Overview

overview

10

Static

static

core.bat

windows7_x64

10

core.bat

windows10_x64

10

strike64.dll

windows7_x64

1

strike64.dll

windows10_x64

1

Resubmissions

07-03-2022 21:46

220307-1my3aagbh2 10

28-02-2022 09:51

220228-lvldtsdhg4 10

24-02-2022 19:51

220224-yk4hwaehap 1

Analysis

  • max time kernel
    1200s
  • max time network
    1077s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    28-02-2022 09:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    core.bat

Score
10/10
icedid3560182600bankertrojan

Malware Config

Extracted

Family

icedid

rsa_pubkey.plain

Extracted

Family

icedid

Botnet

3560182600

C2

coolbearblunts.com

cooldogblunts.com
Attributes
  • auth_var

    2

  • url_path

    /news/

Signatures

  • IcedID, BokBot

    IcedID is a banking trojan capable of stealing credentials.

    trojanbankericedid
  • Blocklisted process makes network request 9 IoCs
  • Loads dropped DLL 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\core.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1752
    • C:\Windows\system32\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\strike64.tmp,DllMain /i="license.dat"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      PID:944
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {101F68E3-238C-4B35-A158-78175ACB2616} S-1-5-21-2329389628-4064185017-3901522362-1000:QSKGHMYQ\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1680
    • C:\Windows\system32\rundll32.exe
      rundll32.exe "C:\Users\Admin\AppData\Local\Admin\Juinatct.dll",DllMain --er="license.dat"
      2⤵
      • Loads dropped DLL
      PID:736

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Admin\Juinatct.dll
    MD5

    6b8b858fd157b938f44f7b969661abb6

    SHA1

    62755899e9b53417346d5dc15aa983a5707e987e

    SHA256

    e4a27938424a84cbdddb42af1d777c054f64c38c8c98179b804e408342d4ae9b

    SHA512

    a36bade31fea29affcebc23845d0e704f31fbaef11a481a2c0f1920a0a2eb38719e573cd1b14fcb102e8103dc99cc2a3536d74db5f8224cc4ff239f74317200e

    Download Submit
  • C:\Users\Admin\AppData\Roaming\license.dat
    MD5

    7eb64145636d2e8343d9077f15c11022

    SHA1

    c0b221ca05431092bc1c789a33d199124c8fec1c

    SHA256

    96e657e1face63798a43e6210dba8d8c2f618d0be1230b95ab59d8bd23fc165a

    SHA512

    53171e09d3d146fe02e481944e1c5481f1bb48eaf66259d1b8bbbbf7a83efc4a73fc28089c7e1eacf221620cdff6ea7f1049c17720181fde88b4bdc27c1ea9b6

    Download Submit
  • \Users\Admin\AppData\Local\Admin\Juinatct.dll
    MD5

    6b8b858fd157b938f44f7b969661abb6

    SHA1

    62755899e9b53417346d5dc15aa983a5707e987e

    SHA256

    e4a27938424a84cbdddb42af1d777c054f64c38c8c98179b804e408342d4ae9b

    SHA512

    a36bade31fea29affcebc23845d0e704f31fbaef11a481a2c0f1920a0a2eb38719e573cd1b14fcb102e8103dc99cc2a3536d74db5f8224cc4ff239f74317200e

    Download Submit
  • \Users\Admin\AppData\Local\Admin\Juinatct.dll
    MD5

    6b8b858fd157b938f44f7b969661abb6

    SHA1

    62755899e9b53417346d5dc15aa983a5707e987e

    SHA256

    e4a27938424a84cbdddb42af1d777c054f64c38c8c98179b804e408342d4ae9b

    SHA512

    a36bade31fea29affcebc23845d0e704f31fbaef11a481a2c0f1920a0a2eb38719e573cd1b14fcb102e8103dc99cc2a3536d74db5f8224cc4ff239f74317200e

    Download Submit
  • \Users\Admin\AppData\Local\Admin\Juinatct.dll
    MD5

    6b8b858fd157b938f44f7b969661abb6

    SHA1

    62755899e9b53417346d5dc15aa983a5707e987e

    SHA256

    e4a27938424a84cbdddb42af1d777c054f64c38c8c98179b804e408342d4ae9b

    SHA512

    a36bade31fea29affcebc23845d0e704f31fbaef11a481a2c0f1920a0a2eb38719e573cd1b14fcb102e8103dc99cc2a3536d74db5f8224cc4ff239f74317200e

    Download Submit
  • \Users\Admin\AppData\Local\Admin\Juinatct.dll
    MD5

    6b8b858fd157b938f44f7b969661abb6

    SHA1

    62755899e9b53417346d5dc15aa983a5707e987e

    SHA256

    e4a27938424a84cbdddb42af1d777c054f64c38c8c98179b804e408342d4ae9b

    SHA512

    a36bade31fea29affcebc23845d0e704f31fbaef11a481a2c0f1920a0a2eb38719e573cd1b14fcb102e8103dc99cc2a3536d74db5f8224cc4ff239f74317200e

    Download Submit
  • memory/736-62-0x0000000001CC0000-0x0000000001D19000-memory.dmp
    Filesize

    356KB

    Download
  • memory/736-63-0x00000000000A0000-0x00000000000A5000-memory.dmp
    Filesize

    20KB

    Download
  • memory/944-55-0x0000000001BE0000-0x0000000001C39000-memory.dmp
    Filesize

    356KB

    Download
  • memory/944-56-0x0000000000290000-0x0000000000295000-memory.dmp
    Filesize

    20KB

    Download