icedid | 435aedd53caa65976f6ca7084a477895c67733218b955bfd8dad04da66ba7f6e

Analysis

max time kernel
68s
max time network
72s
platform
windows7_x64
resource
win7-20220414-en
submitted
20-04-2022 20:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Fromware.dll.4.dll
Size

1.8MB
MD5

989a47b62f1014d6d937119326ca67a1
SHA1

416fcfb222e5224c487bda6eb011fa6f42d96186
SHA256

2948d545b8901e331c14faa2def87766e8241360e0595fa8a273c9d0028a3692
SHA512

6960e4f345fa4c37632438bd20ae98a281511e34e4febf1af7637b7061c1ba864a0c77bce878860a8a079665197237d608899cc81fadabf62dd1450c66ef00be

Score

10^/10

icedid 2544198788 banker loader trojan

Malware Config

Extracted

Family

icedid

Campaign

2544198788

yellwells.com

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exerundll32.exe

flow pid process

3 1940 rundll32.exe
4 1952 rundll32.exe
Loads dropped DLL 8 IoCs

Processes:

rundll32.exerundll32.exe

pid process

1952 rundll32.exe
1952 rundll32.exe
1952 rundll32.exe
1940 rundll32.exe
1940 rundll32.exe
1940 rundll32.exe
1940 rundll32.exe
1952 rundll32.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rundll32.exerundll32.exe

pid process

1940 rundll32.exe
1940 rundll32.exe
1952 rundll32.exe
1952 rundll32.exe

flow	pid	process
3	1940	rundll32.exe
4	1952	rundll32.exe

pid	process
1952	rundll32.exe
1952	rundll32.exe
1952	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1952	rundll32.exe

pid	process
1940	rundll32.exe
1940	rundll32.exe
1952	rundll32.exe
1952	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 632 wrote to memory of 1940	632	rundll32.exe	rundll32.exe
PID 632 wrote to memory of 1940	632	rundll32.exe	rundll32.exe
PID 632 wrote to memory of 1940	632	rundll32.exe	rundll32.exe
PID 632 wrote to memory of 1952	632	rundll32.exe	rundll32.exe
PID 632 wrote to memory of 1952	632	rundll32.exe	rundll32.exe
PID 632 wrote to memory of 1952	632	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Fromware.dll.4.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:632

C:\Windows\system32\rundll32.exe
rundll32 C:\Users\Admin\pycharmer.dll,PluginInit
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1952

C:\Windows\system32\rundll32.exe
rundll32 C:\Users\Admin\pycharmer.dll,PluginInit
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1940

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\pycharmer.dll
Filesize
228KB

MD5
6778da0b8948af96459178dda709c8d0

SHA1
972dbcdf4cb58a595a85b4371d66d9ef0988ae57

SHA256
22cc183573ae8d4149574ed98ade211829331dabdb9c329845c71e13a9144244

SHA512
33a92e618a9ef1065af287b901aa5e6a6b1ed60771c3cd896d64c17b8af117c1ec8a7926407a1ff0fc0b82b9a8ce0fea00ab98191cb1d7bc2ccbae0999d134a8

Download Submit
\Users\Admin\pycharmer.dll
Filesize
228KB

MD5
6778da0b8948af96459178dda709c8d0

SHA1
972dbcdf4cb58a595a85b4371d66d9ef0988ae57

SHA256
22cc183573ae8d4149574ed98ade211829331dabdb9c329845c71e13a9144244

SHA512
33a92e618a9ef1065af287b901aa5e6a6b1ed60771c3cd896d64c17b8af117c1ec8a7926407a1ff0fc0b82b9a8ce0fea00ab98191cb1d7bc2ccbae0999d134a8

Download Submit
\Users\Admin\pycharmer.dll
Filesize
228KB

MD5
6778da0b8948af96459178dda709c8d0

SHA1
972dbcdf4cb58a595a85b4371d66d9ef0988ae57

SHA256
22cc183573ae8d4149574ed98ade211829331dabdb9c329845c71e13a9144244

SHA512
33a92e618a9ef1065af287b901aa5e6a6b1ed60771c3cd896d64c17b8af117c1ec8a7926407a1ff0fc0b82b9a8ce0fea00ab98191cb1d7bc2ccbae0999d134a8

