icedid | 5b8b3ae9cb90a4ad87b06d35805f1d1cae61c2c9fc560b3020b5c6954ee7d8b9

General

Target

5b8b3ae9cb90a4ad87b06d35805f1d1cae61c2c9fc560b3020b5c6954ee7d8b9.dll
Size

188KB
MD5

28e2fd15957f7e681c309ea3f322b6fb
SHA1

107cc5d441c8f03ecb94086ce448cd14dbf52470
SHA256

5b8b3ae9cb90a4ad87b06d35805f1d1cae61c2c9fc560b3020b5c6954ee7d8b9
SHA512

6df7900a3de3c2b0192f541a33491e32de2d27371dd49639a488f580d77574aa7b001da877b0213f53c047f43402f237756125cbb862fc918c98e6a7dafb5dbc

Score

10^/10

icedid banker loader trojan

Malware Config

Extracted

Family

icedid

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

IcedID First Stage Loader 2 IoCs

loader

Processes:

resource	yara_rule
behavioral2/memory/1688-134-0x0000000010000000-0x0000000010009000-memory.dmp	IcedidFirstLoader
behavioral2/memory/1688-135-0x0000000010000000-0x0000000010041000-memory.dmp	IcedidFirstLoader

Drops file in Windows directory 40 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\SoftwareDistribution\Download\17087e6e4710e63df4fcd8834f70bc99\BIT3B6.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\ca4af4339884f7018bf988ecac7702ff\BIT6FB6.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\2ef09e08315a593ec3af8ec57ab6a31e\YZBnsYBVNBTl3Isrrjy7P0\BITB4E2.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d1d4bb0c910695f4fcf53d8f91faafa7\BITB550.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d1d4bb0c910695f4fcf53d8f91faafa7\Jda7di8befpfPWz3DrhkMwwJL9XbuL8\BITBE99.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\9d6172fa1dc41a48846593219fc6519f\e1a85885fd4453165061351651289cce8f8590c4	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\ca4af4339884f7018bf988ecac7702ff\BIT665C.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\ca4af4339884f7018bf988ecac7702ff\612ad442b8740f4c57b8c84e6bf465ba4699118c	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\ca4af4339884f7018bf988ecac7702ff\BIT6590.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\7752a73587b3362d505a041fe7f69ecd\BIT6870.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\7752a73587b3362d505a041fe7f69ecd\af66e12c1bb9d8519da21259d0fcd88c247cb4f1	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\7752a73587b3362d505a041fe7f69ecd\BIT9225.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d1d4bb0c910695f4fcf53d8f91faafa7\Jda7di8befpfPWz3DrhkMwwJL9XbuL8\fDFnweOZvFE=	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\9d6172fa1dc41a48846593219fc6519f\BIT8B7F.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d60cb501610b6a66743c55eade3ef996\CsA9z1\SlUHUPO8bKnA\BIT8E9E.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d60cb501610b6a66743c55eade3ef996\BIT55FE.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\2ef09e08315a593ec3af8ec57ab6a31e\YZBnsYBVNBTl3Isrrjy7P0\FTTOLXxEZk0li+ZNE2Uo=	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d1d4bb0c910695f4fcf53d8f91faafa7\d9f2a302574bf135efc9dbd1a8083a336f7f52f0	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\17087e6e4710e63df4fcd8834f70bc99\pj5OoD7hJ+dBGy+3XOjLT8WsuYwervv\LZOCjtiHKk8=	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\7752a73587b3362d505a041fe7f69ecd\BIT6A07.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\2ef09e08315a593ec3af8ec57ab6a31e\BITB570.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d60cb501610b6a66743c55eade3ef996\CsA9z1\SlUHUPO8bKnA\5ondRmJ90JlkPETuN535TWk=	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d60cb501610b6a66743c55eade3ef996\CsA9z1\SlUHUPO8bKnA\BIT5486.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\9d6172fa1dc41a48846593219fc6519f\BITFB27.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\9d6172fa1dc41a48846593219fc6519f\BITFBF4.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\ca4af4339884f7018bf988ecac7702ff\9+dL4Puh6FM8puPxsBEX86BMeGqpuC0b7gf2fD9DLLo=	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\2ef09e08315a593ec3af8ec57ab6a31e\6e15245aed25ee83b027521f9cf9ea812c9d016d	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d1d4bb0c910695f4fcf53d8f91faafa7\BITBF17.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\17087e6e4710e63df4fcd8834f70bc99\pj5OoD7hJ+dBGy+3XOjLT8WsuYwervv\BIT9110.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\17087e6e4710e63df4fcd8834f70bc99\a3f602ea4d534d006919a2613d91f9506b383314	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d60cb501610b6a66743c55eade3ef996\BIT9364.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\9d6172fa1dc41a48846593219fc6519f\Cmn5TH6S2lFFnfMN8MLr2EoNUIAGzQo2UUjHGMEC99A=	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\17087e6e4710e63df4fcd8834f70bc99\pj5OoD7hJ+dBGy+3XOjLT8WsuYwervv\BIT23E.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\7752a73587b3362d505a041fe7f69ecd\F2WKV54ysEMEW9U+EfiUeJcNcgfNL4pMC5NmE0a3mAg=	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\ca4af4339884f7018bf988ecac7702ff\BIT7043.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\7752a73587b3362d505a041fe7f69ecd\BIT913A.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d1d4bb0c910695f4fcf53d8f91faafa7\Jda7di8befpfPWz3DrhkMwwJL9XbuL8\BITB3C7.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\9d6172fa1dc41a48846593219fc6519f\BIT8D65.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\17087e6e4710e63df4fcd8834f70bc99\BIT923A.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d60cb501610b6a66743c55eade3ef996\f3535a3b47819a04c6d5ee18905493be086e801e	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2764 wrote to memory of 1688	2764	rundll32.exe	rundll32.exe
PID 2764 wrote to memory of 1688	2764	rundll32.exe	rundll32.exe
PID 2764 wrote to memory of 1688	2764	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5b8b3ae9cb90a4ad87b06d35805f1d1cae61c2c9fc560b3020b5c6954ee7d8b9.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2764

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5b8b3ae9cb90a4ad87b06d35805f1d1cae61c2c9fc560b3020b5c6954ee7d8b9.dll,#1
2⤵
PID:1688

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
- Drops file in Windows directory
PID:3908

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:2996

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1688-134-0x0000000010000000-0x0000000010009000-memory.dmp

Filesize
36KB

Download
memory/1688-136-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/1688-135-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/3908-137-0x0000019236B60000-0x0000019236B70000-memory.dmp

Filesize
64KB

Download
memory/3908-138-0x0000019237460000-0x0000019237470000-memory.dmp

Filesize
64KB

Download
memory/3908-139-0x00000192377C0000-0x00000192377C4000-memory.dmp

Filesize
16KB

Download
memory/3908-140-0x0000019239FD0000-0x0000019239FD4000-memory.dmp

Filesize
16KB

Download
memory/3908-141-0x0000019239FD0000-0x0000019239FD4000-memory.dmp

Filesize
16KB

Download
memory/3908-142-0x000001923A030000-0x000001923A034000-memory.dmp

Filesize
16KB

Download
memory/3908-143-0x000001923A020000-0x000001923A021000-memory.dmp

Filesize
4KB

Download
memory/3908-144-0x000001923A110000-0x000001923A114000-memory.dmp

Filesize
16KB

Download
memory/3908-145-0x000001923A110000-0x000001923A114000-memory.dmp

Filesize
16KB

Download
memory/3908-146-0x000001923A150000-0x000001923A154000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads