Overview

overview

10

Static

static

could.vbs

windows7-x64

4

could.vbs

windows10-2004-x64

7

moment_tea...15.dll

windows7-x64

10

moment_tea...15.dll

windows10-2004-x64

10

moment_tea...ry.png

windows7-x64

3

moment_tea...ry.png

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    8491037158.zip

  • Size

    994KB

  • Sample

    221129-q6qj5shb9x

  • MD5

    f9e21ab15802a9e674d19506295b018a

  • SHA1

    487fb7e524abb377921004ba621c7946a1af57ab

  • SHA256

    dcefa04a78bbb563dbf248d9ff10eb55dcc918dc55fbb2bd36a1f801405e286f

  • SHA512

    27f3bf4099c92e05e82056630f0c3a1e78f7955c2e2874fbdf9df9dfa212850aa5272cc513856e2ac784d0baffdc7afd71a84742e78b187fce280e6e9a4293fa

  • SSDEEP

    24576:OxueEu8F4WojQv8H81rm4vlnWNvVrLdr7wH4II2feTg:eEu8F4Wtv8HwcvV/iYHg

Score
10/10
icedid1575907940bankerloadertrojan

Malware Config

Extracted

Family

icedid

Campaign

1575907940

C2

autovropsanti.com

Targets

    • Target

      could.vbs

    • Size

      240B

    • MD5

      8f451657f5a4815aa48709abfc6948fa

    • SHA1

      e1951d808e943e5a529c5788dcc50a5c30a11389

    • SHA256

      e9e9cf0a48f0d66705d6c8ba39fd74a79c1169e2170e66e4dc3717ac1c379af3

    • SHA512

      23f59ec72302d547ca50c8a19240ab6a8ed991bbbd1490f1971da604b8d1afb93093c4737ddb451ad7bd1bca5bb7d4cda2783495b9819b0615b74753e1f0647f

    Score
    7/10

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    behavioral1behavioral2

    • Target

      moment_teach/loader_dll_64_3#001.dll15.dll

    • Size

      60KB

    • MD5

      71ee6437db507ca360a6d1017a9aa9d7

    • SHA1

      622efe9510f9863b3bbd2ef8d25cf683976ade21

    • SHA256

      962c901ef22e780ee67c5482318668ca107449e093033c069dbe2df093a6ccf2

    • SHA512

      f4e72fe5b40fc050008e2cb5eb7626973530f822da0802fd2af49f1fc9ebb952e8756f539ee32e4b9a66c3a0cf34ea93807d322a8e3da01ad00460adc2bd5f58

    • SSDEEP

      768:lUtBgKpGoGIs9LiS19/RyeGlvV0hZZL4C5A0ctAcHPfYg5:lUbgsNk9pTs64aA0cPHYU

    Score
    10/10
    icedid1575907940bankerloadertrojan

    • IcedID, BokBot

      IcedID is a banking trojan capable of stealing credentials.

      trojanbankericedid

    • Blocklisted process makes network request

    behavioral3behavioral4

    • Target

      moment_teach/prove_dictionary.png

    • Size

      960KB

    • MD5

      9352f2a8c6ccc20ad47aa2b09950fa59

    • SHA1

      b0681f112b0b961cafe62aa800b1d88b6d5cfca2

    • SHA256

      ab06ce176a91769d0a9694612ac5943fe518794c4435e7dce290f1972dd656eb

    • SHA512

      b39c3970bfe1612c5fd2bb07696b067535825ba5d5e6935a10588dfae06ff0b89f49f0edd3866c6a022ffafd71dd5b948cc6f0bee2ee15af1c0f4c4046b20c46

    • SSDEEP

      24576:ILHOSDrlYOe3ZB8iXMYsYktqVghzT+JnlBBc6bWwF:ILHfW3ZGiXMYKt1hzT+JzJWm

    Score
    3/10
    behavioral5behavioral6

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

3
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks