icedid | hxxps://www[.]fencingindia[.]co[.]in/HOLD-blog/wp-content/uploads/2021/11/cafeteria[.]php

General

Target

https://www.fencingindia.co.in/HOLD-blog/wp-content/uploads/2021/11/cafeteria.php
Sample

220706-xj23zsgadp

Score

10^/10

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

http://comradespoon.com/7h.hta

Extracted

Family

icedid

Campaign

1487191074

Targets

- Target
  
  https://www.fencingindia.co.in/HOLD-blog/wp-content/uploads/2021/11/cafeteria.php
Score

10^/10

icedid 1487191074 banker suricata trojan
- IcedID, BokBot
  IcedID is a banking trojan capable of stealing credentials.
  trojan banker icedid
- suricata: ET MALWARE Win32/IcedID Request Cookie
  suricata: ET MALWARE Win32/IcedID Request Cookie
  suricata
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

IcedID, BokBot

suricata: ET MALWARE Win32/IcedID Request Cookie

Blocklisted process makes network request

Downloads MZ/PE file

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

MITRE ATT&CK Enterprise v6

Tasks

static1

urlscan1

behavioral1