icedid | 47eccb3bfd568130bdc9833be94ba9e4d101a73fa6782efdc83662297d1e6de8 | Triage

Analysis

max time kernel
4294210s
max time network
153s
platform
windows7_x64
resource
win7-20220311-en
submitted
14-04-2022 14:27

Sharing

Report Analysis Logs

General

Target

47eccb3bfd568130bdc9833be94ba9e4d101a73fa6782efdc83662297d1e6de8.dll
Size

120KB
MD5

ef2fc6976cede1a029e2a8a0de3372de
SHA1

7ed2914017b73ff0590da88a01dc909ee094dad8
SHA256

47eccb3bfd568130bdc9833be94ba9e4d101a73fa6782efdc83662297d1e6de8
SHA512

774eccb2e3cd2dadce826ce2f4c32f38c06979cfc48c014f2d575ef8be28b038f5d665ca2c8025a9dec674125641d2ed309d0a05f8f3bae587cee4cb8ab7fab8

Score

10^/10

icedid banker loader trojan

Malware Config

Extracted

Family

icedid

C2

lookatnice.top

littyfahren.club

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

IcedID Second Stage Loader 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1684-56-0x0000000074AB0000-0x0000000074AB6000-memory.dmp	IcedidSecondLoader
behavioral1/memory/1684-57-0x0000000074AB0000-0x0000000074ADA000-memory.dmp	IcedidSecondLoader

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1212 wrote to memory of 1684	1212	rundll32.exe	rundll32.exe
PID 1212 wrote to memory of 1684	1212	rundll32.exe	rundll32.exe
PID 1212 wrote to memory of 1684	1212	rundll32.exe	rundll32.exe
PID 1212 wrote to memory of 1684	1212	rundll32.exe	rundll32.exe
PID 1212 wrote to memory of 1684	1212	rundll32.exe	rundll32.exe
PID 1212 wrote to memory of 1684	1212	rundll32.exe	rundll32.exe
PID 1212 wrote to memory of 1684	1212	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\47eccb3bfd568130bdc9833be94ba9e4d101a73fa6782efdc83662297d1e6de8.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1212

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\47eccb3bfd568130bdc9833be94ba9e4d101a73fa6782efdc83662297d1e6de8.dll,#1
2⤵
PID:1684

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1684-54-0x0000000000000000-mapping.dmp

Download
memory/1684-55-0x0000000075BB1000-0x0000000075BB3000-memory.dmp

Filesize
8KB

Download
memory/1684-56-0x0000000074AB0000-0x0000000074AB6000-memory.dmp

Filesize
24KB

Download
memory/1684-57-0x0000000074AB0000-0x0000000074ADA000-memory.dmp

Filesize
168KB

Download