icedid | icedlicense[.]dll

Sharing

Copy URL

Twitter E-mail

General

Target

icedlicense.dll
Size

352KB
MD5

11965662e146d97d3fa3288e119aefb2
SHA1

b63d7ad26df026f6cca07eae14bb10a0ddb77f41
SHA256

d45b3f9d93171c29a51f9c8011cd61aa44fcb474d59a0b68181bb690dbbf2ef5
SHA512

06594c479e2291afd92a0c65c41045304284c46105b28a5ef66f0c82c5842e5dd7d257a7a291ea72846307ece18fd36376488b2f35a6c14b71d2bd2fbe808c64
SSDEEP

6144:tlKrvv+ji9a/DvJiasRASnilvy1fj2YbOe1sOPKW+8kRLWZrL:ur+jsa/Dv8asRBnid+fjjbMOPKW+zRLG

Score

10^/10

core_payload icedid

Malware Config

Extracted

Family

icedid

rsa_pubkey.plain

Signatures

Icedid family
icedid

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
icedlicense.dll

Files

icedlicense.dll
.dll windows:6 windows x64 arch:x64

a8fc15ab07f233aa3f87f33c0fe09875

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

gdiplus

GdipSaveImageToFile
GdipDisposeImage
GdipCreateBitmapFromHBITMAP
GdiplusStartup

netapi32

NetWkstaGetInfo
NetGetJoinInformation
NetApiBufferFree

user32

ReleaseDC
GetWindowDC
GetDesktopWindow
GetForegroundWindow
CharLowerA
wsprintfW
wsprintfA
GetCursorPos
GetWindowRect

shlwapi

StrStrIW
StrCmpNIW
StrToIntA
StrToIntExA
StrCmpNIA
StrStrIA
StrStrA
SHSetValueA
StrCmpIW
PathFindFileNameA
StrChrW
StrChrA

crypt32

CertEnumCertificatesInStore
CertAddCertificateContextToStore
CertControlStore
CertGetIntendedKeyUsage
CertGetNameStringA
CertCreateSelfSignCertificate
CertGetCertificateContextProperty
CryptSignAndEncodeCertificate
CryptEncodeObject
CryptExportPublicKeyInfoEx
CertStrToNameA
CryptUnprotectData
CertCloseStore
CertFreeCertificateContext
CertDuplicateCertificateContext
CertCreateCertificateContext
CertSetCertificateContextProperty
CertOpenStore

gdi32

GetStockObject
SelectObject
Ellipse
DeleteObject
DeleteDC
CreatePen
CreateCompatibleBitmap
BitBlt
CreateCompatibleDC

ntdll

ZwQuerySystemInformation
RtlGetVersion
NtWriteVirtualMemory
NtProtectVirtualMemory
RtlTimeToSecondsSince1970
RtlDecompressBuffer
NtAllocateVirtualMemory

winhttp

WinHttpCrackUrl
WinHttpQueryOption
WinHttpReadData
WinHttpQueryDataAvailable
WinHttpOpen
WinHttpSetOption
WinHttpOpenRequest
WinHttpSendRequest
WinHttpReceiveResponse
WinHttpQueryHeaders
WinHttpSetStatusCallback
WinHttpConnect
WinHttpCloseHandle

rpcrt4

UuidFromStringW
UuidFromStringA

ws2_32

accept
WSAGetLastError
setsockopt
send
select
closesocket
inet_ntoa
WSAStartup
connect
ioctlsocket
listen
bind
recv
socket
WSACreateEvent
WSAEnumNetworkEvents
WSAEventSelect
gethostbyname
WSASetLastError
shutdown
inet_addr

