icedid | ebd821b85532d1e09858188467ec143c62a463098d2eaeb3e613ecbce8b18d6a

Resubmissions

22-02-2022 16:13

220222-tpe9macaaq 10

15-12-2021 15:13

211215-slsj4sagcq 10

Analysis

max time kernel
151s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
22-02-2022 16:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

core.bat
Size

188B
MD5

a1550b458ee5d98525dbdb544cb3a183
SHA1

a0672371da258190c2b4bc6aade702ee8db4a23c
SHA256

933793ba688465b30736a07fc9505a49c0a0053d88dc96ad8d5aa3e29a8768de
SHA512

91422eafa8072bd02d3ea371cfd0bd6570151f9eb9506649c3fd38175652be63921e0c6f125dd66771e66125b014a2cff3bdac63f40a33ab284dff81ed0ab061

Score

10^/10

icedid 3026272684 banker trojan

Malware Config

Extracted

Family

icedid

rsa_pubkey.plain

Extracted

Family

icedid

Botnet

3026272684

hashingold.top

asperuguz.store

loppidoaster.site

ndmarkrepo.top

Attributes

auth_var
1
url_path
/posts/

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
Blocklisted process makes network request 5 IoCs

Processes:

rundll32.exe

flow pid process

54 4472 rundll32.exe
56 4472 rundll32.exe
60 4472 rundll32.exe
62 4472 rundll32.exe
77 4472 rundll32.exe

flow	pid	process
54	4472	rundll32.exe
56	4472	rundll32.exe
60	4472	rundll32.exe
62	4472	rundll32.exe
77	4472	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
4472	rundll32.exe
4472	rundll32.exe
4472	rundll32.exe
4472	rundll32.exe
4472	rundll32.exe
4472	rundll32.exe
4472	rundll32.exe
4472	rundll32.exe
4472	rundll32.exe
4472	rundll32.exe
4472	rundll32.exe
4472	rundll32.exe
4472	rundll32.exe
4472	rundll32.exe
4472	rundll32.exe
4472	rundll32.exe
4472	rundll32.exe
4472	rundll32.exe
4472	rundll32.exe
4472	rundll32.exe
4472	rundll32.exe
4472	rundll32.exe
4472	rundll32.exe
4472	rundll32.exe
4472	rundll32.exe
4472	rundll32.exe
4472	rundll32.exe
4472	rundll32.exe
4472	rundll32.exe
4472	rundll32.exe
4472	rundll32.exe
4472	rundll32.exe
4472	rundll32.exe
4472	rundll32.exe
4472	rundll32.exe
4472	rundll32.exe
4472	rundll32.exe
4472	rundll32.exe
4472	rundll32.exe
4472	rundll32.exe
4472	rundll32.exe
4472	rundll32.exe
4472	rundll32.exe
4472	rundll32.exe
4472	rundll32.exe
4472	rundll32.exe
4472	rundll32.exe
4472	rundll32.exe
4472	rundll32.exe
4472	rundll32.exe
4472	rundll32.exe
4472	rundll32.exe
4472	rundll32.exe
4472	rundll32.exe
4472	rundll32.exe
4472	rundll32.exe
4472	rundll32.exe
4472	rundll32.exe
4472	rundll32.exe
4472	rundll32.exe
4472	rundll32.exe
4472	rundll32.exe
4472	rundll32.exe
4472	rundll32.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

cmd.exe

description pid process target process

PID 2756 wrote to memory of 4472 2756 cmd.exe rundll32.exe
PID 2756 wrote to memory of 4472 2756 cmd.exe rundll32.exe

description	pid	process	target process
PID 2756 wrote to memory of 4472	2756	cmd.exe	rundll32.exe
PID 2756 wrote to memory of 4472	2756	cmd.exe	rundll32.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\core.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2756

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\relief-x64.dat,DllMain /i="license.dat"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:4472

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\license.dat

MD5
c7c45636ca690acdab7fba1e9d126f8b

SHA1
61376304cd90786813a80680a92cef03fedb6484

SHA256
cfc202b44509f2f607d365858a8218dfdc6b26f8087efcc5e46f4fef9ab53705

SHA512
9e6c7df9f70017b9eeb5868a358bc9eaf50de65dad04640220f380ff72e80bc303f034cb62929abb0c35d951b751732a131ae828c4c01cd1826610423f784db8

Download Submit
memory/4472-131-0x0000022312CB0000-0x0000022312D09000-memory.dmp

Filesize
356KB

Download
memory/4472-132-0x0000022310FF0000-0x0000022311027000-memory.dmp

Filesize
220KB

Download