icedid | 5c9b6b76ea0fac9e9e6ab41a52aeec496db006ef575f6a461e9e30cac3392d07 | Triage

Sharing

General

Target

sterlip.zip
Size

157KB
Sample

220830-h3jcnadefp
MD5

432556fb0e47474b6b2ffbfe92495d90
SHA1

79477ee25159fb6561f214cc70e5664eade06a68
SHA256

5c9b6b76ea0fac9e9e6ab41a52aeec496db006ef575f6a461e9e30cac3392d07
SHA512

bce4900568b94aed8523f16978749b4205dbc0c983252546a3862011152c3c058a5c92d6a011ab324adee15075d37dafc4064ac00a039c234428343c52456f5b
SSDEEP

3072:3fxpiiey+Ltu7UNKvbIJlzADl6BgagN91CiYIql2Gvn7FJhvNmDs:3ui+Ltu7U0vcJlkl8gHN91CiYIqrP7FP

Score

10^/10

icedid 2260774107 banker loader trojan

Malware Config

Extracted

Family

icedid

Campaign

2260774107

C2

godenfasternow.com

Targets

- Target
  
  sterlip/5.bat
- Size
  
  31B
- MD5
  
  0a0cd27c010edcb08b934c40ac8cfaed
- SHA1
  
  9d8db196561e7ef52b2324560ab6e1f7ea206d62
- SHA256
  
  9e74609bc28e858af96a70ba0470efd010fe861b0af2a1a88cb8909cb1c0a879
- SHA512
  
  c8b644cdc71f5e45ca3af947f1a027479a8b5aae302b5852d382462b4bb5e29fa45a272f74eb8f89d2d5a0e466ca5f6a5ce1076ac43927ae8aa18e7cf85f5f14
Score

10^/10

icedid 2260774107 banker loader trojan
- IcedID, BokBot
  IcedID is a banking trojan capable of stealing credentials.
  trojan banker icedid
- Blocklisted process makes network request
behavioral1 behavioral2
- Target
  
  sterlip/documents.lnk
- Size
  
  1KB
- MD5
  
  9629f10740cd3cb2765bb784d0e62dbc
- SHA1
  
  ef9019c89073520bdacc63bf93776fbe6a3d6aca
- SHA256
  
  e89cd1999517b47805106111e14de4a03669cac30adb3b3304655febce25955f
- SHA512
  
  094b0e4d4d7b6106e0b1cb4d32c124e62c691d3717af7b7a7bd3cb7d126adc33c79c816cc6ca00e162221804cf2b991d73159ff0b56a908fab5f7d6fa0a35e2a
Score

10^/10

icedid 2260774107 banker loader trojan
- IcedID, BokBot
  IcedID is a banking trojan capable of stealing credentials.
  trojan banker icedid
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral3 behavioral4
- Target
  
  sterlip/sterli0p.dll
- Size
  
  380KB
- MD5
  
  d91c0d151e0b964530569e9d2536aec0
- SHA1
  
  bab1196a8549f7dd50f198f01c901ec8d185d19d
- SHA256
  
  7ea75d13428515d243e538e45ca09f58328240a201ab4b96ea917559284b8f44
- SHA512
  
  256dd7323603e54d6f419987b6e4bd37eaeb2ef0876b58aa46f0fe9d1177b8edf70c140c8083e55b27e8dea152564da105195f17cc9c04e7ba748cca36a8013d
- SSDEEP
  
  6144:6CjoQMt24rn2QQcIU9ycLHvomnVomk81Wa+V7HH2424rn2bBnHIsWrXIy4tBuu8M:vjoQMt24rn2rcI9mk8nKHD24rn2tnHfJ
Score

10^/10

icedid 2260774107 banker loader trojan
- IcedID, BokBot
  IcedID is a banking trojan capable of stealing credentials.
  trojan banker icedid
- Blocklisted process makes network request
behavioral5 behavioral6

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

icedid2260774107bankerloadertrojan

behavioral2

icedid2260774107bankerloadertrojan

behavioral3

icedid2260774107bankerloadertrojan

behavioral4

icedid2260774107bankerloadertrojan

behavioral5

icedid2260774107bankerloadertrojan

behavioral6

icedid2260774107bankerloadertrojan