MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0581f0bf260a11a5662d58b99a82ec756c9365613833bce8f102ec1235a7d4f7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



IcedID


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 8 File information Comments

SHA256 hash: 0581f0bf260a11a5662d58b99a82ec756c9365613833bce8f102ec1235a7d4f7
SHA3-384 hash: dc305fc9d6cab7fc5197835257afca7871cb0370bbe0d68f0bf55fc2579893e7803672857fb7fa1946a07763a662c125
SHA1 hash: bc42c60590cb908e765e2d97e8b3a92b4616cd30
MD5 hash: 9b692f43d575acb739decfc809db7f2e
humanhash: georgia-comet-one-romeo
File name:J5V5DR.dll
Download: download sample
Signature IcedID
File size:718'848 bytes
First seen:2022-05-23 18:55:52 UTC
Last seen:2022-05-23 19:39:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5fc0865d8cfea72f745977b121a33fe9 (1 x IcedID)
ssdeep 12288:ls83XIJDjnYSwX+rX8UsV6C7u7v0euPFwdH1hOR6LF9aFpJv7B5pCYUtvRwzoH7n:vHIJLDc+rDCK7v0pFoVhRF9aFfDCFH7p
Threatray 205 similar samples on MalwareBazaar
TLSH T1A1E4BFB875143CD6E66E527BDAD6BDDD13B627638A8BA8CC8064B7C30563371FE02805
Reporter @AndreGironda
Tags:dll IcedID

Intelligence


File Origin
# of uploads :
2
# of downloads :
333
Origin country :
US US
Mail intelligence
No data
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
J5V5DR.dll
Verdict:
No threats detected
Analysis date:
2022-05-23 19:21:02 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending an HTTP GET request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
icedid packed
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected IcedID
Behaviour
Behavior Graph:
behaviorgraph top1 signatures2 2 Behavior Graph ID: 632638 Sample: J5V5DR.dll Startdate: 23/05/2022 Architecture: WINDOWS Score: 100 31 Found malware configuration 2->31 33 Malicious sample detected (through community Yara rule) 2->33 35 Multi AV Scanner detection for submitted file 2->35 37 2 other signatures 2->37 7 loaddll64.exe 1 2->7         started        process3 dnsIp4 27 ilekvoyn.com 7->27 45 Contains functionality to detect hardware virtualization (CPUID execution measurement) 7->45 47 Tries to detect virtualization through RDTSC time measurements 7->47 11 cmd.exe 1 7->11         started        13 regsvr32.exe 7->13         started        17 rundll32.exe 7->17         started        19 2 other processes 7->19 signatures5 process6 dnsIp7 21 rundll32.exe 11->21         started        29 ilekvoyn.com 64.227.182.2, 49740, 49741, 49743 DIGITALOCEAN-ASNUS Canada 13->29 49 Contains functionality to detect hardware virtualization (CPUID execution measurement) 13->49 51 Tries to detect virtualization through RDTSC time measurements 13->51 53 System process connects to network (likely due to code injection or exploit) 17->53 signatures8 process9 dnsIp10 25 ilekvoyn.com 21->25 39 System process connects to network (likely due to code injection or exploit) 21->39 41 Contains functionality to detect hardware virtualization (CPUID execution measurement) 21->41 43 Tries to detect virtualization through RDTSC time measurements 21->43 signatures11
Threat name:
Win64.Trojan.IcedID
Status:
Malicious
First seen:
2022-05-23 18:56:07 UTC
File Type:
PE+ (Dll)
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:icedid campaign:109932505 banker loader suricata trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
IcedID, BokBot
suricata: ET MALWARE Win32/IcedID Request Cookie
Malware Config
C2 Extraction:
ilekvoyn.com
Unpacked files
SH256 hash:
0581f0bf260a11a5662d58b99a82ec756c9365613833bce8f102ec1235a7d4f7
MD5 hash:
9b692f43d575acb739decfc809db7f2e
SHA1 hash:
bc42c60590cb908e765e2d97e8b3a92b4616cd30

YARA Signatures


MalareBazaar uses YARA rules from several public and non-public repositories, such as Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious proccess dumps they may create. Please note that only results from TLP:WHITE rules are being displayeyd.

Rule name:crime_win32_icedid_stage1
Author:Rony (@r0ny_123)
Description:Detects IcedID photoloader
Reference:https://sysopfb.github.io/malware,/icedid/2020/04/28/IcedIDs-updated-photoloader.html
Rule name:IcedIDLoader
Author:kevoreilly, threathive, enzo
Description:IcedID Loader
Rule name:IcedID_init_loader
Author:@bartblaze
Description:Identifies IcedID (stage 1 and 2, initial loaders).
Rule name:MALWARE_Win_IceID
Author:ditekSHen
Description:Detects IceID / Bokbot variants
Rule name:MAL_IcedID_GZIP_LDR_202104
Author:Thomas Barabosch, Telekom Security
Description:2021 initial Bokbot / Icedid loader for fake GZIP payloads
Reference:https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240
Rule name:SPLCrypt
Author:James Quinn, Binary Defense
Description:Identifies SPLCrypt, a new crypter associated with Bazaloader
Rule name:win_iceid_gzip_ldr_202104
Author:Thomas Barabosch, Telekom Security
Description:2021 initial Bokbot / Icedid loader for fake GZIP payloads
Rule name:win_photoloader_auto
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.photoloader.

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
ilekvoyn.com https://threatfox.abuse.ch/ioc/628465

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

IcedID

Executable exe 0581f0bf260a11a5662d58b99a82ec756c9365613833bce8f102ec1235a7d4f7

(this sample)

  
Delivery method
Distributed via web download

Comments