Overview

overview

10

Static

static

core.bat

windows7_x64

10

core.bat

windows10-2004_x64

10

impulse_x64.dll

windows7_x64

1

impulse_x64.dll

windows10-2004_x64

1

Analysis

  • max time kernel
    4294210s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20220311-en
  • submitted
    28-03-2022 19:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    core.bat

  • Size

    190B

  • MD5

    90d45afa6d19dcdb77acbf7feb7e6acd

  • SHA1

    1d2082578ee2754f8a1832b43d34d2981e45349c

  • SHA256

    94ff05e826b154bce6b9dd22edf2d01d41fb61457a9e78943d4dba9e3e07f272

  • SHA512

    89c639562c183d1375a810378939fda3c8a08567c5a6e13eefd80ce711c8ed29e887af0dff1b845d6b44003055728048d819104f93bce3442b15cd3512905c5d

Score
10/10
icedid273095221bankercore_loadertrojan

Malware Config

Extracted

Family

icedid

Botnet

273095221

C2

qwesteresiler.top

hoseonlin.top

fallhuma.top

nefitsonyo.xyz
Attributes
  • auth_var

    3

  • url_path

    /news/

Signatures

  • IcedID, BokBot

    IcedID is a banking trojan capable of stealing credentials.

    trojanbankericedid
  • Blocklisted process makes network request 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\core.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1392
    • C:\Windows\system32\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\impulse_x64.tmp,DllMain /i="license.dat"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      PID:1808

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\license.dat
    Filesize

    336KB

    MD5

    e9ad8fae2dd8f9d12e709af20d9aefad

    SHA1

    db7d1545c3c7e60235700af672c1d20175b380cd

    SHA256

    84f016ece77ddd7d611ffc0cbb2ce24184aeee3a2fdbb9d44d0837bc533ba238

    SHA512

    4f652b4d2db81bd91e8a9cd8ca330748f7c98b21150ca2b640da2aad357adadeac80070177f9f253c595d683264d23e1f04701c2975c0e03caffd367d424d17f

    Download Submit

  • memory/1808-54-0x0000000000000000-mapping.dmp

    Download

  • memory/1808-55-0x0000000180000000-0x0000000180005000-memory.dmp

    Filesize

    20KB

    Download

  • memory/1808-60-0x00000000020E0000-0x000000000213A000-memory.dmp

    Filesize

    360KB

    Download