icedid | 9f8ff8da154960d17a3225675a85372e7a70aca93df8bdfb887eb22c16b4dfe3

Analysis

max time kernel
142s
max time network
150s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
15/06/2024, 17:02

Target

af7676dc809a385c9084b18121b56560_JaffaCakes118.dll
Size

211KB
MD5

af7676dc809a385c9084b18121b56560
SHA1

5e338c4b9355c7e78639857647fa3c7af63fed49
SHA256

9f8ff8da154960d17a3225675a85372e7a70aca93df8bdfb887eb22c16b4dfe3
SHA512

8093abff8e988f0563fa30ac8ca0158b6bf7a870180163d2c7e7b922998714775674fc5f1e497bc82db9f7b1702905d73584bafea18c4ac80b44e859437f1f4a
SSDEEP

6144:6ZLwpyyWMa3NIBkL6LDW8dTZdw702edvxiuYOO6umz4:6ZLwpyyHadIBkLIi8dTL2SvguYOO1mk

Score

10^/10

Family

icedid

ldrstar.casa

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

IcedID First Stage Loader 1 IoCs

loader

resource	yara_rule
behavioral1/memory/2976-1-0x00000000749D0000-0x0000000074A5C000-memory.dmp	IcedidFirstLoader

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 2976	2980	rundll32.exe	28
PID 2980 wrote to memory of 2976	2980	rundll32.exe	28
PID 2980 wrote to memory of 2976	2980	rundll32.exe	28
PID 2980 wrote to memory of 2976	2980	rundll32.exe	28
PID 2980 wrote to memory of 2976	2980	rundll32.exe	28
PID 2980 wrote to memory of 2976	2980	rundll32.exe	28
PID 2980 wrote to memory of 2976	2980	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\af7676dc809a385c9084b18121b56560_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\af7676dc809a385c9084b18121b56560_JaffaCakes118.dll,#1
  2⤵
  PID:2976

memory/2976-1-0x00000000749D0000-0x0000000074A5C000-memory.dmp

Filesize
560KB

Download
memory/2976-0-0x0000000074A03000-0x0000000074A07000-memory.dmp

Filesize
16KB

Download