icedid | 4e5b7483c9a49bf36b644f22c1c4daef732742affd15ffd20dda4de85260e581 | Triage

Analysis

max time kernel
132s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
17-04-2022 07:05

Sharing

Report Analysis Logs

General

Target

4e5b7483c9a49bf36b644f22c1c4daef732742affd15ffd20dda4de85260e581.dll
Size

242KB
MD5

b0c76afe8c156ab68f90f1a481d180b3
SHA1

22e94a6d6b50bc8f9dd79464e2fa4eba16491049
SHA256

4e5b7483c9a49bf36b644f22c1c4daef732742affd15ffd20dda4de85260e581
SHA512

e9d3e15c45a57204b887b5cbe2ad671d76507fa273792dabe9f6eaf074ddb6ce79d69fee66e9c832eb3b83d4e7788521c1a75413470be1c726f6d3d3d97ddbec

Score

10^/10

icedid banker loader trojan

Malware Config

Extracted

Family

icedid

C2

goblinsdown.top

daysarecommitee.top

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

IcedID Second Stage Loader 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1864-131-0x0000000074E70000-0x0000000074E76000-memory.dmp	IcedidSecondLoader
behavioral2/memory/1864-132-0x0000000074E70000-0x0000000074EBF000-memory.dmp	IcedidSecondLoader

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 5072 wrote to memory of 1864	5072	regsvr32.exe	regsvr32.exe
PID 5072 wrote to memory of 1864	5072	regsvr32.exe	regsvr32.exe
PID 5072 wrote to memory of 1864	5072	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\4e5b7483c9a49bf36b644f22c1c4daef732742affd15ffd20dda4de85260e581.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:5072

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\4e5b7483c9a49bf36b644f22c1c4daef732742affd15ffd20dda4de85260e581.dll
2⤵
PID:1864

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1864-130-0x0000000000000000-mapping.dmp

Download
memory/1864-131-0x0000000074E70000-0x0000000074E76000-memory.dmp

Filesize
24KB

Download
memory/1864-132-0x0000000074E70000-0x0000000074EBF000-memory.dmp

Filesize
316KB

Download