icedid | a7cdbc2f33354bb657f21e1652c3093ecf5a27a5736feb3fd4705408b0cba999 | Triage

Analysis

max time kernel
549s
max time network
551s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
20/09/2022, 14:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

KFA5FhQN.dll
Size

452KB
MD5

3e58639c56f59ae8f2f63123a9075d6e
SHA1

157d2b671a2aabb3ec4c62984f34965ebf2f625f
SHA256

a7cdbc2f33354bb657f21e1652c3093ecf5a27a5736feb3fd4705408b0cba999
SHA512

45648332cdfb657e321ecfd9f0b1f6f047844c5d22fee7f474d81a32cdea2c971879d5a8590d81c4a7047fb7ffe4db9c7829367c409e7c9fa949175f34caa3bf
SSDEEP

6144:NGT7FWQ+IU6wOnhu8V3wflW5P1rh/F8vkQwXZ6XRTUrBFNbezWm80JZppZxnck93:Nr0BIHxwJwWtbeY0ZxN

Score

10^/10

icedid 775636601 banker loader trojan

Malware Config

Extracted

Family

icedid

Campaign

775636601

C2

aviadronazhed.com

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4992	rundll32.exe
4992	rundll32.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3720 wrote to memory of 4612	3720	cmd.exe	72
PID 3720 wrote to memory of 4612	3720	cmd.exe	72

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\KFA5FhQN.dll,#1
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4992

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3720
- C:\Windows\system32\rundll32.exe
  rundll32 KFA5FhQN.dll,#1
  2⤵
  PID:4612

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4992-116-0x0000000180000000-0x0000000180009000-memory.dmp

Filesize
36KB

Download
memory/4992-122-0x00000160FE500000-0x00000160FE506000-memory.dmp

Filesize
24KB

Download