icedid | 741331c3e6a3900fff68bb894de8a3f713446c518be84fd2379aa7210082ed85 | Triage

Analysis

max time kernel
148s
max time network
152s
platform
windows7_x64
resource
win7-20220414-en
submitted
16-05-2022 14:04

Sharing

Report Analysis Logs

General

Target

741331c3e6a3900fff68bb894de8a3f713446c518be84fd2379aa7210082ed85.dll
Size

224KB
MD5

072288accefa8457d435b21f7220deac
SHA1

81bcda74daa9f510e258e7c592588a0bc2fe9b3d
SHA256

741331c3e6a3900fff68bb894de8a3f713446c518be84fd2379aa7210082ed85
SHA512

18d6e0f33277a97597ecd033625f740e8884a89fce8d96e27e2bbaba0a3025a6b62ea05dfc9f7eda3cb5084d7705ea066d6b534c31abac2f76110568b31b1142

Score

10^/10

icedid banker loader trojan

Malware Config

Extracted

Family

icedid

C2

loadberlin.casa

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

IcedID First Stage Loader 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/868-56-0x0000000074A80000-0x0000000074A86000-memory.dmp	IcedidFirstLoader
behavioral1/memory/868-57-0x0000000074A80000-0x0000000074AC4000-memory.dmp	IcedidFirstLoader

Blocklisted process makes network request 18 IoCs

Processes:

rundll32.exe

flow	pid	process
3	868	rundll32.exe
4	868	rundll32.exe
6	868	rundll32.exe
8	868	rundll32.exe
10	868	rundll32.exe
11	868	rundll32.exe
13	868	rundll32.exe
14	868	rundll32.exe
16	868	rundll32.exe
17	868	rundll32.exe
21	868	rundll32.exe
22	868	rundll32.exe
24	868	rundll32.exe
25	868	rundll32.exe
27	868	rundll32.exe
28	868	rundll32.exe
29	868	rundll32.exe
30	868	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1836 wrote to memory of 868	1836	rundll32.exe	rundll32.exe
PID 1836 wrote to memory of 868	1836	rundll32.exe	rundll32.exe
PID 1836 wrote to memory of 868	1836	rundll32.exe	rundll32.exe
PID 1836 wrote to memory of 868	1836	rundll32.exe	rundll32.exe
PID 1836 wrote to memory of 868	1836	rundll32.exe	rundll32.exe
PID 1836 wrote to memory of 868	1836	rundll32.exe	rundll32.exe
PID 1836 wrote to memory of 868	1836	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\741331c3e6a3900fff68bb894de8a3f713446c518be84fd2379aa7210082ed85.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1836

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\741331c3e6a3900fff68bb894de8a3f713446c518be84fd2379aa7210082ed85.dll,#1
2⤵
- Blocklisted process makes network request
PID:868

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/868-54-0x0000000000000000-mapping.dmp

Download
memory/868-55-0x0000000076421000-0x0000000076423000-memory.dmp

Filesize
8KB

Download
memory/868-56-0x0000000074A80000-0x0000000074A86000-memory.dmp

Filesize
24KB

Download
memory/868-57-0x0000000074A80000-0x0000000074AC4000-memory.dmp

Filesize
272KB

Download