icedid | 926210300a931253b0de69be61f4bdc881aad266c3d48d6b37c25d5b549ba3ae

Analysis

Target

default.png.dll
Size

534KB
MD5

a1bcfdb83a0ca2a70b67c20977fc8469
SHA1

845a171abcca9ec8a4c58e8b9ffce78b31af42be
SHA256

926210300a931253b0de69be61f4bdc881aad266c3d48d6b37c25d5b549ba3ae
SHA512

08e4817ed5ae894ff94def35d2daa6505ab76195e9f77af6c3e795af05e06d58a4f6db355872856c6db71109c7a3c643626f21fd4132ffc01a4f2cacbdf3dc5a

Score

10^/10

Family

icedid

Campaign

227378761

blionarywesta.com

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata

Blocklisted process makes network request 9 IoCs

Processes:

rundll32.exerundll32.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

powershell.exerundll32.exerundll32.exe

pid process

4752 powershell.exe
4752 powershell.exe
2804 rundll32.exe
2804 rundll32.exe
4752 powershell.exe
4388 rundll32.exe
4388 rundll32.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 4752 powershell.exe

description	pid	process
Token: SeDebugPrivilege	4752	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

powershell.execmd.exe

description	pid	process	target process
PID 4752 wrote to memory of 4920	4752	powershell.exe	cmd.exe
PID 4752 wrote to memory of 4920	4752	powershell.exe	cmd.exe
PID 4920 wrote to memory of 4388	4920	cmd.exe	rundll32.exe
PID 4920 wrote to memory of 4388	4920	cmd.exe	rundll32.exe

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4920

memory/2804-122-0x0000000180000000-0x0000000180009000-memory.dmp

Filesize
36KB

Download
memory/4388-193-0x0000000000000000-mapping.dmp

Download
memory/4752-128-0x00000241B68B0000-0x00000241B68D2000-memory.dmp

Filesize
136KB

Download
memory/4752-149-0x00000241B6E70000-0x00000241B6EAC000-memory.dmp

Filesize
240KB

Download
memory/4752-160-0x00000241B6F30000-0x00000241B6FA6000-memory.dmp

Filesize
472KB

Download
memory/4920-188-0x0000000000000000-mapping.dmp

Download