icedid | 2de6bde148b9a42a65f5dae36c903811e56d702d7d319900877f2d5d74273236

Analysis

max time kernel
145s
max time network
145s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19-05-2024 02:43

Target

582ad51b14aec27c377e94075c8f7acb_JaffaCakes118.dll
Size

406KB
MD5

582ad51b14aec27c377e94075c8f7acb
SHA1

821f9c75558339044a1491db3165d5445b0a3f06
SHA256

2de6bde148b9a42a65f5dae36c903811e56d702d7d319900877f2d5d74273236
SHA512

a25fa0130b6a78deeaa3941a513a3da8aaa60d2439f1224274d8d7f290bf7cd4463c63678e8270ad8e89c70a7927302d9da427df51dcf5fb970d195c947c2fad
SSDEEP

6144:MU/OLpMfqR6vtVIgyPFiChgkX7WOMeLpebnZgUe4A29pNwz:MU/OLCftLqPACIeoFa4A29Dwz

Score

10^/10

Family

icedid

ldrruble.casa

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

IcedID First Stage Loader 1 IoCs

loader

Processes:

resource	yara_rule
behavioral1/memory/2060-1-0x0000000075040000-0x00000000750FF000-memory.dmp	IcedidFirstLoader

Blocklisted process makes network request 30 IoCs

Processes:

rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2476 wrote to memory of 2060	2476	rundll32.exe	rundll32.exe
PID 2476 wrote to memory of 2060	2476	rundll32.exe	rundll32.exe
PID 2476 wrote to memory of 2060	2476	rundll32.exe	rundll32.exe
PID 2476 wrote to memory of 2060	2476	rundll32.exe	rundll32.exe
PID 2476 wrote to memory of 2060	2476	rundll32.exe	rundll32.exe
PID 2476 wrote to memory of 2060	2476	rundll32.exe	rundll32.exe
PID 2476 wrote to memory of 2060	2476	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\582ad51b14aec27c377e94075c8f7acb_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2476
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\582ad51b14aec27c377e94075c8f7acb_JaffaCakes118.dll,#1
  2⤵
  - Blocklisted process makes network request
  PID:2060

memory/2060-1-0x0000000075040000-0x00000000750FF000-memory.dmp

Filesize
764KB

Download
memory/2060-0-0x00000000750A3000-0x00000000750A7000-memory.dmp

Filesize
16KB

Download