icedid | 8259985eb6e39790c8b1cfc2432381c0c1ffd634b2f4813b972cff00460b67e6 | Triage

Resubmissions

22-02-2022 16:12

220222-tnm8vaahc9 10

05-01-2022 09:29

220105-lf8ktaaeaq 10

Sharing

General

Target

file
Size

342KB
Sample

220222-tnm8vaahc9
MD5

ad585cc5d21f11e56ec728ab8817d9b1
SHA1

03857ae15f1f57f3c9c5470b1e5cc22a9ce5312d
SHA256

8259985eb6e39790c8b1cfc2432381c0c1ffd634b2f4813b972cff00460b67e6
SHA512

f18bad82e5ebd4b1dafb5ad4e2e74d6f3377ee36c4fadf6dd5255922f19a077a77297dfc2114f0ba1531a368877c982481b383baac923664a85ba16ff747d527

Score

10^/10

icedid 4221486031 banker collection spyware stealer trojan

Malware Config

Extracted

Family

icedid

rsa_pubkey.plain

Extracted

Family

icedid

Botnet

4221486031

C2

xijsry.com

zanokiryq.com

gladmitter.com

Attributes

auth_var
3
url_path
/news/

Targets

- Target
  
  core.bat
- Size
  
  184B
- MD5
  
  c40a63f025ffdeb26a72c0af1ecfd831
- SHA1
  
  978e89c344024bf9b4de242d7e51d3aa1b206979
- SHA256
  
  3b68bf86d3eea21d49861aeb33c94b6a30e52ee0bb14590f828ccce0e97e47c5
- SHA512
  
  6fab6de1bf82975afcb68a1a64c9925a97922c660bccae246e1c21e62d0f8dda594ea7d4612587b62be6f21777b5aff7f36799bffe81ed7afe6fd857d31b78ec
Score

10^/10

icedid 4221486031 banker trojan collection spyware stealer
- IcedID, BokBot
  IcedID is a banking trojan capable of stealing credentials.
  trojan banker icedid
- Blocklisted process makes network request
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
behavioral1 behavioral2
- Target
  
  syrupx64.dat
- Size
  
  31KB
- MD5
  
  051c37b2a61be7d6423f6bb0e903de24
- SHA1
  
  7ad50ed7e25b7a00416fd988e4785095a37cb534
- SHA256
  
  65f7d007aec8c9a9e7dec1e1a4325762a57d701209bdc42f219dbf93803ef238
- SHA512
  
  4c16feca4e3e2a6281b12902fd2e7c1d975fd9a666598e1e6dc65fae813f364e7f58543301cef3ab3961d3a43c369bce50903ce6e48a74acb211f1e70c164ab3
Score

10^/10

icedid 4221486031 banker trojan
- IcedID, BokBot
  IcedID is a banking trojan capable of stealing credentials.
  trojan banker icedid
behavioral3 behavioral4

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

icedid4221486031bankertrojan

behavioral2

icedid4221486031bankercollectionspywarestealertrojan

behavioral3

icedid4221486031bankertrojan

behavioral4

icedid4221486031bankertrojan