Overview

overview

10

Static

static

3

OBSESSOR/SUNLANDS.cmd

windows7-x64

1

OBSESSOR/SUNLANDS.cmd

windows10-2004-x64

1

OBSESSOR/WOOZIEST.dll

windows7-x64

3

OBSESSOR/WOOZIEST.dll

windows10-2004-x64

3

VANDALIC.lnk

windows7-x64

10

VANDALIC.lnk

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    INV_Scan_32.zip

  • Size

    518KB

  • Sample

    230426-vn35qsag33

  • MD5

    3e9c64bb43373f42d7578678b76fb2f9

  • SHA1

    c1f259f72a84c79fbd04a86f119925a176602a2c

  • SHA256

    5f69e700adcba2984bc3708a55cd75f19b0d79d251e4f0e2c0d1164444160a11

  • SHA512

    2e6ace92eb4d16dbe9e02b9c5ae338f8e8fc061acb55d212297f832b12c31e45214e256ad91db80354e7a5582f6228798cb1f4734d3ec83b801aa9a887e70d53

  • SSDEEP

    12288:vyKu+sNDbIeAbJ3WslEOWMnlhx6acczLN3GGQhlHRK:qKspjAYCzWuh0aJ3glHRK

Score
10/10
icedid1691396905bankerloadertrojan

Malware Config

Extracted

Family

icedid

Campaign

1691396905

C2

plitspiritnox.com

Targets

    • Target

      OBSESSOR/SUNLANDS.CMD

    • Size

      514B

    • MD5

      5faed7456689a1f3be114145965bf41a

    • SHA1

      0fbd2087c7dfa29bfec1bee79fffee707f1b73ae

    • SHA256

      7796913738f58c2956952616818ce6ac259848f4e0523961ad0010b1cbca4049

    • SHA512

      92a908394eed977be8d95f7aa229e77040cda9b5d085bb6f27544b89a52a00dfbfc216c65edb4b28b0f56324b79caae67cc685e9cbcd4bc156bce6ed6c15be27

    Score
    1/10
    behavioral1behavioral2

    • Target

      OBSESSOR/WOOZIEST.DAT

    • Size

      1.0MB

    • MD5

      a146dac7b641fff2c5c3c0cf320731aa

    • SHA1

      0b21a4b04e79565e26e4236772d4605fc39862e7

    • SHA256

      95ad74c1dff5293c49c955a4e77c17e6912c7b8d1fc8f5f4c6f05ac77a56a9ab

    • SHA512

      9fa32a0d1128c90b27c31080a767b6f5c34638a436c5573af9a990acab2973b7f93116509ffd4519e0a56572d2f1640f8c7dad9310153ca7c06a752ab95f9b19

    • SSDEEP

      24576:x7Vt9qfawrN27U1izzZaRbfp81L/Wm/nd6WrrUU9fQT:1BqfSU14Zadq1L/cWrrHfQ

    Score
    3/10
    behavioral3behavioral4

    • Target

      VANDALIC.LNK

    • Size

      1KB

    • MD5

      96166f754d78f1144fa55af22b5795ac

    • SHA1

      4c1927dbf486fdbd1888ca85ff2cca8680173f7d

    • SHA256

      99e23ccaeccbce27f28b52625aad17b46cf41dc1c67d427800f17c0c48f00f08

    • SHA512

      2636bfc0147ed8d473aa77aa65068d13473cdae0ca4a7c4040f4598f1eb16e30c9e09c1a8f97a7ffb8e45ec5c6bfa48f8333b51e89646cb61b96e1882baec89d

    Score
    10/10
    icedid1691396905bankerloadertrojan

    • IcedID, BokBot

      IcedID is a banking trojan capable of stealing credentials.

      trojanbankericedid

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    behavioral5behavioral6

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks