Resubmissions
03-05-2022 00:20
220503-am65safgbp 10Analysis
-
max time kernel
148s -
max time network
175s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
03-05-2022 00:20
Static task
static1
Behavioral task
behavioral1
Sample
b6b31cca984d64c13dac5c4fbdd1a13217cb628843718926b4447ff7d14471b0.dll
Resource
win7-20220414-en
windows7_x64
0 signatures
0 seconds
General
-
Target
b6b31cca984d64c13dac5c4fbdd1a13217cb628843718926b4447ff7d14471b0.dll
-
Size
277KB
-
MD5
0af2557a722f8a703f5d2944690aa2b6
-
SHA1
9a9334d0c42b9a78a0a9e67d87ef4a5dcc839755
-
SHA256
b6b31cca984d64c13dac5c4fbdd1a13217cb628843718926b4447ff7d14471b0
-
SHA512
43565af0596fed1b63f7c62f4adead0d7b54d0ae8d641a89860d63bbeaf8c9bb010fb9630e6e11a665a53c2dc36bc65308dbe05a7e4ae9822240c921b36e88dd
Malware Config
Extracted
Family
icedid
Extracted
Family
icedid
Botnet
951045417
C2
nazamoskaotp.xyz
49vodysf.club
Attributes
-
auth_var
1
-
url_path
/audio/
Signatures
-
IcedID Second Stage Loader 2 IoCs
resource yara_rule behavioral1/memory/864-56-0x0000000074F10000-0x0000000074F60000-memory.dmp IcedidSecondLoader behavioral1/memory/864-57-0x0000000074F10000-0x0000000074F16000-memory.dmp IcedidSecondLoader -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 2024 wrote to memory of 864 2024 rundll32.exe 28 PID 2024 wrote to memory of 864 2024 rundll32.exe 28 PID 2024 wrote to memory of 864 2024 rundll32.exe 28 PID 2024 wrote to memory of 864 2024 rundll32.exe 28 PID 2024 wrote to memory of 864 2024 rundll32.exe 28 PID 2024 wrote to memory of 864 2024 rundll32.exe 28 PID 2024 wrote to memory of 864 2024 rundll32.exe 28
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\b6b31cca984d64c13dac5c4fbdd1a13217cb628843718926b4447ff7d14471b0.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\b6b31cca984d64c13dac5c4fbdd1a13217cb628843718926b4447ff7d14471b0.dll,#12⤵PID:864
-