Analysis

  • max time kernel
    148s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    24-03-2022 19:22

General

  • Target

    5367acae0dec8ceae1de5d8f617d61ab486715c0b4f9c7b5350513b021fac508.dll

  • Size

    209KB

  • MD5

    bce3f6df2481cc576f243dd2a8b46c54

  • SHA1

    c0e7211cd87ff2d7cfa40fac1f564d6081aab3ab

  • SHA256

    5367acae0dec8ceae1de5d8f617d61ab486715c0b4f9c7b5350513b021fac508

  • SHA512

    101c88d4ac961daa1ed8db10fda43f55142c69d789795a77677432f815044a66a354f44102863bd77c881c2de31a1b43164913406ac902ebe9f6e35331bf83f3

Malware Config

Extracted

Family

icedid

C2

singularitty.best

zolerasiop.club


Signatures

  • IcedID, BokBot

    IcedID (also tracked as BokBot) is a banking trojan and loader that steals credentials; the signature below tags this sample as its second-stage loader.

  • IcedID Second Stage Loader 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe (PID 1592)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\5367acae0dec8ceae1de5d8f617d61ab486715c0b4f9c7b5350513b021fac508.dll,#1
    • Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\rundll32.exe (PID 2216, child of PID 1592)
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\5367acae0dec8ceae1de5d8f617d61ab486715c0b4f9c7b5350513b021fac508.dll,#1

    The 64-bit rundll32 in system32 re-launches the 32-bit copy in SysWOW64 with the same command line; this is what rundll32 does when handed a 32-bit DLL, so the payload actually executes in PID 2216, which is where the memory dumps below are taken. Note the DLL is loaded from the user's Temp directory and invoked by ordinal (#1) rather than by export name.
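
The loader pattern in this process tree (rundll32 loading a DLL from a user-writable Temp path, calling it by ordinal, and a system32 rundll32 re-spawning the SysWOW64 one) is easy to turn into a detection. The following is an added example, not part of the sandbox report or of any vendor's rule set: it runs a few heuristics over constructed process-creation events modelled on the tree above. The parent PID of the first rundll32, the benign shell32 event and the field names are assumptions.

```python
"""Flag rundll32 process-creation events that match the loader pattern
from the report: DLL in a user-writable path, ordinal entry point, and a
64-bit rundll32 (system32) spawning the 32-bit one (SysWOW64).

Added example; the events below are constructed from the report's process
tree, with assumed PPIDs and one assumed benign event for contrast.
"""
import re

SAMPLE_EVENTS = [
    {"pid": 1592, "ppid": 3480,                      # ppid assumed
     "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\5367acae0dec8ceae1de5d8f617d61ab486715c0b4f9c7b5350513b021fac508.dll,#1"},
    {"pid": 2216, "ppid": 1592,                      # child shown in the report
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\5367acae0dec8ceae1de5d8f617d61ab486715c0b4f9c7b5350513b021fac508.dll,#1"},
    {"pid": 4100, "ppid": 3480,                      # assumed benign event
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

# Directories a standard user can write to; a DLL here is far more suspicious
# than one under %SystemRoot% or Program Files (list is an assumption).
USER_WRITABLE = (r"\appdata\local\temp", r"\appdata\roaming",
                 r"\users\public", r"\programdata")

# rundll32[.exe] <dll path>,<entry>; tolerates a quoted full path to rundll32
# and a quoted DLL path.
_RUNDLL_RE = re.compile(
    r'^\s*(?:"[^"]*\\)?rundll32(?:\.exe)?"?\s+"?([^",]+?)"?\s*,\s*(\S+)', re.I)


def parse_rundll32(cmdline):
    """Return (dll_path, entry) for a rundll32 command line, else None."""
    m = _RUNDLL_RE.match(cmdline)
    return (m.group(1), m.group(2)) if m else None


def classify(event, by_pid):
    """Return the list of heuristic reasons this event looks like the loader."""
    reasons = []
    parsed = parse_rundll32(event["cmdline"])
    if parsed is None:
        return reasons
    dll, entry = parsed
    dll_low = dll.lower()
    if any(p in dll_low for p in USER_WRITABLE):
        reasons.append("dll-in-user-writable-path")
    if re.fullmatch(r"#\d+", entry):
        reasons.append("ordinal-entry")          # e.g. ",#1" as in the report
    parent = by_pid.get(event["ppid"])
    if (parent is not None
            and event["image"].lower().endswith(r"\syswow64\rundll32.exe")
            and parent["image"].lower().endswith(r"\system32\rundll32.exe")):
        reasons.append("wow64-respawn")          # 64-bit rundll32 -> 32-bit child
    return reasons


def find_alerts(events):
    """Map PID -> reasons for every event that triggers at least one heuristic."""
    by_pid = {e["pid"]: e for e in events}
    alerts = {}
    for e in events:
        reasons = classify(e, by_pid)
        if reasons:
            alerts[e["pid"]] = reasons
    return alerts


if __name__ == "__main__":
    for pid, reasons in find_alerts(SAMPLE_EVENTS).items():
        print(f"PID {pid}: {', '.join(reasons)}")
```

Each heuristic on its own fires on legitimate software now and then; the combination seen here (Temp path, ordinal entry and the WoW64 re-spawn in one parent/child pair) is the signal worth alerting on, and the shell32 event shows the rule staying quiet on a normal rundll32 invocation.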

Network

MITRE ATT&CK Matrix


Downloads

  • memory/2216-130-0x0000000000000000-mapping.dmp
  • memory/2216-131-0x0000000074910000-0x0000000074916000-memory.dmp
    Filesize: 24KB
  • memory/2216-132-0x0000000074910000-0x000000007495C000-memory.dmp
    Filesize: 304KB