icedid | 4261a1a3538cb26fa745dd998aa00ba61ff0ee89e805530d986ada312cb59404 | Triage

Analysis

max time kernel
187s
max time network
195s
platform
windows7_x64
resource
win7-20220414-en
submitted
03-05-2022 00:21

Sharing

Report Analysis Logs

General

Target

4261a1a3538cb26fa745dd998aa00ba61ff0ee89e805530d986ada312cb59404.dll
Size

297KB
MD5

ab3ba25d3a12e6b33a02ef6173ef29df
SHA1

7c9efbd2a29633e095f6b8e55ff784937108bbff
SHA256

4261a1a3538cb26fa745dd998aa00ba61ff0ee89e805530d986ada312cb59404
SHA512

aa223e47cfb0083de0c2992f5f6347848a7fb37dc899addcffa01c8dd34910fa1a01f9997178ed5fa8d05f35ad55b2a8d314cc83da1a5905929809c9a9ce9f65

Score

10^/10

icedid banker loader trojan

Malware Config

Extracted

Family

icedid

C2

filopipilo.top

fihokiliopo.pw

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

IcedID Second Stage Loader 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1092-56-0x0000000074A80000-0x0000000074A86000-memory.dmp	IcedidSecondLoader
behavioral1/memory/1092-57-0x0000000074A80000-0x0000000074AD7000-memory.dmp	IcedidSecondLoader

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 940 wrote to memory of 1092	940	rundll32.exe	rundll32.exe
PID 940 wrote to memory of 1092	940	rundll32.exe	rundll32.exe
PID 940 wrote to memory of 1092	940	rundll32.exe	rundll32.exe
PID 940 wrote to memory of 1092	940	rundll32.exe	rundll32.exe
PID 940 wrote to memory of 1092	940	rundll32.exe	rundll32.exe
PID 940 wrote to memory of 1092	940	rundll32.exe	rundll32.exe
PID 940 wrote to memory of 1092	940	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4261a1a3538cb26fa745dd998aa00ba61ff0ee89e805530d986ada312cb59404.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:940

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4261a1a3538cb26fa745dd998aa00ba61ff0ee89e805530d986ada312cb59404.dll,#1
2⤵
PID:1092

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1092-54-0x0000000000000000-mapping.dmp

Download
memory/1092-55-0x00000000750C1000-0x00000000750C3000-memory.dmp

Filesize
8KB

Download
memory/1092-56-0x0000000074A80000-0x0000000074A86000-memory.dmp

Filesize
24KB

Download
memory/1092-57-0x0000000074A80000-0x0000000074AD7000-memory.dmp

Filesize
348KB

Download