icedid | 933819bbe631a47e9d755348e17bb47f3f2c10cde644c5a5a86e6d63fbd67299 | Triage

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 13:30

Sharing

Report Analysis Logs

General

Target

core.bat
Size

180B
MD5

80270eb55332f947de65daea11a7d9f4
SHA1

93e8ed14b54c3ee023958709d1947f337199e12c
SHA256

4d115964cb077eae5971f80fc37db395309af4a4cc2815710d626f4e2d2f0234
SHA512

7c0b698f2a30ada6ae94ae3e9a202cf1983df388185fe6a8db840f577271b82ba91b71eaf87d005f0dcec6d86b64904f950d54679a075a4269adf13c04a80d5b

Score

10^/10

icedid 1677997313 banker core_loader trojan

Malware Config

Extracted

Family

icedid

Botnet

1677997313

C2

asrspoe.com

aviospe.com

Attributes

auth_var
13
url_path
/news/

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
Icedid family
icedid

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 2512	2272	cmd.exe	31
PID 2272 wrote to memory of 2512	2272	cmd.exe	31
PID 2272 wrote to memory of 2512	2272	cmd.exe	31

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\core.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\trick-.tmp,DllMain /i="license.dat"
  2⤵
  PID:2512

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2512-2-0x0000000000120000-0x0000000000125000-memory.dmp

Filesize
20KB

Download