General

  • Target

    EWM89.iso

  • Size

    708KB

  • Sample

    221118-1xbpqsac35

  • MD5

    356502edab299b3d5d7e8895fef19e6c

  • SHA1

    675ee831c2d08f343e225f1a943056537486f007

  • SHA256

    b1b0b138ff7757c691d4dd1ef1e20b3eb0d05ba67f0bda3828b5c96262542c7c

  • SHA512

    820ee2923619219b9f461770f68f4e830c0a34b1b84cc25cced7d8c46e82cb076b26906dcd19e0d0a2a605985139a0ec6dcda2e2cdc9adfac6db3c3f88d3e7c3

  • SSDEEP

    6144:2K8uHMMR+laGEoSvma0lgTxwBT0kqnYMXq0lDUUTGpsmLlDF/lDdosW2HOuNb0iy:2tuHM4+9g9wBkX4Hp5uTBp

Malware Config

Extracted

Family

icedid

Campaign

3822462527

C2

sciiultaelinoza.com

Targets

    • Target

      FF.vbs

    • Size

      9KB

    • MD5

      882c82b38def525fec7413ec05786e62

    • SHA1

      82d00fe9c174a054f82375a34f1bf6b42f7546a3

    • SHA256

      517330eb926cfad729072ceff5fe569e2860280d77b7f2167bb3dbce114ccb82

    • SHA512

      918faca6cdd24c55154b0bb3c96e832a9d63a5820410efbd401594746dfaa8d942b334ace6a7117ac2671a95422f46e845848124bb56ea4b7cac50f7c3805a6f

    • SSDEEP

      192:reSjpUorcl/E4hp3aD/OCMhiEe1mUS1G0vdzgW20fkbsgTbpQt:a4pnrcpE4hpPCMhidmnGm80jWb4

    • IcedID, BokBot

      IcedID is a banking trojan capable of stealing credentials.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops file in System32 directory

    • Target

      data.txt

    • Size

      3B

    • MD5

      f241176a4e2ae5d8dcdc32ef95083226

    • SHA1

      b1442fdff89f64c13a38a2d35407a315a033577a

    • SHA256

      1fc61c2a8598b892e1aba390c70cde2c695f2c81abd5eeaadef902a9cf9d777e

    • SHA512

      fbf2577597b6c861e41d419b5f1fb581b3568ab1c52c993552be1ef8881c360aa40b4c7c4fef52a6197bf46638ef71abc9989365546fc4c9c8aed381bfb0c334

    • Score

      1/10

    • Target

      swore/darkens.temp

    • Size

      100KB

    • MD5

      df288e522a3db3bdb3b0cce2622d159d

    • SHA1

      620d3190d05351720eff25e6d69d3fc64fc6a537

    • SHA256

      d863a2dd49523f270e630ca0223a6998e1aa2dbab38e309a2b03df2eadee1cbf

    • SHA512

      047d006e6030c94ed45cef37478fae47b3326dc2a727456f7a9a07182bf0fb903ce2629d12f13bed7621d8b63bab17a5d1063b1b5f083496c72017f00e10df08

    • SSDEEP

      1536:kZO05V58A9tXrTMMv6OHKj2luFY0xS57B3l/ApekzDsw9BM8cpmSn0l7i59:SjTMM3A6XkbfcQin

    • IcedID, BokBot

      IcedID is a banking trojan capable of stealing credentials.

    • Blocklisted process makes network request

MITRE ATT&CK Matrix ATT&CK v6

Discovery

Query Registry

3
T1012

System Information Discovery

4
T1082

Tasks