icedid | 2ef312bd91e56ac551bc223b1c8a1a2c170bdd402a0f4845862ad497ade8c84e | Triage

Analysis

max time kernel
92s
max time network
96s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
18-11-2022 18:31

Sharing

Report Analysis Logs

General

Target

wifely.dll
Size

49KB
MD5

f232967433d5490c9409a4b6a7568367
SHA1

fd5760d359e597daf91cdfea7415a870547f7ad2
SHA256

2ef312bd91e56ac551bc223b1c8a1a2c170bdd402a0f4845862ad497ade8c84e
SHA512

50a6532d06e2e5154d2c85a29044db875027d9b9a7e38647727d3902744e9c0cbe3da2605c9c17af11a7485dbff5b5cadfb984e89db622af2435a53d0c2068bc
SSDEEP

768:ki9IlCuxlaboLzk8FQm5OzR4HziHF47DPh/x8bQZ2w0Nt8ASwn5:kiWl3LzPIdEzqFI7v8sZE+ASwn5

Score

10^/10

icedid 3822462527 banker loader trojan

Malware Config

Extracted

Family

icedid

Campaign

3822462527

C2

sciiultaelinoza.com

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

3 1724 rundll32.exe
4 1724 rundll32.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

1724 rundll32.exe
1724 rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\wifely.dll,#1
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:1724

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1724-54-0x0000000180000000-0x0000000180009000-memory.dmp

Filesize
36KB

Download
memory/1724-60-0x0000000000190000-0x0000000000196000-memory.dmp

Filesize
24KB

Download