd16c50d410e921dfca2

  • SHA1

    62524925b4f9c124d244aa9c42109877f36ff3fe

  • SHA256

    4e46bcf388758863f9938fb095521c0bfb5c8f41942341f3a6aa0e0e48e7672d

  • SHA512

    90de5ed56e2fdaa1d69315a19e1d6242b0ff5f6e41347893f98d02bf3f78a31cc954f8a193ca94e93942178928ddc5dc303bbce9bd4fde869032ea32831c6a4e

Score
10/10
icedid302245654bankertrojan

Malware Config

Extracted

Family

icedid

rsa_pubkey.plain

Extracted

Family

icedid

Botnet

302245654

C2

imilarquestio.top

heywanted.top

minimike.quest

alsohavethis.top
Attributes
  • auth_var

    5

  • url_path

    /posts/

Signatures

  • IcedID, BokBot

    IcedID is a banking trojan capable of stealing credentials.

    trojanbankericedid
  • Blocklisted process makes network request 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\core.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1928
    • C:\Windows\system32\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\candyx32.dat,DllMain /i="license.dat"
      2⤵
      • Blocklisted process makes network request
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4080
      • C:\Windows\system32\rundll32.exe
        rundll32.exe "C:\Users\Admin\AppData\Local\Admin\ized\Duzoaxce.dll",DllMain --ceok="license.dat"
        3⤵
        • Loads dropped DLL
        PID:2320
    • C:\Windows\system32\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\candyx32.dat,update /i="license.dat"
      2⤵
        PID:3560

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Admin\ized\Duzoaxce.dll
      MD5

      de12075e6057a5e3c5533563124f9d1e

      SHA1

      83ae24664a05df7f8bf5051ce10d4993e5beb521

      SHA256

      3eb204f20e1367e934980f8d10c6bcedea22a1837f1eeda221c0c390c1c6dc38

      SHA512

      5cac45ffeb155d16ca8cc8b0d065a8ff309b937730a466eafc38237b3164fce072b4dbfd82e726b07f3d925d7ed6e81472e5168c8e730d2d8b01084aad4153c3

      Download Submit

    • C:\Users\Admin\AppData\Local\Admin\ized\Duzoaxce.dll
      MD5

      de12075e6057a5e3c5533563124f9d1e

      SHA1

      83ae24664a05df7f8bf5051ce10d4993e5beb521

      SHA256

      3eb204f20e1367e934980f8d10c6bcedea22a1837f1eeda221c0c390c1c6dc38

      SHA512

      5cac45ffeb155d16ca8cc8b0d065a8ff309b937730a466eafc38237b3164fce072b4dbfd82e726b07f3d925d7ed6e81472e5168c8e730d2d8b01084aad4153c3

      Download Submit

    • C:\Users\Admin\AppData\Roaming\license.dat
      MD5

      7eb64145636d2e8343d9077f15c11022

      SHA1

      c0b221ca05431092bc1c789a33d199124c8fec1c

      SHA256

      96e657e1face63798a43e6210dba8d8c2f618d0be1230b95ab59d8bd23fc165a

      SHA512

      53171e09d3d146fe02e481944e1c5481f1bb48eaf66259d1b8bbbbf7a83efc4a73fc28089c7e1eacf221620cdff6ea7f1049c17720181fde88b4bdc27c1ea9b6

      Download Submit

    • C:\Users\Admin\AppData\Roaming\license.dat
      MD5

      c7c45636ca690acdab7fba1e9d126f8b

      SHA1

      61376304cd90786813a80680a92cef03fedb6484

      SHA256

      cfc202b44509f2f607d365858a8218dfdc6b26f8087efcc5e46f4fef9ab53705

      SHA512

      9e6c7df9f70017b9eeb5868a358bc9eaf50de65dad04640220f380ff72e80bc303f034cb62929abb0c35d951b751732a131ae828c4c01cd1826610423f784db8

      Download Submit

    • memory/2320-136-0x0000023869040000-0x0000023869099000-memory.dmp

      Filesize

      356KB

      Download

    • memory/2320-137-0x0000023867330000-0x0000023867367000-memory.dmp

      Filesize

      220KB

      Download

    • memory/4080-131-0x0000023A70FE0000-0x0000023A71039000-memory.dmp

      Filesize

      356KB

      Download

    • memory/4080-132-0x0000023A6F7A0000-0x0000023A6F7D7000-memory.dmp

      Filesize

      220KB

      Download