icedid | c815343206eab5b6d29bea2d12f02bf8f446944554f053203afc414acc77e859 | Triage

Submit
Reports

Overview

overview

Static

static

1

2.hta

windows7-x64

2.hta

windows10-2004-x64

Sharing

General

Target

2.hta
Size

1KB
Sample

230204-1z3w1aeg88
MD5

78b6f14f36098c269c3d03a29eb35bc8
SHA1

afd76bfe0d6ac105730b218152d0a650b6a869b7
SHA256

c815343206eab5b6d29bea2d12f02bf8f446944554f053203afc414acc77e859
SHA512

57b5a24f6c2610961e5c08d64872290d5b1399a80fc4335e60b88e3d20a679576a108d313b9a710b59e604732e0ea6e91313d65e16a10eb3eda3fe4e503d9712

Score

10^/10

icedid 3954321778 banker collection loader spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

2.hta

Resource

win7-20220812-en

icedid 3954321778 banker collection loader spyware stealer trojan

windows7-x64

18 signatures

150 seconds

Behavioral task

behavioral2

Sample

2.hta

Resource

win10v2004-20221111-en

icedid 3954321778 banker collection loader spyware stealer trojan

windows10-2004-x64

22 signatures

150 seconds

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://helthbrotthersg.com/view.png

Extracted

Language

ps1

Source

URLs

exe.dropper

https://transfer.sh/get/vpiHmi/invoice.pdf

Extracted

Family

icedid

Campaign

3954321778

C2

ehonlionetodo.com

Targets

- Target
  
  2.hta
- Size
  
  1KB
- MD5
  
  78b6f14f36098c269c3d03a29eb35bc8
- SHA1
  
  afd76bfe0d6ac105730b218152d0a650b6a869b7
- SHA256
  
  c815343206eab5b6d29bea2d12f02bf8f446944554f053203afc414acc77e859
- SHA512
  
  57b5a24f6c2610961e5c08d64872290d5b1399a80fc4335e60b88e3d20a679576a108d313b9a710b59e604732e0ea6e91313d65e16a10eb3eda3fe4e503d9712
Score

10^/10

icedid 3954321778 banker collection loader spyware stealer trojan
- IcedID, BokBot
  IcedID is a banking trojan capable of stealing credentials.
  trojan banker icedid
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Remote System Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

icedid3954321778bankercollectionloaderspywarestealertrojan

behavioral2

icedid3954321778bankercollectionloaderspywarestealertrojan

© 2018-2024

Terms | Privacy