icedid | f31cbfe50f6b800f6911e47e9784e3a7ade35538c514248d01efd310a9b060a3

Analysis

Target

core.bat
Size

186B
MD5

5acb1a1562189471386f35e8d857671f
SHA1

1a613777a8af69159de7ea50959a67265c00f524
SHA256

5f037bbe5ebfe76ddb18bf9864f2747ef46e5083b7ce3d8c4694b8fdf228f51c
SHA512

11a89de54632b8daf09853456fafd7580c9eb46e310c495c3e5b1e52d338e68bf92a31c371d55eb47ac8e94661caefbed1265e1351c448836ddef465f49c00e1

Score

10^/10

Family

icedid

Botnet

3415411565

antnosience.com

seaskysafe.com

otectagain.top

dilimoretast.com

Attributes

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
Blocklisted process makes network request 5 IoCs

Processes:

rundll32.exe

flow pid process

3 1980 rundll32.exe
5 1980 rundll32.exe
7 1980 rundll32.exe
9 1980 rundll32.exe
11 1980 rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 956 wrote to memory of 1980	956	cmd.exe	rundll32.exe
PID 956 wrote to memory of 1980	956	cmd.exe	rundll32.exe
PID 956 wrote to memory of 1980	956	cmd.exe	rundll32.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\core.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:956

C:\Users\Admin\AppData\Roaming\license.dat
MD5
e9ad8fae2dd8f9d12e709af20d9aefad

SHA1
db7d1545c3c7e60235700af672c1d20175b380cd

SHA256
84f016ece77ddd7d611ffc0cbb2ce24184aeee3a2fdbb9d44d0837bc533ba238

SHA512
4f652b4d2db81bd91e8a9cd8ca330748f7c98b21150ca2b640da2aad357adadeac80070177f9f253c595d683264d23e1f04701c2975c0e03caffd367d424d17f

Download Submit
memory/1980-54-0x0000000180000000-0x0000000180005000-memory.dmp

Filesize
20KB

Download
memory/1980-59-0x0000000001C30000-0x0000000001C8A000-memory.dmp

Filesize
360KB

Download