icedid | b3d1372c49574568b70bb66817b27547024f3cceb70a4159b219096e851409ea | Triage

Submit
Reports

Overview

overview

Static

static

8

b549c1964d...5.docm

windows7-x64

b549c1964d...5.docm

windows10-2004-x64

Sharing

General

Target

baa0966b3cf54af493b2fe1186d65d48.bin
Size

1.3MB
Sample

230116-2bgjjaee24
MD5

b181959c54497870701cbea40b8e92f9
SHA1

1adb1586d95070c47ba05420985ccf71562999c0
SHA256

b3d1372c49574568b70bb66817b27547024f3cceb70a4159b219096e851409ea
SHA512

5059ae4b8c12e3054a99ff9511ea3196bcede0fc71508d160016dffb4d6d9c16377a5725abc1f4c27fee66efbfd18b7a9ad1beec8008a545a3a45b83cca80fd0
SSDEEP

24576:rBGh1UEFRL653ckyb40rEScvcKyJexApj1bCPzFGZ0+PXTZnQmiEGa0CBjcEz/QX:lGh1U2253PFL2KysQ1bPZ0+7tZ7VBjQR

Score

10^/10

icedid 1212497363 banker loader macro trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

b549c1964d73074e2cc05000743ac6cdcbf6f82d1bf8b0a430beb4a368feab95.docm

Resource

win7-20221111-en

windows7-x64

11 signatures

150 seconds

Behavioral task

behavioral2

Sample

b549c1964d73074e2cc05000743ac6cdcbf6f82d1bf8b0a430beb4a368feab95.docm

Resource

win10v2004-20220901-en

icedid 1212497363 banker loader trojan

windows10-2004-x64

9 signatures

150 seconds

Malware Config

Extracted

Family

icedid

Campaign

1212497363

C2

trbiriumpa.com

Targets

- Target
  
  b549c1964d73074e2cc05000743ac6cdcbf6f82d1bf8b0a430beb4a368feab95.docm
- Size
  
  1.3MB
- MD5
  
  baa0966b3cf54af493b2fe1186d65d48
- SHA1
  
  f003b0c3bec59255a80598cdcb870e60a46df404
- SHA256
  
  b549c1964d73074e2cc05000743ac6cdcbf6f82d1bf8b0a430beb4a368feab95
- SHA512
  
  cd45d649e7e6f76d74256df5ae7a14ba9418b877e4b565518cd7b8bdb19ed20a4acb5afa11a82167f224988b30df609af6b73c4a72156b57c33a99df3e33a0a3
- SSDEEP
  
  24576:/EpJmLOgHWi8bj11H2w5inpF7sONo/qiy7L9pvRDOG7EzqHm+Bmc0:/EpJmgf3zliFpp1KqG+U
Score

10^/10

icedid 1212497363 banker loader trojan
- IcedID, BokBot
  IcedID is a banking trojan capable of stealing credentials.
  trojan banker icedid
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Loads dropped DLL
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

icedid1212497363bankerloadertrojan

© 2018-2024

Terms | Privacy