Overview

overview

10

Static

static

ta578/documents.lnk

windows7_x64

10

ta578/documents.lnk

windows10-2004_x64

10

ta578/r7kom.dll

windows7_x64

10

ta578/r7kom.dll

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ta578.zip

  • Size

    256KB

  • Sample

    220628-x68jaabhcl

  • MD5

    45d2816df1b3db1c6132d9a0936532cd

  • SHA1

    f747de13ddd1aa298df8bc895c19f3e978fc502a

  • SHA256

    653ce0a5a10034f67ee8b532c0dceff339cdabe1cef35633cface24b124b6688

  • SHA512

    79e190e74d538c469693fd6e7b78b40d970edb983f40534ba4e29a682cd8197b272a9b517e0846f72a4e5b4c560b148bcfbc0837881c1d4eba1abf76aebcfd9b

Score
10/10
icedid3568430872bankerloadersuricatatrojan

Malware Config

Extracted

Family

icedid

Campaign

3568430872

C2

alionavon.com

Targets

    • Target

      ta578/documents.lnk

    • Size

      2KB

    • MD5

      bb31db59e05077fb9a7c3c87d1b98db9

    • SHA1

      2ea630b90c9cbb41ae50145946c1e47c499c8df2

    • SHA256

      3082534af9d5dcfbe3e2c5b02bce8fec53177ef89d9db6c116dafed1663a43f1

    • SHA512

      3e2020dfcd3154c5f3b1d907f5fc3a31d55f9e780a7a4b3b82541cabcb94478c2caafe1672493d030616265109c33f7760363ca464638b90f302119612605d21

    Score
    10/10
    icedid3568430872bankerloadersuricatatrojan

    • IcedID, BokBot

      IcedID is a banking trojan capable of stealing credentials.

      trojanbankericedid

    • suricata: ET MALWARE Win32/IcedID Request Cookie

      suricata: ET MALWARE Win32/IcedID Request Cookie

      suricata

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    behavioral1behavioral2

    • Target

      ta578/r7kom.dll

    • Size

      451KB

    • MD5

      3d8babbf76ac87dd545bf7aaea428ecc

    • SHA1

      366da15a527f05dbb969535c39e727914bf471c8

    • SHA256

      5974b53f8d2c81efbe432c0df6afb20216d7a39d78d7a570160b154eb8c0c816

    • SHA512

      0d4c45be8f6a2162c4b0bccb6caf6512402bb96e7757fd3462f8583f5f8444db9bd2a4894381a0bcc6d64dad04039739a968d456aef2cfcc3d9ee8d6ba804257

    Score
    10/10
    icedid3568430872bankerloadersuricatatrojan

    • IcedID, BokBot

      IcedID is a banking trojan capable of stealing credentials.

      trojanbankericedid

    • suricata: ET MALWARE Win32/IcedID Request Cookie

      suricata: ET MALWARE Win32/IcedID Request Cookie

      suricata

    • Blocklisted process makes network request

    behavioral3behavioral4

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks