icedid | 59ddf7fd2901ffddc12d730d41a59ef51a0cf834145bcf883d8c1106b6aad0c7

Analysis

Target

vGhhsvfLkp.ps1
Size

61B
MD5

8436a7bea697c48edaf67b93f46d02b0
SHA1

6f61548db8a87df80e2ca4f37fd02d70edae3e16
SHA256

7431c53295cf5952fc32ad1da45022c644d54578ed0ae55c0837b8b25e005e19
SHA512

b22ff1716ee34789f7ca168c93e768d37c05d4ce37345799645ced25e5742b44c79741a05db73995028bb7be6219f03b9b5670bff569a6281ef5fb33b78d654c

Score

10^/10

Family

icedid

Campaign

3239568078

carbrownleger.com

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

2 844 rundll32.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exerundll32.exe

pid process

1852 powershell.exe
844 rundll32.exe
844 rundll32.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1852 powershell.exe

flow	pid	process
2	844	rundll32.exe

description	pid	process
Token: SeDebugPrivilege	1852	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

powershell.exe

description	pid	process	target process
PID 1852 wrote to memory of 844	1852	powershell.exe	rundll32.exe
PID 1852 wrote to memory of 844	1852	powershell.exe	rundll32.exe
PID 1852 wrote to memory of 844	1852	powershell.exe	rundll32.exe

memory/844-59-0x0000000000000000-mapping.dmp

Download
memory/844-62-0x0000000180000000-0x0000000180009000-memory.dmp

Filesize
36KB

Download
memory/1852-54-0x000007FEFBAA1000-0x000007FEFBAA3000-memory.dmp

Filesize
8KB

Download
memory/1852-55-0x000007FEF3720000-0x000007FEF4143000-memory.dmp

Filesize
10.1MB

Download
memory/1852-56-0x000007FEF2BC0000-0x000007FEF371D000-memory.dmp

Filesize
11.4MB

Download
memory/1852-57-0x000000001B830000-0x000000001BB2F000-memory.dmp

Filesize
3.0MB

Download
memory/1852-58-0x00000000025F4000-0x00000000025F7000-memory.dmp

Filesize
12KB

Download
memory/1852-60-0x00000000025FB000-0x000000000261A000-memory.dmp

Filesize
124KB

Download
memory/1852-61-0x00000000025F4000-0x00000000025F7000-memory.dmp

Filesize
12KB

Download