Resubmissions

04-05-2022 07:03

220504-hvm1wadca2 10

03-05-2022 20:59

220503-zsw97sceg2 10

Analysis

  • max time kernel
    148s
  • max time network
    64s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    04-05-2022 07:03

General

  • Target

    f95a8ceb27ce17f5d159d75690fcb1628bf9528331aef2ffe3dac02712b67e48.dll

  • Size

    148KB

  • MD5

    bd9df65ccb0f5dda832c56979a33929f

  • SHA1

    bccdaeef6f5185f8c41f9feafc743f7a5b56ed14

  • SHA256

    f95a8ceb27ce17f5d159d75690fcb1628bf9528331aef2ffe3dac02712b67e48

  • SHA512

    ab378d7910c16899f4ede8c12555d629ce4412d68ad7f1cda6e4b88f827b9f44d2438336c3db51b7705146d5ea852961dbe488281f83e4dc0faa7e67ef3af3f1

Malware Config

Extracted

Family

icedid

Botnet

1076950734

C2

justiceminister.best

fivejudgescatholic.cyou

Attributes
  • auth_var

    3

  • url_path

    /audio/

Extracted

Family

icedid

Signatures

  • IcedID, BokBot

    IcedID is a banking trojan capable of stealing credentials.

  • IcedID Second Stage Loader 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\f95a8ceb27ce17f5d159d75690fcb1628bf9528331aef2ffe3dac02712b67e48.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1224
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\f95a8ceb27ce17f5d159d75690fcb1628bf9528331aef2ffe3dac02712b67e48.dll,#1
      2⤵
        PID:1348

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1348-55-0x0000000076531000-0x0000000076533000-memory.dmp

      Filesize

      8KB

    • memory/1348-56-0x0000000074F40000-0x0000000074F46000-memory.dmp

      Filesize

      24KB

    • memory/1348-57-0x0000000074F40000-0x0000000074F79000-memory.dmp

      Filesize

      228KB