icedid | fa57edfeba4f4a4d207ebffde89152d373de3b2c835ece3ca57c410e8292c1e8 | Triage

Analysis

max time kernel
4294181s
max time network
138s
platform
windows7_x64
resource
win7-20220311-en
submitted
24-03-2022 19:19

Sharing

Report Analysis Logs

General

Target

fa57edfeba4f4a4d207ebffde89152d373de3b2c835ece3ca57c410e8292c1e8.dll
Size

328KB
MD5

f14251e51225dffe2929eaa5e5a5ab13
SHA1

5f510c8fc39980a24310cba53a5e5c5537af17d2
SHA256

fa57edfeba4f4a4d207ebffde89152d373de3b2c835ece3ca57c410e8292c1e8
SHA512

468b0d45333e491141568e85c1f847eed2bbd338008e2fd03315e0451368abb9950585687d82f2824099c62823d6442a199a5ddb1a92ec8e8f2d2be89924d8b4

Score

10^/10

icedid banker loader trojan

Malware Config

Extracted

Family

icedid

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

IcedID First Stage Loader 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1496-56-0x00000000747F0000-0x00000000747F9000-memory.dmp	IcedidFirstLoader
behavioral1/memory/1496-57-0x00000000747F0000-0x0000000074853000-memory.dmp	IcedidFirstLoader

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1492 wrote to memory of 1496	1492	rundll32.exe	rundll32.exe
PID 1492 wrote to memory of 1496	1492	rundll32.exe	rundll32.exe
PID 1492 wrote to memory of 1496	1492	rundll32.exe	rundll32.exe
PID 1492 wrote to memory of 1496	1492	rundll32.exe	rundll32.exe
PID 1492 wrote to memory of 1496	1492	rundll32.exe	rundll32.exe
PID 1492 wrote to memory of 1496	1492	rundll32.exe	rundll32.exe
PID 1492 wrote to memory of 1496	1492	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\fa57edfeba4f4a4d207ebffde89152d373de3b2c835ece3ca57c410e8292c1e8.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1492

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\fa57edfeba4f4a4d207ebffde89152d373de3b2c835ece3ca57c410e8292c1e8.dll,#1
2⤵
PID:1496

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1496-54-0x0000000000000000-mapping.dmp

Download
memory/1496-55-0x0000000075561000-0x0000000075563000-memory.dmp

Filesize
8KB

Download
memory/1496-56-0x00000000747F0000-0x00000000747F9000-memory.dmp

Filesize
36KB

Download
memory/1496-57-0x00000000747F0000-0x0000000074853000-memory.dmp

Filesize
396KB

Download