icedid | 5eb48f8d149e0ae549f4bb74e7cde3e294e3a64d9800f65ac062ea750ff695a8 | Triage

Analysis

max time kernel
90s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
19-03-2022 06:19

Sharing

Report Analysis Logs

General

Target

5eb48f8d149e0ae549f4bb74e7cde3e294e3a64d9800f65ac062ea750ff695a8.dll
Size

328KB
MD5

fc2b27ef3cfeb2f99764a957da1362c1
SHA1

a4688975da5c2ba318544ab40d227f92e13771fb
SHA256

5eb48f8d149e0ae549f4bb74e7cde3e294e3a64d9800f65ac062ea750ff695a8
SHA512

4905ab7db900d16598f97d2aff80d110489df97996b7370c883b6c10f9bf186919dc0478a45033ba74d6f5082898b5200f5442f4c7d3183a8cdaa646b48ce062

Score

10^/10

icedid banker loader trojan

Malware Config

Extracted

Family

icedid

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

IcedID First Stage Loader 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3708-130-0x0000000074890000-0x000000007489A000-memory.dmp	IcedidFirstLoader

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 3732 wrote to memory of 3708	3732	regsvr32.exe	regsvr32.exe
PID 3732 wrote to memory of 3708	3732	regsvr32.exe	regsvr32.exe
PID 3732 wrote to memory of 3708	3732	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\5eb48f8d149e0ae549f4bb74e7cde3e294e3a64d9800f65ac062ea750ff695a8.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:3732

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\5eb48f8d149e0ae549f4bb74e7cde3e294e3a64d9800f65ac062ea750ff695a8.dll
2⤵
PID:3708

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3708-130-0x0000000074890000-0x000000007489A000-memory.dmp

Filesize
40KB

Download