Overview

overview

10

Static

static

core.bat

windows7_x64

10

core.bat

windows10-2004_x64

10

pistol32.dll

windows7_x64

10

pistol32.dll

windows10-2004_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    08-03-2022 18:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    core.bat

  • Size

    184B

  • MD5

    4766e3cd2f4eb06fd1563a3dd3a7704f

  • SHA1

    cdb45f46f51bce83cedf8bbd1b7be775d32bad60

  • SHA256

    61ad4c75614d2a61ffb2423125d87b56eab3bfe3046f4c41e7ce402b3e512ed2

  • SHA512

    4d4c8409cb662989c1ef490291b959928a2a5ac4e98cde4106ea6a0ea1eb8b055603edfa136bb4c0ceacb4bc651ab557eddfb9731a5776290d2e7669b7838a4c

Score
10/10
icedid273095221bankertrojan

Malware Config

Extracted

Family

icedid

Botnet

273095221

C2

loniferast.top

hoseonlin.top

fallhuma.top

nefitsonyo.xyz
Attributes
  • auth_var

    1

  • url_path

    /news/

Signatures

  • IcedID, BokBot

    IcedID is a banking trojan capable of stealing credentials.

    trojanbankericedid
  • Blocklisted process makes network request 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\core.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1492
    • C:\Windows\system32\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\pistol32.tmp,DllMain /i="license.dat"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      PID:1048

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\license.dat
    MD5

    e9ad8fae2dd8f9d12e709af20d9aefad

    SHA1

    db7d1545c3c7e60235700af672c1d20175b380cd

    SHA256

    84f016ece77ddd7d611ffc0cbb2ce24184aeee3a2fdbb9d44d0837bc533ba238

    SHA512

    4f652b4d2db81bd91e8a9cd8ca330748f7c98b21150ca2b640da2aad357adadeac80070177f9f253c595d683264d23e1f04701c2975c0e03caffd367d424d17f

    Download Submit

  • memory/1048-130-0x0000000180000000-0x0000000180005000-memory.dmp

    Filesize

    20KB

    Download

  • memory/1048-135-0x000001D8D87E0000-0x000001D8D883A000-memory.dmp

    Filesize

    360KB

    Download