icedid | b1964a8a4ce0872dc29df756a93bdd59815cc2ddc1d309dc2477e2ea5f34d49f

Analysis

Target

core.bat
Size

188B
MD5

56447286993548dea90eac6192049629
SHA1

c401c242991a27299072b71396e5b42a33435c4f
SHA256

3c9cfd4795a1ef24972cce5330abc85d7d85e499876d21fce112d0c98af0b968
SHA512

e424af0989cbf87375d6376ab791cc83299f81e7df2e84c3d26fded2015b179609aadedb6ee8cf4c3ba6ebcff4d10b050976a4c12e91b0966d89bdd8de54a1f3

Score

10^/10

Family

icedid

Botnet

3078948156

firstdatachannel.art

firstdatachannel.click

Attributes

Family

icedid

rsa_pubkey.plain

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

54 556 rundll32.exe
55 556 rundll32.exe
57 556 rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

cmd.exe

description pid process target process

PID 4168 wrote to memory of 556 4168 cmd.exe rundll32.exe
PID 4168 wrote to memory of 556 4168 cmd.exe rundll32.exe

description	pid	process	target process
PID 4168 wrote to memory of 556	4168	cmd.exe	rundll32.exe
PID 4168 wrote to memory of 556	4168	cmd.exe	rundll32.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\core.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4168

C:\Users\Admin\AppData\Roaming\license.dat

MD5
7eb64145636d2e8343d9077f15c11022

SHA1
c0b221ca05431092bc1c789a33d199124c8fec1c

SHA256
96e657e1face63798a43e6210dba8d8c2f618d0be1230b95ab59d8bd23fc165a

SHA512
53171e09d3d146fe02e481944e1c5481f1bb48eaf66259d1b8bbbbf7a83efc4a73fc28089c7e1eacf221620cdff6ea7f1049c17720181fde88b4bdc27c1ea9b6

Download Submit
memory/556-134-0x0000021189FE0000-0x0000021189FE5000-memory.dmp

Filesize
20KB

Download
memory/556-135-0x000002118A340000-0x000002118A399000-memory.dmp

Filesize
356KB

Download