Overview

overview

10

Static

static

core.bat

windows7_x64

10

core.bat

windows10_x64

10

planet64.dll

windows7_x64

1

planet64.dll

windows10_x64

1

Resubmissions

28-02-2022 09:51

220228-lvgewadhg2 10

24-02-2022 22:35

220224-2hx5vsdge4 1

Analysis

  • max time kernel
    418s
  • max time network
    1218s
  • platform
    windows7_x64
  • resource
    win7-20220223-en
  • submitted
    28-02-2022 09:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    core.bat

  • Size

    184B

  • MD5

    4da584cc0a5ded0c902627093ab8721b

  • SHA1

    a6bb30b50718813a72cbd58ba148bc3c9a17c3f0

  • SHA256

    bcc176e2ec1bddb1518bcacb07fef99fe1812e204e990424549f11862aaa757c

  • SHA512

    d611696d95dd76f1c3f7ab90c370ccb734f1912ff340d28c5a050d0fb072c7914c3bd15ea30f8f2873fdb17f0b93da92eaa7eecc3b245e23c972c700777be804

Score
10/10
icedid3415411565bankertrojan

Malware Config

Extracted

Family

icedid

rsa_pubkey.plain

Extracted

Family

icedid

Botnet

3415411565

C2

antnosience.com

seaskysafe.com
Attributes
  • auth_var

    1

  • url_path

    /news/

Signatures

  • IcedID, BokBot

    IcedID is a banking trojan capable of stealing credentials.

    trojanbankericedid
  • Blocklisted process makes network request 6 IoCs
  • Loads dropped DLL 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\core.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1788
    • C:\Windows\system32\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\planet64.tmp,DllMain /i="license.dat"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      PID:1880
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {C1E26A68-54FC-4EAF-81BF-E0E00225F0CE} S-1-5-21-1405931862-909307831-4085185274-1000:GZAATBZA\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:592
    • C:\Windows\system32\rundll32.exe
      rundll32.exe "C:\Users\Admin\AppData\Roaming\Admin\Okyomw.dll",DllMain --kaifye="license.dat"
      2⤵
      • Loads dropped DLL
      PID:840

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Admin\Okyomw.dll
    MD5

    a05501e3d5eb1263e66c6ba5f17ab2be

    SHA1

    926886373b505b35536f8fa05f59428d4470f68b

    SHA256

    32169f3fb98fc99785e4a1c1545a8fc969cefc6b005eda5845df73052f16cb0c

    SHA512

    c45cb1651efbbb0bd939132424bdc9a1f9156fe8b9a37e212498b221924bffa925d769cd995e062c47371ed31952697929699f4e89d2b326dbb08dec54fb9aeb

    Download Submit
  • C:\Users\Admin\AppData\Roaming\license.dat
    MD5

    7eb64145636d2e8343d9077f15c11022

    SHA1

    c0b221ca05431092bc1c789a33d199124c8fec1c

    SHA256

    96e657e1face63798a43e6210dba8d8c2f618d0be1230b95ab59d8bd23fc165a

    SHA512

    53171e09d3d146fe02e481944e1c5481f1bb48eaf66259d1b8bbbbf7a83efc4a73fc28089c7e1eacf221620cdff6ea7f1049c17720181fde88b4bdc27c1ea9b6

    Download Submit
  • \Users\Admin\AppData\Roaming\Admin\Okyomw.dll
    MD5

    a05501e3d5eb1263e66c6ba5f17ab2be

    SHA1

    926886373b505b35536f8fa05f59428d4470f68b

    SHA256

    32169f3fb98fc99785e4a1c1545a8fc969cefc6b005eda5845df73052f16cb0c

    SHA512

    c45cb1651efbbb0bd939132424bdc9a1f9156fe8b9a37e212498b221924bffa925d769cd995e062c47371ed31952697929699f4e89d2b326dbb08dec54fb9aeb

    Download Submit
  • \Users\Admin\AppData\Roaming\Admin\Okyomw.dll
    MD5

    a05501e3d5eb1263e66c6ba5f17ab2be

    SHA1

    926886373b505b35536f8fa05f59428d4470f68b

    SHA256

    32169f3fb98fc99785e4a1c1545a8fc969cefc6b005eda5845df73052f16cb0c

    SHA512

    c45cb1651efbbb0bd939132424bdc9a1f9156fe8b9a37e212498b221924bffa925d769cd995e062c47371ed31952697929699f4e89d2b326dbb08dec54fb9aeb

    Download Submit
  • \Users\Admin\AppData\Roaming\Admin\Okyomw.dll
    MD5

    a05501e3d5eb1263e66c6ba5f17ab2be

    SHA1

    926886373b505b35536f8fa05f59428d4470f68b

    SHA256

    32169f3fb98fc99785e4a1c1545a8fc969cefc6b005eda5845df73052f16cb0c

    SHA512

    c45cb1651efbbb0bd939132424bdc9a1f9156fe8b9a37e212498b221924bffa925d769cd995e062c47371ed31952697929699f4e89d2b326dbb08dec54fb9aeb

    Download Submit
  • \Users\Admin\AppData\Roaming\Admin\Okyomw.dll
    MD5

    a05501e3d5eb1263e66c6ba5f17ab2be

    SHA1

    926886373b505b35536f8fa05f59428d4470f68b

    SHA256

    32169f3fb98fc99785e4a1c1545a8fc969cefc6b005eda5845df73052f16cb0c

    SHA512

    c45cb1651efbbb0bd939132424bdc9a1f9156fe8b9a37e212498b221924bffa925d769cd995e062c47371ed31952697929699f4e89d2b326dbb08dec54fb9aeb

    Download Submit
  • memory/840-62-0x0000000001B20000-0x0000000001B79000-memory.dmp
    Filesize

    356KB

    Download
  • memory/840-63-0x0000000000290000-0x0000000000295000-memory.dmp
    Filesize

    20KB

    Download
  • memory/1880-55-0x0000000000150000-0x00000000001A9000-memory.dmp
    Filesize

    356KB

    Download
  • memory/1880-56-0x0000000000110000-0x0000000000115000-memory.dmp
    Filesize

    20KB

    Download