Overview

overview

10

Static

static

ET.lnk

windows7-x64

10

ET.lnk

windows10-1703-x64

10

ET.lnk

windows10-2004-x64

10

developer/...ng.cmd

windows7-x64

1

developer/...ng.cmd

windows10-1703-x64

1

developer/...ng.cmd

windows10-2004-x64

1

developer/inhales.cmd

windows7-x64

1

developer/inhales.cmd

windows10-1703-x64

1

developer/inhales.cmd

windows10-2004-x64

1

developer/...ss.dll

windows7-x64

3

developer/...ss.dll

windows10-1703-x64

3

developer/...ss.dll

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    CA20.vhd

  • Size

    2.0MB

  • Sample

    221208-r7jcwsdc6w

  • MD5

    c4399bd59becad5e7bdc2cfceb32e9b1

  • SHA1

    5dcab70ea4339609049e553822948614d0a07d64

  • SHA256

    4aeff5a6879a17784d3765643eec3fc70efc6cbbeb469de29cda8f9b9d3a8138

  • SHA512

    ea517cac6097e552e7ad5ec8a8a89d2082ee479a3be497e7f786984feac08686817fd2ce9e455abdd12baeafc1190edbe51e97fa1cf585bea87ff2b805f73426

  • SSDEEP

    6144:67N2DFx/kYWK4XDfAW2C//+777777Lw9oHMAqLa8F3u:65O//r777777LwmqLbF3u

Score
10/10
icedid3738574432bankerloadertrojan

Malware Config

Extracted

Family

icedid

Campaign

3738574432

C2

aslowigza.com

Targets

    • Target

      ET.lnk

    • Size

      1KB

    • MD5

      02f57b1af9c0719d29175743a380e724

    • SHA1

      de0f7e98cb9fffd835601f32b671778fe8e6cb7b

    • SHA256

      54ea0e71bfa44198d69f3f08e3e6a21545034922c8d42b25ac698985be076133

    • SHA512

      4ae240b7dcf6a0263bf9b7669ff52d73d3bd03e47f93c4a44785876ba57865867eceeed8fe8fdb1427ab9c65711256b81f7f51f63ec67653fa88314c57809705

    Score
    10/10
    icedid3738574432bankerloadertrojan

    • IcedID, BokBot

      IcedID is a banking trojan capable of stealing credentials.

      trojanbankericedid

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    behavioral1behavioral2behavioral3

    • Target

      developer/becoming.cmd

    • Size

      179B

    • MD5

      5c4455e3aea061007547c64dfdf4e626

    • SHA1

      548be0c159d50e29d8297b4891d392a4cd17eff2

    • SHA256

      a51e88173b9e832a814df852206975d0186dd310e2313f3fade232b4f029b152

    • SHA512

      9373a47fe306f8328fd48f88b438140a9ded37d5f151bad3d6fc9d1d5e7f9ec07a84528ccb17c90549203cd98c716c6c10b9352f007f0eab1f443b67cb6e6ca0

    Score
    1/10
    behavioral4behavioral5behavioral6

    • Target

      developer/inhales.cmd

    • Size

      299B

    • MD5

      a662b1f12e5002dff7fb755cd8c091c1

    • SHA1

      6c8dd732a29e9ebf36b2fc43a08abe4a5db922ca

    • SHA256

      a6b5db682703730d7f1a64f9cbe2386bae8c6b2af31549e83eba2458b0db9345

    • SHA512

      ed525bc09479a0c934997c53713f6d789a7cc43f18cc71424bf0d3e498d4f4c4dff64f534078e9aac165ffebc1db6e717cf50e56502ecbb0c8964235082b3102

    Score
    1/10
    behavioral7behavioral8behavioral9

    • Target

      developer/nevertheless.tmp

    • Size

      209KB

    • MD5

      bc47f431d704a935bdd20d65aceab8df

    • SHA1

      9729b10dde412058d36636a7522996651aaabe9f

    • SHA256

      4125a812e9d57cce27ab819705a96634ec91ce23cf7dc2c36e82ba15ec4fe184

    • SHA512

      96c49bd4204c7501ddc08cc39d0a7930636d22a435501fefa8d8de89a70a568ae74e76afe3575464812555f7ef8f77c31e87cb477cf4cf47a38620b453e84f59

    • SSDEEP

      6144:s7N2DFx/kYWK4XDfAW2C//+777777Lw9oHMAqLa8F3u8:s5O//r777777LwmqLbF3u8

    Score
    3/10
    behavioral10behavioral11behavioral12

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks