icedid | ea1d92c3d94727066636b93e3cfe85331eb2865e15f86bc20978be99272ddb0d

Analysis

max time kernel
146s
max time network
147s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16-05-2024 20:24

Target

4ce06b6759df2f433c1da9a8100d3c03_JaffaCakes118.dll
Size

214KB
MD5

4ce06b6759df2f433c1da9a8100d3c03
SHA1

c2468348f90f1dd05962bf93c9ab1833e7bad115
SHA256

ea1d92c3d94727066636b93e3cfe85331eb2865e15f86bc20978be99272ddb0d
SHA512

9e611a944a8f8eecf7cbbfc70c6e25904095c400db72b1f45e3028a7f187a77d2c785c7b7e25bf8733453bfa01934c3e29eb93ddde09e23ce3da3435a0404e9c
SSDEEP

6144:54+U6OuehTIXJnxeecA9ikbl4yB6ETGzM0yT:a+U6O7eh9cA/lV6ETGw0yT

Score

10^/10

Family

icedid

ldrshekel.casa

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

IcedID First Stage Loader 1 IoCs

loader

resource	yara_rule
behavioral1/memory/2028-2-0x0000000074900000-0x0000000074997000-memory.dmp	IcedidFirstLoader

Blocklisted process makes network request 32 IoCs

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 2028	2080	rundll32.exe	28
PID 2080 wrote to memory of 2028	2080	rundll32.exe	28
PID 2080 wrote to memory of 2028	2080	rundll32.exe	28
PID 2080 wrote to memory of 2028	2080	rundll32.exe	28
PID 2080 wrote to memory of 2028	2080	rundll32.exe	28
PID 2080 wrote to memory of 2028	2080	rundll32.exe	28
PID 2080 wrote to memory of 2028	2080	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4ce06b6759df2f433c1da9a8100d3c03_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\4ce06b6759df2f433c1da9a8100d3c03_JaffaCakes118.dll,#1
  2⤵
  - Blocklisted process makes network request
  PID:2028

memory/2028-0-0x0000000074934000-0x0000000074938000-memory.dmp

Filesize
16KB

Download
memory/2028-1-0x0000000074900000-0x0000000074997000-memory.dmp

Filesize
604KB

Download
memory/2028-2-0x0000000074900000-0x0000000074997000-memory.dmp

Filesize
604KB

Download
memory/2028-4-0x0000000074934000-0x0000000074938000-memory.dmp

Filesize
16KB

Download