icedid | ccd7754174dfdc55c49b61cbba9ed782d43b1f5fd9c5611251c7526bf83f058e | Triage

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20220414-en
submitted
25-05-2022 21:53

Sharing

Report Analysis Logs

General

Target

b4a0138a637e4f800e62d91923dc7f77809ab6bf8f27d621502cbe82b06db485.dll
Size

13KB
MD5

e67a59efdb77392a37fdfc2c37db1391
SHA1

5599ea9e45eaeae3985bda51e35befc6c78cc098
SHA256

b4a0138a637e4f800e62d91923dc7f77809ab6bf8f27d621502cbe82b06db485
SHA512

e96cef3386767f2a00dd066f7646487a69be87388c7a1e468bb05b45ecd9172031ff87f9286545ae2bab70818e33ead255ebf63f37af97d9370320791519f961

Score

10^/10

icedid 168463318 banker core_payload suricata trojan

Malware Config

Extracted

Family

icedid

Campaign

168463318

rsa_pubkey.plain

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

regsvr32.exe

pid	process
1900	regsvr32.exe
1900	regsvr32.exe
1900	regsvr32.exe
1900	regsvr32.exe
1900	regsvr32.exe
1900	regsvr32.exe
1900	regsvr32.exe
1900	regsvr32.exe
1900	regsvr32.exe
1900	regsvr32.exe
1900	regsvr32.exe
1900	regsvr32.exe
1900	regsvr32.exe
1900	regsvr32.exe
1900	regsvr32.exe
1900	regsvr32.exe
1900	regsvr32.exe
1900	regsvr32.exe
1900	regsvr32.exe
1900	regsvr32.exe
1900	regsvr32.exe
1900	regsvr32.exe
1900	regsvr32.exe
1900	regsvr32.exe
1900	regsvr32.exe
1900	regsvr32.exe
1900	regsvr32.exe
1900	regsvr32.exe
1900	regsvr32.exe
1900	regsvr32.exe
1900	regsvr32.exe
1900	regsvr32.exe
1900	regsvr32.exe
1900	regsvr32.exe
1900	regsvr32.exe
1900	regsvr32.exe
1900	regsvr32.exe
1900	regsvr32.exe
1900	regsvr32.exe
1900	regsvr32.exe
1900	regsvr32.exe
1900	regsvr32.exe
1900	regsvr32.exe
1900	regsvr32.exe
1900	regsvr32.exe
1900	regsvr32.exe
1900	regsvr32.exe
1900	regsvr32.exe
1900	regsvr32.exe
1900	regsvr32.exe
1900	regsvr32.exe
1900	regsvr32.exe
1900	regsvr32.exe
1900	regsvr32.exe
1900	regsvr32.exe
1900	regsvr32.exe
1900	regsvr32.exe
1900	regsvr32.exe
1900	regsvr32.exe
1900	regsvr32.exe
1900	regsvr32.exe
1900	regsvr32.exe
1900	regsvr32.exe
1900	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\b4a0138a637e4f800e62d91923dc7f77809ab6bf8f27d621502cbe82b06db485.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1900

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1900-54-0x000007FEFC061000-0x000007FEFC063000-memory.dmp

Filesize
8KB

Download
memory/1900-55-0x0000000000120000-0x0000000000179000-memory.dmp

Filesize
356KB

Download