Overview

overview

10

Static

static

3

clutch-32.dll

windows7-x64

10

clutch-32.dll

windows10-2004-x64

10

core.bat

windows7-x64

10

core.bat

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    23-12-2024 14:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    core.bat

  • Size

    123B

  • MD5

    7ed83700f1db2f30269d8d7aab15fc38

  • SHA1

    787f6c843d5b41562baceeb67d1dea686f0891eb

  • SHA256

    2db50c09350bd707c6cd1c413f15f5360b8a9cd9145caafa07bffe29d1c6ea51

  • SHA512

    974202b6def2cc1463452384c94f2d3d562115b7e571170f128197bd6600fffdd73feb4381bd3a647d9f473d88b15838d10e733539b009bd2d29fd2ec257d3f4

Score
10/10
icedid2406015698bankercore_loadercore_payloadtrojan

Malware Config

Extracted

Family

icedid

Botnet

2406015698

C2

commamimubebe.site

asredetyr.site

aszepolityu.fun

likoportio.fun
Attributes
  • auth_var

    6

  • url_path

    /news/

Extracted

Family

icedid

rsa_pubkey.plain

Signatures

  • IcedID, BokBot

    IcedID is a banking trojan capable of stealing credentials.

    trojanbankericedid
  • Icedid family
    icedid
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\core.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1620
    • C:\Windows\system32\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\clutch-32.tmp,Bjaskkas /i="license.dat"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3040

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\license.dat
    Filesize

    334KB

    MD5

    c3db0f946699412e8f3a2775516116a2

    SHA1

    a01448e2760dcb2fbed70a634baaae559d3b6de0

    SHA256

    dbe9743c9c57247cb9275a23a84909dd78aca59f584df62197bde07cb87bd1ed

    SHA512

    50b2e9b3446463f4b02980587b3f4bd716f5b018e26085f10d38c42fd0f6e07891438d13ccc5b36f38ab9c7f1ea874814ed266f8551a970c8ca3eb73ac6b4950

    Download Submit

  • memory/3040-2-0x0000000180000000-0x0000000180005000-memory.dmp

    Filesize

    20KB

    Download

  • memory/3040-6-0x0000000180000000-0x0000000180005000-memory.dmp

    Filesize

    20KB

    Download

  • memory/3040-8-0x00000000002C0000-0x0000000000319000-memory.dmp

    Filesize

    356KB

    Download

  • memory/3040-14-0x00000000002C0000-0x0000000000319000-memory.dmp

    Filesize

    356KB

    Download

  • memory/3040-15-0x00000000002C0000-0x0000000000319000-memory.dmp

    Filesize

    356KB

    Download