icedid | acf84eb0e00079cf0b3601554ebd3d31b3b1b73ea212c4ac55a1d715c72759cc | Triage

Submit
Reports

Overview

overview

Static

static

ACF84EB0E0...2C.exe

windows7_x64

ACF84EB0E0...2C.exe

windows10-2004_x64

Sharing

General

Target

ACF84EB0E00079CF0B3601554EBD3D31B3B1B73EA212C.exe
Size

310KB
Sample

220222-wcxz1sbge3
MD5

bf6d16644fd75fc2998358a95dffface
SHA1

e2d530ef0eaf32deee0be90bf17f4b436a815f7c
SHA256

acf84eb0e00079cf0b3601554ebd3d31b3b1b73ea212c4ac55a1d715c72759cc
SHA512

a1f52e3b19a3d38e457abfcf81897047ab9db690085bd68a334372069988bea2d33b1590ecde309548e0b94de990246ce3230853894a6327de1af7e35ec17514

Score

10^/10

icedid smokeloader 1843818144 backdoor banker loader trojan

Static task

static1

Behavioral task

behavioral1

Sample

ACF84EB0E00079CF0B3601554EBD3D31B3B1B73EA212C.exe

Resource

win7-en-20211208

icedid smokeloader 1843818144 backdoor banker loader trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

ACF84EB0E00079CF0B3601554EBD3D31B3B1B73EA212C.exe

Resource

win10v2004-en-20220113

icedid smokeloader 1843818144 backdoor banker loader trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://nahbleiben.at/upload/

http://noblecreativeaz.com/upload/

http://tvqaq.cn/upload/

http://recmaster.ru/upload/

http://sovels.ru/upload/

https://oakland-studio.video/search.php

https://seattle-university.video/search.php

rc4.i32

rc4.i32

rc4.i32

rc4.i32

Extracted

Family

icedid

Campaign

1843818144

C2

grendafolz.com

Targets

- Target
  
  ACF84EB0E00079CF0B3601554EBD3D31B3B1B73EA212C.exe
- Size
  
  310KB
- MD5
  
  bf6d16644fd75fc2998358a95dffface
- SHA1
  
  e2d530ef0eaf32deee0be90bf17f4b436a815f7c
- SHA256
  
  acf84eb0e00079cf0b3601554ebd3d31b3b1b73ea212c4ac55a1d715c72759cc
- SHA512
  
  a1f52e3b19a3d38e457abfcf81897047ab9db690085bd68a334372069988bea2d33b1590ecde309548e0b94de990246ce3230853894a6327de1af7e35ec17514
Score

10^/10

icedid smokeloader 1843818144 backdoor banker loader trojan
- IcedID, BokBot
  IcedID is a banking trojan capable of stealing credentials.
  trojan banker icedid
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Suspicious use of NtCreateProcessExOtherParentProcess
- IcedID First Stage Loader
  loader
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Query Registry

Peripheral Device Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

icedidsmokeloader1843818144backdoorbankerloadertrojan

behavioral2

icedidsmokeloader1843818144backdoorbankerloadertrojan

© 2018-2024

Terms | Privacy