icedid | 38a280fd17f5588830cbf4da894241d293caf677837d560cc8507a4bcaafa00c | Triage

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
03-05-2022 00:21

Sharing

Report Analysis Logs

General

Target

38a280fd17f5588830cbf4da894241d293caf677837d560cc8507a4bcaafa00c.dll
Size

297KB
MD5

dd4b3ee2e9b53ab44fa2bc852d287b16
SHA1

c0b3b34879d008ecbcd5b25b2940872336bc529b
SHA256

38a280fd17f5588830cbf4da894241d293caf677837d560cc8507a4bcaafa00c
SHA512

9cc3e035161c19283ab62ddae7456c831109040272ffc0f26df7c3e98896d9dcbdd1d994d0ce2d3be8de67e6c0f64a7c6d657e3faa46f9716f7c61d9e3b9112f

Score

10^/10

icedid banker loader trojan

Malware Config

Extracted

Family

icedid

C2

filopipilo.top

fihokiliopo.pw

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

IcedID Second Stage Loader 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4032-131-0x00000000752C0000-0x00000000752C6000-memory.dmp	IcedidSecondLoader
behavioral2/memory/4032-132-0x00000000752C0000-0x0000000075317000-memory.dmp	IcedidSecondLoader

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 3772 wrote to memory of 4032	3772	rundll32.exe	rundll32.exe
PID 3772 wrote to memory of 4032	3772	rundll32.exe	rundll32.exe
PID 3772 wrote to memory of 4032	3772	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\38a280fd17f5588830cbf4da894241d293caf677837d560cc8507a4bcaafa00c.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3772

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\38a280fd17f5588830cbf4da894241d293caf677837d560cc8507a4bcaafa00c.dll,#1
2⤵
PID:4032

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4032-130-0x0000000000000000-mapping.dmp

Download
memory/4032-131-0x00000000752C0000-0x00000000752C6000-memory.dmp

Filesize
24KB

Download
memory/4032-132-0x00000000752C0000-0x0000000075317000-memory.dmp

Filesize
348KB

Download