Overview

overview

10

Static

static

core.bat

windows7_x64

10

core.bat

windows10-2004_x64

10

gesture-32.dll

windows7_x64

10

gesture-32.dll

windows10-2004_x64

10

Analysis

  • max time kernel
    152s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    24-02-2022 19:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    core.bat

  • Size

    188B

  • MD5

    56447286993548dea90eac6192049629

  • SHA1

    c401c242991a27299072b71396e5b42a33435c4f

  • SHA256

    3c9cfd4795a1ef24972cce5330abc85d7d85e499876d21fce112d0c98af0b968

  • SHA512

    e424af0989cbf87375d6376ab791cc83299f81e7df2e84c3d26fded2015b179609aadedb6ee8cf4c3ba6ebcff4d10b050976a4c12e91b0966d89bdd8de54a1f3

Score
10/10
icedid3078948156bankertrojan

Malware Config

Extracted

Family

icedid

rsa_pubkey.plain

Extracted

Family

icedid

Botnet

3078948156

C2

firstdatachannel.art

firstdatachannel.click
Attributes
  • auth_var

    15

  • url_path

    /news/

Signatures

  • IcedID, BokBot

    IcedID is a banking trojan capable of stealing credentials.

    trojanbankericedid
  • Blocklisted process makes network request 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\core.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:836
    • C:\Windows\system32\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\gesture-32.tmp,DllMain /i="license.dat"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      PID:2040

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\license.dat
    MD5

    7eb64145636d2e8343d9077f15c11022

    SHA1

    c0b221ca05431092bc1c789a33d199124c8fec1c

    SHA256

    96e657e1face63798a43e6210dba8d8c2f618d0be1230b95ab59d8bd23fc165a

    SHA512

    53171e09d3d146fe02e481944e1c5481f1bb48eaf66259d1b8bbbbf7a83efc4a73fc28089c7e1eacf221620cdff6ea7f1049c17720181fde88b4bdc27c1ea9b6

    Download Submit

  • memory/2040-56-0x0000000001B00000-0x0000000001B59000-memory.dmp

    Filesize

    356KB

    Download

  • memory/2040-57-0x00000000002B0000-0x00000000002B5000-memory.dmp

    Filesize

    20KB

    Download