icedid | 2811b96344264d2752dfe7fa5c0d124444a2337745bb66c3836e406c7df2b916

General

Target

给老子冲.rar
Size

10.9MB
Sample

230429-gkgwfaaa24
MD5

c65b0e8e4e78468a519bad848691ff26
SHA1

4dcac9a2024acb975310eaf26c17aaf40d093fd9
SHA256

2811b96344264d2752dfe7fa5c0d124444a2337745bb66c3836e406c7df2b916
SHA512

585c3e967a50eda2b547e84d5c5207e67768ad283c2514daf2384843845813110a227c7e2b4f4458c1996a0c3cc3edae9019bf2868980b54e8b5d7811e054feb
SSDEEP

196608:6lR10VvZGfg/XCenZEH7coQlv90BfsEtUJ3FtE73jkzAKMwzMWHnNxgtHe45ixpd:6l8VRy42PQtiBfht2w7jkcQngtHD5g9t

Score

10^/10

Malware Config

Extracted

Family

icedid

Targets

- Target
  
  给老子冲/影流之王🈹 (10).exe
- Size
  
  5.0MB
- MD5
  
  22ba843c2cfd43aaf712b80b40e8b4f0
- SHA1
  
  b8ea71676e0651b7d918a16473a030c1014b7ffd
- SHA256
  
  76dee725ec290d43a66d16054121085868030a2af49fb0c5affc471c50984bd7
- SHA512
  
  5fbae872c164e80ff042aca5d4821ff14c47f2889dce7557ee4d7a2f5a4d7a4ac7d183f3dfe6144e210fa1621080de874dd30f7a7827032ebe3ec935799f6ac1
- SSDEEP
  
  49152:NtErfhsOSMa1xYus4Q2D2TgG6hN3gSVsmqoyeBe4:NtEbfa1xNL2g3mrEBX
Score

10^/10

icedid matiex banker keylogger loader miner stealer trojan
- IcedID, BokBot
  IcedID is a banking trojan capable of stealing credentials.
  trojan banker icedid
- Matiex
  Matiex is a keylogger and infostealer first seen in July 2020.
  stealer keylogger matiex
- Matiex Main payload
- Detectes Phoenix Miner Payload
  miner
behavioral1 behavioral2
- Target
  
  给老子冲/影流之王🈹 (5).exe
- Size
  
  1.1MB
- MD5
  
  98e247275859543e4f338a906b7a0e2d
- SHA1
  
  cbc75272194f9b96719635e5a1ad347e8aaeb972
- SHA256
  
  c4318f631e8c30ff72114876c9fb3e435941b5bf18ab969c53c26483e5699eb8
- SHA512
  
  04cd9e7fd6f36ccdb4fb64ec86fa5c38d2997849f7330c63bf0db4286cea2a8588600afdec8a56ade39c0e718d5e235e762757295e0e745503ebbb147fde1d9a
- SSDEEP
  
  24576:G2Bf9f3u+9UjIS1Nl1JPSAqn4HuuwOBJM12nYELdGCLE:G27f3kFaA6intW
Score

7^/10

persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral3 behavioral4
- Target
  
  给老子冲/影流之王🈹 (7).exe
- Size
  
  10.7MB
- MD5
  
  a090c26b4be46ffdf226a0b7a453f51f
- SHA1
  
  6a1743d359bef4ee18fdee6a6bf5199e69f07cfb
- SHA256
  
  bb93f0838f72a557c09e03593360e5458ab7d43921773d3961287a28201289ef
- SHA512
  
  83c90f4efff01cb84bb97030c84bac212b8b143723c7f1f3ecd3379000be85de3850d211519c2d429ebf4dba8b555c3a9a4c9a77f6ab856630907da681822691
- SSDEEP
  
  196608:/NQqSiD+bU2fbWzTRdtMQ4GraMTsGhbgOp4m:hmfqXtMQPravGh0Oym
Score

10^/10

xmrig evasion miner themida trojan
- Suspicious use of NtCreateUserProcessOtherParentProcess
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- XMRig Miner payload
  miner
- Drops file in Drivers directory
- Stops running service(s)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Loads dropped DLL
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral5 behavioral6