Overview

overview

10

Static

static

NGH39.iso

windows7-x64

3

NGH39.iso

windows10-2004-x64

3

FF.vbs

windows7-x64

10

FF.vbs

windows10-2004-x64

10

data.txt

windows7-x64

1

data.txt

windows10-2004-x64

1

swore/personalize.txt

windows7-x64

1

swore/personalize.txt

windows10-2004-x64

1

swore/pestle.txt

windows7-x64

1

swore/pestle.txt

windows10-2004-x64

1

swore/remounting.dll

windows7-x64

10

swore/remounting.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    97s
  • max time network
    102s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    18-11-2022 18:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    swore/remounting.dll

  • Size

    100KB

  • MD5

    b235912cfba88b4729783cf45ffcdfec

  • SHA1

    96c2de06c29dbff408dd1503bbfb7339b51fd876

  • SHA256

    8abc47bd49bdccfc9db686068aec5732fc52fe7eb94907d96115867ab8b0d7a4

  • SHA512

    8a0a9b570442c7891ce86877a21615c794d83e7e79b2d0cadb158534d317d879d73b642a81608aa5f2bc96e4871c0fc6b93e6b7ee983ffb92cc5e0ce90de6c7c

  • SSDEEP

    1536:gZO05V5QA9tXrTMMv6OHKj2luFY0xS57B3l/ApekzDsw9BM8cpmSn0l7i59:mj/MM3A6XkbfcQin

Score
10/10
icedid3822462527bankerloadertrojan

Malware Config

Extracted

Family

icedid

Campaign

3822462527

C2

sciiultaelinoza.com

Signatures

  • IcedID, BokBot

    IcedID is a banking trojan capable of stealing credentials.

    trojanbankericedid
  • Blocklisted process makes network request 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\swore\remounting.dll,#1
    1⤵
    • Blocklisted process makes network request
    • Suspicious behavior: EnumeratesProcesses
    PID:1612

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1612-54-0x0000000180000000-0x0000000180009000-memory.dmp

    Filesize

    36KB

    Download

  • memory/1612-60-0x0000000000120000-0x0000000000126000-memory.dmp

    Filesize

    24KB

    Download