General

  • Target

    80ed859d-c469-47f1-9988-81e86f19bd80.hta

  • Size

    1KB

  • Sample

    230206-2evwbsgb84

  • MD5

    6c443cfc616d7be31e5acde5dd448270

  • SHA1

    0ea1549ecda0b8b3dd5047f91edd86c976aaca0d

  • SHA256

    380487985ceac130b4c40b143de11ecc73aab961ade2b775975ae6b3518b9ee2

  • SHA512

    5a1aa60cde4fb89e3b354c8cbba582587d173fb9e6379e26b89e49cc0fd96ce188c0f32e69b09cd5184d973f710c109baf2fa5f2248c00e4e3da560b6bce8e4a

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs (exe.dropper)

    http://bestsdealofworld.com/twain.png

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs (exe.dropper)

    https://transfer.sh/get/vpiHmi/invoice.pdf

Extracted

  • Family

    icedid

  • Campaign

    3954321778

  • C2

    ehonlionetodo.com

Targets

    • Target

      80ed859d-c469-47f1-9988-81e86f19bd80.hta

    • IcedID, BokBot

      IcedID is a banking trojan capable of stealing credentials.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Command-Line Interface (T1059): 1

  • Defense Evasion

    Modify Registry (T1112): 1

  • Credential Access

    Credentials in Files (T1081): 1

  • Discovery

    Query Registry (T1012): 2

    System Information Discovery (T1082): 5

    Remote System Discovery (T1018): 1

  • Collection

    Data from Local System (T1005): 1

    Email Collection (T1114): 1

Tasks