General

  • Target

    INV871623.iso

  • Size

    496KB

  • Sample

    220630-23yxwsbhfq

  • MD5

    7890c93fc13ca9e643c738a11054ec86

  • SHA1

    0e0f581e3b2b69d4cc139c84e2367ae5af53b5ae

  • SHA256

    daa40acf17585b2246dc1e9e6610964368f6fb854fdc16a1972c7908c23ab5cf

  • SHA512

    7eb809eee53b1dc473b3b1ac21d1c08a6d9e86515d2cc43d970b70d9ba44aa8eb29e9e95e5a0521d5c28334ff5730c80a3f2bbfd4839c3de59ad5be9c2bd09d6

Malware Config

Extracted

  • Family

    icedid

  • Campaign

    1825398430

  • C2

    ciaontroni.com

Targets

    • Target

      768327532892733679.dll

    • Size

      424KB

    • MD5

      92b73d78e901480734e937cc5a6c0c9d

    • SHA1

      bc4c1a27ae6655bab4749a5fb4d5e6908ae1b563

    • SHA256

      219d1bd045d7c3328184aba4842cc0d36acae7e835564d84ee2d8ffea94e4317

    • SHA512

      85b9999a86f302b6ecf4519c1873eb20095a3700dd1d50f202cb3eae790cbeb21a36c770ae32768c9fa256168164b6b2e704a316cbcd199e31262aa2093c2bc6

    • IcedID, BokBot

      IcedID is a banking trojan capable of stealing credentials.

    • suricata: ET MALWARE Win32/IcedID Request Cookie

    • Blocklisted process makes network request

    • Target

      INV871623.txt.lnk

    • Size

      1KB

    • MD5

      7c1073209e40cb0957e097eb86ae4d79

    • SHA1

      fd8b3b87f44bfef8f5a7af23adf496b5494eaf01

    • SHA256

      1202a0e6d4b0282bcade76291346b5b410f05e05c978c087147a4c2006d69b42

    • SHA512

      ac6b78c0657388119e3c7d70c3b708ffbdc643965dcd9d11240b96110559b5e24409bc34921fa700bdeb39c16d37b40b6c1b83420f302137a46c84ca66e61406

    • IcedID, BokBot

      IcedID is a banking trojan capable of stealing credentials.

    • suricata: ET MALWARE Win32/IcedID Request Cookie

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      THjkgeCbhjm.ps1

    • Size

      69B

    • MD5

      c7f314e4db039ed46f95c7747d3ecec9

    • SHA1

      3d448506d12a2274424bb24ef9519472fdd5285c

    • SHA256

      caf8215e7e34ce4d16a2e1ee7ad3089bc815d243f84e8e8dffc190983cebc441

    • SHA512

      ce20bea4d6692996b29a9c22e5deb04fe5aa186a5235ee213dd19bdb962bff8cf618feec912b06c66b76c3830f8a36179e371680c28d89e5a865518e28161fdf

    • IcedID, BokBot

      IcedID is a banking trojan capable of stealing credentials.

    • suricata: ET MALWARE Win32/IcedID Request Cookie

    • Blocklisted process makes network request

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic      Technique                      ID      Signatures
  Discovery   Query Registry                 T1012   1
  Discovery   System Information Discovery   T1082   2
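The indicators above (SHA256 hashes of the ISO, LNK, PS1 and DLL, the campaign ID and the C2 domain) are what a defender would sweep for. The following Python script is an added example, not part of the sandbox report: it loads those indicators and runs them over constructed BIND-style DNS query lines and Sysmon-style event lines. The log formats, the host names other than ciaontroni.com and the benign hash are assumptions made for illustration. Domain matching is by exact name or subdomain, so a lookalike such as notciaontroni.com is not flagged, and hashes are compared case-insensitively because tooling emits them in either case.

```python
"""IOC sweep for the IcedID indicators in this report (added example, not report code)."""
import re
from dataclasses import dataclass

# SHA256 values and file names taken from the report above.
IOC_SHA256 = {
    "daa40acf17585b2246dc1e9e6610964368f6fb854fdc16a1972c7908c23ab5cf": "INV871623.iso",
    "219d1bd045d7c3328184aba4842cc0d36acae7e835564d84ee2d8ffea94e4317": "768327532892733679.dll",
    "1202a0e6d4b0282bcade76291346b5b410f05e05c978c087147a4c2006d69b42": "INV871623.txt.lnk",
    "caf8215e7e34ce4d16a2e1ee7ad3089bc815d243f84e8e8dffc190983cebc441": "THjkgeCbhjm.ps1",
}
IOC_C2_DOMAINS = {"ciaontroni.com"}   # extracted C2 from the report
CAMPAIGN_ID = "1825398430"           # extracted campaign ID from the report

# Constructed sample logs (assumed formats; not from the report).
SAMPLE_DNS_LOG = [
    "30-Jun-2022 12:01:03.117 client 10.0.0.17#51234: query: www.example.com IN A + (10.0.0.53)",
    "30-Jun-2022 12:01:05.220 client 10.0.0.17#51240: query: ciaontroni.com IN A + (10.0.0.53)",
    "30-Jun-2022 12:01:06.001 client 10.0.0.17#51241: query: notciaontroni.com IN A + (10.0.0.53)",
    "30-Jun-2022 12:01:09.410 client 10.0.0.17#51250: query: cdn.ciaontroni.com IN A + (10.0.0.53)",
]
SAMPLE_SYSMON_LOG = [
    r"EventID: 15 TargetFilename: C:\Users\u\Downloads\INV871623.iso "
    r"Hashes: SHA256=daa40acf17585b2246dc1e9e6610964368f6fb854fdc16a1972c7908c23ab5cf",
    r"EventID: 7 Image: C:\Windows\System32\rundll32.exe ImageLoaded: D:\768327532892733679.dll "
    r"Hashes: SHA256=219D1BD045D7C3328184ABA4842CC0D36ACAE7E835564D84EE2D8FFEA94E4317",
    r"EventID: 1 Image: C:\Windows\System32\notepad.exe "
    r"Hashes: SHA256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
]

DNS_RE = re.compile(r"query:\s+(?P<qname>[A-Za-z0-9.-]+)")
HASH_RE = re.compile(r"SHA256=(?P<sha256>[0-9a-fA-F]{64})")


@dataclass
class Hit:
    source: str      # "dns" or "sysmon"
    line_no: int     # 1-based index into the swept log
    indicator: str   # the matched domain or hash
    label: str       # what the indicator is, per the report


def domain_matches(qname, c2_domains):
    """True if qname equals a C2 domain or is a subdomain of one.

    Suffix matching on '.' + domain avoids substring false positives such as
    notciaontroni.com, and a trailing dot from a DNS log is tolerated.
    """
    q = qname.lower().rstrip(".")
    for d in c2_domains:
        d = d.lower()
        if q == d or q.endswith("." + d):
            return True
    return False


def sweep(dns_lines, sysmon_lines):
    """Return Hit objects for every log line matching a report indicator."""
    hits = []
    for i, line in enumerate(dns_lines, 1):
        m = DNS_RE.search(line)
        if m and domain_matches(m.group("qname"), IOC_C2_DOMAINS):
            hits.append(Hit("dns", i, m.group("qname"),
                            f"IcedID C2 (campaign {CAMPAIGN_ID})"))
    for i, line in enumerate(sysmon_lines, 1):
        m = HASH_RE.search(line)
        if m:
            h = m.group("sha256").lower()   # normalise case before lookup
            if h in IOC_SHA256:
                hits.append(Hit("sysmon", i, h, IOC_SHA256[h]))
    return hits


if __name__ == "__main__":
    for hit in sweep(SAMPLE_DNS_LOG, SAMPLE_SYSMON_LOG):
        print(f"{hit.source} line {hit.line_no}: {hit.label} <- {hit.indicator}")
```

On the constructed logs the sweep reports the two C2 lookups (the bare domain and a subdomain) and the ISO and DLL hashes, and ignores the lookalike domain and the benign binary. To use it on real data, replace the two sample lists with lines read from your resolver and Sysmon exports; the regexes only need the `query:` token and a `SHA256=` field to be present.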
