MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0a0b3d91698a46d409791d4dd866e56ddd70f91a3f1d4557a0cb2899bda1e524. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


IcedID


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0a0b3d91698a46d409791d4dd866e56ddd70f91a3f1d4557a0cb2899bda1e524
SHA3-384 hash: dfdbd338da79d28d6fdab1c770d17b77fd07f7050e1e4cf11ac2507d2ff5fd0060ac38511d289c51bc4bec29001e213d
SHA1 hash: c4c0ca6b2b7779d870b0b69e5d7001453babbff0
MD5 hash: 7d7bdc559ae699579a700645d0fd5f03
humanhash: tennis-black-low-april
File name:ghnrope2.dll
Download: download sample
Signature IcedID
Create hunting rule
File size:185'404 bytes
First seen:2021-04-09 14:26:16 UTC
Last seen:2021-04-09 14:52:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 418bb7afa91ee2677e9770deeeb77473 (15 x IcedID, 1 x Gozi)
ssdeep 1536:O65/LQ2n3qA3PSD1AWc15xX418gzMPA3MxGQk2x44XaN9QqGYwOo9:D/LQ26GPS5g1Xm1MY3+lx7oQqGnOo
Threatray 63 similar samples on MalwareBazaar
TLSH 200462BD06946674F092A2FE5F5BC2DC80F976F511FC239BA3309AF404489A54FE7289
Reporter ffforward
Tags:dll IcedID

Intelligence

File Origin
# of uploads :
2
# of downloads :
213
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ghnrope2.dll
Verdict:
No threats detected
Analysis date:
2021-04-09 14:29:11 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/14e4e37b-62f1-4784-86b3-ea08ad8fccad

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
IcedIDStage1
Create hunting rule
Link:
https://www.capesandbox.com/analysis/133412/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.2076.30294.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Deleting a recently created file
Creating a file in the Windows subdirectories
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/89f5b6b8-e595-4f9b-b640-c0b6adbab4a9
Result
Threat name:
IcedID
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/671518
Signature
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected IcedID
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 384706 Sample: ghnrope2.dll Startdate: 09/04/2021 Architecture: WINDOWS Score: 60 28 provokordino.space 2->28 56 Yara detected IcedID 2->56 8 loaddll64.exe 1 2->8         started        signatures3 process4 dnsIp5 30 provokordino.space 8->30 32 tp.8e49140c2-frontier.amazon.com 8->32 34 2 other IPs or domains 8->34 62 Tries to detect virtualization through RDTSC time measurements 8->62 12 cmd.exe 1 8->12         started        14 regsvr32.exe 8->14         started        18 rundll32.exe 8->18         started        20 4 other processes 8->20 signatures6 process7 dnsIp8 22 rundll32.exe 12->22         started        42 provokordino.space 14->42 44 dr49lng3n1n2s.cloudfront.net 13.32.16.68, 443, 49705, 49732 ATT-INTERNET4US United States 14->44 50 3 other IPs or domains 14->50 64 Tries to detect virtualization through RDTSC time measurements 14->64 46 provokordino.space 18->46 52 2 other IPs or domains 18->52 66 System process connects to network (likely due to code injection or exploit) 18->66 48 provokordino.space 20->48 54 2 other IPs or domains 20->54 25 iexplore.exe 151 20->25         started        signatures9 process10 dnsIp11 58 System process connects to network (likely due to code injection or exploit) 22->58 60 Tries to detect virtualization through RDTSC time measurements 22->60 36 provokordino.space 25->36 38 tls13.taboola.map.fastly.net 151.101.1.44, 443, 49738, 49739 FASTLYUS United States 25->38 40 11 other IPs or domains 25->40 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0a0b3d91698a46d409791d4dd866e56ddd70f91a3f1d4557a0cb2899bda1e524/
Threat name:
Win64.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-04-09 14:27:04 UTC
AV detection:
10 of 29 (34.48%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
3a939d5f1bfd54e904e9d69c05eafb6007af8b80334cc5e8764c253fcaa1982a
IcedID
4da2043926cca759f672624da138ded20d82922ac1a7438efa0d193cf1cf6afa
IcedID
5da2e9166e532add80cda782122f07d05f869a9ffb5bc6ff8367e5ac2d10f58f
IcedID
6eaa904c3bd46870bdb533b8dc9cb7953bfc0c23ba49ad87bee84b6092f8c27a
IcedID
79f1a8f2d6ee1191a814af53a212a9bda8ce7c5aaccd27a38b3e04b36ce01bc0
IcedID
a106526331fa7c1e6e2bb3de6a5f8d5a848f314c539ff3b505225c18f161dd40
IcedID
aacdf284665bca76811d1afbd267c93a39f06aa93c73f2d0cfb1679bd5b076ea
IcedID
cf7958a90e919c98464b8fb3b7a204af7f66d9ab82549243cb82c619cb5607c1
IcedID
e71a6d9573488d852c2a12fd73859fa893af21e4021fd02f316f85e00686dbfd
IcedID
eeb0de4f4ecce356b213e09834c4b54bb942c51ed2a9808eeb99fa92236f0f53
IcedID
+ 53 additional samples on MalwareBazaar
Result
Malware family:
icedid
Create hunting rule
Score:
  10/10
Tags:
family:icedid banker loader trojan
Link:
https://tria.ge/reports/210409-qx4ny58bge/
Behaviour
Suspicious behavior: EnumeratesProcesses
IcedID First Stage Loader
IcedID, BokBot
Malware Config
C2 Extraction:
provokordino.space
Unpacked files
SH256 hash:
0a0b3d91698a46d409791d4dd866e56ddd70f91a3f1d4557a0cb2899bda1e524
MD5 hash:
7d7bdc559ae699579a700645d0fd5f03
SHA1 hash:
c4c0ca6b2b7779d870b0b69e5d7001453babbff0
Link:
https://www.unpac.me/results/082e9e4c-710f-491a-858a-0ff2b51ed8d7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/0a0b3d91698a46d409791d4dd866e56ddd70f91a3f1d4557a0cb2899bda1e524

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Dridex

Excel file xlsm f06910daadc7c66c8e9064d0719ed6727d69c1f04ab13566cadbb6e7a9f52a7e

IcedID

Executable exe 0a0b3d91698a46d409791d4dd866e56ddd70f91a3f1d4557a0cb2899bda1e524

(this sample)

  
Link
https://tria.ge/210409-gyxqwny2vj
  
URLhaus
https://urlhaus.abuse.ch/url/1105092/
  
Dropped by
SHA256 f06910daadc7c66c8e9064d0719ed6727d69c1f04ab13566cadbb6e7a9f52a7e
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/133412/

Comments