icedid | d4daab6448cab62e16091169f451e9b455a3607df6ceabccdd0610473d419a6c

Analysis

max time kernel
145s
max time network
146s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
27-05-2024 06:53

Target

7842245d79fd9098b32e0897ad5f2128_JaffaCakes118.dll
Size

429KB
MD5

7842245d79fd9098b32e0897ad5f2128
SHA1

6e9d24d1a3f72432e13b1e4aa60c2619018cfe4d
SHA256

d4daab6448cab62e16091169f451e9b455a3607df6ceabccdd0610473d419a6c
SHA512

dbbfb8b3f736af2e7a95c2a67bf03c9d07d7382f4e3ed52137018b2f1526d17f3a42a2fbcc707159828f02afd4ed9ab7bfc1a72c7b8159943b2110ee841b3550
SSDEEP

6144:XuqziSlVngSzGfmQ3E13fUYHZaV9CDCOn/vZa0Vap7jx:RznlxgeG+Q3s89CD9vZa0Qpp

Score

10^/10

Family

icedid

ldrphound.casa

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

IcedID First Stage Loader 1 IoCs

loader

resource	yara_rule
behavioral1/memory/788-0-0x0000000074930000-0x00000000749F1000-memory.dmp	IcedidFirstLoader

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 788	2168	regsvr32.exe	28
PID 2168 wrote to memory of 788	2168	regsvr32.exe	28
PID 2168 wrote to memory of 788	2168	regsvr32.exe	28
PID 2168 wrote to memory of 788	2168	regsvr32.exe	28
PID 2168 wrote to memory of 788	2168	regsvr32.exe	28
PID 2168 wrote to memory of 788	2168	regsvr32.exe	28
PID 2168 wrote to memory of 788	2168	regsvr32.exe	28

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\7842245d79fd9098b32e0897ad5f2128_JaffaCakes118.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\7842245d79fd9098b32e0897ad5f2128_JaffaCakes118.dll
  2⤵
  PID:788

memory/788-1-0x000000007499A000-0x000000007499E000-memory.dmp

Filesize
16KB

Download
memory/788-0-0x0000000074930000-0x00000000749F1000-memory.dmp

Filesize
772KB

Download