icedid | 82a6d212f086dd24fc5aacb8632020f459aa64783aec9bb9a33275e5aaf58353 | Triage

Analysis

max time kernel
92s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
13-03-2023 16:29

Sharing

Report Analysis Logs

General

Target

run.bat
Size

53B
MD5

af3982e63bd6117a6da9735eaf3961c3
SHA1

81e9edb76f4dd178df7c0d79a0a1cbc875b0113f
SHA256

fb31610299ecc6455c4832c8d355b08d9cdeb57ebf3f780e376feaf6956739b8
SHA512

6d2216f375cd42ec2fa1559f487b410ba90b0514ab74c9678ef4f71d28c64444679ba45d27e11267f596ef390f881dfb1f5c6c159e53f63a16418736ee9f87fa

Score

10^/10

icedid 998075300 banker core_loader trojan

Malware Config

Extracted

Family

icedid

Botnet

998075300

C2

blomskavino.com

alishaskainz.com

Attributes

auth_var
22
url_path
/news/

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
Suspicious use of WriteProcessMemory 2 IoCs

Processes:

cmd.exe

description pid process target process

PID 1996 wrote to memory of 4448 1996 cmd.exe rundll32.exe
PID 1996 wrote to memory of 4448 1996 cmd.exe rundll32.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\run.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\system32\rundll32.exe
rundll32.exe hockey32.tmp,init --olquwo="license.dat"
2⤵
PID:4448

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4448-133-0x0000000180000000-0x0000000180005000-memory.dmp

Filesize
20KB

Download
memory/4448-137-0x0000000180000000-0x0000000180005000-memory.dmp

Filesize
20KB

Download
memory/4448-138-0x0000000180000000-0x0000000180005000-memory.dmp

Filesize
20KB

Download
memory/4448-139-0x0000016365C00000-0x0000016365C01000-memory.dmp

Filesize
4KB

Download