icedid | fbb09d953c06b75882193e0b4916e8df7f39e5f9591dca2d621c9670a1b3c4f7

Resubmissions

06-02-2023 19:19

230206-x1rnksag2x 10

06-02-2023 19:07

230206-xsxvmafd69 1

Analysis

max time kernel
268s
max time network
271s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06-02-2023 19:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IcedID.dll
Size

310KB
MD5

c15f522222532867ad56db6def0b7ab0
SHA1

5556431bbd2fc48cb04a7e34ec037ddf5fb73de2
SHA256

fbb09d953c06b75882193e0b4916e8df7f39e5f9591dca2d621c9670a1b3c4f7
SHA512

85c557011e006ff7145085fdd63c92cacc70d06f26d11c6e0cbe4fdfdbb88f7a8bd3a02836c322fc79e6da38a857df776290444cddb4cab9ca1faa5ab0829945
SSDEEP

6144:bU7KTvQXacSovAunJ6dHbCVZlWXYqvEYsZN6b7UMMPr+6O3bB92o:bUOglSAJ6dHbyZlWXYqvmZ0b7Um6MB9V

Score

10^/10

icedid 1164203100 banker loader trojan

Malware Config

Extracted

Family

icedid

Campaign

1164203100

blodwarstayed.com

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
Blocklisted process makes network request 4 IoCs

Processes:

rundll32.exe

flow pid process

117 3672 rundll32.exe
122 3672 rundll32.exe
123 3672 rundll32.exe
124 3672 rundll32.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

3672 rundll32.exe
3672 rundll32.exe
Suspicious use of WriteProcessMemory 2 IoCs

Processes:

cmd.exe

description pid process target process

PID 4868 wrote to memory of 3672 4868 cmd.exe rundll32.exe
PID 4868 wrote to memory of 3672 4868 cmd.exe rundll32.exe

flow	pid	process
117	3672	rundll32.exe
122	3672	rundll32.exe
123	3672	rundll32.exe
124	3672	rundll32.exe

pid	process
3672	rundll32.exe
3672	rundll32.exe

description	pid	process	target process
PID 4868 wrote to memory of 3672	4868	cmd.exe	rundll32.exe
PID 4868 wrote to memory of 3672	4868	cmd.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\IcedID.dll,#1
1⤵
PID:3228

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4868

\??\c:\Windows\System32\rundll32.exe
rundll32.exe c:\Users\Admin\AppData\Local\Temp\IcedID.dll,init
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:3672

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3672-132-0x0000000000000000-mapping.dmp

Download
memory/3672-133-0x0000000180000000-0x0000000180009000-memory.dmp

Filesize
36KB

Download
memory/3672-139-0x0000026508980000-0x0000026508984000-memory.dmp

Filesize
16KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads