icedid | d4cec5888bdcc4723be0d28197fc454ba21b926e32b94102261d0c7593c7481e | Triage

Sharing

General

Target

Scan_02_01_#234.hta
Size

23KB
Sample

230201-2lzsvsch68
MD5

06cc58468a0ece21d6c19816a453fb73
SHA1

fe5fd9576f5a2c5179d9750afdf22390197bc556
SHA256

d4cec5888bdcc4723be0d28197fc454ba21b926e32b94102261d0c7593c7481e
SHA512

079fa78797078a57fffb32b081dc9aa2ba8c087fe8eaad09b067db0b07f35b62f8ca20b365d0cc7b7e36eca8fada3f9a5259ebc4ed128f80b076436647e0e9d5
SSDEEP

384:W5EAr748f/yhahejGBOKzBFVJGPzR8t8IF4bhNuTeHUzhTIwhxc6:mfqYzyONgUTj

Score

10^/10

icedid 3230313353 banker loader trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://restlomik.com/gatef.php

Extracted

Family

icedid

Campaign

3230313353

C2

prahmatorn.com

Targets

- Target
  
  Scan_02_01_#234.hta
- Size
  
  23KB
- MD5
  
  06cc58468a0ece21d6c19816a453fb73
- SHA1
  
  fe5fd9576f5a2c5179d9750afdf22390197bc556
- SHA256
  
  d4cec5888bdcc4723be0d28197fc454ba21b926e32b94102261d0c7593c7481e
- SHA512
  
  079fa78797078a57fffb32b081dc9aa2ba8c087fe8eaad09b067db0b07f35b62f8ca20b365d0cc7b7e36eca8fada3f9a5259ebc4ed128f80b076436647e0e9d5
- SSDEEP
  
  384:W5EAr748f/yhahejGBOKzBFVJGPzR8t8IF4bhNuTeHUzhTIwhxc6:mfqYzyONgUTj
Score

10^/10

icedid 3230313353 banker loader trojan
- IcedID, BokBot
  IcedID is a banking trojan capable of stealing credentials.
  trojan banker icedid
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

icedid3230313353bankerloadertrojan

behavioral2

icedid3230313353bankerloadertrojan