General

  • Target

    81158169a9868527feaed169deb8e4cad232e33721a96075797d86fc1a782142

  • Size

    292KB

  • Sample

    220223-1yx95acgbn

  • MD5

    f556e6b16e85811de359115fa95f9fce

  • SHA1

    a055f68ab7b2d53e81aa77e3a3820319c6b25376

  • SHA256

    81158169a9868527feaed169deb8e4cad232e33721a96075797d86fc1a782142

  • SHA512

    0e1b267c956e788ed9852f09da1b594143c7076a8b59642b88020ea68bddd2055951b97e001251ffed4225b4923dd78ba61f29d47875119c96b336ce7d5d6899

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://nahbleiben.at/upload/

http://noblecreativeaz.com/upload/

http://tvqaq.cn/upload/

http://recmaster.ru/upload/

http://sovels.ru/upload/

https://oakland-studio.video/search.php

https://seattle-university.video/search.php

rc4.i32

Extracted

Family

icedid

Campaign

2715004312

C2

badgoodreason.com

Targets

    • IcedID, BokBot

      IcedID is a banking trojan capable of stealing credentials.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01

    • suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload

    • suricata: ET MALWARE Win32/IcedID Request Cookie

    • suricata: ET MALWARE Windows dir Microsoft Windows DOS prompt command exit OUTBOUND

    • suricata: ET MALWARE Windows route Microsoft Windows DOS prompt command exit OUTBOUND

    • IcedID First Stage Loader

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Deletes itself

    • Loads dropped DLL

MITRE ATT&CK Enterprise v6

Tasks