icedid | 89e881e0beb8adc93f3b45e835e68355e855d951a44d18153b7f042989b353e0

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
02-05-2024 10:26

Target

0e3d9982ef71756615d59ccd5d05abbe_JaffaCakes118.dll
Size

406KB
MD5

0e3d9982ef71756615d59ccd5d05abbe
SHA1

c089fb31acf2284b4c33df45696b3750d98ae19c
SHA256

89e881e0beb8adc93f3b45e835e68355e855d951a44d18153b7f042989b353e0
SHA512

241b56a8fe6af00d80d4757522eefbc9e135e878b938b8eca4b8be6aae9411629d7687e1f476e8cd7a0957d6f1fce59fc9726011185e702dc0d5c501c1457a3a
SSDEEP

6144:MU/OLpMfgR6vtVIgyPFiChgkX7WOMeLpebnZgUe4A29pNwz:MU/OLCfvLqPACIeoFa4A29Dwz

Score

10^/10

Family

icedid

ldrruble.casa

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

IcedID First Stage Loader 1 IoCs

loader

Processes:

resource	yara_rule
behavioral2/memory/3164-1-0x0000000075680000-0x000000007573F000-memory.dmp	IcedidFirstLoader

Blocklisted process makes network request 13 IoCs

Processes:

rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 3828 wrote to memory of 3164	3828	rundll32.exe	rundll32.exe
PID 3828 wrote to memory of 3164	3828	rundll32.exe	rundll32.exe
PID 3828 wrote to memory of 3164	3828	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0e3d9982ef71756615d59ccd5d05abbe_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3828

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0e3d9982ef71756615d59ccd5d05abbe_JaffaCakes118.dll,#1
2⤵
- Blocklisted process makes network request
PID:3164

memory/3164-0-0x00000000756E3000-0x00000000756E7000-memory.dmp

Filesize
16KB

Download
memory/3164-1-0x0000000075680000-0x000000007573F000-memory.dmp

Filesize
764KB

Download