icedid | 02a593571d2221f5eccdba5cbfaccba9f2a821fdc2b133895c0916b41f8cf575 | Triage

Analysis

max time kernel
151s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
27-04-2022 18:13

Sharing

Report Analysis Logs

General

Target

02a593571d2221f5eccdba5cbfaccba9f2a821fdc2b133895c0916b41f8cf575.dll
Size

347KB
MD5

a2d191168117d47b6b198ca0cb41e3e2
SHA1

81f69c70490f4aee50ac1e5121686a2632e568bd
SHA256

02a593571d2221f5eccdba5cbfaccba9f2a821fdc2b133895c0916b41f8cf575
SHA512

af02093a3d4f40eddfa8c4060443f4b7f24c781795c41ae459ecb6f488ff39a9fa841924bc5118ceeda6f3d882fd27474c3bd3230d3980eb8885fab0da8a3ec2

Score

10^/10

icedid banker loader trojan

Malware Config

Extracted

Family

icedid

C2

argentinocapuccho.cyou

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

IcedID First Stage Loader 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1676-133-0x00000000021E0000-0x00000000021E6000-memory.dmp	IcedidFirstLoader
behavioral2/memory/1676-134-0x00000000021E1000-0x00000000021FB000-memory.dmp	IcedidFirstLoader
behavioral2/memory/1676-135-0x00000000021E0000-0x0000000002298000-memory.dmp	IcedidFirstLoader

Blocklisted process makes network request 14 IoCs

Processes:

rundll32.exe

flow	pid	process
62	1676	rundll32.exe
64	1676	rundll32.exe
66	1676	rundll32.exe
68	1676	rundll32.exe
70	1676	rundll32.exe
72	1676	rundll32.exe
74	1676	rundll32.exe
76	1676	rundll32.exe
78	1676	rundll32.exe
80	1676	rundll32.exe
83	1676	rundll32.exe
85	1676	rundll32.exe
88	1676	rundll32.exe
90	1676	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 4888 wrote to memory of 1676	4888	rundll32.exe	rundll32.exe
PID 4888 wrote to memory of 1676	4888	rundll32.exe	rundll32.exe
PID 4888 wrote to memory of 1676	4888	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\02a593571d2221f5eccdba5cbfaccba9f2a821fdc2b133895c0916b41f8cf575.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4888

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\02a593571d2221f5eccdba5cbfaccba9f2a821fdc2b133895c0916b41f8cf575.dll,#1
2⤵
- Blocklisted process makes network request
PID:1676

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1676-130-0x0000000000000000-mapping.dmp

Download
memory/1676-131-0x00000000021E0000-0x0000000002298000-memory.dmp

Filesize
736KB

Download
memory/1676-133-0x00000000021E0000-0x00000000021E6000-memory.dmp

Filesize
24KB

Download
memory/1676-134-0x00000000021E1000-0x00000000021FB000-memory.dmp

Filesize
104KB

Download
memory/1676-135-0x00000000021E0000-0x0000000002298000-memory.dmp

Filesize
736KB

Download