icedid | 5b8b3ae9cb90a4ad87b06d35805f1d1cae61c2c9fc560b3020b5c6954ee7d8b9 | Triage

Analysis

max time kernel
4294182s
max time network
126s
platform
windows7_x64
resource
win7-20220310-en
submitted
19-03-2022 11:29

Sharing

Report Analysis Logs

General

Target

5b8b3ae9cb90a4ad87b06d35805f1d1cae61c2c9fc560b3020b5c6954ee7d8b9.dll
Size

188KB
MD5

28e2fd15957f7e681c309ea3f322b6fb
SHA1

107cc5d441c8f03ecb94086ce448cd14dbf52470
SHA256

5b8b3ae9cb90a4ad87b06d35805f1d1cae61c2c9fc560b3020b5c6954ee7d8b9
SHA512

6df7900a3de3c2b0192f541a33491e32de2d27371dd49639a488f580d77574aa7b001da877b0213f53c047f43402f237756125cbb862fc918c98e6a7dafb5dbc

Score

10^/10

icedid banker loader trojan

Malware Config

Extracted

Family

icedid

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

IcedID First Stage Loader 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1880-55-0x0000000010000000-0x0000000010009000-memory.dmp	IcedidFirstLoader
behavioral1/memory/1880-56-0x0000000010000000-0x0000000010041000-memory.dmp	IcedidFirstLoader

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1804 wrote to memory of 1880	1804	rundll32.exe	rundll32.exe
PID 1804 wrote to memory of 1880	1804	rundll32.exe	rundll32.exe
PID 1804 wrote to memory of 1880	1804	rundll32.exe	rundll32.exe
PID 1804 wrote to memory of 1880	1804	rundll32.exe	rundll32.exe
PID 1804 wrote to memory of 1880	1804	rundll32.exe	rundll32.exe
PID 1804 wrote to memory of 1880	1804	rundll32.exe	rundll32.exe
PID 1804 wrote to memory of 1880	1804	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5b8b3ae9cb90a4ad87b06d35805f1d1cae61c2c9fc560b3020b5c6954ee7d8b9.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1804

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5b8b3ae9cb90a4ad87b06d35805f1d1cae61c2c9fc560b3020b5c6954ee7d8b9.dll,#1
2⤵
PID:1880

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1880-54-0x00000000759C1000-0x00000000759C3000-memory.dmp

Filesize
8KB

Download
memory/1880-55-0x0000000010000000-0x0000000010009000-memory.dmp

Filesize
36KB

Download
memory/1880-57-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1880-56-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download