Overview

overview

10

Static

static

Invoice.lnk

windows7_x64

10

Invoice.lnk

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Document.iso

  • Size

    230KB

  • Sample

    220706-wtql9sffhk

  • MD5

    ddb208d0d886b85bea48a07abdeaad84

  • SHA1

    08bcf3287af9de5e6274bdec9d1ca0267e6f1a8a

  • SHA256

    3bb0e8547e8c04387ae9cf9ea4beceb76efb5cc59fcdb750d25172b9b2efb6af

  • SHA512

    c013ce63112ec319e0ced31b6b3785662083dfb2be9ec161188e8268c68ffb881e85da7c16e15406d760b9f8825571e5acd935ef6fe1180040039b03a6c1e3b8

Score
10/10
icedid1487191074bankerloadersuricatatrojan

Malware Config

Extracted

Language
hta
Source
URLs
hta.dropper

http://comradespoon.com/5h.hta

Extracted

Family

icedid

Campaign

1487191074

C2

vneastruzz.com

Extracted

Language
hta
Source
URLs
hta.dropper

http://comradespoon.com/5h.hta

Targets

    • Target

      Invoice.lnk

    • Size

      178KB

    • MD5

      c29d6fc092698aafe01ece64da57254f

    • SHA1

      523e8303f8d6853ef499b742ef5e9d7485803a88

    • SHA256

      d94a96230551df45ea50a618f4ef47ab5f2cceaa612da2acdbd05a34b3e32cae

    • SHA512

      fa37a95c3eb1256bea25cc19f84de5de77f24a38938e062a08fab2073a8cc9ca480fa58fc90103f0e298958605866b1ec192971099dcaca4966bd134ac243e50

    Score
    10/10
    icedid1487191074bankerloadersuricatatrojan

    • IcedID, BokBot

      IcedID is a banking trojan capable of stealing credentials.

      trojanbankericedid

    • suricata: ET MALWARE Win32/IcedID Request Cookie

      suricata: ET MALWARE Win32/IcedID Request Cookie

      suricata

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks