icedid | 705e14735da74b107357a676c15b07c0f0c86888b8f98ba86e1029ff4e4858df

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
20/05/2024, 05:50

Target

5d7ce2398942eb03bd0065aea3d5da15_JaffaCakes118.dll
Size

406KB
MD5

5d7ce2398942eb03bd0065aea3d5da15
SHA1

8c1977305284f6ef719d6e92f0e90f069476a62a
SHA256

705e14735da74b107357a676c15b07c0f0c86888b8f98ba86e1029ff4e4858df
SHA512

a014ab056f924d3a037df8bbdd59cc8e3f95a25c5c6fed04a5a90aa848aca5af2700b4ae1367d9a92efe7eb82265c8c5ecf5e24ba251bc752c68ba49bece9fa6
SSDEEP

6144:MU/OLpMfiR6vtVIgyPFiChgkX7WOMeLpebnZgUe4A29pNwzg:MU/OLCf1LqPACIeoFa4A29Dwzg

Score

10^/10

Family

icedid

ldrruble.casa

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

IcedID First Stage Loader 1 IoCs

loader

resource	yara_rule
behavioral2/memory/3388-1-0x0000000075360000-0x000000007541F000-memory.dmp	IcedidFirstLoader

Blocklisted process makes network request 14 IoCs

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4412 wrote to memory of 3388	4412	rundll32.exe	83
PID 4412 wrote to memory of 3388	4412	rundll32.exe	83
PID 4412 wrote to memory of 3388	4412	rundll32.exe	83

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5d7ce2398942eb03bd0065aea3d5da15_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4412
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\5d7ce2398942eb03bd0065aea3d5da15_JaffaCakes118.dll,#1
  2⤵
  - Blocklisted process makes network request
  PID:3388

memory/3388-1-0x0000000075360000-0x000000007541F000-memory.dmp

Filesize
764KB

Download
memory/3388-0-0x00000000753C3000-0x00000000753C7000-memory.dmp

Filesize
16KB

Download