MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1a4f63c7c5b4e3e26cce157c4e0d6ed8c1fef956c4033b96df9159d27169445d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


IcedID


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1a4f63c7c5b4e3e26cce157c4e0d6ed8c1fef956c4033b96df9159d27169445d
SHA3-384 hash: bc4b9850fec55f4a3c0139ee76ff82ebe9360b2a98d101dd092e80f80b454634a8094d390512a4bdfbbdd6d01491f4ea
SHA1 hash: 204aa579c9bf3a5bfdc7c74d4ba2ad56511e8805
MD5 hash: 2dbbe1ec452ac73afd255b2e719c72ae
humanhash: maine-emma-wyoming-shade
File name:Izipubob.dll
Download: download sample
Signature IcedID
Create hunting rule
File size:108'032 bytes
First seen:2020-11-24 22:43:18 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 1ae6ba40e9dbf13143cd3d538d88f08a (3 x IcedID)
ssdeep 1536:ByRkPsWxFcd3pTwfUzk9HVOgiNXUjgzIBN6wfIPP26pw5ad2pl/H7ZvpZMBu+FIx:BK803NwTyEcIBN6u+26pKvpZMBpSx
Threatray 891 similar samples on MalwareBazaar
TLSH 3AB37C02B3D18032E57F1A390532C6B28A3E7D504FE09DAB674A253D5F706E1A735F6A
Reporter malware_traffic
Tags:dll IcedID Shathak TA551

Intelligence

File Origin
# of uploads :
1
# of downloads :
177
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
DNS request
Sending a custom TCP request
Connection attempt
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
IcedID
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/546494
Signature
Allocates memory in foreign processes
Changes memory attributes in foreign processes to executable or writable
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains VNC / remote desktop functionality (version string found)
Creates a thread in another existing process (thread injection)
Early bird code injection technique detected
Queues an APC in another process (thread injection)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected IcedID
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 322343 Sample: Izipubob.dll Startdate: 24/11/2020 Architecture: WINDOWS Score: 96 43 Yara detected IcedID 2->43 45 Contains VNC / remote desktop functionality (version string found) 2->45 8 loaddll32.exe 1 2->8         started        process3 process4 10 regsvr32.exe 3 8->10         started        14 cmd.exe 1 8->14         started        dnsIp5 33 afromadness.club 68.183.54.143, 443, 49771, 49775 DIGITALOCEAN-ASNUS United States 10->33 47 System process connects to network (likely due to code injection or exploit) 10->47 49 Early bird code injection technique detected 10->49 51 Contains functionality to detect hardware virtualization (CPUID execution measurement) 10->51 53 4 other signatures 10->53 16 msiexec.exe 1 39 10->16         started        20 iexplore.exe 1 74 14->20         started        signatures6 process7 dnsIp8 25 afromadness.club 16->25 35 Changes memory attributes in foreign processes to executable or writable 16->35 37 Contains functionality to detect hardware virtualization (CPUID execution measurement) 16->37 39 Tries to detect virtualization through RDTSC time measurements 16->39 41 Creates a thread in another existing process (thread injection) 16->41 22 iexplore.exe 165 20->22         started        signatures9 process10 dnsIp11 27 img.img-taboola.com 22->27 29 edge.gycpi.b.yahoodns.net 87.248.118.23, 443, 49752, 49753 YAHOO-DEBDE United Kingdom 22->29 31 9 other IPs or domains 22->31
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1a4f63c7c5b4e3e26cce157c4e0d6ed8c1fef956c4033b96df9159d27169445d/
Threat name:
Win32.Trojan.IcedID
Create hunting rule
Status:
Malicious
First seen:
2020-11-24 22:44:05 UTC
File Type:
PE (Dll)
Extracted files:
1
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
icedid
Create hunting rule
Similar samples:
3dfb74874b9c0b32b66ce96a97170fc430fed51a7cfdbf361e6c4febe2935e5d
IcedID
6610a12184a15e0fe2f3c8d2f730aa7a4497386a10487138cfe1e019ec3f1f2a
IcedID
818076cbf3b8323b674d476b2862b3495cddcc13ef957f5bd9ec7f18bd436791
IcedID
a09d8c487a135b973af532247d62f46695a53f37add6c66e561f1c14650290f5
IcedID
a24c5d4c11f1d46b03ae1539df341c7247e1f8809b27a3b873449a1be218bd1e
IcedID
a9f651747ef040972d25a7f039a4853c9ed151ad252380e1e75af32ddc4ece82
IcedID
c7a41aaae47af9ebc6bcabb267e1d11d903c937df275ab2bbdcda734efdbabbf
IcedID
d25e3a7ed538968e9b78367cd8f8d20f8f55471a1eb27aae2774272fc8c1c1ce
IcedID
e75612b515f036b54d63ed2efa45afc9b167b78116d65a77b1f0fa69674ed51f
IcedID
f25862e2ae2bc1af4a3117c22317abac677b278645135013cdd43e47868d536b
IcedID
+ 881 additional samples on MalwareBazaar
Result
Malware family:
icedid
Create hunting rule
Score:
  10/10
Tags:
family:icedid banker trojan
Link:
https://tria.ge/reports/201124-aqanlzznas/
Behaviour
Suspicious use of WriteProcessMemory
IcedID Core Payload
IcedID, BokBot
Unpacked files
SH256 hash:
1a4f63c7c5b4e3e26cce157c4e0d6ed8c1fef956c4033b96df9159d27169445d
MD5 hash:
2dbbe1ec452ac73afd255b2e719c72ae
SHA1 hash:
204aa579c9bf3a5bfdc7c74d4ba2ad56511e8805
Link:
https://www.unpac.me/results/3c5ba867-e638-42e4-ba96-8fdd8963e67a/
SH256 hash:
8b9962fc29fa67bbe5b25cdceac5938c61a99d11678885fd9b988cc4cbe47906
MD5 hash:
1de939a15341ca843d80e5d962a94a7f
SHA1 hash:
c598e90eb3564c69e8d6d729dad7e1b8a01cd762
Link:
https://www.unpac.me/results/3c5ba867-e638-42e4-ba96-8fdd8963e67a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
IcedID
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1a4f63c7c5b4e3e26cce157c4e0d6ed8c1fef956c4033b96df9159d27169445d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments