icedid | 2ecf3ed1f75c98cf8732278c4078e6cbb47c4df9f43d6e1f893c96b4018676d7

Analysis

Target

6557f5eecf1df5c7835d2ed88f99b52503873c6307b946b15d81a1e5a885c87a.dll
Size

490KB
MD5

ccc7f68d2dbd6801dde30ff57e5c0c2b
SHA1

3899e2803ec9666b17684d1cd42931bb55a8f9e1
SHA256

6557f5eecf1df5c7835d2ed88f99b52503873c6307b946b15d81a1e5a885c87a
SHA512

26c47fec58849d42b107ee9ba7c1b3326aee5339d3865e1d795dff596dc4a1458a480d4dd884306a4e884ef033240c6269cad4461d283cfb9a5bf2d703ce234f

Score

10^/10

Family

icedid

Campaign

3467965077

firenicatrible.com

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1204 1948 WerFault.exe regsvr32.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exe

pid process

1948 regsvr32.exe
1948 regsvr32.exe

pid	pid_target	process	target process
1204	1948	WerFault.exe	regsvr32.exe

pid	process
1948	regsvr32.exe
1948	regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 1948 wrote to memory of 1204	1948	regsvr32.exe	WerFault.exe
PID 1948 wrote to memory of 1204	1948	regsvr32.exe	WerFault.exe
PID 1948 wrote to memory of 1204	1948	regsvr32.exe	WerFault.exe

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1948 -s 244
2⤵
- Program crash
PID:1204

memory/1204-56-0x0000000000000000-mapping.dmp

Download
memory/1948-54-0x000007FEFBEF1000-0x000007FEFBEF3000-memory.dmp

Filesize
8KB

Download
memory/1948-55-0x00000000003C0000-0x00000000003CE000-memory.dmp

Filesize
56KB

Download