icedid | 46e78b5423fccf1ddbf06a891e5b045e1d4fd866edad642c72f32ca5bf047a6c | Triage

Resubmissions

31-08-2023 15:41

230831-s48n2sga35 10

09-08-2023 15:31

230809-syhwfaea51 10

Sharing

General

Target

icedid.7z
Size

444KB
Sample

230809-syhwfaea51
MD5

4e12f1449f1418af598af4093547bca9
SHA1

1c9cd03b330156c01eb19259a1720ca7e51b1dc3
SHA256

46e78b5423fccf1ddbf06a891e5b045e1d4fd866edad642c72f32ca5bf047a6c
SHA512

bd7c89bd2de46f6eca2ac3fea79adabe22c5816839170f20a1dfb834165d037977efa045f20014501cd8da6693cfeb6dd13d3573803f3760518fb0e358c1b466
SSDEEP

12288:8XL9Gr+UbHTXOdNA9gGHoElYqmV4SSrLF9M16TS3:4xboO7AbHoEmV4SU4Q0

Score

10^/10

icedid 2646410796 banker core_loader core_payload spyware stealer trojan

Malware Config

Extracted

Family

icedid

Botnet

2646410796

C2

abigelofraj.com

yhorneedminf.com

Attributes

auth_var
16
url_path
/news/

Extracted

Family

icedid

rsa_pubkey.plain

Targets

- Target
  
  run.bat
- Size
  
  113B
- MD5
  
  ff87147c511387b378277ce81b53e788
- SHA1
  
  2ee95ab4c950efd247d54556ed6c96a7c183bc41
- SHA256
  
  8c8e43712d252ccbcde1ea70b3c76386858c53ab7ebbfd4ea696976f2a728fa5
- SHA512
  
  8d6e46006d7be571b528194b655135c39a3e45ae22119b3f7f1bdc60b4c4371385fb5dadd87974a8be63b8241fd043f8922a2d6c7a58f87cca1059dbfc9429e1
Score

10^/10

icedid 2646410796 banker core_loader core_payload spyware stealer trojan
- IcedID, BokBot
  IcedID is a banking trojan capable of stealing credentials.
  trojan banker icedid
- Blocklisted process makes network request
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

icedid2646410796bankercore_loadercore_payloadspywarestealertrojan