Resubmissions

07-03-2022 21:46

220307-1my3aagbh2 10

28-02-2022 09:51

220228-lvldtsdhg4 10

24-02-2022 19:51

220224-yk4hwaehap 1

Analysis

  • max time kernel
    893s
  • max time network
    1623s
  • platform
    windows7_x64
  • resource
    win7-20220223-en
  • submitted
    07-03-2022 21:46

General

  • Target

    core.bat

  • Size

    184B

  • MD5

    59aa96fcaa1a3b7331758f7a7ae1f343

  • SHA1

    198ffe332e90207fdb7b97da04770b001c0c5cbf

  • SHA256

    5be1931accf2a90e273312b779a873e847ad965e6e11c04e9b83603d4e6e7491

  • SHA512

    c67253d6d602e150e85e121b2d8d9dedfa72c3ea1950d6a50a8e52a201f06ff9e701acee04b49e682158fb9860c77fd7ad117e20d9c4c8b03938e53e7d6e99c7

Malware Config

Extracted

Family

icedid

rsa_pubkey.plain

Extracted

Family

icedid

Botnet

3560182600

C2

coolbearblunts.com

cooldogblunts.com

Attributes

  • auth_var

    2

  • url_path

    /news/

Signatures

  • IcedID, BokBot

    IcedID is a banking trojan capable of stealing credentials.

  • Blocklisted process makes network request 15 IoCs
  • Loads dropped DLL 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\core.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1052
    • C:\Windows\system32\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\strike64.tmp,DllMain /i="license.dat"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      PID:1844
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {4669FE5B-789F-44F5-88A4-3B67E2420D8A} S-1-5-21-1405931862-909307831-4085185274-1000:GZAATBZA\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1936
    • C:\Windows\system32\rundll32.exe
      rundll32.exe "C:\Users\Admin\AppData\Local\{26640C5F-652C-2F51-31DF-798094065A5F}\{F2E5F9E6-7FD4-D45C-0BCC-62CE685D5308}\Eriskm.dll",DllMain --kaifye="license.dat"
      2⤵
      • Loads dropped DLL
      PID:1544

Network

MITRE ATT&CK Matrix

Downloads

  • memory/1544-66-0x00000000001B0000-0x0000000000209000-memory.dmp

    Filesize

    356KB

  • memory/1544-71-0x00000000000A0000-0x00000000000A5000-memory.dmp

    Filesize

    20KB

  • memory/1844-55-0x0000000001B80000-0x0000000001BD9000-memory.dmp

    Filesize

    356KB

  • memory/1844-60-0x0000000000190000-0x0000000000195000-memory.dmp

    Filesize

    20KB