Overview

overview

10

Static

static

3

core.bat

windows7-x64

10

core.bat

windows10-2004-x64

10

planet64.dll

windows7-x64

10

planet64.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    22-12-2024 19:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    core.bat

  • Size

    184B

  • MD5

    4da584cc0a5ded0c902627093ab8721b

  • SHA1

    a6bb30b50718813a72cbd58ba148bc3c9a17c3f0

  • SHA256

    bcc176e2ec1bddb1518bcacb07fef99fe1812e204e990424549f11862aaa757c

  • SHA512

    d611696d95dd76f1c3f7ab90c370ccb734f1912ff340d28c5a050d0fb072c7914c3bd15ea30f8f2873fdb17f0b93da92eaa7eecc3b245e23c972c700777be804

Score
10/10
icedid3415411565bankercore_loadercore_payloadtrojan

Malware Config

Extracted

Family

icedid

Botnet

3415411565

C2

antnosience.com

seaskysafe.com
Attributes
  • auth_var

    1

  • url_path

    /news/

Extracted

Family

icedid

rsa_pubkey.plain

Signatures

  • IcedID, BokBot

    IcedID is a banking trojan capable of stealing credentials.

    trojanbankericedid
  • Icedid family
    icedid
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\core.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2076
    • C:\Windows\system32\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\planet64.tmp,DllMain /i="license.dat"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2156

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\license.dat
    Filesize

    333KB

    MD5

    7eb64145636d2e8343d9077f15c11022

    SHA1

    c0b221ca05431092bc1c789a33d199124c8fec1c

    SHA256

    96e657e1face63798a43e6210dba8d8c2f618d0be1230b95ab59d8bd23fc165a

    SHA512

    53171e09d3d146fe02e481944e1c5481f1bb48eaf66259d1b8bbbbf7a83efc4a73fc28089c7e1eacf221620cdff6ea7f1049c17720181fde88b4bdc27c1ea9b6

    Download Submit

  • memory/2156-2-0x00000000002A0000-0x00000000002A5000-memory.dmp

    Filesize

    20KB

    Download

  • memory/2156-4-0x0000000001D40000-0x0000000001D99000-memory.dmp

    Filesize

    356KB

    Download

  • memory/2156-12-0x0000000001D40000-0x0000000001D99000-memory.dmp

    Filesize

    356KB

    Download

  • memory/2156-10-0x0000000001D40000-0x0000000001D99000-memory.dmp

    Filesize

    356KB

    Download