icedid | 570cc045bb9d945ca5e66ed76c80448d2c37f9a9073737057323b6e300592180

Analysis

Target

core.bat
Size

123B
MD5

7ed83700f1db2f30269d8d7aab15fc38
SHA1

787f6c843d5b41562baceeb67d1dea686f0891eb
SHA256

2db50c09350bd707c6cd1c413f15f5360b8a9cd9145caafa07bffe29d1c6ea51
SHA512

974202b6def2cc1463452384c94f2d3d562115b7e571170f128197bd6600fffdd73feb4381bd3a647d9f473d88b15838d10e733539b009bd2d29fd2ec257d3f4

Score

10^/10

Family

icedid

Botnet

2406015698

commamimubebe.site

asredetyr.site

aszepolityu.fun

likoportio.fun

Attributes

Family

icedid

rsa_pubkey.plain

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
Blocklisted process makes network request 5 IoCs

Processes:

rundll32.exe

flow pid process

3 1900 rundll32.exe
5 1900 rundll32.exe
7 1900 rundll32.exe
9 1900 rundll32.exe
11 1900 rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 2036 wrote to memory of 1900	2036	cmd.exe	rundll32.exe
PID 2036 wrote to memory of 1900	2036	cmd.exe	rundll32.exe
PID 2036 wrote to memory of 1900	2036	cmd.exe	rundll32.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\core.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2036

C:\Users\Admin\AppData\Roaming\license.dat
Filesize
334KB

MD5
c3db0f946699412e8f3a2775516116a2

SHA1
a01448e2760dcb2fbed70a634baaae559d3b6de0

SHA256
dbe9743c9c57247cb9275a23a84909dd78aca59f584df62197bde07cb87bd1ed

SHA512
50b2e9b3446463f4b02980587b3f4bd716f5b018e26085f10d38c42fd0f6e07891438d13ccc5b36f38ab9c7f1ea874814ed266f8551a970c8ca3eb73ac6b4950

Download Submit
memory/1900-54-0x0000000000000000-mapping.dmp

Download
memory/1900-55-0x0000000180000000-0x0000000180005000-memory.dmp

Filesize
20KB

Download
memory/1900-60-0x00000000001B0000-0x0000000000209000-memory.dmp

Filesize
356KB

Download