icedid | 2de6bde148b9a42a65f5dae36c903811e56d702d7d319900877f2d5d74273236

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
19-05-2024 02:43

Target

582ad51b14aec27c377e94075c8f7acb_JaffaCakes118.dll
Size

406KB
MD5

582ad51b14aec27c377e94075c8f7acb
SHA1

821f9c75558339044a1491db3165d5445b0a3f06
SHA256

2de6bde148b9a42a65f5dae36c903811e56d702d7d319900877f2d5d74273236
SHA512

a25fa0130b6a78deeaa3941a513a3da8aaa60d2439f1224274d8d7f290bf7cd4463c63678e8270ad8e89c70a7927302d9da427df51dcf5fb970d195c947c2fad
SSDEEP

6144:MU/OLpMfqR6vtVIgyPFiChgkX7WOMeLpebnZgUe4A29pNwz:MU/OLCftLqPACIeoFa4A29Dwz

Score

10^/10

Family

icedid

ldrruble.casa

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

IcedID First Stage Loader 1 IoCs

loader

resource	yara_rule
behavioral2/memory/3856-1-0x0000000075210000-0x00000000752CF000-memory.dmp	IcedidFirstLoader

Blocklisted process makes network request 14 IoCs

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4356 wrote to memory of 3856	4356	rundll32.exe	83
PID 4356 wrote to memory of 3856	4356	rundll32.exe	83
PID 4356 wrote to memory of 3856	4356	rundll32.exe	83

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\582ad51b14aec27c377e94075c8f7acb_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4356
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\582ad51b14aec27c377e94075c8f7acb_JaffaCakes118.dll,#1
  2⤵
  - Blocklisted process makes network request
  PID:3856

memory/3856-0-0x0000000075273000-0x0000000075277000-memory.dmp

Filesize
16KB

Download
memory/3856-1-0x0000000075210000-0x00000000752CF000-memory.dmp

Filesize
764KB

Download