icedid | c53e0f2ba4d0ff61ed41d31cb5671c96ba8a98afbf32f1e76cd88e5061c20370

Analysis

max time kernel
145s
max time network
146s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
01-06-2024 04:11

Target

89543cee712497575d6bece07fe87584_JaffaCakes118.dll
Size

429KB
MD5

89543cee712497575d6bece07fe87584
SHA1

06daf697bb24d67fabff710ad530eddd4919c3c8
SHA256

c53e0f2ba4d0ff61ed41d31cb5671c96ba8a98afbf32f1e76cd88e5061c20370
SHA512

0799b91b4e63c07d76bb72e2d5cd7be8e94a1eda715ebf9b5728ab4b7bee6b02519804c957838e370e7a930862a448a03558dfb02077ccac042dcace8c3e986c
SSDEEP

6144:XuqYiSlVngSzGfmQ3E13fUYHZaV9CDCOn/vZa0Vap7jxc:RYnlxgeG+Q3s89CD9vZa0Qppc

Score

10^/10

Family

icedid

ldrphound.casa

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

IcedID First Stage Loader 1 IoCs

loader

resource	yara_rule
behavioral1/memory/1144-0-0x0000000074620000-0x00000000746E1000-memory.dmp	IcedidFirstLoader

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1088 wrote to memory of 1144	1088	regsvr32.exe	28
PID 1088 wrote to memory of 1144	1088	regsvr32.exe	28
PID 1088 wrote to memory of 1144	1088	regsvr32.exe	28
PID 1088 wrote to memory of 1144	1088	regsvr32.exe	28
PID 1088 wrote to memory of 1144	1088	regsvr32.exe	28
PID 1088 wrote to memory of 1144	1088	regsvr32.exe	28
PID 1088 wrote to memory of 1144	1088	regsvr32.exe	28

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\89543cee712497575d6bece07fe87584_JaffaCakes118.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1088
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\89543cee712497575d6bece07fe87584_JaffaCakes118.dll
  2⤵
  PID:1144

memory/1144-1-0x000000007468A000-0x000000007468E000-memory.dmp

Filesize
16KB

Download
memory/1144-0-0x0000000074620000-0x00000000746E1000-memory.dmp

Filesize
772KB

Download