Malware Analysis Report

2024-10-18 23:49

Sample ID 231226-hpb2esaed8
Target 5ae69919b04e327eb4ee730c8b978d54
SHA256 059cf6b7fd6d318ae3a7a27fa89361cbeb11319fdd0f19352c02545ff9a88454
Tags icedid 1741433514 banker loader trojan
Score 10/10


Analysis Overview


Threat Level: Known bad

The file 5ae69919b04e327eb4ee730c8b978d54 was found to be: Known bad.

Malicious Activity Summary

icedid 1741433514 banker loader trojan

IcedID, BokBot

Unsigned PE

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported 2023-12-26 06:54

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2023-12-26 06:54
Reported 2024-01-06 02:32
Platform win7-20231215-en
Max time kernel 127s
Max time network 126s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\5ae69919b04e327eb4ee730c8b978d54.dll

Signatures

IcedID, BokBot

trojan banker icedid

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\5ae69919b04e327eb4ee730c8b978d54.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 aws.amazon.com udp
US 3.162.13.154:443 aws.amazon.com tcp
US 8.8.8.8:53 ferrelosaakolo.top udp

Files

memory/2180-0-0x0000000000130000-0x0000000000184000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabA085.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\TarA0C7.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d2919ab0936ebfd5fe2c19f27fce5443
SHA1 7712911348873f1c0555d854d6f52081bff4815a
SHA256 636331d8bb7a2425a72e538ed29263744225345ae4b77191f53aa59a1333c643
SHA512 78a74ccc77067f761b914a82d90cf17c47fd71ddea4991338daaed11dab62032a216921649ec7c49b8d953a2f96abc8f9e82105dbde50030ba1b46c108207ae8

Analysis: behavioral2

Detonation Overview

Submitted 2023-12-26 06:54
Reported 2024-01-06 02:31
Platform win10v2004-20231222-en
Max time kernel 144s
Max time network 4s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\5ae69919b04e327eb4ee730c8b978d54.dll

Signatures

IcedID, BokBot

trojan banker icedid

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\5ae69919b04e327eb4ee730c8b978d54.dll

Network


Files

memory/4004-0-0x00000000029C0000-0x0000000002A14000-memory.dmp