icedid | 3902cf0da0a98be65271e73ca0d71edb256a5e9b085a035ae49a0b7ac34f5342 | Triage

Sharing

General

Target

11.zip
Size

162KB
Sample

220831-bc1exsefem
MD5

bb7beab952d48d6bc556e14fb18e8f06
SHA1

9e8a567b5a12e3cbc880105e4879491bdcf015a9
SHA256

3902cf0da0a98be65271e73ca0d71edb256a5e9b085a035ae49a0b7ac34f5342
SHA512

42ac8ba36344af232ecc286a4bdfd2f898dbc3aab01cc9d272890860c93c5f403ebff58205b25a2b08fa15511b323702d7e4bfcbb7d965452d251a64414dd8b1
SSDEEP

3072:ZJViJvVHOOjc7YGjdzinNesjKcvnUn/yj7HWDx27prbxI:Z3iJvx6inN/znUaj7HQxYpu

Score

10^/10

icedid 2260774107 banker loader trojan

Malware Config

Extracted

Family

icedid

Campaign

2260774107

C2

godenfasternow.com

Targets

- Target
  
  Invoice_Aug-29_document45_unpaid/5.bat
- Size
  
  31B
- MD5
  
  0a0cd27c010edcb08b934c40ac8cfaed
- SHA1
  
  9d8db196561e7ef52b2324560ab6e1f7ea206d62
- SHA256
  
  9e74609bc28e858af96a70ba0470efd010fe861b0af2a1a88cb8909cb1c0a879
- SHA512
  
  c8b644cdc71f5e45ca3af947f1a027479a8b5aae302b5852d382462b4bb5e29fa45a272f74eb8f89d2d5a0e466ca5f6a5ce1076ac43927ae8aa18e7cf85f5f14
Score

10^/10

icedid 2260774107 banker loader trojan
- IcedID, BokBot
  IcedID is a banking trojan capable of stealing credentials.
  trojan banker icedid
- Blocklisted process makes network request
behavioral1 behavioral2
- Target
  
  Invoice_Aug-29_document45_unpaid/documents.lnk
- Size
  
  1KB
- MD5
  
  9629f10740cd3cb2765bb784d0e62dbc
- SHA1
  
  ef9019c89073520bdacc63bf93776fbe6a3d6aca
- SHA256
  
  e89cd1999517b47805106111e14de4a03669cac30adb3b3304655febce25955f
- SHA512
  
  094b0e4d4d7b6106e0b1cb4d32c124e62c691d3717af7b7a7bd3cb7d126adc33c79c816cc6ca00e162221804cf2b991d73159ff0b56a908fab5f7d6fa0a35e2a
Score

10^/10

icedid 2260774107 banker loader trojan
- IcedID, BokBot
  IcedID is a banking trojan capable of stealing credentials.
  trojan banker icedid
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral3 behavioral4
- Target
  
  Invoice_Aug-29_document45_unpaid/sterli0p.dll
- Size
  
  380KB
- MD5
  
  ed4780d70c750ccb81409e30a3448c8a
- SHA1
  
  3c24e3680c3747b5c2d73d0e92d80fe9db50740b
- SHA256
  
  4cbf08c2de6c55f292c9054674c57454307d3d74d2d85ec804c35708ab013de0
- SHA512
  
  71b69d64ad1d90baea7b9b9755e81a6e3aa6530f88a509005eb22b40c849083e88f62f8d376202218f127ea6718ab7680376dca813b8c4a7cbb40c6872bc7790
- SSDEEP
  
  6144:kWV/y/2ucWBj0NM24rn2whH2paneB6W69yfue9+P024rn2XQ4LHvomnVyAy7SsBi:D/sckjp24rn2whHdneB6WXue9R24rn2b
Score

10^/10

icedid 2260774107 banker loader trojan
- IcedID, BokBot
  IcedID is a banking trojan capable of stealing credentials.
  trojan banker icedid
- Blocklisted process makes network request
behavioral5 behavioral6

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

icedid2260774107bankerloadertrojan

behavioral2

icedid2260774107bankerloadertrojan

behavioral3

icedid2260774107bankerloadertrojan

behavioral4

icedid2260774107bankerloadertrojan

behavioral5

icedid2260774107bankerloadertrojan

behavioral6

icedid2260774107bankerloadertrojan