advapi32

LookupAccountNameW
RegOpenKeyExA
RegQueryValueExA
CryptAcquireContextA
CredFree
CredEnumerateW
RegQueryValueExW
RegEnumKeyExA
RegCreateKeyExA
CryptGenKey
CryptVerifySignatureA
InitiateSystemShutdownExA
CryptImportKey
CryptDestroyKey
LookupPrivilegeValueA
AdjustTokenPrivileges
RegEnumValueA
RegDeleteValueA
RegSetValueExA
RegOpenKeyA
RegDeleteKeyA
RegCreateKeyA
ConvertSidToStringSidA
CryptAcquireContextW
GetTokenInformation
GetSidSubAuthorityCount
GetSidSubAuthority
GetSidIdentifierAuthority
OpenProcessToken
GetUserNameW
GetUserNameA
CryptDestroyHash
CryptReleaseContext
CryptGetHashParam
RegCloseKey
CryptCreateHash
CryptHashData

oleaut32

SysAllocStringLen
SysStringLen
SysFreeString

shell32

ShellExecuteExA
SHGetFolderPathW
SHGetFolderPathA

secur32

InitSecurityInterfaceA

ole32

CoInitializeEx
CoInitialize
CoCreateInstance
CoTaskMemFree

kernel32

GetWindowsDirectoryA
GetSystemDirectoryA
ResumeThread
UnregisterWait
RegisterWaitForSingleObject
CreateRemoteThread
GetFileSize
FindNextFileA
FindFirstFileA
FindClose
CreateFileW
ExpandEnvironmentStringsA
MultiByteToWideChar
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
InitializeCriticalSection
QueueUserAPC
SleepEx
CreateEventW
CreateFileA
OpenProcess
TerminateThread
CreateThread
OpenEventA
CreateEventA
SetEvent
CopyFileA
lstrcmpiA
DeleteFileA
GetTickCount64
WideCharToMultiByte
IsWow64Process
CreateProcessA
TerminateProcess
WaitForSingleObject
HeapReAlloc
PeekNamedPipe
CreatePipe
WriteFile
SystemTimeToFileTime
FreeLibrary
LoadLibraryA
LocalAlloc
DeleteFileW
SetFilePointer
SetErrorMode
GetProcAddress
ReadFile
LocalFree
GetNativeSystemInfo
GetComputerNameExW
GetTickCount
SwitchToThread
QueryPerformanceFrequency
QueryPerformanceCounter
lstrlenW
lstrcatW
lstrcatA
GetTempPathA
GetTempPathW
CreateDirectoryW
CreateDirectoryA
lstrlenA
GetLocalTime
GetCurrentProcessId
OutputDebugStringA
lstrcpyA
GetProductInfo
ExitProcess
CreateMutexA
GetSystemTimeAsFileTime
GetSystemTime
Sleep
CloseHandle
GetModuleHandleA
GetProcessHeap
HeapFree
GetLastError
HeapAlloc
WaitForMultipleObjects

msvcrt

_vsnprintf
memset
memcpy

iphlpapi

GetAdaptersInfo

Exports

Exports

fixed_loader64.dll

Sections

.text
Size: 122KB - Virtual size: 122KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.relocs
Size: 24KB - Virtual size: 24KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 178KB - Virtual size: 178KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata1
Size: 256B - Virtual size: 256B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata2
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

a8fc15ab07f233aa3f87f33c0fe09875

Headers

DLL Characteristics

File Characteristics

Imports

gdiplus

netapi32

user32

shlwapi

crypt32

gdi32

ntdll

winhttp

rpcrt4

ws2_32

advapi32

oleaut32

shell32

secur32

ole32

kernel32

msvcrt

iphlpapi

Exports

Exports

Sections

.text Size: 122KB - Virtual size: 122KB

.relocs Size: 24KB - Virtual size: 24KB

.rdata Size: 178KB - Virtual size: 178KB

.rdata1 Size: 256B - Virtual size: 256B

.rdata2 Size: 6KB - Virtual size: 6KB

.text
Size: 122KB - Virtual size: 122KB

.relocs
Size: 24KB - Virtual size: 24KB

.rdata
Size: 178KB - Virtual size: 178KB

.rdata1
Size: 256B - Virtual size: 256B

.rdata2
Size: 6KB - Virtual size: 6KB