icedid | 43ea2aa7f4415b812b5ee19642d27640e4bc49f4bf7f092f74a7b2bf6cb61898

Resubmissions

31-05-2022 13:41

220531-qy5zvsbch6 10

30-05-2022 15:37

220530-s2wxgaacg8 10

Analysis

max time kernel
60s
max time network
43s
platform
windows7_x64
resource
win7-20220414-en
submitted
31-05-2022 13:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

81267b1f7bf58bd9e999083ccc6681cd62be16b81d3e5d2486ce8d150239c455.dll
Size

372KB
MD5

0137e3896f7d805fe348f42137cee9af
SHA1

c642729dc5714595c5eba585b48b899d2a1ddc43
SHA256

81267b1f7bf58bd9e999083ccc6681cd62be16b81d3e5d2486ce8d150239c455
SHA512

d9710614b484e5a6ca8029dc31aa119f4843d8d69bbb1f9a4eb70d37906381732881a96657551cc96f329e9ed8d221dbf08335f6bc80d4333ffdab9696c6b1ca

Score

10^/10

icedid 1501064257 banker core_loader trojan

Malware Config

Extracted

Family

icedid

Botnet

1501064257

ouldmakeithapp.top

meincarton.top

callbackhubs.com

eldingdayl.com

ganjicow.com

meanforthen.com

Attributes

auth_var
13
url_path
/news/

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

taskmgr.exe

pid process

948 taskmgr.exe
948 taskmgr.exe
948 taskmgr.exe
948 taskmgr.exe
948 taskmgr.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskmgr.exe

description pid process

Token: SeDebugPrivilege 948 taskmgr.exe

description	pid	process
Token: SeDebugPrivilege	948	taskmgr.exe

Suspicious use of FindShellTrayWindow 18 IoCs

Processes:

rundll32.exetaskmgr.exe

pid	process
1604	rundll32.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe

Suspicious use of SendNotifyMessage 17 IoCs

Processes:

taskmgr.exe

pid	process
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\81267b1f7bf58bd9e999083ccc6681cd62be16b81d3e5d2486ce8d150239c455.dll,#1
1⤵
- Suspicious use of FindShellTrayWindow
PID:1604

C:\Windows\system32\taskmgr.exe
taskmgr.exe /2
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:948

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/948-58-0x000007FEFBCF1000-0x000007FEFBCF3000-memory.dmp

Filesize
8KB

Download
memory/948-59-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1604-54-0x0000000180000000-0x0000000180005000-memory.dmp

Filesize
20KB

Download