Download Submit
\Users\Admin\pycharmer.dll
Filesize
228KB

MD5
6778da0b8948af96459178dda709c8d0

SHA1
972dbcdf4cb58a595a85b4371d66d9ef0988ae57

SHA256
22cc183573ae8d4149574ed98ade211829331dabdb9c329845c71e13a9144244

SHA512
33a92e618a9ef1065af287b901aa5e6a6b1ed60771c3cd896d64c17b8af117c1ec8a7926407a1ff0fc0b82b9a8ce0fea00ab98191cb1d7bc2ccbae0999d134a8

Download Submit
\Users\Admin\pycharmer.dll
Filesize
228KB

MD5
6778da0b8948af96459178dda709c8d0

SHA1
972dbcdf4cb58a595a85b4371d66d9ef0988ae57

SHA256
22cc183573ae8d4149574ed98ade211829331dabdb9c329845c71e13a9144244

SHA512
33a92e618a9ef1065af287b901aa5e6a6b1ed60771c3cd896d64c17b8af117c1ec8a7926407a1ff0fc0b82b9a8ce0fea00ab98191cb1d7bc2ccbae0999d134a8

Download Submit
\Users\Admin\pycharmer.dll
Filesize
228KB

MD5
6778da0b8948af96459178dda709c8d0

SHA1
972dbcdf4cb58a595a85b4371d66d9ef0988ae57

SHA256
22cc183573ae8d4149574ed98ade211829331dabdb9c329845c71e13a9144244

SHA512
33a92e618a9ef1065af287b901aa5e6a6b1ed60771c3cd896d64c17b8af117c1ec8a7926407a1ff0fc0b82b9a8ce0fea00ab98191cb1d7bc2ccbae0999d134a8

Download Submit
\Users\Admin\pycharmer.dll
Filesize
228KB

MD5
6778da0b8948af96459178dda709c8d0

SHA1
972dbcdf4cb58a595a85b4371d66d9ef0988ae57

SHA256
22cc183573ae8d4149574ed98ade211829331dabdb9c329845c71e13a9144244

SHA512
33a92e618a9ef1065af287b901aa5e6a6b1ed60771c3cd896d64c17b8af117c1ec8a7926407a1ff0fc0b82b9a8ce0fea00ab98191cb1d7bc2ccbae0999d134a8

Download Submit
\Users\Admin\pycharmer.dll
Filesize
228KB

MD5
6778da0b8948af96459178dda709c8d0

SHA1
972dbcdf4cb58a595a85b4371d66d9ef0988ae57

SHA256
22cc183573ae8d4149574ed98ade211829331dabdb9c329845c71e13a9144244

SHA512
33a92e618a9ef1065af287b901aa5e6a6b1ed60771c3cd896d64c17b8af117c1ec8a7926407a1ff0fc0b82b9a8ce0fea00ab98191cb1d7bc2ccbae0999d134a8

Download Submit
\Users\Admin\pycharmer.dll
Filesize
228KB

MD5
6778da0b8948af96459178dda709c8d0

SHA1
972dbcdf4cb58a595a85b4371d66d9ef0988ae57

SHA256
22cc183573ae8d4149574ed98ade211829331dabdb9c329845c71e13a9144244

SHA512
33a92e618a9ef1065af287b901aa5e6a6b1ed60771c3cd896d64c17b8af117c1ec8a7926407a1ff0fc0b82b9a8ce0fea00ab98191cb1d7bc2ccbae0999d134a8

Download Submit
memory/1940-54-0x0000000000000000-mapping.dmp

Download
memory/1952-55-0x0000000000000000-mapping.dmp

Download
memory/1952-65-0x0000000180000000-0x0000000180009000-memory.dmp

Filesize
36KB

Download