icedid | b4871e79db266613a46a4673509d24d8791b7021fc733a893b83ac28a749d46e

Sharing

Copy URL

Twitter E-mail

General

Target

pack2.zip
Size

679KB
Sample

220803-g6dqxagab7
MD5

8e23bcd61f94e983dc3d14cf9b39bb8a
SHA1

cf6f2ac90ad5e9aed863bb885227ddaebac4423e
SHA256

b4871e79db266613a46a4673509d24d8791b7021fc733a893b83ac28a749d46e
SHA512

31bb9a5979caea1257c7bb4ef54ee8c973e4619241765be6153afd35bbe73e5b24d20827b96dc5a960633cb719429dc112abaf917fecb58b3cdfdbf087e222e8

Score

10^/10

Malware Config

Extracted

Family

icedid

Campaign

380031663

sortswiminboard.com

Extracted

Family

qakbot

Version

403.688

Botnet

obama187

Campaign

1654695312

197.164.182.46:993

70.51.135.90:2222

187.251.132.144:22

37.186.54.254:995

80.11.74.81:2222

41.84.236.245:995

24.139.72.117:443

177.94.57.126:32101

37.34.253.233:443

186.90.153.162:2222

32.221.224.140:995

208.107.221.224:443

67.165.206.193:993

63.143.92.99:995

88.232.220.207:443

189.78.107.163:32101

74.14.5.179:2222

148.0.56.63:443

40.134.246.185:995

173.21.10.71:2222

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Targets

- Target
  
  pack2.zip
- Size
  
  679KB
- MD5
  
  8e23bcd61f94e983dc3d14cf9b39bb8a
- SHA1
  
  cf6f2ac90ad5e9aed863bb885227ddaebac4423e
- SHA256
  
  b4871e79db266613a46a4673509d24d8791b7021fc733a893b83ac28a749d46e
- SHA512
  
  31bb9a5979caea1257c7bb4ef54ee8c973e4619241765be6153afd35bbe73e5b24d20827b96dc5a960633cb719429dc112abaf917fecb58b3cdfdbf087e222e8
Score

1^/10
behavioral1 behavioral2
- Target
  
  1.bat
- Size
  
  38B
- MD5
  
  1f434861ea0659593c3e437dcb19a0bc
- SHA1
  
  8966c8c187bee3473d0b88a9a3af4575886cc017
- SHA256
  
  0c95de224223005498384a3dd58fa34f6dfb27f3f28cf0c6f296262c33b66797
- SHA512
  
  248dcb34c6005f15238406a088708852ebb4b56e8b0eb1fdf8fde941cab67b3fbfe77cf5884319837f1b3f8a1279618abb694b304d45a8b8741dc50664544463
Score

10^/10

icedid 380031663 banker loader trojan
- IcedID, BokBot
  IcedID is a banking trojan capable of stealing credentials.
  trojan banker icedid
- Blocklisted process makes network request
behavioral3 behavioral4
- Target
  
  ScannedDocuments_8080655.lnk
- Size
  
  1KB
- MD5
  
  a43c525371ce9f2fcccba240a1fc5a33
- SHA1
  
  9ec61778e8605c7bd304f84f0867ada794a2d9f0
- SHA256
  
  89532ec32e52234cef6c82443cc08d3b9461d0a87d1cde778d8b5dfe34c54022
- SHA512
  
  c405eae2c58cbca8005a4396b8572dcc7c82ba08a91b3cb83f9892b44204dfea44a8214804ed9addff6de6c21cf70888a8afc7c98cdca35681970d387780aad4
Score

7^/10
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral5 behavioral6
- Target
  
  documents.lnk
- Size
  
  2KB
- MD5
  
  890e24b463f18b1d0b3768ab9f591c56
- SHA1
  
  cd8247ba5494a483438c23dbfc144ba6134cb292
- SHA256
  
  2f9a1948f05e7089217fa9a2f4b6e9ad937ff23f503a68994cb0481f21699dff
- SHA512
  
  a72c653f57058bd50321fdc1a6fa92d16b3b060f7b40ddf0660da9d2821ddecc179be99a7b75ca885cd113cf92b8c0150c4eaf077a090952fc323fe47f4176eb
Score

10^/10

icedid 380031663 banker loader trojan
- IcedID, BokBot
  IcedID is a banking trojan capable of stealing credentials.
  trojan banker icedid
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral7 behavioral8
- Target
  
  kon4an.dll
- Size
  
  378KB
- MD5
  
  aa6a81e3c2c97a722eaa1c5cb1c6fa2b
- SHA1
  
  92a36928c53495335bb69d020b46d5bf742760eb
- SHA256
  
  e0b184d003bc5aa04003fcabd4bed1808ffde621bad3de321db8c03e2cca42d3
- SHA512
  
  48594731f78cd4305b8d136e094542cc9675845a48729e1fade0ab7f802e033fc0df34beb217fe67755255b313b71bfea5639daade94ab41757c45f319069de5
Score

1^/10
behavioral9 behavioral10
- Target
  
  local.dll
- Size
  
  843KB
- MD5
  
  c8407e27ce9bf51688106a1fbe3643af
- SHA1
  
  1aa5cd097a19e7134f4a1566f77d089a718dfa6e
- SHA256
  
  4ba3ad5f455f832e3190e4f64569f91d8b0ade3181e7b17249fbfeb523352be3
- SHA512
  
  1167d1b0830b31825c3b91edc78e27783729cbdd3c0f240e935e76ffbb3d6cc364317aa8a50f6b7980012ee2cee1c19584d588fdfda3645fee9bbd44d7592d39
Score

10^/10

qakbot obama187 1654695312 banker stealer trojan
- Qakbot/Qbot
  Qbot or Qakbot is a sophisticated worm with banking capabilities.
  trojan banker stealer qakbot
behavioral11 behavioral12

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

IcedID, BokBot

Blocklisted process makes network request

Checks computer location settings

IcedID, BokBot

Blocklisted process makes network request

Checks computer location settings

Qakbot/Qbot

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12