Analysis

  • max time kernel
    46s
  • max time network
    50s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    13-05-2022 12:56

General

  • Target

    cmd.bat

  • Size

    69B

  • MD5

    5e9549ff24e0488d40f20979c9e9c6e4

  • SHA1

    271430ffb14345fd1ed91d8339b60103979de8e6

  • SHA256

    2465269b1d190d38aa49ed7d70429f7d5bb2688806f932d69ae43d3a58f7854b

  • SHA512

    963ec4155f664a14f36690a2846ccdac42d62401e3397582cbe1022152e033a9e118e5af2d4618181b6fc974659e980c4894b6d5305ae925c604969905459840

Malware Config

Extracted

Family

icedid

Campaign

3000901376

C2

yolneanz.com

Signatures

  • IcedID, BokBot

    IcedID is a banking trojan capable of stealing credentials.

  • suricata: ET MALWARE Win32/IcedID Request Cookie

  • Blocklisted process makes network request 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\cmd.bat"
    (process tree depth 1)
    • Suspicious use of WriteProcessMemory
    PID: 1660
    • C:\Windows\system32\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\olasius.dll,PluginInit
      (process tree depth 2, child of PID 1660)
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      PID: 1668

Network

MITRE ATT&CK Matrix

Downloads

  • memory/1668-54-0x0000000000000000-mapping.dmp

  • memory/1668-55-0x0000000180000000-0x0000000180009000-memory.dmp

    Filesize

    36KB