General

  • Target

    IRS_Form_12-01-9.zip

  • Size

    61KB

  • Sample

    221205-g6tr5adb82

  • MD5

    6ef51e05926f07aa3cca6eb1d35516c3

  • SHA1

    84d1ff0610df09fe0904c884510b8cbad9d5651e

  • SHA256

    738cc370a87bc239568ff5f047abea91bdef59d20df8f518dba7fe4e845cd3f5

  • SHA512

    aa03ca261c6d528868116d4589243521fecfb0e1ed9a98256305c05956baf63eeab342c303399a5ae9c40eec8b7b4671b4e3663eb3193626d51257220093bcb6

  • SSDEEP

    1536:taYNv6dTkUQZo5Yb0Jv2qTsJV3UJeHX6i0J/PfjyC:cYlEhQZo5Y4Jv2qTe5XgdfD

Malware Config

Extracted

  • Family

    icedid

  • Campaign

    2271535685

  • C2

    babysoftletirs.com

Targets

    • Target

      IRS_Form_12-01-9/Scan.lnk

    • Size

      2KB

    • MD5

      cd9141a0adf67b09758fea89e78ccac1

    • SHA1

      86c34a4fb3f6e045ef5744cd1093d2de0e9ca04f

    • SHA256

      1398d020e2dd025cc4821ea4432ae219fa556d1cb597287c3c85bc74802f3b61

    • SHA512

      f0a5066410ef1d5dd256df8449f11a99d6d0823278da53e8add2c6a2b4d9e5f6e6509335117b13d06c31fef4c8f56681c328c616accd5e8386829ecc73f9bcdd

    • IcedID, BokBot

      IcedID is a banking trojan capable of stealing credentials.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Loads dropped DLL

    • Target

      IRS_Form_12-01-9/wiglid/foeZv.cmd

    • Size

      1KB

    • MD5

      b5459c0fe4204241778525745d7b0a4c

    • SHA1

      4e8a41c6b36fb0f3bdc9d76b231c43924bb29779

    • SHA256

      ba1f1006aa00426a49734c8964ade417880788a7dbd92ec828705ea0bbdfcdbc

    • SHA512

      41ae13b28fb583aaed892bae735817f653caa8246c435e55dc96874b04f0222b1f35065b0bd9ba9305194a297d8c752043fa916c48751cf9bc1d899d82f77067

    • Score

      1/10
    • Target

      IRS_Form_12-01-9/wiglid/laborsaving.dll

    • Size

      161KB

    • MD5

      13dc944a91cffd0385e29ea899a43af2

    • SHA1

      793cfb6887fd324583ab1df77ff5e96391a3887b

    • SHA256

      af5f6f066ffc8c375d6e4d1138d63da32014d7ea21b8b7582da0cd8b97794cbe

    • SHA512

      258c0c920f0e76f2b883f967cf73114890f61abbee0824d9b2e913623feaeb53c2b1179bc34df49627fe39459e1d9b20986186015fa0168c7b452eeba7449c39

    • SSDEEP

      3072:rag+wcWn3nAVoBOSMc3NtwhGNS+4is6b2:rJwYl3S1ub2

    • IcedID, BokBot

      IcedID is a banking trojan capable of stealing credentials.
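The chain above starts with Scan.lnk, and the report only records what the shortcut went on to do (run the .cmd, load the dropped DLL). To see what a shortcut will launch before detonating it, parse the ShellLinkHeader and StringData of the MS-SHLLINK format. The parser below is an added example, not code from the sandbox or the report: the sample shortcut bytes are constructed inline by `build_lnk`, and the relative path and arguments used in it (cmd.exe launching `wiglid\foeZv.cmd`) are assumptions about how this kind of lure works, not values extracted from the real Scan.lnk.

```python
"""Minimal .lnk (MS-SHLLINK) parser with a triage verdict.

Added example for the IcedID report above; not the sandbox's own code.
Only the header, the LinkTargetIDList/LinkInfo skips and the StringData
section are handled, which is enough to see the launched command line.
"""
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")   # 00021401-0000-0000-C000-000000000046
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
HEADER = struct.Struct("<I16sIIQQQIiIHHII")   # ShellLinkHeader: 76 bytes
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_REL_PATH),
                 ("working_dir", HAS_WORK_DIR), ("arguments", HAS_ARGS),
                 ("icon_location", HAS_ICON))      # fixed order in the file
LOLBINS = ("cmd.exe", "powershell.exe", "rundll32.exe", "wscript.exe", "mshta.exe")
PAYLOAD_EXT = (".cmd", ".bat", ".dll", ".vbs", ".js", ".ps1")


def _read(fmt, data, off):
    """Bounds-checked unpack: a malformed shortcut raises ValueError, never an out-of-range slice."""
    size = struct.calcsize(fmt)
    if off + size > len(data):
        raise ValueError(f"truncated at offset {off}")
    return struct.unpack_from(fmt, data, off), off + size


def parse_lnk(data):
    """Return header fields plus whichever StringData strings the LinkFlags say are present."""
    (hdr, off) = _read(HEADER.format, data, 0)
    size, clsid, flags, _attrs, _ct, _at, _wt, fsize, _icon, show, *_ = hdr
    if size != HEADER.size or clsid != LNK_CLSID:
        raise ValueError("not a ShellLink header")
    if flags & HAS_ID_LIST:                       # uint16 IDListSize, then the item IDs
        ((n,), off) = _read("<H", data, off)
        off += n
    if flags & HAS_LINK_INFO:                     # uint32 LinkInfoSize counts itself
        ((n,), off) = _read("<I", data, off)
        off += n - 4
    out = {"flags": flags, "show_command": show, "file_size": fsize}
    unicode = bool(flags & IS_UNICODE)
    for key, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        ((count,), off) = _read("<H", data, off)  # CountCharacters, not bytes
        nbytes = count * 2 if unicode else count
        if off + nbytes > len(data):
            raise ValueError(f"truncated {key}")
        out[key] = data[off:off + nbytes].decode("utf-16-le" if unicode else "cp1252")
        off += nbytes
    return out


def is_valid_lnk(data):
    try:
        parse_lnk(data)
        return True
    except ValueError:
        return False


def lnk_verdict(lnk):
    """Heuristics a triage analyst applies to a parsed shortcut; returns the reasons that fired."""
    reasons = []
    path = lnk.get("relative_path", "").lower()
    args = lnk.get("arguments", "").lower()
    if path.endswith(LOLBINS):
        reasons.append("target is a script or LOLBin host")
    if any(ext in args for ext in PAYLOAD_EXT):
        reasons.append("arguments reference a script or DLL")
    if lnk["show_command"] == 7:                  # SW_SHOWMINNOACTIVE: window kept away from the user
        reasons.append("launches minimized")
    return reasons


def build_lnk(relative_path, arguments, show_command=7):
    """Constructed test input (assumed layout of a lure shortcut): header, empty LinkInfo, two strings."""
    flags = HAS_LINK_INFO | HAS_REL_PATH | HAS_ARGS | IS_UNICODE
    hdr = HEADER.pack(HEADER.size, LNK_CLSID, flags, 0x20, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    link_info = struct.pack("<IIIIIII", 28, 28, 0, 0, 0, 0, 0)   # LinkInfoSize=28, no volume/path data

    def s(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return hdr + link_info + s(relative_path) + s(arguments)


# Assumed content for the report's Scan.lnk; the real shortcut's strings are not on the page.
SAMPLE = build_lnk(r"..\..\..\Windows\System32\cmd.exe", r"/c wiglid\foeZv.cmd")

if __name__ == "__main__":
    parsed = parse_lnk(SAMPLE)
    print(parsed, lnk_verdict(parsed))
```

`parse_lnk` refuses to read past the buffer, so it can be pointed at untrusted shortcuts pulled from mail gateways or archives without crashing the pipeline; fields it does not model (ExtraData blocks, the full IDList) are skipped rather than interpreted.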

MITRE ATT&CK Matrix (ATT&CK v6)

Discovery

  • Query Registry

    T1012 (1)

  • System Information Discovery

    T1082 (2)
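The behaviours the report maps to T1012 and T1082, together with the delivery chain (explorer.exe running Scan.lnk, the .cmd launcher, the dropped DLL) and the extracted C2 domain, can be turned into endpoint detection logic. The block below is an added example and not part of the report: the events are constructed to mimic process-creation, registry-read and DNS telemetry, the field names are my own, rundll32.exe as the DLL host and the two registry values treated as "location" lookups are assumptions (the report does not say which key the sample reads), and only the C2 domain and the file names come from the page.

```python
"""Detection logic for the IcedID chain described in the report, run over constructed telemetry.

Added example; not code from the sandbox or the report. Event schema, the
rundll32.exe assumption and LOCATION_VALUES are assumptions for illustration.
"""
import re

C2_DOMAINS = {"babysoftletirs.com"}                       # from the extracted config above

# Assumed registry values a geofence check would read (T1012); not confirmed by the report.
LOCATION_VALUES = (
    r"\Control Panel\International\Geo\Nation",
    r"\SYSTEM\CurrentControlSet\Control\Nls\Language\Default",
)
USER_WRITABLE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\(AppData|Downloads|Desktop)\\", re.I)

# Constructed events (type: process | registry_read | dns); pids and paths are invented.
EVENTS = [
    {"type": "process", "pid": 1200, "ppid": 900, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"type": "process", "pid": 1300, "ppid": 1200, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'cmd.exe /c "C:\Users\bob\Downloads\IRS_Form_12-01-9\wiglid\foeZv.cmd"'},
    {"type": "process", "pid": 1400, "ppid": 1300, "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe C:\Users\bob\Downloads\IRS_Form_12-01-9\wiglid\laborsaving.dll,#1"},
    {"type": "registry_read", "pid": 1400, "target": r"HKCU\Control Panel\International\Geo\Nation"},
    {"type": "dns", "pid": 1400, "query": "babysoftletirs.com"},
    # Benign noise: an interactive cmd.exe and an unrelated lookup.
    {"type": "process", "pid": 1500, "ppid": 1200, "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe /c dir"},
    {"type": "dns", "pid": 1500, "query": "update.microsoft.com"},
]


def process_table(events):
    return {e["pid"]: e for e in events if e["type"] == "process"}


def descends_from(procs, pid, ancestor):
    """True when `ancestor` is on pid's parent chain; the seen-set guards against pid reuse loops."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        if procs[pid]["ppid"] == ancestor:
            return True
        pid = procs[pid]["ppid"]
    return False


def detect_lnk_chain(events):
    """explorer.exe -> cmd.exe running a .cmd -> rundll32.exe loading a DLL from the same
    user-writable directory. Returns the pids of the DLL-hosting processes."""
    procs = process_table(events)
    hits = []
    for p in procs.values():
        if not p["image"].lower().endswith(r"\rundll32.exe"):
            continue
        dll = re.search(r"([A-Z]:\\[^,\s]+?\.dll)", p["cmd"], re.I)
        parent = procs.get(p["ppid"])
        if not (dll and parent and parent["image"].lower().endswith(r"\cmd.exe")):
            continue
        script = re.search(r'([A-Z]:\\[^"]+?\.cmd)', parent["cmd"], re.I)
        grandparent = procs.get(parent["ppid"])
        same_dir = script and dll.group(1).rsplit("\\", 1)[0].lower() == script.group(1).rsplit("\\", 1)[0].lower()
        if (USER_WRITABLE.match(dll.group(1)) and same_dir and grandparent
                and grandparent["image"].lower().endswith(r"\explorer.exe")):
            hits.append(p["pid"])
    return hits


def detect_location_lookup(events, suspect_pids):
    """Registry reads of locale/country values by a suspect process or one of its descendants."""
    procs = process_table(events)
    hits = []
    for e in events:
        if e["type"] != "registry_read":
            continue
        if not any(e["target"].lower().endswith(v.lower()) for v in LOCATION_VALUES):
            continue
        if e["pid"] in suspect_pids or any(descends_from(procs, e["pid"], s) for s in suspect_pids):
            hits.append((e["pid"], e["target"]))
    return hits


def match_c2(events, domains=C2_DOMAINS):
    """DNS queries for the C2 domain or any subdomain of it (exact label match, not substring)."""
    out = []
    for e in events:
        if e["type"] != "dns":
            continue
        q = e["query"].lower().rstrip(".")
        if any(q == d or q.endswith("." + d) for d in domains):
            out.append((e["pid"], q))
    return out


def triage(events):
    chain = detect_lnk_chain(events)
    return {"chain_pids": chain,
            "location_lookups": detect_location_lookup(events, set(chain)),
            "c2_queries": match_c2(events)}


if __name__ == "__main__":
    print(triage(EVENTS))
```

The registry check is deliberately scoped to descendants of the flagged chain: locale reads are common on a normal host, and alerting on them alone would be noisy, whereas a locale read by a DLL launched from a user's Downloads folder shortly before a lookup of the extracted C2 domain is the sequence the report describes.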

Tasks