General

  • Target

    iced.zip

  • Size

    127KB

  • Sample

    221212-kzeamsba25

  • MD5

    706f48e4db0207fb398a39b1ca48e364

  • SHA1

    2e0f018819ffdf2ed148ff86a9cbab002f577a33

  • SHA256

    b58a31d34c5014ac5f41d7ecd5a741139595ae6d05ac850a41314ff03260e4c0

  • SHA512

    fccdc000f31a0f70caeff17007d194154bcea992adca082d556ccf5d4efd6f2dfe963529d9e1342f31ff17fbec82dc523f487cfd71deeb8e6010a4aaa94e9f89

  • SSDEEP

    3072:bEGLMu/KumT3NHlvWLV0OLfVkFqNIgxyuoyRPBCR:QGLjK1JFvChTIgx3oPR

Malware Config

Extracted

Family

icedid

Campaign

1268412609

C2

ewgahskoot.com

Targets

    • Target

      iced/Documents.lnk

    • Size

      2KB

    • MD5

      4237deaa85e5e4bbd6b925dc5b83984a

    • SHA1

      740ae2cc9ed94d78607e3ddc7f83647434e5fade

    • SHA256

      61c2586653dfec082d45671296840368df356d2c8770c8e2d6221fb6fe29ecac

    • SHA512

      5117ce3f8ae987f32002c2313ff4d581a11d450eb597dc566204b98e17e33138da31da78d21a32f39ab0d3a213710bc35f48a9a132141468c930df0fcfee9622

    • IcedID, BokBot

      IcedID is a banking trojan capable of stealing credentials.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Loads dropped DLL

    • Target

      iced/askgothogtan/forbidding.tmp

    • Size

      374KB

    • MD5

      6242b580541d24a300b10998f33af74f

    • SHA1

      091b8d919aa4d340c4872ad97488eeb7866175e6

    • SHA256

      88b2a39578b88e560fd05ec2fcd971cf63e4fbeb229026ad5c0dc3bce17ea549

    • SHA512

      c1ee8be83d598277d7db31e9aad0318e710e73c5a89a61fc7554e79470ff8fab637954038a4817e5da188be20741bab2c6302c1c1df97df90c5c5b36d4913d13

    • SSDEEP

      6144:00FOhm3Y1LfpDqnkIBwcu/oDdzr88vAHL/l7ysDPXoPcTPinEgrTytlRNKIg8ggd:00km3YYY/ohhvAHLoWPXoPcTPbgrmtlR

    • Score

      3/10

    • Target

      iced/askgothogtan/ginbum.cmd

    • Size

      1KB

    • MD5

      9c5c165f68040c27ca493218e54a57ef

    • SHA1

      e18932c39422969e5908dce3260acae4e46a11ad

    • SHA256

      791ece5a1f7a84eb20786454ec917d3ef16a0a57a7d5e9ecbeb069151cdd16d4

    • SHA512

      fed35aa7628d645d20028d4c106b3899ea459480645a33c720d645dc339637e92033260a0187b33f421b74a5b1df97845bd2d6af833dc4fbfcf4c275937fc638

    • Score

      1/10

MITRE ATT&CK Matrix ATT&CK v6

Discovery

  • Query Registry (T1012): 1

  • System Information Discovery (T1082): 2

Tasks