icedid | e1acdcf523f6bf29cd553ca1a93669105152573027fbc1a0d9564b4d3aa21116

Analysis

max time kernel
147s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17-06-2024 03:16

Target

e1acdcf523f6bf29cd553ca1a93669105152573027fbc1a0d9564b4d3aa21116.dll
Size

238KB
MD5

1baca172e73f892549e5b12dc32c6d93
SHA1

9594914e80c6cff476d4c4840ad89b86d636adfe
SHA256

e1acdcf523f6bf29cd553ca1a93669105152573027fbc1a0d9564b4d3aa21116
SHA512

3ab5866a74cadfd82ad962e83d11da9f330ea14c7d41788c105a8a1d9b95307749129975adbc27deb0736ecba481930a368d288539a295d345b212bbc2a72479
SSDEEP

3072:3cyTX/cSJmG1vE3mkBfS25wdz0ND42raiEqrR59RQjQdQNZQKM/tXQlQjmeb+xUQ:3J0Y/E3x5S26CBaiprRkGV1mebO1gl4

Score

10^/10

Family

icedid

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

IcedID Second Stage Loader 1 IoCs

loader

Processes:

resource	yara_rule
behavioral2/memory/4424-1-0x00000000750D0000-0x000000007511F000-memory.dmp	IcedidSecondLoader

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 4896 wrote to memory of 4424	4896	rundll32.exe	rundll32.exe
PID 4896 wrote to memory of 4424	4896	rundll32.exe	rundll32.exe
PID 4896 wrote to memory of 4424	4896	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e1acdcf523f6bf29cd553ca1a93669105152573027fbc1a0d9564b4d3aa21116.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4896
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\e1acdcf523f6bf29cd553ca1a93669105152573027fbc1a0d9564b4d3aa21116.dll,#1
  2⤵
  PID:4424

memory/4424-1-0x00000000750D0000-0x000000007511F000-memory.dmp

Filesize
316KB

Download
memory/4424-0-0x000000007510C000-0x0000000075110000-memory.dmp

Filesize
16KB

Download