MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 168e8a92e64f024346dd703ed9356f4e0bdf7d2130048e68da36291bbc9421a1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


IcedID


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 168e8a92e64f024346dd703ed9356f4e0bdf7d2130048e68da36291bbc9421a1
SHA3-384 hash: 9b172554929a8fc6aec31a0ff226a84235d472a451a6a73673d125cdca3b9e654f0264baec6fedafe0bdf647841b49ad
SHA1 hash: 3ae9ee11f2df5f3d4e1d54a516420bf253c4c335
MD5 hash: c8e0e743397406f6c7c15588ef767fda
humanhash: item-blue-harry-lamp
File name:vtGE.jpg
Download: download sample
Signature IcedID
Create hunting rule
File size:855'040 bytes
First seen:2023-02-16 17:43:58 UTC
Last seen:2023-02-16 19:57:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f9dedfeda1e654e0c907f26f701683c4 (1 x IcedID)
ssdeep 24576:fEQudEkIk9Xvw1H1F8es1F118HjRD9oXXXrXXXzXXX9XXXr:fEQu2Vk9Y1H1z/HjM
Threatray 1'332 similar samples on MalwareBazaar
TLSH T110052B17E2A355B8C57BC13487A79731A931B4694A34FA7F5E94C7223F20E60DB2E720
TrID 41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
26.1% (.EXE) Win64 Executable (generic) (10523/12/4)
12.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.1% (.ICL) Windows Icons Library (generic) (2059/9)
5.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter k3dg3___
Tags:1953131356 azergapolak exe IcedID

Intelligence

File Origin
# of uploads :
5
# of downloads :
260
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
vtGE.jpg
Verdict:
No threats detected
Analysis date:
2023-02-16 17:45:30 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9440175d-8f99-456a-9be3-1d41376584a3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
IcedIDLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/367334/
Detection(s):
SecuriteInfo.com.TrojanSpy.Win64.ICEDID.SMYXDAVZ.8574.20706.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/70965/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionGetTickCount
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
80%
Tags:
anti-debug
Link:
https://www.filescan.io/uploads/63ee6b6d87510c38b73506c0/reports/9b270fee-0475-42dd-b38d-5f97b7b4233d/overview
Verdict:
Malicious
Labled as:
TrojanS.3F7291CD
Link:
https://www.hybrid-analysis.com/sample/168e8a92e64f024346dd703ed9356f4e0bdf7d2130048e68da36291bbc9421a1
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/8309fea6-124c-4d78-94c9-551b696fabf5
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/1177163
Signature
Sigma detected: Execute DLL with spoofed extension
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 809984 Sample: vtGE.jpg.exe Startdate: 16/02/2023 Architecture: WINDOWS Score: 48 37 Sigma detected: Execute DLL with spoofed extension 2->37 8 loaddll64.exe 1 2->8         started        process3 process4 10 cmd.exe 1 8->10         started        12 rundll32.exe 8->12         started        14 rundll32.exe 8->14         started        16 7 other processes 8->16 process5 18 rundll32.exe 10->18         started        20 WerFault.exe 4 9 12->20         started        22 WerFault.exe 9 14->22         started        24 WerFault.exe 9 16->24         started        26 WerFault.exe 9 16->26         started        28 WerFault.exe 9 16->28         started        30 2 other processes 16->30 process6 32 WerFault.exe 17 9 18->32         started        dnsIp7 35 192.168.2.1 unknown unknown 32->35
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/168e8a92e64f024346dd703ed9356f4e0bdf7d2130048e68da36291bbc9421a1/
Threat name:
Win64.Trojan.IcedID
Create hunting rule
Status:
Malicious
First seen:
2023-02-16 17:45:06 UTC
File Type:
PE+ (Dll)
AV detection:
11 of 25 (44.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=c2hivexgj4begrw5oa7nsnlpjyf567jbgaci42g2gyurxpeuegqq._file
Verdict:
malicious
Label(s):
icedid
Create hunting rule
Similar samples:
01fcaac089adb57be61812b11860fb264cad44b7e3a60b3519ff964a9f459b73
IcedID
265c1857ac7c20432f36e3967511f1be0b84b1c52e4867889e367c0b5828a844
IcedID
2b317f6a1ffc33b390ef0f9ca4c7227c250dc6e46e9eb198e2ef56ce00e0d360
IcedID
95ad74c1dff5293c49c955a4e77c17e6912c7b8d1fc8f5f4c6f05ac77a56a9ab
IcedID
99dfb7baafec050861e152a036af86fc0c7663f3c719d58a56dfd9f06f4b8cef
IcedID
a5f81b3f092a05dc7026957e5d716e5976a38b152d1823ac76b84e189aa4a75b
IcedID
ca04842f4ead02f9ca4bb59856102b738ce2fb10bf18a4e087284e5a1b4d1380
IcedID
ea82f571c70046400d3e5967467d8b67c2e7592e353e3828d9bf20818d19ea87
IcedID
+ 1'322 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/230216-wa8nqsae6y/
Behaviour
Program crash
Unpacked files
SH256 hash:
168e8a92e64f024346dd703ed9356f4e0bdf7d2130048e68da36291bbc9421a1
MD5 hash:
c8e0e743397406f6c7c15588ef767fda
SHA1 hash:
3ae9ee11f2df5f3d4e1d54a516420bf253c4c335
Link:
https://www.unpac.me/results/75749750-33eb-417b-9ff6-cb2fbe808dbc/
Malware family:
IcedID
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/168e8a92e64f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/168e8a92e64f024346dd703ed9356f4e0bdf7d2130048e68da36291bbc9421a1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:IcedIDPackerD
Create hunting rule
Author:kevoreilly
Description:IcedID export selection

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

IcedID

Microsoft OneNote (one) one bae645306145f5ca847e16add3371e197b1efbf32c8e63dbb3c14726446ca975

IcedID

Executable exe 168e8a92e64f024346dd703ed9356f4e0bdf7d2130048e68da36291bbc9421a1

(this sample)

  
Link
https://bazaar.abuse.ch/sample/bae645306145f5ca847e16add3371e197b1efbf32c8e63dbb3c14726446ca975/#intel
  
Dropped by
SHA256 bae645306145f5ca847e16add3371e197b1efbf32c8e63dbb3c14726446ca975
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/367334/
  
URLhaus
https://urlhaus.abuse.ch/url/2542234/
  
URLhaus
https://urlhaus.abuse.ch/url/2542231/
  
URLhaus
https://urlhaus.abuse.ch/url/2542239/
  
URLhaus
https://urlhaus.abuse.ch/url/2542238/
  
URLhaus
https://urlhaus.abuse.ch/url/2542233/
  
URLhaus
https://urlhaus.abuse.ch/url/2542235/
  
URLhaus
https://urlhaus.abuse.ch/url/2542236/
  
URLhaus
https://urlhaus.abuse.ch/url/2542241/
  
URLhaus
https://urlhaus.abuse.ch/url/2543115/
  
Dropped by
MD5 2103d55a7757a9941c46dcdb1fcd99c0

Comments