General

  • Target

    20230113icedid.zip

  • Size

    103KB

  • Sample

    230113-c7rxpsdg28

  • MD5

    2b1d250a1309224b0881f90cf63815c9

  • SHA1

    f5aa5c8dad28748a851ed80f0493cb75bed1adc7

  • SHA256

    e8cc09f0b8a4fa13dc11b37f0d8b3c42800224cd41ea279aba76221eb0cca674

  • SHA512

    e2da32bc7b6a18563821ac0485ec42207a44df4a68c6a8ae9c97d4fcb7a85eaf4f550d85aace4e8ce5e76ae0b0b2b7397238de74a0acb1585841173beacbc48b

  • SSDEEP

    3072:Kw1N2RxT1NssNIhXfoWDDNYEQFiE2VPQthNtgF5L:KwWRxT1GtdoWPNhozknL

Malware Config

Extracted

  • Family

    icedid

  • Campaign

    1387823457

  • C2

    allertmnemonkik.com
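The hashes and the extracted C2 domain above are the report's actionable indicators. The following is an added example, not part of the sandbox report and not code from the sandbox vendor or the malware: it embeds those indicators, hashes arbitrary bytes, matches any supplied digest (case-insensitively, on whichever algorithms both sides have) against the report's targets, and scans DNS log lines for the C2 domain, treating subdomains as hits but not look-alike names. The DNS log line shape (`<timestamp> <client> query <qtype> <qname>`) and the log lines themselves are constructed for the example and are not a real resolver format.

```python
"""Match artifacts and DNS activity against the IOCs from this report."""
import hashlib
from typing import Dict, Iterable, List, Tuple

# Hashes copied from the report (md5/sha1/sha256 only, lower-case).
REPORT_IOCS: Dict[str, Dict[str, str]] = {
    "20230113icedid.zip": {
        "md5": "2b1d250a1309224b0881f90cf63815c9",
        "sha1": "f5aa5c8dad28748a851ed80f0493cb75bed1adc7",
        "sha256": "e8cc09f0b8a4fa13dc11b37f0d8b3c42800224cd41ea279aba76221eb0cca674",
    },
    "icedid/INV.lnk": {
        "md5": "a5bf79eb941c6b46c54f1c7eeed61e0b",
        "sha1": "c3e4aaf8a1ead1b0e7839c23f39285ce6201a667",
        "sha256": "7149d908813641a2262abf5d9904879f4336b66d0e62fae49dc79465a6058d14",
    },
    "icedid/napphipolD/chialaDeeA.cmd": {
        "md5": "541bbab35791282acbafdedab26c1242",
        "sha1": "6c617961fe938dfa96e05ce03fedc3f0bb7e5eda",
        "sha256": "d798ce896affc7f7b35866153aeedca997ce0b4013317573338dcbf9a050efcc",
    },
    "icedid/napphipolD/limiting.dat": {
        "md5": "c9f3dd6dddcd3beb7070d9f915219034",
        "sha1": "c3f080523dc1b8c444742f372b9d212743b8a503",
        "sha256": "65281fe83e22bde20fa56079bebaea6fb353d1036be8073924fdf64cd9194984",
    },
}

# C2 domain from the extracted config.
C2_DOMAINS = {"allertmnemonkik.com"}


def digest_bytes(data: bytes) -> Dict[str, str]:
    """Return lower-case md5/sha1/sha256/sha512 hex digests of data."""
    return {
        name: hashlib.new(name, data).hexdigest()
        for name in ("md5", "sha1", "sha256", "sha512")
    }


def match_digests(digests: Dict[str, str]) -> List[str]:
    """Return report target names whose known digests match any given digest.

    Comparison is case-insensitive and only on algorithms both sides have,
    so a caller holding just a SHA256 still gets a match.
    """
    wanted = {k.lower(): v.lower() for k, v in digests.items()}
    hits = []
    for target, known in REPORT_IOCS.items():
        if any(wanted.get(alg) == val for alg, val in known.items()):
            hits.append(target)
    return hits


def is_c2_domain(name: str) -> bool:
    """True if name is a C2 domain or a subdomain of one (not a look-alike)."""
    n = name.lower().rstrip(".")
    return any(n == c2 or n.endswith("." + c2) for c2 in C2_DOMAINS)


def scan_dns_log(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, client, qname) for queries that hit a C2 domain.

    Expected line shape (constructed for this example, not a real log format):
    <timestamp> <client> query <qtype> <qname>
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5 or parts[2] != "query":
            continue
        ts, client, qname = parts[0], parts[1], parts[4]
        if is_c2_domain(qname):
            hits.append((ts, client, qname))
    return hits


# Constructed DNS log lines for demonstration; they are not from the report.
SAMPLE_DNS_LOG = [
    "2023-01-13T08:12:01Z ws-17 query A allertmnemonkik.com",
    "2023-01-13T08:12:02Z ws-17 query A www.microsoft.com",
    "2023-01-13T08:12:05Z ws-22 query A notallertmnemonkik.com",
    "2023-01-13T08:13:40Z ws-22 query AAAA cdn.allertmnemonkik.com.",
]

if __name__ == "__main__":
    print(match_digests({"sha256": REPORT_IOCS["icedid/INV.lnk"]["sha256"].upper()}))
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print("C2 lookup:", hit)
```

Hash matching on all four targets, not just the archive, matters in practice: the dropped `.cmd` and `.dat` are what land on disk, while the archive and the `.lnk` are what arrive by mail, so each stage can be hunted for independently.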

Targets

    • Target

      icedid/INV.lnk

    • Size

      1KB

    • MD5

      a5bf79eb941c6b46c54f1c7eeed61e0b

    • SHA1

      c3e4aaf8a1ead1b0e7839c23f39285ce6201a667

    • SHA256

      7149d908813641a2262abf5d9904879f4336b66d0e62fae49dc79465a6058d14

    • SHA512

      5754cec3462d503940593ca01408cef41624cf0186e28995a26bd49e735a0224c5285477c2fe22377b1a48b8b5eb338563a7396c75b39394a4732d2c39289985

    • IcedID, BokBot

      IcedID is a banking trojan capable of stealing credentials.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Loads dropped DLL

    • Target

      icedid/napphipolD/chialaDeeA.cmd

    • Size

      1KB

    • MD5

      541bbab35791282acbafdedab26c1242

    • SHA1

      6c617961fe938dfa96e05ce03fedc3f0bb7e5eda

    • SHA256

      d798ce896affc7f7b35866153aeedca997ce0b4013317573338dcbf9a050efcc

    • SHA512

      a92106307aaa6c158d99ee9a418e278b3016b739398fef6d572eb202dee5bbec21f6332ec23afe9b307a42bd46ab4e776570b4f6700175b4260d7282fdca3f14

    • Score

      1/10

    • Target

      icedid/napphipolD/limiting.dat

    • Size

      189KB

    • MD5

      c9f3dd6dddcd3beb7070d9f915219034

    • SHA1

      c3f080523dc1b8c444742f372b9d212743b8a503

    • SHA256

      65281fe83e22bde20fa56079bebaea6fb353d1036be8073924fdf64cd9194984

    • SHA512

      41c4bc71788b5c48cdce3337f281c886c38cef0d139bdaa7d90250418df7582663ccc298c04b8e52c0d5f4da1ecd34fb82dd424aacc67d8559bfdc2e2caf160b

    • SSDEEP

      3072:ZO3mR80/ohURN3X3JKXvhuVQPSoPf1DgaibTVxC2QfRPNrNwmpPFo4:ZOWxohUrXoXvUkSo+aGTPwPNrhb

    • Score

      1/10
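Two of the signatures above, "Checks computer location settings" (a registry lookup of the configured country code) and "Blocklisted process makes network request", are more telling in combination than alone: a geofence only gates what happens after it. The following is an added example, not from the sandbox report or the sandbox vendor, that runs that ordering heuristic over a constructed per-process API trace. It assumes the country code lives under `HKCU\Control Panel\International\Geo` (the value read by GetUserGeoID; the report names no key), assumes a `pid|api|argument` trace format and a small set of registry and network API names, and reuses the C2 domain from the extracted config to tag the network target. The trace lines are constructed for the example.

```python
"""Flag processes that read the Windows geo/country setting and then go online."""
from typing import Dict, List, Tuple

# Assumed registry location for the user's country code (the value behind
# GetUserGeoID); the report only says "country code configured in the registry".
GEO_KEY_FRAGMENT = r"control panel\international\geo"

# APIs treated as registry reads and as network activity. Names are assumed
# for this constructed trace, not taken from the report.
REGISTRY_APIS = {"RegOpenKeyExW", "RegQueryValueExW", "NtQueryValueKey"}
NETWORK_APIS = {"getaddrinfo", "DnsQuery_W", "connect", "InternetConnectW"}

# C2 domain from the extracted config.
C2_DOMAINS = {"allertmnemonkik.com"}

# Constructed API trace (pid|api|argument); not the report's own data.
SAMPLE_TRACE = r"""
4312|RegOpenKeyExW|HKCU\Control Panel\International\Geo
4312|RegQueryValueExW|HKCU\Control Panel\International\Geo\Nation
4312|getaddrinfo|allertmnemonkik.com
4312|connect|203.0.113.10:443
2200|RegQueryValueExW|HKCU\Software\Microsoft\Windows\CurrentVersion\Run
2200|getaddrinfo|update.example.invalid
5100|RegQueryValueExW|HKCU\Control Panel\International\Geo\Nation
6000|getaddrinfo|cdn.example.invalid
6000|RegQueryValueExW|HKCU\Control Panel\International\Geo\Nation
"""

Event = Tuple[str, str, str]


def parse_trace(text: str) -> List[Event]:
    """Parse pid|api|argument lines, skipping blanks and malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split("|", 2)
        if len(parts) == 3:
            events.append((parts[0], parts[1], parts[2]))
    return events


def is_geo_read(api: str, arg: str) -> bool:
    """True for a registry API call whose path touches the assumed geo key."""
    return api in REGISTRY_APIS and GEO_KEY_FRAGMENT in arg.lower()


def is_c2(target: str) -> bool:
    """True if a network target (host or host:port) is the C2 or a subdomain of it."""
    host = target.lower().split(":")[0].rstrip(".")
    return any(host == c2 or host.endswith("." + c2) for c2 in C2_DOMAINS)


def find_geofence_then_network(events: List[Event]) -> Dict[str, Dict[str, object]]:
    """Return pids whose geo lookup precedes a network call, with evidence.

    Order matters: a process that reads the key only after it is already
    online is not flagged, since the read cannot have gated the connection.
    Only the first network call after the read is recorded per pid.
    """
    geo_seen: Dict[str, int] = {}
    flagged: Dict[str, Dict[str, object]] = {}
    for idx, (pid, api, arg) in enumerate(events):
        if pid not in geo_seen and is_geo_read(api, arg):
            geo_seen[pid] = idx
        elif pid in geo_seen and pid not in flagged and api in NETWORK_APIS:
            flagged[pid] = {
                "geo_read_index": geo_seen[pid],
                "network_api": api,
                "network_target": arg,
                "known_c2": is_c2(arg),
            }
    return flagged


if __name__ == "__main__":
    for pid, info in find_geofence_then_network(parse_trace(SAMPLE_TRACE)).items():
        print(pid, info)
```

In the constructed trace only pid 4312 is flagged: 2200 reads an unrelated key, 5100 never goes online, and 6000 resolves a name before reading the key, so the read cannot have been a gate. Applied to a real sandbox or EDR trace, the `known_c2` flag separates "geofence followed by any network call" from "geofence followed by contact with this report's C2".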

MITRE ATT&CK Matrix (ATT&CK v6)

  • Discovery

    Query Registry (T1012): 1 matching signature

    System Information Discovery (T1082): 2 matching signatures

Tasks