icedid | 6571b88739b154807adbbe7b8d3ff75543887405f066489fb773a2186b862132

Analysis

max time kernel
147s
max time network
152s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-05-2024 03:29

Target

7b8b3de47c3fd708b0bf453fac1ff706_JaffaCakes118.dll
Size

211KB
MD5

7b8b3de47c3fd708b0bf453fac1ff706
SHA1

ccf109d735ced74a4e45c6b6fdba0714134d3a69
SHA256

6571b88739b154807adbbe7b8d3ff75543887405f066489fb773a2186b862132
SHA512

0734d5ef4568a0fee0dd7fa2b932e4fdeaaea9737bf891805b5c09ddce52dad4e1ca01a705d3139db284b655a99283f282f8440eec237aefe16595fdce1f3b1c
SSDEEP

6144:6ZLwbyyWMa3NIBkL6LDW8dTZdw702edvxiuYOO6umz4N:6ZLwbyyHadIBkLIi8dTL2SvguYOO1mkN

Score

10^/10

Family

icedid

ldrstar.casa

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

IcedID First Stage Loader 1 IoCs

loader

Processes:

resource	yara_rule
behavioral1/memory/2292-2-0x0000000075390000-0x000000007541C000-memory.dmp	IcedidFirstLoader

Blocklisted process makes network request 34 IoCs

Processes:

rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2980 wrote to memory of 2292	2980	rundll32.exe	rundll32.exe
PID 2980 wrote to memory of 2292	2980	rundll32.exe	rundll32.exe
PID 2980 wrote to memory of 2292	2980	rundll32.exe	rundll32.exe
PID 2980 wrote to memory of 2292	2980	rundll32.exe	rundll32.exe
PID 2980 wrote to memory of 2292	2980	rundll32.exe	rundll32.exe
PID 2980 wrote to memory of 2292	2980	rundll32.exe	rundll32.exe
PID 2980 wrote to memory of 2292	2980	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7b8b3de47c3fd708b0bf453fac1ff706_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\7b8b3de47c3fd708b0bf453fac1ff706_JaffaCakes118.dll,#1
  2⤵
  - Blocklisted process makes network request
  PID:2292

memory/2292-2-0x0000000075390000-0x000000007541C000-memory.dmp

Filesize
560KB

Download
memory/2292-1-0x00000000753C3000-0x00000000753C7000-memory.dmp

Filesize
16KB

Download