MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 14dbb4164d72baf15834966b4213023d2879cd9d5bedbac7e0e925ca4c4211b1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



IcedID


Vendor detections: 6


SHA256 hash: 14dbb4164d72baf15834966b4213023d2879cd9d5bedbac7e0e925ca4c4211b1
SHA3-384 hash: 6f7468a5a1de5773ea81e79f35e14e5528dc7d9e18723fb7e59786890801aadec5b1e253e7e076d4304847e7b1fbd968
SHA1 hash: 2fc925ef1207cf1dbb32bcbda514f60e12662fd0
MD5 hash: fb5274cee828ad6d1612a1352d842e7f
humanhash: bluebird-zulu-skylark-fix
File name: docs_InV_22-10-08.js
Signature: IcedID
File size: 94,929 bytes
First seen: 2023-04-21 05:41:16 UTC
Last seen: Never
File type: JavaScript (JS)
MIME type: text/plain
ssdeep: 1536:yEimnYDf2d+/WTBJBpESkYTJFnphpU/9h4pSt1zxHkZXGK2/61awLIy/FLlKspbY:8mnYTQscXBqdeJFnphpeFxEZXGKQUTLW
TLSH: T18E932FC233E2F85A155313B67B9161E5EA29CD90C5C9DCCCF044BC98F0ACD2DBAA8599
Reporter: 0xToxin
Tags: IcedID, js

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 323
Origin country: IL
Vendor Threat Intelligence

Result
Verdict: UNKNOWN

Result
Threat name: n/a
Detection: malicious
Classification: evad.bank
Score: 92 / 100

Signatures
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Encrypted powershell cmdline option found
Malicious encrypted Powershell command line found
Multi AV Scanner detection for domain / URL
PowerShell case anomaly found
Snort IDS alert for network traffic
Suspicious powershell command line found
Wscript starts Powershell (via cmd or directly)

Behaviour
Behavior Graph (graph image not reproduced; recoverable information): Behavior Graph ID 851366, sample docs_InV_22-10-08.js, start date 21/04/2023, architecture WINDOWS, score 92. Process chain: wscript.exe starts four cmd.exe instances, each of which starts powershell.exe and conhost.exe. Signatures on the graph: Snort IDS alert for network traffic, Multi AV Scanner detection for domain / URL and Antivirus detection for URL or domain (sample node); Malicious encrypted Powershell command line found, Wscript starts Powershell (via cmd or directly) and PowerShell case anomaly found (wscript.exe); Suspicious powershell command line found, Bypasses PowerShell execution policy and Encrypted powershell cmdline option found (cmd.exe). Network: powershell.exe contacts ginomar.top (46.149.79.227, ports 49813, 49814, 49815; AS ARTTELECOMRU, Russian Federation).
Result
Malware family: n/a
Score: 10/10
Tags: n/a

Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Blocklisted process makes network request

Malware Config
Dropper Extraction: http://ginomar.top/gatef3.php
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: crime_win32_icedid_stage1
Author: Rony (@r0ny_123)
Description: Detects IcedID photoloader
Reference: https://sysopfb.github.io/malware,/icedid/2020/04/28/IcedIDs-updated-photoloader.html

Rule name: crime_win64_photoloader_packed
Author: Rony (@r0ny_123)
Description: Detects specific packed photoloader

Rule name: IcedIDLoader
Author: kevoreilly, threathive, enzo, r0ny123
Description: IcedID Loader

Rule name: IcedID_init_loader
Author: @bartblaze
Description: Identifies IcedID (stage 1 and 2, initial loaders).

Rule name: MAL_IcedID_GZIP_LDR_202104
Author: Thomas Barabosch, Telekom Security
Description: 2021 initial Bokbot / Icedid loader for fake GZIP payloads
Reference: https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240

Rule name: Windows_Trojan_IcedID_0b62e783
Author: Elastic Security

Rule name: Windows_Trojan_IcedID_11d24d35
Author: Elastic Security

Rule name: Windows_Trojan_IcedID_48029e37
Author: Elastic Security

Rule name: Windows_Trojan_IcedID_91562d18
Author: Elastic Security

Rule name: win_iceid_gzip_ldr_202104
Author: Thomas Barabosch, Telekom Security
Description: 2021 initial Bokbot / Icedid loader for fake GZIP payloads

Rule name: win_photoloader_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.photoloader.

File information


The table below shows additional information about this malware sample such as delivery method and external references.