MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0306e59d0b52279dc773e1cb8cba8203cc39023af0f34bae33c1eda484beeb0b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

IcedID

Vendor detections: 4



SHA256 hash: 0306e59d0b52279dc773e1cb8cba8203cc39023af0f34bae33c1eda484beeb0b
SHA3-384 hash: 7da1fbce34080aa26388c3d4aefd6dead4d62d50421f31b5240b39962f1eb7fd639e5a96439a230375588ce89b5ce5ad
SHA1 hash: 578bcc54ba7bf3b3451a66461bb99338a7495f17
MD5 hash: ba39392a433ad43ca8fd2b7e3b6d605f
humanhash: north-cold-comet-idaho
File name: redacted-doc-11.14.22.zip
Signature: IcedID
File size: 469'018 bytes
First seen: 2022-11-14 18:51:38 UTC
Last seen: Never
File type: zip
MIME type: application/zip
Note: This file is a password-protected archive. The password is: office141122
ssdeep: 12288:ww6GYG+qDQXD09P2RUgB8fQcyAhU0M4md5:ww6Gn+09wyfpZqd5
TLSH: T112A4233918927CF20FA4A78440589FEAF77B8BFBED224D92D8C506D97411DCDC131AA9
TrID: 80.0% (.ZIP) ZIP compressed archive (4000/1)
      20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter: k3dg3___
Tags: 1609463178 IcedID pw office141122 TA551 zip

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                  ThreatFox Reference
trolspeaksunt.com    https://threatfox.abuse.ch/ioc/1011868/

Intelligence


File Origin
# of uploads: 1
# of downloads: 190
Origin country: US
File Archive Information

This file archive contains 3 file(s), sorted by their relevance:

File name: ver123.dll
File size: 98'816 bytes
SHA256 hash: 45704a092e0f331dec2c86dc2f7259b4680bb71c542aea59005bf1b1a8a18d3f
MD5 hash: f315325aecae49d502589694b6650bf0
MIME type: application/x-dosexec
Signature: IcedID

File name: run.cmd
File size: 159 bytes
SHA256 hash: f96ca4d15febe51758689d9c93c5ff06449a67aacc9b619c249dd00f7b65d179
MD5 hash: bc2545a660518ef0271bdd6a8be3513c
MIME type: text/plain
Signature: IcedID

File name: pss10r.chm
File size: 402'154 bytes
SHA256 hash: e6c58b329804c30442be8159296b54b612c32b038d826d7e2cb058042d9aa852
MD5 hash: 20fbaccd2166d324d53948e87fe15c26
MIME type: application/octet-stream
Signature: IcedID
Vendor Threat Intelligence

Result
Malware family:
Score: 10/10
Tags: family:icedid campaign:1609463178 banker loader trojan
Behaviour:
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Enumerates physical storage devices
Malware Config
C2 Extraction: trolspeaksunt.com

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: SPLCrypt
Author: James Quinn, Binary Defense
Description: Identifies SPLCrypt, a new crypter associated with Bazaloader

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
IcedID
zip 0306e59d0b52279dc773e1cb8cba8203cc39023af0f34bae33c1eda484beeb0b (this sample)
Delivery method: Distributed via e-mail attachment
