icedid | 4798655c9e1df924b92d224c53dce0e3e9028318a5fa6ee4e6bd9f0f32154cdd

Analysis

Target

1111.dll
Size

858KB
MD5

f0b052dad1a3605cd3e6d044cd315388
SHA1

fe3d8f50b494f400bd47842d580343f38be6a04b
SHA256

4798655c9e1df924b92d224c53dce0e3e9028318a5fa6ee4e6bd9f0f32154cdd
SHA512

c8ee79ae9739c1486f0a89039b69afa6057d34bf39d2be58187d265662066c052776627fa58aa519e98c072704437fc3eaa190923e351414ef9a149509ff716b

Score

10^/10

Family

icedid

Campaign

3289900935

ilzenhwery.com

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

3 4800 rundll32.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exerundll32.exe

pid process

4648 powershell.exe
4648 powershell.exe
4648 powershell.exe
4800 rundll32.exe
4800 rundll32.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 4648 powershell.exe

flow	pid	process
3	4800	rundll32.exe

description	pid	process
Token: SeDebugPrivilege	4648	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

powershell.execmd.exe

description	pid	process	target process
PID 4648 wrote to memory of 4156	4648	powershell.exe	cmd.exe
PID 4648 wrote to memory of 4156	4648	powershell.exe	cmd.exe
PID 4156 wrote to memory of 4800	4156	cmd.exe	rundll32.exe
PID 4156 wrote to memory of 4800	4156	cmd.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1111.dll,#1
1⤵
PID:4628

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4156

memory/4156-166-0x0000000000000000-mapping.dmp

Download
memory/4648-119-0x000002A670670000-0x000002A670692000-memory.dmp

Filesize
136KB

Download
memory/4648-140-0x000002A672C10000-0x000002A672C4C000-memory.dmp

Filesize
240KB

Download
memory/4648-151-0x000002A672CD0000-0x000002A672D46000-memory.dmp

Filesize
472KB

Download
memory/4800-169-0x0000000000000000-mapping.dmp

Download
memory/4800-170-0x0000000180000000-0x0000000180009000-memory.dmp

Filesize
36KB

Download