icedid | e2e3faccd2903f8c8a9006222089cc0150bd405a8f2159386cae470cc9fed20b | Triage

Analysis

max time kernel
43s
max time network
45s
platform
windows7_x64
resource
win7-20220414-en
submitted
21-05-2022 06:09

Sharing

Report Analysis Logs

General

Target

core.bat
Size

73B
MD5

b8f2d8e526026d4a189eeca714b5dfc0
SHA1

ab74f4367561ce11c38377923d9d26f8d23de262
SHA256

b66fa4afd421fc5acd6e1a6855857209e37b2cd18703831a85b286da5f685fbf
SHA512

3c99b4da1e4e085aba8044d57e3f58695fecbcceb670f9f4cf59e7d1cf641f1a740daad4a9bcf2055f6c28709425301563c36f6046bd0e15f6876b7a2b70feb2

Score

10^/10

icedid 2406015698 banker core_loader trojan

Malware Config

Extracted

Family

icedid

Botnet

2406015698

C2

commamimubebe.site

asredetyr.site

aszepolityu.fun

likoportio.fun

Attributes

auth_var
6
url_path
/news/

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 1784 wrote to memory of 2024	1784	cmd.exe	rundll32.exe
PID 1784 wrote to memory of 2024	1784	cmd.exe	rundll32.exe
PID 1784 wrote to memory of 2024	1784	cmd.exe	rundll32.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\core.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1784

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\clutch-32.tmp,Bjaskkas /i="license.dat"
2⤵
PID:2024

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2024-54-0x0000000000000000-mapping.dmp

Download
memory/2024-55-0x0000000180000000-0x0000000180005000-memory.dmp

Filesize
20KB

Download