icedid | 68ee00ee736714ef1a247a34db582392ff75dd886c987b373fb4877e4e4fcf6d

Analysis

max time kernel
102s
max time network
105s
platform
windows11-21h2_x64
resource
win11-20250410-en
resource tags

arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
submitted
19/04/2025, 20:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-19_aab9c3fe916caca1e43641806e5fb5b5_elex_icedid.exe
Size

296KB
MD5

aab9c3fe916caca1e43641806e5fb5b5
SHA1

25decdd748eef9f964b76cff5225e5d0d672fb47
SHA256

68ee00ee736714ef1a247a34db582392ff75dd886c987b373fb4877e4e4fcf6d
SHA512

e11a8824d0108582f4690e6699be289a726c4f926baa58afb6b45481f008b5e04b763527df3de55b53c89b9645b361a21432b19e16139a9a362993d31f88e4f8
SSDEEP

3072:iLsPk8GT/OxyVXbh0d1iaP7nP31euHuGqhwQ217U/wFcwDlv1+sZ0be8OBmD:wss8Q/OYdJaznP3lfq65Uw++0Bi

Score

10^/10

icedid 2258898682 banker discovery loader trojan

Malware Config

Extracted

Family

icedid

Extracted

Family

icedid

Botnet

2258898682

enricowilli.top

lagunaway.top

teoreticaldanger.pw

uxanlabchina.top

Attributes

auth_var
5
url_path
/audio/

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
Icedid family
icedid

IcedID Second Stage Loader 2 IoCs

loader

resource	yara_rule
behavioral2/memory/2004-3-0x0000000002340000-0x0000000002343000-memory.dmp	IcedidSecondLoader
behavioral2/memory/2004-4-0x0000000002350000-0x0000000002356000-memory.dmp	IcedidSecondLoader

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-19_aab9c3fe916caca1e43641806e5fb5b5_elex_icedid.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2004	2025-04-19_aab9c3fe916caca1e43641806e5fb5b5_elex_icedid.exe
2004	2025-04-19_aab9c3fe916caca1e43641806e5fb5b5_elex_icedid.exe

C:\Users\Admin\AppData\Local\Temp\2025-04-19_aab9c3fe916caca1e43641806e5fb5b5_elex_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-19_aab9c3fe916caca1e43641806e5fb5b5_elex_icedid.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2004

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2004-3-0x0000000002340000-0x0000000002343000-memory.dmp

Filesize
12KB

Download
memory/2004-4-0x0000000002350000-0x0000000002356000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads