Overview

overview

10

Static

static

core.bat

windows7_x64

10

core.bat

windows10-2004_x64

10

paper_x32.dll

windows7_x64

1

paper_x32.dll

windows10-2004_x64

1

Analysis

  • max time kernel
    4294210s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20220311-en
  • submitted
    28-03-2022 20:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    core.bat

  • Size

    186B

  • MD5

    e14de7f5eba87fa6b9466f4214c4d614

  • SHA1

    25ed97a19eefa2e5d33013ceb95e386e70ac98f0

  • SHA256

    e0326bb3bf6b5c2be434b3945229be63bef06830c2ad604671b8d4dc53db0ccc

  • SHA512

    d7d7c0a6150d644147f924c85de27748d8c93aebb41fc37b6ba8f3dd4ef675cd0273d54443e4e76ee4acf3e4f9eb4a622184718f11e49d72bb39c5a68a4f29bf

Score
10/10
icedid3415411565bankercore_loadertrojan

Malware Config

Extracted

Family

icedid

Botnet

3415411565

C2

antnosience.com

seaskysafe.com

otectagain.top

dilimoretast.com
Attributes
  • auth_var

    18

  • url_path

    /news/

Signatures

  • IcedID, BokBot

    IcedID is a banking trojan capable of stealing credentials.

    trojanbankericedid
  • Blocklisted process makes network request 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\core.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1104
    • C:\Windows\system32\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\paper_x32.dat,DllMain /i="license.dat"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      PID:580

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\license.dat
    Filesize

    336KB

    MD5

    e9ad8fae2dd8f9d12e709af20d9aefad

    SHA1

    db7d1545c3c7e60235700af672c1d20175b380cd

    SHA256

    84f016ece77ddd7d611ffc0cbb2ce24184aeee3a2fdbb9d44d0837bc533ba238

    SHA512

    4f652b4d2db81bd91e8a9cd8ca330748f7c98b21150ca2b640da2aad357adadeac80070177f9f253c595d683264d23e1f04701c2975c0e03caffd367d424d17f

    Download Submit

  • memory/580-54-0x0000000000000000-mapping.dmp

    Download

  • memory/580-55-0x0000000180000000-0x0000000180005000-memory.dmp

    Filesize

    20KB

    Download

  • memory/580-60-0x00000000004C0000-0x000000000051A000-memory.dmp

    Filesize

    360KB

    Download