Overview

overview

10

Static

static

core.bat

windows7_x64

10

core.bat

windows10_x64

10

planet64.dll

windows7_x64

1

planet64.dll

windows10_x64

1

Resubmissions

28-02-2022 09:51

220228-lvgewadhg2 10

24-02-2022 22:35

220224-2hx5vsdge4 1

Analysis

  • max time kernel
    1328s
  • max time network
    1230s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    28-02-2022 09:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    core.bat

  • Size

    184B

  • MD5

    4da584cc0a5ded0c902627093ab8721b

  • SHA1

    a6bb30b50718813a72cbd58ba148bc3c9a17c3f0

  • SHA256

    bcc176e2ec1bddb1518bcacb07fef99fe1812e204e990424549f11862aaa757c

  • SHA512

    d611696d95dd76f1c3f7ab90c370ccb734f1912ff340d28c5a050d0fb072c7914c3bd15ea30f8f2873fdb17f0b93da92eaa7eecc3b245e23c972c700777be804

Score
10/10
icedid3415411565bankertrojan

Malware Config

Extracted

Family

icedid

rsa_pubkey.plain

Extracted

Family

icedid

Botnet

3415411565

C2

antnosience.com

seaskysafe.com
Attributes
  • auth_var

    1

  • url_path

    /news/

Signatures

  • IcedID, BokBot

    IcedID is a banking trojan capable of stealing credentials.

    trojanbankericedid
  • Blocklisted process makes network request 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\core.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1772
    • C:\Windows\system32\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\planet64.tmp,DllMain /i="license.dat"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      PID:2068

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\license.dat
    MD5

    7eb64145636d2e8343d9077f15c11022

    SHA1

    c0b221ca05431092bc1c789a33d199124c8fec1c

    SHA256

    96e657e1face63798a43e6210dba8d8c2f618d0be1230b95ab59d8bd23fc165a

    SHA512

    53171e09d3d146fe02e481944e1c5481f1bb48eaf66259d1b8bbbbf7a83efc4a73fc28089c7e1eacf221620cdff6ea7f1049c17720181fde88b4bdc27c1ea9b6

    Download Submit
  • memory/2068-116-0x000001EA142E0000-0x000001EA14339000-memory.dmp
    Filesize

    356KB

    Download
  • memory/2068-117-0x000001EA129E0000-0x000001EA129E5000-memory.dmp
    Filesize

    20KB

    Download