icedid | 0732eb353df00b0073fcabd61c6bc7daa5947fdabdd31237e29adae4ce297392

Analysis

Target

0732eb353df00b0073fcabd61c6bc7daa5947fdabdd31237e29adae4ce297392.exe
Size

420KB
MD5

5f36fc87c9f0c511354babd373a4c8dd
SHA1

35c6365226d3aedd045794c182b86cd0cd145192
SHA256

0732eb353df00b0073fcabd61c6bc7daa5947fdabdd31237e29adae4ce297392
SHA512

7106855c6cd6fb6ccb8c9784ed355241de58e75539974268355f7b073f55258e34e4a2eed94518e97911897c4a43ea553ee120516c57370dcde22761b5689821

Score

10^/10

Family

icedid

aborigencredit.xyz

ideology8cum.top

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

IcedID Second Stage Loader 2 IoCs

loader

Processes:

resource	yara_rule
behavioral2/memory/4364-134-0x0000000000480000-0x00000000005CB000-memory.dmp	IcedidSecondLoader
behavioral2/memory/4364-136-0x0000000000480000-0x0000000000486000-memory.dmp	IcedidSecondLoader

Drops file in Windows directory 10 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\SoftwareDistribution\Download\9d6172fa1dc41a48846593219fc6519f\Cmn5TH6S2lFFnfMN8MLr2EoNUIAGzQo2UUjHGMEC99A=	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d60cb501610b6a66743c55eade3ef996\BIT8D0.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d60cb501610b6a66743c55eade3ef996\CsA9z1\SlUHUPO8bKnA\BITB33A.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d60cb501610b6a66743c55eade3ef996\BITB3A9.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d60cb501610b6a66743c55eade3ef996\f3535a3b47819a04c6d5ee18905493be086e801e	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\9d6172fa1dc41a48846593219fc6519f\BIT65C.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d60cb501610b6a66743c55eade3ef996\CsA9z1\SlUHUPO8bKnA\BIT803.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d60cb501610b6a66743c55eade3ef996\CsA9z1\SlUHUPO8bKnA\5ondRmJ90JlkPETuN535TWk=	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\9d6172fa1dc41a48846593219fc6519f\BIT881.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\9d6172fa1dc41a48846593219fc6519f\e1a85885fd4453165061351651289cce8f8590c4	svchost.exe

C:\Users\Admin\AppData\Local\Temp\0732eb353df00b0073fcabd61c6bc7daa5947fdabdd31237e29adae4ce297392.exe
"C:\Users\Admin\AppData\Local\Temp\0732eb353df00b0073fcabd61c6bc7daa5947fdabdd31237e29adae4ce297392.exe"
1⤵
PID:4364

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
- Drops file in Windows directory
PID:3812

memory/3812-137-0x000001FE66060000-0x000001FE66070000-memory.dmp

Filesize
64KB

Download
memory/3812-138-0x000001FE660C0000-0x000001FE660D0000-memory.dmp

Filesize
64KB

Download
memory/3812-139-0x000001FE68660000-0x000001FE68664000-memory.dmp

Filesize
16KB

Download
memory/3812-140-0x000001FE689E0000-0x000001FE689E4000-memory.dmp

Filesize
16KB

Download
memory/3812-141-0x000001FE689E0000-0x000001FE689E4000-memory.dmp

Filesize
16KB

Download
memory/3812-142-0x000001FE68A10000-0x000001FE68A14000-memory.dmp

Filesize
16KB

Download
memory/3812-143-0x000001FE68A00000-0x000001FE68A01000-memory.dmp

Filesize
4KB

Download
memory/4364-135-0x00000000030D0000-0x00000000030D1000-memory.dmp

Filesize
4KB

Download
memory/4364-134-0x0000000000480000-0x00000000005CB000-memory.dmp

Filesize
1.3MB

Download
memory/4364-136-0x0000000000480000-0x0000000000486000-memory.dmp

Filesize
24KB

Download