icedid | 11477570729[.]zip

General

Target

11477570729.zip
Size

4KB
MD5

9f9ca91d63271130d823a56a7b3a6c8a
SHA1

c89108715d3c04120b1b40be59b1926074ada9a4
SHA256

ce761d26a1e719f03e1df0ffb16bbe155be54913b9b3908d3d77e180c679c045
SHA512

b3113e552a8d8cd19a0f1fa62da251ac8a601aff245f92094be26fc3f1d55680467d753f4ff2a0c5c7e63a739ef21b830bcee199f9e3d812f8bcfb7814daeafb
SSDEEP

96:KKqHRpeRMGQ23HwhtmnX/vfxPMW7Hup0fuSGT8SJH/y2EoxTz+4LTrqFT:mURMd23HGYX/vfuW4B8sBd+4LST

Score

10^/10

loader 2258898682 icedid

Malware Config

Extracted

Family

icedid

Botnet

2258898682

C2

enricowilli.top

lagunaway.top

Attributes

auth_var
1
url_path
/audio/

Signatures

IcedID Second Stage Loader 1 IoCs

loader

resource	yara_rule
static1/unpack001/13722a792fb9e2fa442f7d27a90af6104dc3fedd50971dace25c08f91a3de68b	IcedidSecondLoader

Icedid family
icedid

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/13722a792fb9e2fa442f7d27a90af6104dc3fedd50971dace25c08f91a3de68b

Files

11477570729.zip
.zip

Password: infected
13722a792fb9e2fa442f7d27a90af6104dc3fedd50971dace25c08f91a3de68b
.exe windows x86

6ef9fc3b824d44b454eb43ca834c20b8

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

advapi32

GetUserNameA

shell32

SHGetFolderPathA

winhttp

WinHttpSetStatusCallback
WinHttpSendRequest
WinHttpQueryDataAvailable
WinHttpCloseHandle
WinHttpSetOption
WinHttpOpenRequest
WinHttpReadData
WinHttpQueryHeaders
WinHttpOpen
WinHttpReceiveResponse
WinHttpConnect

kernel32

HeapReAlloc
MultiByteToWideChar
ExitProcess
lstrcpyA
Sleep
VirtualAlloc
VirtualProtect
GetModuleFileNameA
CreateDirectoryA
lstrcatA
lstrlenA
GetFileSize
HeapAlloc
CloseHandle
CreateFileA
HeapFree
GetProcessHeap
ReadFile
WriteFile

user32

wsprintfA

Sections

.text
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

bss
Size: - Virtual size: 4B

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 592B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 512B - Virtual size: 196B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

Password: infected

6ef9fc3b824d44b454eb43ca834c20b8

Headers

DLL Characteristics

File Characteristics

Imports

advapi32

shell32

winhttp

kernel32

user32

Sections

.text Size: 4KB - Virtual size: 3KB

bss Size: - Virtual size: 4B

.rdata Size: 1KB - Virtual size: 1KB

.data Size: 1024B - Virtual size: 592B

.reloc Size: 512B - Virtual size: 196B

.text
Size: 4KB - Virtual size: 3KB

bss
Size: - Virtual size: 4B

.rdata
Size: 1KB - Virtual size: 1KB

.data
Size: 1024B - Virtual size: 592B

.reloc
Size: 512B - Virtual size: 196B