icedid | 8852d2161c2b591a6a1743590d1941beb659a7d4e07187627fcaff8c5ba56a76

Analysis

Target

dart.dll
Size

148KB
MD5

54c454aa55315437a8da08eacb02e1a6
SHA1

40f55903a26df3a30608e131e9352503d04adcb3
SHA256

8852d2161c2b591a6a1743590d1941beb659a7d4e07187627fcaff8c5ba56a76
SHA512

6adac5866c50840fc8ecfb7b0cd4c352a55b1b2f90d7d7f941a195283c844ab9863ac6d17d08631285990255c08f3a8c7a0ba4f4eb717c2c94629f378028ab3c

Score

10^/10

Family

icedid

Campaign

3546287305

oceriesfornot.top

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1124 1632 WerFault.exe regsvr32.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exe

pid process

1632 regsvr32.exe
1632 regsvr32.exe

pid	pid_target	process	target process
1124	1632	WerFault.exe	regsvr32.exe

pid	process
1632	regsvr32.exe
1632	regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 1632 wrote to memory of 1124	1632	regsvr32.exe	WerFault.exe
PID 1632 wrote to memory of 1124	1632	regsvr32.exe	WerFault.exe
PID 1632 wrote to memory of 1124	1632	regsvr32.exe	WerFault.exe

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1632 -s 244
2⤵
- Program crash
PID:1124

memory/1632-54-0x000007FEFC061000-0x000007FEFC063000-memory.dmp

Filesize
8KB

Download
memory/1632-55-0x0000000180000000-0x000000018000B000-memory.dmp

Filesize
44KB

Download